An organization that runs several container-based services wants to minimize spread from compromised workloads and restrict traffic across services. Which design approach aligns most with this objective?
Establish unique segments for each service, assigning rules that prevent cross-traffic unless explicitly required
Place detection sensors at the network boundary to flag and block suspicious behavior
Forward all container traffic to a unified router that performs NAT and logs activity
Use a single flat network for containers along with a perimeter filter capturing cross-traffic logs
Separating container-based workloads into distinct segments with fine-grained policies helps reduce sideways movement, a core principle of zero trust. Single-network or perimeter-focused solutions do not effectively isolate workloads nor limit cross-service traffic. Blocking suspicious behavior at a boundary or relying on network address translation without segmentation does not curtail the spread of threats when a workload is compromised.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is zero trust in network design?
Open an interactive chat with Bash
What is micro-segmentation, and how does it enhance security?
Open an interactive chat with Bash
Why is a flat network design not ideal for container security?