Network Segmentation and Security Overview

Oct 5, 2024


Types of Segmentation

  • Physical Segmentation: Separate switches, cabling, and interfaces for each segment; in the strictest form (an air gap) there is no path between the segments at all.
  • Logical Segmentation: Separate segments on shared hardware, most often VLANs on network switches; traffic between VLANs has to pass through a router or firewall, which is where it can be filtered.
  • Virtual Segmentation: Segments built in software in virtualised or cloud environments, for example hypervisor virtual switches, cloud VPCs and subnets, and security groups.

Purpose of Segmentation

  • Performance Enhancement: Dedicating subnets to high-bandwidth applications keeps that traffic off the other segments.
  • Strategic Security:
    • Example: Users should not communicate directly with database servers. Instead, they interact with an application server, and only the application server is permitted to reach the database.
    • Firewalls or access control lists between the segments enforce that limit.
  • Compliance and Policies:
    • E.g., PCI DSS: isolating the systems that store, process, or transmit cardholder data from the rest of the network keeps the rest of the network out of PCI scope; without that separation, the whole network is in scope for the assessment.

Access Control Lists (ACLs)

  • Functionality: Allow or deny traffic through a network device or into a system, usually as an ordered list of rules where the first match decides and anything left unmatched is dropped (implicit deny).
  • Criteria for Control:
    • Source and destination IP addresses
    • Protocol and port numbers
    • Time of day
  • User-based Access: Rules that differ for regular users and administrators.
  • Configuration Caution: A rule set can easily lock out something essential, such as the administrator's own management access; before applying it, check that every required flow still passes.

Examples of ACL Permissions

  • Specific rules for user access:
    • Bob can read files on a resource.
    • Fred can access the network.
    • James can only access the network using TCP ports 80, 443, and 8088.
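A worked version of the three-tier example and of the ACL criteria above (source and destination address, protocol and port, time of day, user identity), including the lock-out check from the Configuration Caution. This is an added example, not code from the original notes; the subnets, hosts, user names and the list of "required" flows are assumed for illustration.

```python
"""First-match ACL evaluator for a three-tier network (added example, not
from the original notes). Rules are evaluated top to bottom; the first rule
whose criteria all match decides, and a flow matching no rule is dropped
(implicit deny), as on most firewalls and router ACLs. Subnets, hosts, user
names and the required-flow list are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: str = "0.0.0.0/0"            # source CIDR
    dst: str = "0.0.0.0/0"            # destination CIDR
    proto: str = "any"                # "tcp", "udp" or "any"
    dports: frozenset = frozenset()   # empty means any destination port
    user: Optional[str] = None        # identity-aware rule; None means any user
    start: Optional[str] = None       # time-of-day window "HH:MM", start inclusive
    end: Optional[str] = None         # "HH:MM", end exclusive; may wrap midnight

    def in_window(self, at: str) -> bool:
        if self.start is None:
            return True
        if self.start <= self.end:                  # e.g. 08:00-18:00
            return self.start <= at < self.end
        return at >= self.start or at < self.end    # e.g. 22:00-06:00

    def matches(self, f: dict) -> bool:
        return (ip_address(f["src"]) in ip_network(self.src)
                and ip_address(f["dst"]) in ip_network(self.dst)
                and (self.proto == "any" or f["proto"] == self.proto)
                and (not self.dports or f["dport"] in self.dports)
                and (self.user is None or f.get("user") == self.user)
                and self.in_window(f["at"]))


def flow(src, dst, dport, proto="tcp", user=None, at="12:00") -> dict:
    """A single connection attempt to test against the policy."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "user": user, "at": at}


def evaluate(rules, f: dict) -> str:
    """First matching rule decides; no match is an implicit deny."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "deny"


def locked_out(rules, required_flows):
    """Configuration check: return every flow the rule set would drop that the
    operator has declared essential (management access, backups, ...). Run it
    before pushing a change so an ACL never locks out admin access."""
    return [f for f in required_flows if evaluate(rules, f) != "allow"]


USERS, APP, DB = "10.1.0.0/24", "10.2.0.10/32", "10.3.0.5/32"   # constructed
ADMINS, CONTRACTORS = "10.9.0.0/24", "10.5.0.0/24"

# Three-tier policy: users never talk to the database directly.
POLICY = [
    Rule("deny",  src=USERS, dst="10.3.0.0/24"),            # explicit, documents intent
    Rule("allow", src=USERS, dst=APP, proto="tcp", dports=frozenset({443})),
    Rule("allow", src=APP,   dst=DB,  proto="tcp", dports=frozenset({5432})),
    # James may reach the network only on TCP 80, 443 and 8088.
    Rule("allow", src=USERS, user="james", proto="tcp",
         dports=frozenset({80, 443, 8088})),
    # Contractors reach the app tier during business hours only.
    Rule("allow", src=CONTRACTORS, dst=APP, proto="tcp",
         dports=frozenset({443}), start="08:00", end="18:00"),
    Rule("allow", src=ADMINS, dst="10.0.0.0/8", proto="tcp", dports=frozenset({22})),
]

# A careless change: a blanket deny to the app tier placed above the admin rule.
BAD_POLICY = POLICY[:-1] + [Rule("deny", dst="10.2.0.0/24"), POLICY[-1]]

REQUIRED_FLOWS = [flow("10.9.0.7", "10.2.0.10", 22)]   # admin SSH to the app server


if __name__ == "__main__":
    for f in (flow("10.1.0.25", "10.2.0.10", 443), flow("10.1.0.25", "10.3.0.5", 5432)):
        print(f["src"], "->", f["dst"], f["dport"], evaluate(POLICY, f))
    print("locked out by BAD_POLICY:", locked_out(BAD_POLICY, REQUIRED_FLOWS))
```

Rule order matters: the explicit deny for users to the database tier sits first, so a later, sloppier allow cannot reopen that path, and the James rule still cannot reach the database because the deny is evaluated before it. Running `locked_out` against the candidate rule set before deployment is the practical form of the Configuration Caution above.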

Application-based Segmentation

  • Application Allow and Deny Lists:
    • Allow List: Only the applications on the list can run; anything else is blocked by default.
    • Deny List: Every application can run except those specifically blocked.
    • Example: Antivirus software is a deny list: it blocks known malware and lets everything else run.
  • Windows Control (AppLocker rule conditions and Windows Firewall profiles):
    • Hash: An application is identified by a cryptographic hash of its file; a new version has a new hash, so the rule must be updated on every release.
    • Digital Signature Verification: Allowing applications signed by a trusted publisher, which survives version updates.
    • Location-based Permission: Allowing or blocking applications by the directory they run from; a path rule is only as strong as the permissions on that directory, so an allowed path must not be writable by ordinary users.
    • Network Zones: Windows Firewall applies a different rule profile depending on whether the network is classed as domain, private, or public.
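A worked evaluator for the allow-list and deny-list modes and for two of the rule conditions above, file hash and file location, together with the check for the path-rule weakness. This is an added example, not code from the original notes and not Windows' own policy engine; the rules, directories and the "approved" file bytes are constructed, and signature (publisher) rules are left out because verifying them needs the platform's signature API.

```python
"""Application allow-list / deny-list evaluator (added example, not from the
original notes and not Windows' own policy engine). It models two rule
conditions, file hash and install path, and the two policy modes: an allow
list blocks anything unmatched, a deny list runs anything unmatched. An
explicit deny always beats an allow. Paths are normalized before prefix
matching so "..\\" cannot escape an allowed directory. Rules, directories
and the "approved" file bytes are constructed for illustration.
"""
import hashlib
import ntpath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def norm(path: str) -> str:
    # Windows paths are case-insensitive; normpath collapses ".", ".." and "/" vs "\".
    return ntpath.normpath(path).lower()


def under(path: str, directory: str) -> bool:
    """True if path lies inside directory (after normalization)."""
    return norm(path).startswith(norm(directory).rstrip("\\") + "\\")


# (condition, value, action); value is a SHA-256 hex digest or a directory
APPROVED_TOOL = b"MZ-constructed-bytes-of-an-approved-portable-tool"
RULES = [
    ("path", r"C:\Program Files", "allow"),
    ("path", r"C:\Windows", "allow"),
    ("path", r"C:\Windows\Temp", "deny"),          # user-writable, so carved out
    ("hash", sha256_hex(APPROVED_TOOL), "allow"),  # approved wherever it sits
]


def decide(mode: str, rules, path: str, content: bytes) -> str:
    """Return "run" or "block". mode is "allow" (allow list) or "deny" (deny list)."""
    digest = sha256_hex(content)
    actions = set()
    for kind, value, action in rules:
        if (kind == "hash" and value == digest) or (kind == "path" and under(path, value)):
            actions.add(action)
    if "deny" in actions:
        return "block"
    if "allow" in actions:
        return "run"
    return "block" if mode == "allow" else "run"


def uncovered_writable(rules, writable_dirs):
    """Allow-list caveat: an allow path rule that contains a directory ordinary
    users can write to lets them drop and run their own binary unless a deny
    rule carves that directory out. Returns the writable dirs left uncovered."""
    allows = [v for k, v, a in rules if k == "path" and a == "allow"]
    denies = [v for k, v, a in rules if k == "path" and a == "deny"]
    gaps = []
    for w in writable_dirs:
        probe = ntpath.join(w, "dropped.exe")
        if any(under(probe, a) for a in allows) and not any(under(probe, d) for d in denies):
            gaps.append(w)
    return gaps


if __name__ == "__main__":
    for p in (r"C:\Program Files\Tool\tool.exe", r"C:\Users\bob\Downloads\tool.exe",
              r"C:\Program Files\..\Users\bob\evil.exe", r"C:\Windows\Temp\drop.exe"):
        print(p, "->", decide("allow", RULES, p, b"anything"))
    # The writable directories below are assumed for the check, not measured.
    print("writable dirs an allow rule still covers:",
          uncovered_writable(RULES, [r"C:\Windows\Temp", r"C:\Windows\Tasks"]))
```

The hash rule lets the approved tool run from any location while a new build of the same tool is blocked until its hash is added, which is the maintenance cost of hash rules; the path rules show why an allowed directory has to be checked for user-writable subdirectories, since otherwise the allow list is only as strong as the weakest ACL under that path.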