I’ve just finished getting through security at O’Hare—what an adventure! There were crowds at the check-in, a long security line (luckily I had TSA pre-check), and what seemed like 500 gates I had to pass to get to my gate at the far end of the terminal.
We all understand why there are security checkpoints at the airport. They ensure that only those people who belong at the gate are at the gate, and also that there are no malicious actors on airplanes. But why are there so many gates? Luckily, they’re labelled in a logical and sequential order so I can find what I’m looking for.
So at the airport, multiple security checkpoints keep things safe, locked doors ensure I can’t enter areas I don’t belong, and logical labelling helps funnel me to where I need to be.
Network segmentation works in similar ways on network traffic. So what is network segmentation?
What is network segmentation?
In short, network segmentation is the concept of taking a computer network and breaking it down—logically and physically—into multiple smaller fragments.
Physical segmentation involves breaking down a large network into many smaller physical components. It normally involves investing in additional hardware such as switches, routers, and access points.
While physical segmentation can seem like the easy approach to breaking up a network, it’s often very costly and can lead to unintended issues. Think about having two Wi-Fi access points right beside each other, each broadcasting different SSIDs—it’s inefficient and may cause conflicts.
Logical segmentation is the more popular method of fragmenting a network into manageable chunks. Typically, logical segmentation doesn’t require new hardware, provided the infrastructure is already managed.
Instead, logical segmentation uses concepts already built into network infrastructure such as creating separate virtual local area networks (VLANs) that share a physical switch, or dividing different asset types into different Layer 3 subnets and using a router to pass data between the subnets.
The benefits of network segmentation
Now that we know how you might segment a network, the question becomes why. And there are plenty of great reasons. You might segment a network to achieve one or all of these things:
- Improve network visibility and monitoring
- Increase network security
- Control physical access to specific network equipment
- Reduce the blast radius during an outage or attack
- Increase network performance
Improve visibility and monitoring
Network segmentation allows you to introduce more points in the network where traffic can be inspected, counted, and monitored. For example, ensuring east-west traffic flows through a core router allows you to monitor traffic flowing between subnets.
Increase network security
By ensuring different groups of devices pass through a firewall, you can apply access control lists to the traffic and enable the concept of least privilege. It also allows the traffic to be inspected by security tools for potential threats.
Control physical access to specific network equipment
One result of physical segmentation is that different physical pieces of network equipment carry different traffic types. This allows you to remove physical access to network infrastructure by placing devices in separate data centers or separate locked racks. You see this type of segmentation more commonly in high-security environments.
Reduce the blast radius during an outage or attack
In a world where nothing ever went wrong, there’d be no need to contain a blast. But the reality is that broadcast storms, bandwidth hogs, and other network issues can affect an entire network—unless they’re limited to a local subnet. And when things do go wrong, segmentation significantly reduces your mean time to resolution by narrowing the focus area of your troubleshooting.
Increase network performance
Smaller subnets mean fewer hosts on each subnet. Fewer hosts mean you can build and enforce more granular Quality of Service policies. Fewer hosts also mean less traffic and a smaller broadcast domain. Reducing the broadcast domain reduces ‘noise.’ All in, network segmentation contributes to better performance across the board.
Common network segmentation use cases
This is all great in theory, but how and where would you actually segment your client networks? Here are a few common scenarios.
Creating a guest wireless network
Theoretically, a client’s guest network could be both wired and wireless, but nine times out of 10 the guest network is purely wireless. By implementing a new guest SSID and ensuring it’s configured to provide wireless isolation, you’re effectively creating a ‘mini-segment’ for each user of the guest Wi-Fi, allowing them to see the internet and nothing else.
Creating a voice network
Unlike guest networks, which are typically wireless, a voice network is normally wired. Low latency and low jitter are extremely important for high-quality voice over IP (VoIP), and mixing it with traditional data traffic can degrade the call experience. Voice networks are generally segmented into a separate voice VLAN and use a dedicated IP subnet range.
Separating user groups from services
Does every user and every department need access to the lab environment? Should the receptionist in your client’s office be able to pull reports from the accounting system? Probably ‘no’ on both counts. By separating user groups and services into their own Layer 3 network segments or subnets, you can create groupings of similar users and services. You can then build business logic around these groups, ensuring the right people can access the right things.
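As an added example (not code from the original post), here is a small model of the segmentation described in this section and in the guest Wi‑Fi and firewall‑ACL passages above: each asset type gets its own Layer 3 subnet, the inter-segment policy is default-deny, and a flow is passed only when an explicit rule allows it. The segment names, subnets, ports and rules are constructed assumptions for illustration, not a real client network.

```python
# Added example: a default-deny inter-segment policy for a segmented network.
# All segment names, subnets and rules below are constructed for illustration.
import ipaddress

# One Layer 3 subnet per asset type (constructed values).
SEGMENTS = {
    "users":      ipaddress.ip_network("10.10.10.0/24"),
    "accounting": ipaddress.ip_network("10.10.20.0/24"),
    "services":   ipaddress.ip_network("10.10.30.0/24"),
    "voice":      ipaddress.ip_network("10.10.40.0/24"),
    "guest":      ipaddress.ip_network("192.168.100.0/24"),
}

# Allow rules: (source segment, destination segment or "internet", TCP/UDP
# destination port, None = any port). Anything not listed is dropped, which is
# least privilege. Note there is no guest-to-guest rule: that is the wireless
# isolation the guest SSID provides, modelled here as a policy outcome.
ALLOW = [
    ("users", "services", 443),        # users reach the web front end only
    ("accounting", "services", 443),
    ("accounting", "accounting", None), # accounting system stays inside its segment
    ("voice", "voice", None),           # phones talk to phones and the PBX
    ("users", "internet", 443),
    ("accounting", "internet", 443),
    ("guest", "internet", None),        # guests see the internet and nothing else
]

def segment_of(ip):
    """Name of the segment containing ip, 'internet' for a public address,
    or None for a private address that belongs to no defined segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None if addr.is_private else "internet"

def is_allowed(src_ip, dst_ip, dst_port):
    """Evaluate one flow: first matching allow rule wins, otherwise deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # an address outside every segment is never trusted
    for s, d, port in ALLOW:
        if s == src and d == dst and port in (None, dst_port):
            return True
    return False

def audit(flows):
    """Return the (src, dst, port) flows the policy would drop, so an observed
    traffic sample can be checked against the intended segmentation."""
    return [f for f in flows if not is_allowed(*f)]
```

Feeding `audit()` a sample of observed flows shows which ones cross a segment boundary without a rule behind them, which is exactly where to look when a receptionist's workstation turns out to be able to reach the accounting server.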
I’ve just scratched the surface on network segmentation. If you’d like to learn more, I recommend the Australian Government’s guide on Implementing Network Segmentation and Segregation and Cisco’s Framework to Protect Data Through Segmentation as two great places to start.