An organization that runs several container-based services wants to minimize spread from compromised workloads and restrict traffic across services. Which design approach aligns most with this objective?
Place detection sensors at the network boundary to flag and block suspicious behavior
Use a single flat network for containers along with a perimeter filter capturing cross-traffic logs
Forward all container traffic to a unified router that performs NAT and logs activity
Establish unique segments for each service, assigning rules that prevent cross-traffic unless explicitly required
Separating container-based workloads into distinct segments with fine-grained policies helps reduce sideways movement, a core principle of zero trust. Single-network or perimeter-focused solutions do not effectively isolate workloads nor limit cross-service traffic. Blocking suspicious behavior at a boundary or relying on network address translation without segmentation does not curtail the spread of threats when a workload is compromised.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'segmentation' mean in the context of network security?
Open an interactive chat with Bash
What is 'lateral movement' and why is it important to prevent it in containerized environments?
Open an interactive chat with Bash
What is zero trust and how does it apply to container security?