100%
GRIMOIRE
GrimoireDindon CorpusSynthesis VolumesThe Foundation of Iron
FRENAR
RATIO
THE FOUNDATION OF IRON · COURSE MATERIAL · WEEK 26
◆◆◆
NETWORK SECURITY
SYNTHESIS AND FINAL DEFENCE
Week 26 of 26 · Block 10 — Programme Close
6h theory · 29h practice
◆ FINAL WEEK OBJECTIVES

1. Implement network ACLs and a basic perimeter firewall
2. Carry out an end-to-end security audit on the full infrastructure
3. Synthesise the 25 weeks into a coherent enterprise architecture
4. Present and defend the full programme in a final defence
5. Identify personal progression paths and target certifications

◆◆◆
⚠ WARNING — SHELF LIFE OF VERSIONS REFERENCED HERE

Firewall and network ACL tools and syntax evolve with system and equipment versions. The network security principles presented here are stable; the instructor adapts specific commands to the environment available at the time of delivery.

Amine RAITI · Infrastructure Architect & SRE
Public document · CC BY-NC-SA 4.0 · AI Powered by Amine
Opération Dindon
RATIO
COURSE OUTLINE · 6H
THEORY GUIDING THREAD
26.1 · Network ACLs and perimeter filtering3h
— ACL (Access Control List): a set of filtering rules applied to network traffic on a router or firewall
— ACL logic: each rule defines a criterion (source, destination, port, protocol) and an action (allow or deny) — direct link with the Boolean logic from Week 3
— Rule order: the first matching rule applies, the rest are ignored — order matters
— Perimeter firewall vs host firewall (Week 15): the former filters traffic between network zones, the latter protects a single system
26.2 · Network security zones2h
— DMZ (demilitarised zone): intermediate zone for servers exposed to the internet (Week 24 web server) — neither fully inside nor fully outside
— Internal network: private infrastructure (AD Week 22, servers Weeks 8-15)
— General principle: filter inbound traffic, control outbound, log what is denied
26.3 · End-to-end security audit1h
— Audit method: asset inventory → access check → update check → log check → report
— This week is the first opportunity to see the infrastructure as a whole and identify inconsistencies across weeks
RATIO
EXERCISE 1 · NETWORK ACLs AND END-TO-END SECURITY AUDIT · 14H

Equipment: the full infrastructure from previous weeks (hypervisor, Linux and Windows VMs, AD, DNS, DHCP, web, database, VLANs), network simulator for ACLs.

(3h) Configuring network ACLs in the simulator (provided topology): allow outbound HTTP/HTTPS traffic from the internal network, deny all direct traffic from the internet to internal servers, allow only the web server (DMZ) to be reachable from the internet on ports 80 and 443.
(3h) Testing the ACLs: generate test traffic in both directions (allowed and denied), check the filtering logs, adjust rules in case of unexpected behaviour.
(4h) End-to-end security audit on the real infrastructure: inventory of all services exposed on each VM, update check (Linux and Windows), active user account check (domain and local), host firewall rules check on each machine, backup policy check (are all machines backed up?).
(2h) Writing the audit report: list of identified vulnerabilities classified by criticality (high, medium, low), corrective recommendations for each.
(2h) Fixing the high-criticality vulnerabilities identified during the audit — demonstrating that an audit is only useful if followed by concrete action.
SOLUTION — EXERCISE 1

Expected audit report structure: for each vulnerability — affected system, problem description, criticality level, potential impact, precise corrective recommendation. An audit report without a concrete recommendation is useless.

Typical vulnerabilities to find in the training infrastructure: SSH still on the default port if missed in Week 15, missing updates on a VM not touched for several weeks, local administrator account with a weak password on a machine not joined to the domain, database server (Week 25) with its port accessible from outside the internal network.

RATIO
EXERCISE 2 · FINAL SYNTHESIS PROJECT — COMPLETE ENTERPRISE ARCHITECTURE · 15H

Brief: the trainee produces the technical dossier of a complete fictitious enterprise infrastructure, building on all 25 previous weeks. This dossier is the centrepiece of the final defence.

