This blog entry is written in light of the latest NSA/CISA (equivalent to GCHQ/NCSC) best-practice guidance on network security hardening (here) and Kubernetes cloud security (here).
I diversify my firewalls with Cisco and Fortinet to increase security hardening, especially against zero-day vulnerabilities.
Additionally, I have separate physical and logical VLANs for WAN, DMZ and INTERNAL, with a two-tier NGFW architecture and SEL zero trust.
The Cisco 887 is the perimeter firewall, with security zones and customised parameter maps, and the FortiGate's NAC sits behind it nicely, with APIs and webhooks. Both have separate monitoring tools and APs for additional wireless v6 capabilities.
I diverge from the suggested best practice for managing the network. Only the external firewall can be accessed directly; the default SSH port 22 is blocked and a high-range custom rotary port on the VTY lines is used instead, which further evades attackers and means less utilisation is spent dropping unwanted attempts.
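As an added illustration (not the author's own configuration), the following Cisco IOS fragment shows how the two pieces described above fit together on a zone-based firewall: the WAN/DMZ/INTERNAL security zones with a customised inspect parameter map, and SSH management moved off port 22 onto a high-range rotary port on the VTY lines, restricted to a management source. Zone names follow the post; the port number 55022, the management host 192.0.2.10, the interface names, the ACL/class/policy names and the timer values are all assumed placeholders, and the port-22 deny on the WAN edge ACL is one way of "blocking" the default port, not necessarily the author's.

```cisco
! --- Assumed example, not the blog author's config ---
! Global inspect tuning: log drops so unwanted attempts are visible in syslog
parameter-map type inspect global
 alert on
 log dropped-packets enable
 max-incomplete low 100
 max-incomplete high 200
!
! Customised per-policy parameter map (timer values are placeholders)
parameter-map type inspect PM-TCP-STRICT
 tcp idle-time 3600
 tcp synwait-time 20
!
! Only the listed protocols are stateful-inspected from INTERNAL to WAN
class-map type inspect match-any CM-INTERNAL-TO-WAN
 match protocol dns
 match protocol http
 match protocol https
!
policy-map type inspect POL-INTERNAL-TO-WAN
 class type inspect CM-INTERNAL-TO-WAN
  inspect PM-TCP-STRICT
 class class-default
  drop log
!
! Three zones, matching the post's physical/logical segmentation
zone security WAN
zone security DMZ
zone security INTERNAL
!
zone-pair security ZP-INTERNAL-TO-WAN source INTERNAL destination WAN
 service-policy type inspect POL-INTERNAL-TO-WAN
!
! Edge ACL: default SSH port 22 is refused and logged at the WAN interface
ip access-list extended ACL-WAN-IN
 deny   tcp any any eq 22 log
 permit ip any any
!
interface Dialer0
 description WAN uplink (interface name assumed)
 zone-member security WAN
 ip access-group ACL-WAN-IN in
!
interface Vlan1
 description INTERNAL (interface name assumed)
 zone-member security INTERNAL
!
! Management: SSHv2 on a high-range rotary port instead of 22,
! reachable only from the management host listed in ACL-MGMT
ip ssh version 2
ip ssh port 55022 rotary 1
!
ip access-list standard ACL-MGMT
 permit 192.0.2.10
 deny   any log
!
line vty 0 4
 rotary 1
 access-class ACL-MGMT in
 transport input ssh
 exec-timeout 5 0
 login local
```

With this in place the VTY lines answer SSH only on the rotary port, connection attempts from outside the management ACL are refused and logged, and the edge ACL discards port-22 probes before they reach the control plane, which is the "less utilisation to drop unwanted attempts" effect the post describes. Verify on the box with `show ip ssh` (the rotary port should be listed) and `show policy-map type inspect zone-pair` for the zone-pair drop counters.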
What is your main concern for security? Is it cost, reliability, speed, or ease of management?
Edit: IPv6 best practices were released in 2023 (here).