I’ve just finished getting through security at O’Hare—what an adventure! There were crowds at the check-in, a long security line (luckily, I had TSA pre-check), and what seemed like 500 gates I had to pass to get to my gate at the far end of the terminal. We all understand why there are security checkpoints at the airport. They ensure that only those people who belong at the gate are at the gate, and that there are no malicious actors on airplanes. But why are there so many gates? Luckily, they’re labelled in a logical and sequential order, so I can find what I’m looking for. At the airport, multiple security checkpoints keep things safe, locked doors ensure I can’t enter areas I don’t belong, and logical labelling helps funnel me to where I need to be. Both physical network segmentation and logical segmentation work in similar ways on network traffic. So, what is network segmentation, and how do you segment a network?
What is a network segment?
In short, network segmentation is the concept of taking a computer network and breaking it down—logically and physically—into multiple smaller fragments called network segments.
Physical network segmentation involves breaking down a large network into many smaller physical components. It normally involves investing in additional hardware such as switches, routers, and access points.
While physical network segmentation can seem like the easy approach to breaking up a network, it’s often very costly and can lead to unintended issues. Think about having two Wi-Fi access points right beside each other, each broadcasting different SSIDs—it’s inefficient and may cause conflicts.
Logical segmentation is the more popular method of fragmenting a network into manageable chunks. Typically, logical segmentation doesn’t require new hardware, provided the infrastructure is already managed.
Instead, logical segmentation uses concepts already built into network infrastructure such as creating separate virtual local area networks (VLANs) that share a physical switch, or dividing different asset types into different Layer 3 subnets and using a router to pass data between the subnets.
Why is network segmentation important?
Securing your digital assets is a top priority and while firewalls are very strict and capable of following established firewall rules, they do not achieve everything you need to keep your digital assets protected. They can also become outdated and only offer frontline defense.
As digital innovation delivers new services and network environments, risks increase. Attacks can occur beyond the traditional network boundaries. Although your security may be breached via something such as your smart lighting system, once the threat gains access to a flat network, it can gain access to confidential information. Network segmentation, however, reduces the risk of access to other data.
The benefits of network segmentation
Now that we know how and why you might decide to segment a network, let’s go over the benefits gained from network segmentation. You might segment a network to achieve one or all of these things:
- Improve network visibility and monitoring
- Increase network security
- Control physical access to specific network equipment
- Reduce the blast radius during an outage or attack
- Increase network performance
Improve visibility and monitoring
Network segmentation improves network visibility by allowing you to introduce more points in the network where traffic can be inspected, counted, and monitored. For example, ensuring east-west traffic flows through a core router allows you to monitor traffic flowing between subnets.
By ensuring different groups of devices pass through a firewall, you can apply access control lists to the traffic and enable the concept of least privilege. It also allows the traffic to be inspected by security tools such as the network traffic analysis tool that can evaluate for potential threats.
Reduce the blast radius during an outage or attack
In a world where nothing ever went wrong, there’d be no need to contain a blast. But the reality is that broadcast storms, bandwidth hogs, and other network issues can affect an entire network—unless they’re limited to a local subnet. And when things do go wrong, segmentation significantly reduces your mean time to resolution by narrowing the focus area of your troubleshooting.
Smaller subnets mean fewer hosts on each subnet. Fewer hosts mean you can build and enforce more granular Quality of Service policies. Fewer hosts also mean less traffic and a smaller broadcast domain. Reducing the broadcast domain reduces ‘noise.’ All in all, network segmentation contributes to better performance across the board.
Who needs network segmentation?
Any organization that runs internal systems needs network segmentation whether it be physical network segmentation or logical network segmentation. As networks grow in complexity, the need for segmentation becomes increasingly important. Although flat networks may take less time to implement, it is important to remember that flat networks allow threats to move laterally across the entire network with few obstacles and cannot provide the same benefits as network segmentation.
Implementing segmentation on enterprise networks involves greater intricacy and constant maintenance. Various parts of an enterprise network are separated to achieve multiple benefits. By splitting these networks using logical segmentation, enterprises stand to gain improved security, better access control, improved network management, and a boost in performance.
Rather than relying on labor-intensive manual mapping processes, enterprises can opt for better solutions such as automated network infrastructure mapping tools and cloud-based network monitoring.
To find out more about how Auvik can help you gain instant insights into the networks you manage, simply contact us
Common network segmentation use cases
This is all great in theory, but how and where would you actually segment your networks? Here are a few common scenarios.
Creating a guest wireless network
Theoretically, a client’s guest network could be both wired and wireless but nine times out of 10 the guest network is purely wireless. By implementing a new guest SSID and ensuring it’s configured to provide wireless isolation, you’re effectively creating a ‘mini-segment’ for each user of the guest Wi-Fi, allowing them to see the internet and nothing else.
Creating a voice network
Unlike guest networks that are typically wireless, a voice network is normally wired. Low latency and low jitter are extremely important for high-quality voice-over IP (VoIP), and mixing it with traditional data traffic can reduce the call experience. Voice networks are generally segmented into a separate voice VLAN and use a dedicated IP subnet range.
Separating user groups from services
Does every user and every department need access to the lab environment? Should the receptionist in your client’s office be able to pull reports from the accounting system? Probably ‘no’ on both counts. By separating user groups and services into their own Layer 3 network segments or subnets, you can create groupings of similar users and services. You can then build business logic around these groups, ensuring the right people can access the right things.
I’ve just scratched the surface on network segmentation. If you’d like to learn more, I recommend the Australian Government’s guide on Implementing Network Segmentation and Segregation and Cisco’s Framework to Protect Data Through Segmentation as two great places to start.
Your network monitoring and management system should enhance your security and work strategically with your network segmentation initiatives. Auvik’s team follows strict protocols to ensure the networks you manage stay safe. Start your free trial today to discover why IT teams use Auvik to monitor and manage their networks and mitigate business risk.