(3h) Global architecture diagram: representing the full deployed infrastructure (physical and logical) — network layers (VLANs, routing, firewall), virtualisation layer, OS layer (Linux and Windows Server), services layer (AD, DNS, DHCP, web, database).
(3h) Security dossier: summary of applied measures (OS hardening Week 15, network segmentation Week 18, ACLs Week 26, password policy GPO Week 23), audit report (Exercise 1), remediation plan.
(3h) Continuity plan: complete backup strategy (which machines, what frequency, what retention, what RTO/RPO), HA cluster configured, restoration procedure tested.
(3h) Programme review: a personal table listing acquired skills, identified gaps, topics to go deeper on, target certifications matched to the built profile.
(3h) Preparing the defence: writing presentation materials, rehearsal, identifying 3 strengths and 3 areas for improvement in one's architecture.
FINAL PROJECT ASSESSMENT GRID

Criterion 1 — Architecture completeness (25%): all components are present, operational and documented — from the physical layer (Week 6) up to the application services (Weeks 24-25).

Criterion 2 — Coherence and integration (25%): components articulate logically — DNS (Week 21) feeds AD (Week 22), VLANs (Week 18) align with GPOs (Week 23), backups (Week 14) cover all critical VMs.

Criterion 3 — Applied security (25%): Week 15 and Week 26 principles are genuinely implemented, not just mentioned — the audit report proves actual verification.

Criterion 4 — Critical perspective (25%): the trainee accurately identifies what works, what is missing, and what they would do differently with more time or resources.

RATIO
FINAL DEFENCE · 26-WEEK PROGRAMME

Format: 30 minutes of presentation + 15 minutes of questions per trainee. The defence covers the full programme — from electricity (Week 1) to network security (Week 26).

(10 min) Presenting the complete architecture: annotated global diagram, justification of structural choices — why this VLAN here, why that server there, why this service sequencing.
(10 min) Live demonstration: 4 features of the trainee's choice representing 4 different blocks — at minimum one networking demo, one OS demo, one service demo (AD, web or database), one security demo.
(10 min) Personal review: what was difficult, what is now mastered, honestly identified gaps, planned certifications and why they match the built profile.
(15 min) Jury questions: the instructor explores grey areas — technical decisions the trainee did not have time to justify, unexpected failure scenarios, edge cases of the architecture.
NOTE FOR THE INSTRUCTOR — CONDUCTING THE FINAL DEFENCE

Discriminating questions: "If your single domain controller fails at 8am on a Monday morning, what happens to the 50 users arriving at the office?"; "Your web server now serves personal data — what are the first three security measures you would add?"; "A colleague tells you ping no longer works between two VMs — where do you start?"

What this defence validates: not memorising commands — that is available to anyone with a search engine. What it validates is the ability to reason about a complex system, identify the relevant layer, propose a structured diagnostic method, and make justified decisions under uncertainty.

◆ FULL PROGRAMME REVIEW — THE 9 BRICKS OF THE FOUNDATION OF IRON
Brick 1 — Electricity and physics (W1): voltage, current, power — the foundation of everything.
Brick 2 — Digital and logic (W2-W3): binary, octal, hexadecimal, Boolean algebra.
Brick 3 — Physical automation (W4-W5): microcontroller, sensors, actuators, integrating project.
Brick 4 — Microcomputing and storage (W6-W7): PC/server hardware, BIOS/UEFI, filesystems, RAID, disk images.
Brick 5 — Bare metal OS (W8-W16): Linux (W8-W10), Windows Server (W11-W12), virtualisation (W13), HA/backup (W14), OS security (W15), mid-programme defence (W16).
Brick 6 — Foundational networking (W17-W19): OSI, addressing, switching, VLANs, routing.
Brick 7 — Network services (W20-W21): DHCP, DNS — automatic naming and addressing infrastructure.
Brick 8 — Enterprise services (W22-W25): Active Directory, GPO, HTTPS web server, relational database.
Brick 9 — Network security and synthesis (W26): ACLs, perimeter firewall, audit, complete architecture, final defence.