Network Segmentation Explained

Network segmentation is a core network security strategy. It splits a single physical network into smaller logical sub-networks, called segments, so that administrators can apply security measures and controls tailored to each segment instead of one policy for the whole network.

If a network keeps all resources in a single segment, the network becomes an easy target for hackers: a single security breach grants access to the entire network. Separating different types of systems and environments from one another is therefore an essential security requirement. For example, a hotel that offers wireless access to its guests should ensure that the guest wireless network is isolated from the hotel’s corporate systems. You can do network segmentation in many ways. The most popular and widely used methods are the following.

Physical separation

Physical separation is the easiest method of network segmentation. It connects only the segments that need connectivity. For example, suppose you have a network of ten computers, of which five must be in one segment and the remaining five in another, and you need no connectivity between the two segments. In this situation, you can use physical separation: keep five computers in the first segment and the remaining five in the second, and do not create any physical connection between the two segments.


Subnetting

Subnetting is the most popular method of network segmentation. Unlike physical separation, which separates segments physically, subnetting breaks the network up logically. It uses the software address of each device to create a boundary between segments. Devices in different segments cannot communicate directly; they can communicate only through a router. To allow communication between two segments, you must connect them via a router.
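The following added example (illustration code written for this page, not part of the original tutorial) shows the mechanism behind the subnet boundary: a host ANDs addresses with the subnet mask, and only when source and destination share the resulting network address does it send the frame directly; otherwise the packet goes to the router. The host addresses, prefix length and gateway address are constructed sample values.

```python
"""Added example (not from the tutorial): how a host decides whether a
destination lies in its own subnet, reachable directly, or in another
subnet, reachable only through the router. The addresses and the gateway
below are constructed sample values."""
import ipaddress


def network_of(addr: str, prefixlen: int) -> str:
    """Compute the network address by ANDing the host address with the
    subnet mask, the way an IPv4 stack does before choosing a next hop."""
    addr_int = int(ipaddress.IPv4Address(addr))
    mask_int = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(addr_int & mask_int))


def same_subnet(src: str, dst: str, prefixlen: int) -> bool:
    """True when src and dst share the same network bits, i.e. they sit in
    the same segment and can exchange frames without a router."""
    return network_of(src, prefixlen) == network_of(dst, prefixlen)


def next_hop(src: str, dst: str, prefixlen: int, gateway: str) -> str:
    """Where the source host sends the frame: straight to dst when it is
    on-link, otherwise to its default gateway (the router joining segments)."""
    if same_subnet(src, dst, prefixlen):
        return dst
    return gateway


if __name__ == "__main__":
    # Constructed topology: 192.168.1.0/24 and 192.168.2.0/24, joined by a
    # router whose interface in the first segment is 192.168.1.1 (assumed).
    host_a, host_b, host_c = "192.168.1.10", "192.168.1.20", "192.168.2.20"
    print(next_hop(host_a, host_b, 24, "192.168.1.1"))  # 192.168.1.20: direct
    print(next_hop(host_a, host_c, 24, "192.168.1.1"))  # 192.168.1.1: via router
```

Note that the decision depends only on the mask and the addresses. If the router between the two segments carries no route, or an ACL on it blocks the traffic, the packet handed to the gateway simply never reaches the other segment, which is exactly what makes the router the enforcement point for a subnet-based design.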


VLANs

A VLAN is another popular method of network segmentation. Unlike subnetting, which uses software addresses to break up the network, a VLAN uses hardware addresses for network segmentation. All devices on a network need both a software address and a hardware address to communicate. VLANs use hardware addresses to create a boundary between segments. Devices in different VLANs cannot communicate directly. To allow communication between two VLANs, you must connect them via a router.
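As an added example (written for this page, not taken from the tutorial or any vendor's code), the model below simulates a switch whose access ports belong to VLANs. It shows that the switch learns hardware addresses per VLAN and floods or forwards frames only to ports in the same VLAN, so a host in VLAN 20 never receives a frame from VLAN 10 even when it knows the destination's hardware address. Port numbers, VLAN IDs and MAC addresses are constructed sample values.

```python
"""Added example (not from the tutorial): a minimal model of a switch whose
access ports are assigned to VLANs. MAC learning and frame forwarding are
both confined to the VLAN of the ingress port, so hosts in different VLANs
never see each other's frames through the switch alone. Port numbers,
VLAN IDs and MAC addresses are constructed sample values."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self, port_vlan):
        # access port number -> VLAN ID (constructed assignment)
        self.port_vlan = dict(port_vlan)
        # forwarding table keyed per VLAN: (vlan, mac) -> port
        self.mac_table = {}

    def ports_in_vlan(self, vlan):
        return sorted(p for p, v in self.port_vlan.items() if v == vlan)

    def receive(self, in_port, src_mac, dst_mac):
        """Return the list of egress ports for one frame."""
        vlan = self.port_vlan[in_port]
        # learning is scoped to the VLAN: the same MAC seen in another VLAN
        # would be a separate table entry
        self.mac_table[(vlan, src_mac)] = in_port
        known = self.mac_table.get((vlan, dst_mac))
        if dst_mac == BROADCAST or known is None:
            # broadcast and unknown unicast are flooded, but only to ports of
            # the same VLAN; the VLAN boundary is never crossed
            return [p for p in self.ports_in_vlan(vlan) if p != in_port]
        return [known]


def delivered_to(switch, in_port, src_mac, dst_mac, dst_port):
    """True when a frame entering in_port would reach the port where the
    destination host is attached."""
    return dst_port in switch.receive(in_port, src_mac, dst_mac)


def build_demo_switch():
    # Constructed layout: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20.
    return VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})


if __name__ == "__main__":
    sw = build_demo_switch()
    # host A (port 1) and host B (port 2) share VLAN 10
    print(delivered_to(sw, 1, "00:00:00:00:00:0a", "00:00:00:00:00:0b", 2))  # True
    # host C (port 3, VLAN 20) cannot reach host A through the switch
    print(delivered_to(sw, 3, "00:00:00:00:00:0c", "00:00:00:00:00:0a", 1))  # False
```

The router mentioned in the text is what is missing from this model: to let VLAN 10 and VLAN 20 talk, a router interface (or a routed interface on the switch) would have to be a member of both VLANs, and that is where the controls between the two segments belong.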


ACLs

An ACL (Access Control List) is an advanced method of network segmentation. It works on a router or switch. It contains a list of entries. Each entry consists of a hardware or software address and a specific action. When the router receives a data packet, it compares the address of the data packet with the ACL entries. If it finds a match, it takes the action specified in the entry.
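The matching process described above is easy to get wrong in practice because entries are checked in order and the first match decides. The following added example (illustration code written for this page, not the tutorial's own or any vendor's implementation) evaluates a small access list the way a router does, including the implicit deny that applies when no entry matches, and shows how swapping two entries changes the result. The networks and packet addresses are constructed sample values.

```python
"""Added example (not from the tutorial): an access list evaluated the way
routers do it, top to bottom, first match wins, with an implicit deny when
nothing matches. The networks and packets are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network       # matched against the packet source address
    dst: ipaddress.IPv4Network       # matched against the packet destination address


def build_acl(rules):
    """rules: iterable of (action, source_cidr, destination_cidr), in order."""
    return [AclEntry(a, ipaddress.ip_network(s), ipaddress.ip_network(d))
            for a, s, d in rules]


def evaluate(acl, src_ip, dst_ip):
    """Return (action, index of the matching entry or None). The index is
    1-based to mirror how entries are numbered in router configurations."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for idx, entry in enumerate(acl, start=1):
        if src in entry.src and dst in entry.dst:
            return entry.action, idx     # first match wins
    return "deny", None                  # implicit deny at the end of every ACL


# Constructed policy: one segment (10.1.1.0/24) may reach the protected
# segment 10.2.2.0/24, the rest of 10.1.0.0/16 may not, everything else passes.
DEMO_ACL = build_acl([
    ("permit", "10.1.1.0/24", "10.2.2.0/24"),
    ("deny",   "10.1.0.0/16", "10.2.2.0/24"),
    ("permit", "0.0.0.0/0",   "0.0.0.0/0"),
])

# The same entries with the first two swapped: the broader deny now shadows
# the specific permit, a common ordering mistake.
MISORDERED_ACL = build_acl([
    ("deny",   "10.1.0.0/16", "10.2.2.0/24"),
    ("permit", "10.1.1.0/24", "10.2.2.0/24"),
    ("permit", "0.0.0.0/0",   "0.0.0.0/0"),
])


if __name__ == "__main__":
    for name, acl in (("DEMO_ACL", DEMO_ACL), ("MISORDERED_ACL", MISORDERED_ACL)):
        print(name, evaluate(acl, "10.1.1.5", "10.2.2.9"))
```

When auditing a segmentation boundary, the returned entry index is the useful part: it tells you which line actually decided the packet's fate, which is how shadowed or never-hit entries are found.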


Firewalls

A firewall is another method of network segmentation. It works like an ACL, but it is more flexible than ACLs. It is available in two variations: hardware and software. A hardware firewall uses a dedicated device. A software firewall is an application. It installs and works just like other regular applications.


Virtualization

Virtualization is a newer method. It virtualizes the hardware, so you can create a separate virtual instance for each segment. Each instance works as an isolated segment until you virtually connect it to the others.

Benefits/advantages of network segmentation

Following are the benefits of network segmentation.

  • It adds security to the network. Since each segment works independently, a security breach affects only the segment where it occurs.
  • It makes management easy. An administrator needs to focus only on their assigned segment.
  • It makes troubleshooting simple. Since each segment works independently, you only need to troubleshoot the segment where the glitch occurs.

Requirement for network segmentation

Network segmentation is optional. If you have a small network and have no additional requirements, there is no need to use network segmentation. The following are some situations where you can benefit from network segmentation.

Legacy systems

If you have a legacy system running deprecated applications or protocols, you can put the legacy system in a separate segment. Developers do not provide security updates and patches for deprecated software. Keeping a legacy system with newer systems would lower the security of the newer systems. For example, if your network has a Windows 7 system running a legacy application, you can segment it from other systems.

Separating networks

Most attacks come from public networks. The Internet is the largest public network. If you do not use the Internet on some of your systems, you can segment them from other systems. It will reduce the chances of attacks from the Internet.

Honeypots

Companies use honeypots to trick hackers. A honeypot is a fake system designed to attract a hacker to attack it instead of attacking a production system. If you deploy a honeypot system, you can segment it from other production systems. It will ensure the hacker who tries to hack into the honeypot does not see the production system or network.

Testing Labs

Companies use testing labs to test their products before launching them. Typically, they configure lab systems for ease of use and to expose as many errors as possible. For example, they may use the same password on all systems, lower security settings, allow root login, etc. Since testing lab systems have fewer security features, companies segment testing labs from production systems.

Load balancing

You can use network segmentation for load balancing. For example, instead of running a service on a single server, you can place it on two or more servers and use segmentation to separate the traffic of each server. It will improve network performance as well.

Compliance

You can use network segmentation to comply with regulations or other requirements. For example, a company may not support its product unless you separate it from other types of systems. Similarly, PCI DSS (Payment Card Industry Data Security Standard) requires isolating any system storing or processing credit card data on its own network segment.

Conclusion

In this tutorial, we discussed network segmentation and its types. We learned how network segmentation works and when it gives maximum benefits.

Source: ComputerNetworkingNotes, CCNA Study Guide, "Network Segmentation Explained"