
Network Segmentation

VLANs, Zero Trust architecture. Micro-segmentation. Air-gap critical assets. Restrict lateral movement.


What is Network Segmentation?

Network Segmentation divides a network into smaller, isolated segments to contain breaches, reduce attack surface, and enforce least-privilege access. Think of it like watertight compartments on a ship—if one section floods, the others remain secure.

Why Segment Networks?

  • Contain Lateral Movement: Attackers can't pivot freely between network segments
  • Enforce Zero Trust: "Never trust, always verify" - require authentication between segments
  • Compliance: PCI-DSS, HIPAA require separation of sensitive data
  • Reduce Blast Radius: Ransomware/breach limited to one segment

Segmentation Methods

🏢 VLANs (Virtual LANs)

Layer 2 segmentation at switch level

  • Easy to implement on existing hardware
  • Each VLAN = separate broadcast domain
  • Routing between VLANs controlled by firewall
  • Example: VLAN 10 (Servers), VLAN 20 (Users)

🔒 Micro-Segmentation

Granular per-workload segmentation

  • Segment down to individual VMs/containers
  • Software-defined (SDN, NSX, Cisco ACI)
  • Dynamic policies follow workloads
  • Zero Trust at workload level

🌐 DMZ (Demilitarized Zone)

Isolated zone for public-facing services

  • Web servers, email gateways in DMZ
  • Two firewalls: External + Internal
  • DMZ can't directly access internal network
  • Compromise doesn't expose internal assets

🎯 Zero Trust Network Access (ZTNA)

Identity-based, not network-based access

  • No implicit trust based on location
  • Verify identity + device posture for every request
  • Software-Defined Perimeter (SDP)
  • Examples: Zscaler, Cloudflare Access

Enterprise VLAN Design Example

VLAN 10 - Management, risk: Critical

Network device management (switches, routers). Admin access only. 10.0.10.0/24

VLAN 20 - Servers (Production), risk: Critical

Application servers, databases. Isolated from user workstations. 10.0.20.0/24

VLAN 30 - Employees, risk: Medium

User workstations. Limited server access via firewall rules. 10.0.30.0/24

VLAN 40 - Guest WiFi, risk: Low

Visitor access. Internet only, no internal network access. 10.0.40.0/24

VLAN 50 - IoT Devices, risk: Medium

Cameras, printers, smart devices. Isolated from corporate network. 10.0.50.0/24

VLAN 99 - DMZ, risk: High

Public-facing web servers, email gateways. Dual firewall protection. 10.0.99.0/24

Inter-VLAN Firewall Rules

✅ Allow: Employees → Servers (HTTPS only)
permit tcp VLAN30 any VLAN20 any eq 443
❌ Deny: Guest WiFi → Internal Networks
deny ip VLAN40 any VLAN20 any
✅ Allow: IoT → NTP Server (Time Sync)
permit udp VLAN50 any 10.0.20.5 eq 123
❌ Deny: DMZ → Internal (Default Deny)
deny ip VLAN99 any VLAN20 any
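The four rules above as an executable check, added here as an example and not the page's own tooling: a small Python evaluator that parses the rule lines in the page's own syntax, maps each VLAN name to the subnet from the design above, applies first-match semantics, and treats anything no rule matches as denied (the default-deny practice). The parser and the evaluate helper are this example's own simplification, not full Cisco ACL semantics.

```python
import ipaddress

# VLAN names mapped to the subnets from the VLAN design above.
VLAN_SUBNETS = {
    "VLAN10": "10.0.10.0/24", "VLAN20": "10.0.20.0/24", "VLAN30": "10.0.30.0/24",
    "VLAN40": "10.0.40.0/24", "VLAN50": "10.0.50.0/24", "VLAN99": "10.0.99.0/24",
}

# The four inter-VLAN rules exactly as written on the page, in order.
RULES_TEXT = """
permit tcp VLAN30 any VLAN20 any eq 443
deny ip VLAN40 any VLAN20 any
permit udp VLAN50 any 10.0.20.5 eq 123
deny ip VLAN99 any VLAN20 any
"""

def _take_endpoint(tokens):
    """Consume one endpoint: 'VLANxx any' (whole subnet) or a single host IP."""
    tok = tokens.pop(0)
    if tok.startswith("VLAN"):
        tokens.pop(0)  # drop the 'any' wildcard that follows a VLAN name
        return ipaddress.ip_network(VLAN_SUBNETS[tok])
    return ipaddress.ip_network(tok + "/32")

def parse_rule(line):
    """Parse 'action proto <src> <dst> [eq port]' into a matchable dict."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _take_endpoint(rest)
    dst = _take_endpoint(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": port, "text": line}

RULES = [parse_rule(ln) for ln in RULES_TEXT.strip().splitlines()]

def evaluate(src_ip, dst_ip, proto, dport):
    """First matching rule wins; no match means an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in RULES:
        if r["proto"] not in ("ip", proto):
            continue  # 'ip' matches any protocol, otherwise exact match
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "implicit default deny"
```

Note that an Employees workstation opening SSH (port 22) to a server is denied even though no rule mentions it: the implicit deny at the end is what makes the ruleset default-deny.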

Micro-Segmentation (VMware NSX Example)

Micro-segmentation applies firewall rules at the VM/container level, not just network perimeter. Every workload has its own security policy.

Policy Example: Web Tier → App Tier

  • Source: Security Group "Web-Servers" (all VMs tagged as web)
  • Destination: Security Group "App-Servers"
  • Service: HTTPS (443), HTTP (8080)
  • Action: Allow
  • Applied To: Distributed Firewall (every VM hypervisor)

💡 Benefit: Even if an attacker compromises a web server, it cannot reach the database tier, because no policy permits that flow
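Tag-driven group membership as a runnable illustration, added here and not VMware's NSX API or the page's own code: the workload inventory, the assumed App-Servers to DB-Servers rule on port 5432, and the helper names are constructed. The point is that a newly tagged VM inherits the policy with no rule change, and that no rule names Web to DB, so that flow is denied.

```python
# Constructed inventory: workload name -> tags applied to it.
VMS = {
    "web-01": {"web"}, "web-02": {"web"},
    "app-01": {"app"}, "db-01": {"db"},
}

# Security group -> the tag that grants membership. Membership is computed,
# never hand-maintained, so the policy follows workloads as they appear.
GROUPS = {"Web-Servers": "web", "App-Servers": "app", "DB-Servers": "db"}

# Distributed-firewall policy. The first rule is the page's Web -> App policy;
# the App -> DB rule on 5432 is an assumed addition. No rule names Web -> DB.
POLICY = [
    {"src": "Web-Servers", "dst": "App-Servers", "ports": {443, 8080}},
    {"src": "App-Servers", "dst": "DB-Servers", "ports": {5432}},
]

def members(group):
    """Resolve a security group to the workloads currently carrying its tag."""
    tag = GROUPS[group]
    return {vm for vm, tags in VMS.items() if tag in tags}

def is_allowed(src_vm, dst_vm, port):
    """Per-workload check, as a distributed firewall does at each hypervisor."""
    for rule in POLICY:
        if (src_vm in members(rule["src"]) and dst_vm in members(rule["dst"])
                and port in rule["ports"]):
            return True
    return False  # default deny: flows no policy describes are dropped

def add_vm(name, tags):
    """Onboard a workload; its tags alone decide which policies apply to it."""
    VMS[name] = set(tags)

def reachable_from(src_vm):
    """Audit helper: every workload the given one may reach under POLICY.
    A compromised web server's reach stops at the app tier."""
    reach = set()
    for rule in POLICY:
        if src_vm in members(rule["src"]):
            reach |= members(rule["dst"])
    return reach
```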

Best Practices

Default Deny: Block all traffic by default, explicitly allow only what's needed
Least Privilege: Users/apps only access segments they need (no flat network)
Separate Critical Assets: Domain controllers, backups in isolated segments
Monitor East-West Traffic: Don't just watch perimeter, monitor internal traffic between segments
Document Segmentation: Maintain network diagram showing all segments and allowed flows
Regular Audits: Review firewall rules quarterly, remove unused rules

Real-World Impact: Colonial Pipeline (2021)

The ransomware gang accessed the corporate network via VPN, then pivoted to the OT (operational technology) network that controls the fuel pipelines.

What Went Wrong:

  • ❌ No network segmentation between IT and OT networks
  • ❌ Shared credentials across network boundaries
  • ❌ Ransomware spread unchecked across entire infrastructure

How Segmentation Would Have Helped:

  • ✅ Separate IT and OT networks (air gap or strict firewall)
  • ✅ One-way data diodes (OT can't be accessed from IT)
  • ✅ Ransomware contained to IT segment, pipelines stay operational

Network Segmentation Designer

Design VLANs, configure firewall rules, and test attack scenarios to see how segmentation contains breaches.


Network Segments (VLANs)

  • Management: VLAN 10, subnet 10.0.10.0/24, 5 devices, risk critical
  • Servers: VLAN 20, subnet 10.0.20.0/24, 15 devices, risk critical
  • Employees: VLAN 30, subnet 10.0.30.0/24, 200 devices, risk medium
  • Guest WiFi: VLAN 40, subnet 10.0.40.0/24, 50 devices, risk low
  • IoT Devices: VLAN 50, subnet 10.0.50.0/24, 30 devices, risk medium


Inter-VLAN Firewall Rules

  • Employees (30) → Servers (20): HTTPS (443)
  • Guest WiFi (40) → Servers (20): All
  • IoT Devices (50) → Servers (20): NTP (123)
  • Management (10) → All Segments: SSH/HTTPS
