3.3 Protecting Networks - Segmentation
Network segmentation is the practice of dividing a larger computer network into smaller, isolated subnetworks, or subnets. This architectural approach is a fundamental strategy for enhancing both network performance and security. By creating boundaries between different parts of the network, organizations can control the flow of traffic and contain the impact of a potential security breach.
Several techniques can be used to achieve network segmentation:
- Screened Subnet (DMZ): A demilitarized zone (DMZ) is a network segment that is positioned between an organization's private internal network and an untrusted external network, such as the internet. It is created using firewalls to control traffic flow. The DMZ typically hosts an organization's public-facing services, like web and email servers. This setup allows external users to access these public services without being granted access to the sensitive internal network.
- Subnetting: This is the process of dividing a network into multiple smaller subnets based on IP addressing. Each subnet operates as a distinct network, and traffic between subnets must typically pass through a router or firewall. This allows for the application of different security policies to each subnet and helps to contain a breach. If a device on one subnet is compromised, the segmentation can prevent the adversary from easily moving to devices on other subnets.
- Virtual LANs (VLANs): VLANs provide a way to logically group devices together, even if they are physically connected to different switches. A switch can be configured to assign different ports to different VLANs, effectively creating separate broadcast domains. This isolates traffic at Layer 2, meaning that devices in one VLAN cannot directly communicate with devices in another VLAN without the traffic being routed between them, typically through a firewall.
Network segmentation significantly increases security by isolating network traffic. This isolation is crucial for containing security incidents. For example, if a malware infection occurs on a workstation in a user VLAN, segmentation can prevent it from spreading to critical servers located in a separate server VLAN.
Furthermore, segmentation allows for the implementation of more granular security policies. Different network segments can be assigned different levels of trust and security controls. A research and development network, for instance, can be placed in a highly secure zone with strict access controls, while a guest network can be completely isolated from all internal resources.
On a more granular level, security can be enhanced at the switch level using port security. This feature can be configured on a switch to limit the number of MAC addresses that are allowed to connect to a specific port. If an unauthorized device is connected, or if an attacker attempts a MAC flooding attack by sending frames from many different MAC addresses, port security can shut down the port, preventing the attack and alerting administrators to the suspicious activity.
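The port-security behaviour described above, as an added Python model that is not part of the original notes: a port learns up to a configured number of source MAC addresses and treats any further address as a violation, either shutting the port down or dropping the offending frames while counting them. The port names, MAC addresses and the mode names "shutdown" and "restrict" are constructed assumptions.

```python
"""Model of switch port security as the section describes it: a port learns
up to `max_macs` source MAC addresses; frames from any further MAC are a
violation. In 'shutdown' mode the port is disabled and an alert is recorded;
in 'restrict' mode the offending frame is dropped and counted. The frames
below are constructed to stand in for a MAC-flooding attempt on one port."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_macs: int = 1
    violation: str = "shutdown"          # "shutdown" or "restrict"
    learned: set = field(default_factory=set)
    enabled: bool = True
    violations: int = 0
    alerts: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Process one inbound frame; return True if it is forwarded."""
        if not self.enabled:
            return False                   # a shut-down port drops everything
        if src_mac in self.learned:
            return True                    # known address on this port
        if len(self.learned) < self.max_macs:
            self.learned.add(src_mac)      # learn a new address within the limit
            return True
        self.violations += 1               # limit exceeded: security violation
        self.alerts.append(f"{self.name}: violation from {src_mac}")
        if self.violation == "shutdown":
            self.enabled = False           # port shut; an admin must re-enable it
        return False


def run_flood(port: SecurePort, frames: list) -> dict:
    """Feed constructed frames to a port and summarise the outcome for review."""
    forwarded = sum(port.ingress(mac) for mac in frames)
    return {"forwarded": forwarded, "violations": port.violations,
            "enabled": port.enabled, "learned": sorted(port.learned)}


# Constructed traffic: the legitimate host, then spoofed frames from a flood.
FLOOD = ["aa:aa:aa:00:00:01"] * 3 + [f"de:ad:be:ef:00:{i:02x}" for i in range(5)]

if __name__ == "__main__":
    print(run_flood(SecurePort("Gi0/1"), FLOOD))                       # shutdown mode
    print(run_flood(SecurePort("Gi0/2", violation="restrict"), FLOOD))  # restrict mode
```

In shutdown mode the first spoofed frame disables the port, so later frames (including any from the legitimate host) are dropped until an administrator re-enables it; in restrict mode the legitimate host keeps working while each spoofed frame is counted.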