You're assessing and hardening network segmentation for a property management company in Doha, Qatar — 12 buildings with tenant Wi-Fi, building management systems, CCTV, and access control all sharing network infrastructure.
The discipline skills: designing network segmentation zones based on trust and function, implementing default-deny firewall rules with iptables, building defense-in-depth across network, application, and identity layers, and verifying segmentation by scanning from inside each zone to prove boundaries hold.
The AI-direction lesson: you are testing your own designs, not just AI's code. AI will generate a segmentation architecture and firewall rules that look comprehensive on paper. The question is whether they actually stop the lateral movement techniques you already know how to use. AI defaults to allow-everything-then-block — the opposite of default-deny. It will produce firewall rules that exist in configuration but don't hold up when you scan from the attacker's position. The shift here is from verifying AI's output against provided targets to verifying AI's architectural decisions against your own offensive experience.
Your Role
You are designing the controls that would have stopped the attacks you've practiced in previous projects — and verifying them by attempting the same techniques against your own architecture. This is defense-focused work.
Templates and guides give you structure for the assessment and segmentation design. You are making architectural decisions about which systems belong in which zones and which traffic flows between them.
What's New
Last time you assessed a dual-surface platform, ran vulnerability scanners, exploited APIs, applied CIS Benchmarks, and authored a STRIDE threat model from scratch. You triaged automated findings against manual verification and wrote prevention-plus-detection pairings.
Network segmentation. Dividing a flat network into isolated zones based on trust and function. A tenant's compromised laptop should not be able to reach the building management system that controls fire suppression. The segmentation must be tested from the attacker's position — not by reading the firewall configuration, but by scanning from inside each zone to prove the boundaries hold.
Defense-in-depth. Controls at multiple layers so that failure at one layer does not mean failure everywhere. Network segmentation prevents lateral movement. Application authentication prevents unauthorized access. Monitoring detects what prevention misses. Each layer addresses a different failure scenario.
Default-deny firewall design. Start with nothing allowed. Add only the specific connections with a documented business justification. AI defaults to the opposite approach — allow everything, then try to block the bad things. The difference matters.
The hard part: you are testing your own work. The same lateral movement techniques you used in previous projects become your verification method. If your segmentation does not stop what you already know how to do, it does not work.
Tools
- Nmap — scanning from the attacker's position to verify segmentation. Continuing.
- Metasploit — lateral movement testing against your own segmentation. Continuing.
- Docker — multi-network container architecture simulating building infrastructure. Continuing with new network configurations.
- Grafana/Loki/Alloy — monitoring and detection across network segments. Continuing.
- Sigma — detection rules for lateral movement attempts. Continuing.
- iptables — firewall rule implementation. New at this level of detail.
- Claude Code — AI agent directing assessment, hardening, and documentation.
- Git/GitHub — version control and project submission.
Materials
- Scope document — assessment boundaries for all 12 buildings, rules of engagement, timeline, and points of contact.
- Network assessment guide — structured approach for connectivity testing, matrix template, and findings classification.
- Segmentation design template — zone definitions, traffic policy matrix, implementation checklist, and verification criteria.
- Docker environment — multi-building network with tenant Wi-Fi, BMS, CCTV, and access control containers, plus the monitoring stack.