Network Segmentation

Also known as: network zoning, network isolation, VLAN segmentation

The practice of dividing a computer network into smaller, isolated subnetworks to improve security, performance, and manageability by limiting the spread of threats and controlling traffic flow between segments.

In-Depth Explanation

Network segmentation divides a network into smaller, isolated segments with controlled communication between them. This limits an attacker's ability to move laterally through the network if they breach one segment, containing the damage of a security incident.

Segmentation approaches:

  • Physical segmentation: Separate physical network infrastructure for each segment
  • VLAN segmentation: Virtual LANs dividing the network logically on shared infrastructure
  • Subnet segmentation: Using IP subnets with router-enforced access controls
  • Micro-segmentation: Granular, software-defined segmentation at the workload level
  • Software-defined networking (SDN): Programmable network segmentation

Common network segments:

  • Corporate network: Standard employee workstations and devices
  • Server network: Application and database servers
  • Management network: Network management and administration systems
  • Guest network: Isolated network for visitors and personal devices
  • IoT network: Internet of Things devices (printers, cameras, sensors)
  • PCI network: Cardholder data environment (for payment processing)
  • DMZ: Demilitarised zone for public-facing services

Benefits of segmentation:

  • Limits lateral movement of attackers and malware
  • Reduces the blast radius of security incidents
  • Improves compliance posture (e.g., PCI-DSS scope reduction)
  • Enables granular access control and monitoring
  • Improves network performance by reducing broadcast traffic
  • Simplifies troubleshooting and management

Business Context

Without segmentation, an attacker who compromises one device can potentially access every system on the network. Segmentation is one of the most effective ways to limit the damage of a breach and is recommended by the ACSC and required by frameworks like PCI-DSS.

How Clever Ops Uses This

Clever Ops designs and implements network segmentation for Australian businesses, creating isolated zones for different functions and data sensitivity levels. We configure VLAN segmentation, firewall rules between segments, and monitoring to detect unauthorised cross-segment traffic.

Example Use Case

"An Australian retail business segments their network into corporate, POS, guest Wi-Fi, and IoT zones. When ransomware infects a workstation on the corporate network, segmentation prevents it from reaching the POS systems, protecting payment data."
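The monitoring side of this use case, as an added example that is not code from the original page: a default-deny zone policy checked against flow records to flag unauthorised cross-segment traffic. The subnets, allow rules and flow records are constructed assumptions; only the zone names come from the use case above.

```python
import ipaddress

# Constructed zone-to-subnet map (addresses are assumptions for illustration).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "pos":       ipaddress.ip_network("10.20.0.0/24"),
    "guest":     ipaddress.ip_network("10.30.0.0/24"),
    "iot":       ipaddress.ip_network("10.40.0.0/24"),
}

# Default deny between zones. Hypothetical allow rules: (src_zone, dst_zone, proto, dst_port).
ALLOWED = {
    ("corporate", "iot", "tcp", 9100),  # workstations printing to IoT printers
    ("pos", "corporate", "tcp", 443),   # POS reporting to an internal HTTPS service
}

def zone_of(addr):
    """Return the name of the zone containing addr, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def find_violations(flows):
    """Return the flows that cross a zone boundary without a matching allow rule."""
    out = []
    for src, dst, proto, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or "external" in (sz, dz):
            continue  # intra-zone and internet traffic are outside this check
        if (sz, dz, proto, dport) not in ALLOWED:
            out.append((sz, dz, src, dst, proto, dport))
    return out

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port)
SAMPLE_FLOWS = [
    ("10.10.4.17", "10.40.0.12", "tcp", 9100),  # allowed: print job
    ("10.10.4.17", "10.20.0.5", "tcp", 445),    # corporate -> POS over SMB
    ("10.30.0.88", "10.10.1.2", "tcp", 3389),   # guest -> corporate over RDP
    ("10.10.4.17", "10.10.9.9", "tcp", 445),    # intra-zone, not evaluated
    ("10.20.0.5", "10.10.1.2", "tcp", 443),     # allowed: POS reporting
    ("10.40.0.12", "203.0.113.7", "udp", 123),  # internet-bound, not evaluated
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("unauthorised cross-segment flow:", v)
```

Traffic inside a single zone is not evaluated here, so movement between hosts in the same segment stays invisible to this check; that gap is what micro-segmentation at the workload level addresses.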

Category

cybersecurity
