Network Segmentation – CompTIA Network+ N10-007 – 4.6


Network segmentation can provide significant security benefits. In this video, you’ll learn about physical segmentation, logical segmentation, and the use of DMZs.



When someone is talking about segmenting the network, they’re usually talking about segmenting things into separate devices or perhaps separate VLANs or virtual networks. We might want to do this for performance reasons. If we can separate the network into smaller pieces, we may have the opportunity to increase the throughput of certain servers and other devices.

There may also be a good security reason to keep the network segmented. For example, you might want to be sure that certain users aren’t able to communicate to certain servers. Or maybe certain applications should only communicate to each other, so we can segment those so that no other devices would be on that network. Or this might be a compliance issue. You may want to be sure that credit card information or health care information is segmented from other parts of the network.

With physical segmentation, we have completely separate devices, for example, switch A and switch B. These are physically separate devices, and they are not connected to each other. The only way that these two devices would be able to communicate with each other is if you did connect them together in some way: either directly, through another switch, or through a router.

You might use physical segmentation to completely separate devices from each other. For example, you may have all of your web servers in one rack and all of your database servers in another. And both of those are communicating on their own switches.

This physical segmentation may also be based on the applications you’re using. For example, you may have all of the application A servers segmented in their own rack with their own switch and then have all of your application B servers segmented in a completely different rack with a completely different switch.

Or this might help you keep customer information separated. You might have all of the customer A information on one physical switch and all of the customer B servers and information on a physically separate switch. Here’s an example of physically separating the switches for customer A and customer B. You can see the customer A services are on their own physical switch. And customer B is on their own physical switch. And there’s no connection between either of those different networks. This means for every single customer that we have, we may have to put a completely separate physical switch in our rack. So we may need to build out a separate infrastructure every time we bring in a new customer.

One of the things you’ll also notice about this is that customer A has 2 devices, but has a 24-port switch. Customer B also has only 2 devices, and, again, there’s another 24-port switch. So there’s a lot of wasted real estate and interfaces that aren’t being used on these two switches.

One way to maintain this separation but have an efficiency in the number of devices is to separate these two customers by VLAN, or Virtual Local Area Network. Instead of physically separating these customers, we’re logically separating these customers. There’s still a separation of networks on this single switch, but customer A is on one VLAN and customer B is on the other VLAN. And even though these two customers are on the same physical switch, these two VLANs cannot communicate with each other.

If you do need to enable communication between two separate VLANs, you would use a router or some other layer 3 device. In high-security environments like this one, you may put a firewall in between these VLANs and have the firewall act as a layer 3 device. That would allow customer A and customer B to communicate to each other, but only using the very specific security rules that you’re configuring in the firewall.

Of course, one of the common uses of a firewall is to sit between the internet and our internal network. This is going to keep anybody from the internet from directly accessing any of the resources that are on the inside of our network. But we may have certain servers and services that we would like to make available to the internet, but we still want to prevent anyone from coming into our internal network. In those cases, we would create a DMZ. This comes from the military term “demilitarized zone,” which is an additional layer of security between two different points.

So instead of having these externally accessible services on our internal network, we would create a completely separate segmented network for those services. So we’ll add our server to the DMZ. And then we’ll create rules in our firewall that will allow people access from the internet to the DMZ, but prevent any access from the internet to our internal network.
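As an added example (not from the video or from CompTIA), here is a small Python model of the two policies described above: customer VLANs that can only reach each other through the specific rules a firewall allows, and a DMZ that the internet may reach while the internal network stays closed. The zone names, subnets, VLAN numbers, ports and rules are all constructed for illustration.

```python
"""Zone-based segmentation policy model (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone map: each segment is identified by its subnet.
# "internet" is the 0.0.0.0/0 catch-all and is matched last.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "customer_a": ip_network("10.10.0.0/24"),   # VLAN 10 (constructed)
    "customer_b": ip_network("10.20.0.0/24"),   # VLAN 20 (constructed)
    "dmz": ip_network("192.168.100.0/24"),
    "internal": ip_network("10.0.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

# Constructed rulebase; first match wins, implicit deny at the end.
RULES = [
    Rule("internet", "dmz", 443, "allow"),          # public web server in the DMZ
    Rule("internet", "internal", None, "deny"),     # internet never reaches the inside
    Rule("dmz", "internal", None, "deny"),          # a DMZ host gets no further inward
    Rule("internal", "dmz", None, "allow"),
    Rule("internal", "internet", None, "allow"),
    Rule("customer_a", "customer_b", 8443, "allow"),  # the one sanctioned inter-VLAN flow
]

def zone_of(addr: str) -> str:
    """Return the zone whose most specific subnet contains addr."""
    ip = ip_address(addr)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if ip in net:
            return name
    return "internet"

def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Decide a flow: same segment is switched locally, else walk the rules."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # same VLAN: the layer 3 firewall is not in the path
    for r in RULES:
        if r.src == src and r.dst == dst and r.dport in (None, dport):
            return r.action
    return "deny"  # implicit deny: no rule matched

if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.168.100.10", 443),
                 ("203.0.113.5", "10.0.1.20", 443),
                 ("10.10.0.5", "10.20.0.5", 8443),
                 ("10.20.0.5", "10.10.0.5", 8443)]:
        print(flow, "->", evaluate(*flow))
```

The reverse customer B to customer A flow is denied because rules are directional; a real firewall would need a matching rule (or stateful return traffic handling) for that path to open.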