Understanding Network Segmentation and Access Control

May 26, 2025

Lecture Notes: Network Segmentation and Access Control

Network Segmentation

Types of Segmentation

  • Physical Segmentation
    • Physically separating devices in a network.
  • Logical Segmentation
    • Often implemented in network switches using VLANs.
  • Virtual Segmentation
    • Common in cloud-based or virtual machine architectures.

Purpose of Segmentation

  • Performance Optimization
    • Dedicated subnets for high-bandwidth applications to ensure efficient operation.
  • Security Strategy
    • Example: Users communicate with application servers, not directly with database servers.
    • Use of firewalls or access control lists to limit which hosts can reach the servers.
  • Policy Compliance
    • Segmentation might be mandated by policies, e.g., PCI compliance for credit card info.

Access Control Lists (ACLs)

Definition and Use

  • ACLs control network traffic by allowing or disallowing traffic based on specific parameters.
  • Can be implemented using operating systems or networking technologies.

Parameters for ACLs

  • Source and destination IP addresses.
  • Port numbers.
  • Time of day, etc.

Examples of ACL Permissions

  • Specific user permissions, e.g., Bob can read files, Fred can access the network.
  • Granular permissions, e.g., James can access network 192.168.1.0/24 on TCP ports 80, 443, and 8088.

Implementation Considerations

  • Avoid creating ACLs that lock administrators out of the device and so prevent any further ACL changes.
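The following is an added example (not part of the lecture notes) that models the ACL parameters listed above, the granular permission given for James, and the lock-out consideration. The addresses 10.0.5.7 (James's host) and 10.0.0.0/24 (an admin subnet) are assumed; first-match semantics with an implicit deny at the end is the usual behaviour on routers and firewalls.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source network in CIDR notation
    dst: str                    # destination network in CIDR notation
    proto: str                  # "tcp", "udp" or "any"
    ports: frozenset            # destination ports; empty set means any port
    hours: tuple = (time(0, 0), time(23, 59))  # optional time-of-day window

    def matches(self, src, dst, proto, port, when):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (not self.ports or port in self.ports)
                and self.hours[0] <= when <= self.hours[1])


# Constructed rule set: admin access to the gateway's management port is placed
# first so that no later rule can lock administrators out; James (10.0.5.7, an
# assumed address) may reach 192.168.1.0/24 on TCP 80, 443 and 8088 during
# business hours; everything else to that subnet is explicitly denied.
ACL = [
    Rule("permit", "10.0.0.0/24", "192.168.1.1/32", "tcp", frozenset({22})),
    Rule("permit", "10.0.5.7/32", "192.168.1.0/24", "tcp",
         frozenset({80, 443, 8088}), (time(8, 0), time(18, 0))),
    Rule("deny", "0.0.0.0/0", "192.168.1.0/24", "any", frozenset()),
]


def evaluate(acl, src, dst, proto, port, when=time(12, 0)):
    """First matching rule wins; a packet matching no rule is implicitly denied."""
    for rule in acl:
        if rule.matches(src, dst, proto, port, when):
            return rule.action
    return "deny"


def admin_lockout_check(acl, admin_src, device_ip, mgmt_port=22):
    """Run before deploying: confirm an admin station can still reach the device."""
    return evaluate(acl, admin_src, device_ip, "tcp", mgmt_port) == "permit"
```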

Application Control

Allow Lists and Deny Lists

Allow Lists

  • Function: Only applications specifically approved can run.
  • Usage: Restricted environments.

Deny Lists

  • Function: Blocks applications on a specified bad list; everything else can run.
  • Usage: More flexibility; used in anti-virus systems.

Specific Controls in Windows

  • Application Hash: Identify an application by the cryptographic hash of its executable, so a modified binary no longer matches.
  • Digital Signatures: Allow applications signed by trusted entities (Microsoft, Adobe, etc.).
  • Directory Restrictions: Allow/disallow based on where an application is running from on the drive.
  • Network Zones: Different rules for private vs. public networks.

Practical Uses

  • Blocking malicious software (Trojans, malware, etc.).
  • Ensuring only legitimate applications can be used on systems.