Everyone has seen security checkpoints at the airport. They ensure that only people who belong at a gate can reach it, and that no bad actors board the airplanes. But why are there so many gates? Luckily, they’re labelled in a sequential and logical fashion. So at the airport, multiple security checkpoints keep things safe, locked doors ensure I can’t enter areas I don’t belong, and accurate labelling helps direct everyone to where they need to be, safely.
Network segmentation applies the same idea of checkpoints and gates to network traffic.
So what is network segmentation?
In very short terms, network segmentation is the concept of taking a computer network and breaking it down, both logically and physically, into multiple smaller fragments. Physical segmentation involves breaking down a network into smaller physical components. It involves investing in additional hardware such as switches, routers, and access points.
While physical segmentation can seem like the easy approach to breaking up a network, it’s often costly and can lead to unintended issues. Think about having two Wi-Fi access points right beside each other, each broadcasting different SSIDs. This would be inefficient and cause many conflicts.
Logical segmentation is the more popular method of breaking a network into manageable chunks. Usually, logical segmentation doesn’t require new hardware, provided the infrastructure is already managed. Instead, logical segmentation uses concepts already built into network equipment, like creating separate virtual local area networks (VLANs) that share a physical switch, or dividing different asset types into different subnets and using a router to pass data between the individual subnets.
Segment a network to achieve the following:
By ensuring traffic between different groups of devices passes through a firewall, you can apply access control lists to that traffic and enforce least privilege. It also allows the traffic to be inspected by security tools for potential threats. In a world where nothing ever went wrong, there’d be no need to contain a breach or attack. But the reality is that attackers can affect an entire network unless they’re limited to a local subnet. And when things do go wrong, segmentation significantly reduces your mean time to resolution by narrowing the focus area of your troubleshooting and protection efforts.
Smaller subnets mean fewer devices on each subnet. Fewer devices mean you can build and enforce more granular policies, like access rules and file permissions. Fewer hosts also mean less traffic and a smaller broadcast domain. Reducing the broadcast domain reduces ‘noise.’ All in, network segmentation contributes to better performance across the entire network and its segments.
Here are some common network segmentation methods:
Creating a guest wireless network
Theoretically, a client’s guest network could be both wired and wireless but, almost always, the guest network is primarily wireless. By implementing a new guest SSID and ensuring it’s configured to provide wireless isolation, you’re effectively creating a segment for each user of the guest Wi-Fi, allowing them to reach the internet without accessing anything else on the rest of your network.
Creating a voice network
Unlike guest networks, which are typically wireless, a voice network is normally wired. Low latency and low jitter are extremely important for voice over IP (VoIP) phones to get the best call quality, and mixing voice with data traffic can reduce that quality. Voice networks are generally segmented into a separate VLAN and use a dedicated IP subnet range, away from routine data traffic.
Separating user groups from services
Does every user need access to the entire network? Should the receptionist in your client’s office be able to pull reports from the accounting system? Probably not. By separating user groups and services into their own segments or subnets, you can create groupings of similar users and services. You can then build data traffic around these groups, ensuring the right people can access the right things.
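The three methods above, together with the earlier point about passing inter-segment traffic through a firewall with access control lists, come down to one thing: an address plan with one subnet per segment and a first-match, default-deny policy between them. The following is an added example, not code from the original post or from SOS, that models exactly that. The segment names, subnets, ports and rules are constructed assumptions for illustration; a real deployment would express the same policy in the firewall or router’s own ACL syntax. Guest Wi-Fi client isolation is modelled as "guest to guest is denied", traffic that stays inside any other segment never reaches the firewall and is reported as local, and a destination that is neither a known segment nor a public address falls through to the default deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan: one VLAN / subnet per segment (assumed values).
SEGMENTS = {
    "guest":      ip_network("10.10.0.0/24"),   # guest Wi-Fi SSID
    "voice":      ip_network("10.20.0.0/24"),   # VoIP phones
    "users":      ip_network("10.30.0.0/24"),   # general staff workstations
    "accounting": ip_network("10.40.0.0/24"),   # accounting workstations
    "servers":    ip_network("10.50.0.0/24"),   # file server, PBX, accounting DB
}


@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "any"
    dst: str              # segment name, "internet" or "any"
    dport: Optional[int]  # None = any destination port
    action: str           # "allow" or "deny"


# Firewall policy between segments: evaluated top-down, first match wins,
# and anything not listed is denied (least privilege). Constructed example.
POLICY = [
    Rule("guest", "internet", None, "allow"),      # guests get the internet, nothing else
    Rule("voice", "servers", 5060, "allow"),       # phones reach the PBX (SIP) only
    Rule("users", "servers", 445, "allow"),        # staff reach the file server (SMB)
    Rule("users", "internet", 443, "allow"),
    Rule("accounting", "servers", 1433, "allow"),  # only accounting reaches the DB
    Rule("accounting", "internet", 443, "allow"),
]


def segment_of(addr: str) -> str:
    """Map an IP address to its segment name, "internet", or "unassigned"."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    # Public addresses count as the internet; a private address outside the
    # plan is "unassigned" and will never match a rule.
    return "internet" if ip.is_global else "unassigned"


def decide(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return "allow", "deny" or "local" for one flow crossing the firewall."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst and src in SEGMENTS:
        # Same VLAN: the router never sees it, except that guest Wi-Fi
        # client isolation blocks guest-to-guest traffic at the access point.
        return "deny" if src == "guest" else "local"
    for rule in POLICY:
        if (rule.src in (src, "any")
                and rule.dst in (dst, "any")
                and rule.dport in (dport, None)):
            return rule.action
    return "deny"  # default deny: unlisted flows do not cross segments


if __name__ == "__main__":
    # Constructed sample flows, including the receptionist-vs-accounting case.
    flows = [
        ("10.10.0.5", "93.184.216.34", 443),  # guest -> internet
        ("10.10.0.5", "10.50.0.10", 445),     # guest -> file server
        ("10.10.0.5", "10.10.0.6", 80),       # guest -> guest (client isolation)
        ("10.30.0.7", "10.50.0.10", 445),     # receptionist -> file server
        ("10.30.0.7", "10.50.0.10", 1433),    # receptionist -> accounting DB
        ("10.40.0.3", "10.50.0.10", 1433),    # accounting -> accounting DB
        ("10.20.0.9", "93.184.216.34", 443),  # phone -> internet
        ("10.10.0.5", "10.60.0.1", 443),      # guest -> unallocated private space
    ]
    for src, dst, port in flows:
        print(f"{src:>12} -> {dst:<15} :{port:<5} "
              f"[{segment_of(src)} -> {segment_of(dst)}] {decide(src, dst, port)}")
```

Running the block prints one decision per sample flow. The receptionist’s workstation in the users segment reaches the file server on port 445 but is denied on the accounting database port, while a host in the accounting segment is allowed, which is the “right people can access the right things” outcome the section describes; the phone that tries to reach the internet is denied because the voice segment only has a rule for the PBX.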
If you’re experiencing network issues, SOS can help get you where you need to be today.