Protection Strategies — Overview

Protection strategies are policy models designed to meet regulatory and security compliance requirements; they can be applied consistently across applications and network zones to reduce risk while keeping operations stable.

This section groups strategies into three families:

  • Intrazone / East–West Protection — control lateral movement inside a bounded network zone (DMZ / subnets).
  • Blacklist strategies — keep Default ALLOW, but DENY only a small set of risky ports/paths.
  • Fine-grained strategies — move toward explicit control across application boundaries (Ingress + Egress), with a scalable least-privilege model.

Quick selection guide

Choose Intrazone when…

  • You have a well-defined network zone (DMZ / one or more subnets).
  • You want strong containment of East/West traffic inside that zone.
  • North/South continues to be handled primarily by a perimeter firewall.

Choose Blacklist when…

  • You need fast risk reduction with minimal change.
  • You want to block common pivot paths (admin ports, dangerous ports) while keeping most traffic unchanged.
  • You are not ready yet to operate a full allow-list posture.

Choose Fine-grained when…

  • You want explicit, auditable dependencies between applications.
  • You want to control Ingress + Egress between application bubbles.
  • You want a clean foundation for least privilege at scale.

At a glance

Strategy family          Default posture                  Control scope                        Typical value
Intrazone / East–West    Default DENY (inside the zone)   East/West inside a bounded zone      strong lateral containment
Blacklist                Default ALLOW                    only blacklisted ports/paths         fast “safety rails”
Fine-grained             Default DENY (across bubbles)    Ingress + Egress between bubbles     explicit dependencies

A typical adoption order is:

  1. Blacklist (quick wins with minimal disruption)
  2. Intrazone (contain lateral movement inside sensitive zones)
  3. Fine-grained (least-privilege across application boundaries)

Note

These strategies can be combined. For example, apply Blacklist Admin Ports broadly while deploying Intrazone in a DMZ, then evolve critical applications toward Fine-grained.
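The combination described in the note can be made concrete as a small policy evaluator. The example below is added here for illustration and is not code from this documentation or its product: it models the three families with the default postures from the table (Blacklist = default ALLOW with denied ports, Intrazone = default DENY inside one zone and out of scope elsewhere, Fine-grained = default DENY between labelled bubbles), combines them so that any in-scope DENY wins, and evaluates constructed sample flows. The class names, rule formats, addresses, ports and bubble names are all assumptions made for the demo.

```python
"""Evaluate constructed flows against a combined protection policy.

Added, illustrative example; not code from the original page. The strategy
classes, rule shapes and every address, port and bubble name are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def in_any(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


class Blacklist:
    """Default ALLOW; DENY only the listed risky ports. Applies everywhere."""

    def __init__(self, denied_ports):
        self.denied_ports = set(denied_ports)

    def decide(self, flow):
        return "DENY" if flow.port in self.denied_ports else "ALLOW"


class Intrazone:
    """Default DENY for East/West traffic inside one bounded zone.
    A flow with an endpoint outside the zone is out of scope (None):
    North/South stays with the perimeter firewall."""

    def __init__(self, zone, allowed):
        self.zone = [ip_network(z) for z in zone]
        self.allowed = [(ip_network(s), ip_network(d), p) for s, d, p in allowed]

    def decide(self, flow):
        if not (in_any(flow.src, self.zone) and in_any(flow.dst, self.zone)):
            return None
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        for s_net, d_net, port in self.allowed:
            if src in s_net and dst in d_net and port == flow.port:
                return "ALLOW"
        return "DENY"


class FineGrained:
    """Default DENY across application bubbles, Ingress + Egress.
    Any flow touching a managed bubble is in scope; addresses outside
    every bubble carry the label EXTERNAL."""

    EXTERNAL = "EXTERNAL"

    def __init__(self, bubbles, allowed):
        self.bubbles = {name: [ip_network(n) for n in nets] for name, nets in bubbles.items()}
        self.allowed = set(allowed)

    def label(self, ip):
        for name, nets in self.bubbles.items():
            if in_any(ip, nets):
                return name
        return self.EXTERNAL

    def decide(self, flow):
        src, dst = self.label(flow.src), self.label(flow.dst)
        if src == dst == self.EXTERNAL:
            return None
        return "ALLOW" if (src, dst, flow.port) in self.allowed else "DENY"


def evaluate(flow, strategies):
    """Any in-scope DENY wins; otherwise ALLOW. Returns the deciding strategies."""
    verdicts = {type(s).__name__: s.decide(flow) for s in strategies}
    in_scope = {n: v for n, v in verdicts.items() if v is not None}
    if "DENY" in in_scope.values():
        return "DENY", sorted(n for n, v in in_scope.items() if v == "DENY")
    return "ALLOW", sorted(in_scope)


# Constructed policy: admin-port blacklist everywhere, Intrazone in a DMZ,
# Fine-grained between two critical application bubbles.
POLICY = [
    Blacklist(denied_ports={22, 3389, 445, 5985}),
    Intrazone(zone=["10.10.0.0/16"],
              allowed=[("10.10.1.0/24", "10.10.2.0/24", 443)]),  # web tier -> api tier
    FineGrained(bubbles={"payments": ["10.20.1.0/24"], "ledger": ["10.20.2.0/24"]},
                allowed={("payments", "ledger", 5432), ("EXTERNAL", "payments", 443)}),
]

# Constructed sample flows covering each posture and the out-of-scope case.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.7", 443),      # DMZ web -> api, explicitly allowed
    Flow("10.10.1.5", "10.10.2.7", 22),       # same pair, admin port: blacklisted
    Flow("10.10.1.5", "10.10.3.9", 8080),     # lateral move inside DMZ, no rule
    Flow("10.10.1.5", "192.0.2.10", 443),     # North/South, left to the perimeter
    Flow("10.20.1.4", "10.20.2.4", 5432),     # payments -> ledger dependency
    Flow("10.20.1.4", "10.20.2.4", 3389),     # payments -> ledger on RDP port
    Flow("10.20.1.4", "10.30.0.1", 443),      # egress from payments, no rule
    Flow("198.51.100.7", "10.20.1.4", 443),   # ingress to payments, allowed
]


def decide_all(flows=SAMPLE_FLOWS, strategies=POLICY):
    return {(f.src, f.dst, f.port): evaluate(f, strategies) for f in flows}


if __name__ == "__main__":
    for (src, dst, port), (verdict, who) in decide_all().items():
        print(f"{src:>14} -> {dst:<14}:{port:<5} {verdict:<5} ({', '.join(who)})")
```

The returned list of deciding strategies is the audit trail the Fine-grained family promises: for every flow you can see which family produced the verdict, and a flow that only the Blacklist touched is one the perimeter firewall, not this policy, is responsible for.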
