Network segmentation in computer networks is the act or practice of dividing a computer network into subnetworks, each of which is a network segment. The advantages of this division are mainly to increase performance and improve security.
A network segment is a synonym for LAN: it is a set of equipment (computers and peripherals) connected in a network.
A large network in an organization may be made up of many network segments connected to the main LAN, called the backbone, which exists to connect the segments to each other.
The figure shows two segments (which could be on two different floors of a company), each made up of three computers, connected to the backbone that links them.
Advantages of network segmentation
– Congestion reduction: Better performance is achieved, since a segmented network has fewer hosts per subnet, which keeps local traffic to a minimum.
– Improved security:
1) Transmissions are contained within the local segment, so the internal structure of the network is not visible from the outside.
2) There is a reduced attack surface available to pivot to if one of the hosts in the network segment is compromised. Common attack vectors like LLMNR and NetBIOS poisoning can be partially mitigated by proper network segmentation, since they only work on the local network. For this reason, it is recommended to segment the different areas of a network by use. A basic example would be dividing web servers, database servers, and standard user machines, each into its own segment.
3) By creating network segments that contain only the resources their authorized consumers need, you create an environment of least privilege.
– Containment of network problems: Limits the effect of local failures on other parts of the network.
– Control visitor access: Visitor access to the network can be controlled by implementing VLANs to segregate the network.
When a cybercriminal gains unauthorized access to a network, segmentation or «zoning» can provide effective controls to limit movement through the network. PCI-DSS (Payment Card Industry Data Security Standard) and similar standards provide guidance on creating a clear separation of data within the network, for example, separating the network for payment card authorizations from the network for point-of-sale (checkout) traffic or customer Wi-Fi traffic. Good security policy involves segmenting the network into multiple zones with different security requirements, and rigorous enforcement of what is allowed to move from one zone to another.
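As an added example (not part of the original article), the following script models the zone policy described above: constructed PCI-style zones (cardholder, POS, guest Wi-Fi, database), an explicit allow-list for inter-zone flows with default deny, and the fact that link-local multicast such as LLMNR never crosses a segment boundary. All addresses, zone names and flows are invented for illustration.

```python
import ipaddress

# Constructed zones for illustration (addresses are not from any real network)
ZONES = {
    "cardholder": ipaddress.ip_network("10.10.0.0/24"),
    "pos":        ipaddress.ip_network("10.20.0.0/24"),
    "guest_wifi": ipaddress.ip_network("10.30.0.0/24"),
    "db":         ipaddress.ip_network("10.40.0.0/24"),
}

# Explicit allow-list of inter-zone flows: (src_zone, dst_zone, proto, dst_port).
# Everything not listed is denied, so guest Wi-Fi reaches nothing internal.
ALLOWED = {
    ("pos", "cardholder", "tcp", 443),
    ("cardholder", "db", "tcp", 5432),
}

# Link-local multicast (224.0.0.0/24) carries LLMNR (224.0.0.252) and similar
# discovery protocols; routers do not forward it beyond the local segment.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")

def zone_of(ip):
    """Return the zone name containing ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate(src_ip, dst_ip, proto, dst_port):
    """Decide how the segmentation gateway treats one flow."""
    if ipaddress.ip_address(dst_ip) in LINK_LOCAL_MCAST:
        return "contained"          # never leaves the source segment
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"               # unknown address space: default deny
    if src == dst:
        return "intra-segment"      # same VLAN, the gateway is not involved
    if (src, dst, proto, dst_port) in ALLOWED:
        return "allow"
    return "deny"                   # no matching rule: default deny

# Constructed sample flows to exercise the policy
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.10.0.9", "tcp", 443),     # POS -> card authorization
    ("10.30.0.7", "10.10.0.9", "tcp", 443),     # guest Wi-Fi -> cardholder
    ("10.10.0.9", "10.40.0.3", "tcp", 5432),    # cardholder -> database
    ("10.20.0.5", "10.40.0.3", "tcp", 5432),    # POS -> database directly
    ("10.30.0.7", "224.0.0.252", "udp", 5355),  # LLMNR query from guest
]

def audit(flows=SAMPLE_FLOWS):
    """Return each flow paired with the gateway's verdict."""
    return [(flow, evaluate(*flow)) for flow in flows]

if __name__ == "__main__":
    for flow, verdict in audit():
        print(f"{flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]:<5} {verdict}")
```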
Control visitor access
Finance and Human Resources departments often need access to their application servers through their own VLAN due to the sensitive nature of the information they process and store. Other groups of staff may require their own segregated networks, such as server administrators, security administration, managers, and executives.
Third parties are often required to have their own segments, with administration passwords different from those of the main network, to prevent attacks through a compromised and less secure third-party site.