Network Segmentation – CompTIA Security+ SY0-501 – 3.2

There are many reasons why you might need to segment the network. In this video, you’ll learn about the drivers of network segmentation and how to segment network services.

<< Previous Video: Secure Network Topologies Next: VPN Technologies >>

When we talk about segmenting the network, we’re usually talking about some type of physical, logical, or virtualized segmentation of the network. We’re usually accomplishing this using separate devices, separate VLANs, or virtualized networks. One of the reasons we might want to provide network segmentation is for performance. We may have an application that requires high bandwidth, and by segmenting those onto their own network, we can ensure the highest efficiency possible.

Another reason for segmenting the network might be for security. For example, we might want to have an application that communicates between a web server and a database server, but we might not want the users to have direct access to the database server. We might segment the users away from the core of our network. That way, we can monitor and make sure that the only thing that’s running inside the core are the protocols necessary for those applications.

And there might be a compliance reason to provide network segmentation. For example, PCI compliance requires that there’s segmentation between certain devices on the network. This segmentation tends to make change control much easier because you can make modifications to one part of the network without affecting the other parts.

If we create physical segmentation, then we have completely separate devices. We might have a switch A and a switch B and these devices do not communicate to each other directly. We would have to put an additional connection between these devices or some type of intermediate switch or router to provide any type of communication between switch A and switch B.

We might create this physical segmentation to have all web servers in one rack and all database servers in another rack and be able to monitor and maintain all of those individual components. Or we might have Customer A on one switch and Customer B on another switch and we want to be sure that the data between those customers is never going to intermix with each other.

Here’s a good example of a physical segmentation with Customer A and Customer B. And you can see that Customer A has two devices on their single switch and Customer B also has two devices on their switch. But because they are physically segmented, there’s no data that can move between either Customer A or Customer B.

One of the challenges with this type of configuration is that it can be relatively inefficient. You’ve got 24-port switches with only two devices on them, and these other interfaces aren’t used by any other device. You have the same situation with Customer B. You’ve also got some scalability problems. What if you had a thousand or 5,000 customers? You would need a lot of space in your data center to install a lot of separate switches when you’re physically segmenting.

Instead of dealing with the inefficiency of that physical segmentation, many people will segment the network logically. You can do this by using something like Virtual Local Area Networks, or VLANs. This is when you still have segmentation for Customer A and segmentation for Customer B, but this segmentation is built into the switch itself.

These two VLANs on the network are not able to communicate with each other. So Customer A’s data stays with Customer A’s VLAN and Customer B’s data stays on Customer B’s VLAN. The only way you would be able to connect these two VLANs together is with a router or some other type of layer 3 device.

If you want to take this segmentation up another layer, you can virtualize everything. Virtualize not only your network, but your servers, your routers, your switches, your load balancers, and anything else that might be part of the network infrastructure. You wouldn’t have any physical devices to be able to segment, but you are able to segment everything in this virtual environment.

This might also provide you some additional security features. For example, you could simply build a new network just by clicking a few buttons, create some separate subnets, and then put a firewall between those subnets to provide additional security all through this virtualized environment. If you wanted to remove the firewall, you click a button and the firewall disappears. If you need more security control, you can add more firewalls by simply moving these virtual devices inside of this virtual network.

And if you wanted the ultimate in physical segmentation, you would create an air gap. If you have separate physical devices, there’s usually some type of interconnectivity inside of your network. But on an air-gapped network, the devices are truly physically separated from each other. On an air gap network, no components are shared. There’s no possible way to communicate from one device to the other. And that way, you can be assured that there’s no way to get data from one of these devices to the other.

We often see this type of air-gap security on highly secure networks or networks that have very important applications, such as SCADA or manufacturing networks. Some technologies, though, have been known to jump the gap. For example, if you don’t disable the ability to use removable media, someone could plug into a device on one side of the air gap and simply walk it across the air gap and plug into the other device.