Understanding Network Segmentation: Best Practices and Implementation Strategies

I was recently consulting with a client and the network architecture we were proposing drastically increased their ability to deploy network segmentation. In our conversations though, the various options for network segmentation were ill-understood and the client was unsure about which situations best suited one technology over another.

Why introduce segmentation though? By doing so, network engineers can improve network performance, increase security, and simplify network management. I wanted to discuss a couple of strategies, including both micro-segmentation using Security Group Tags (SGTs) and macro-segmentation using Virtual Routing and Forwarding (VRFs).

Benefits of Network Segmentation:

  1. Enhanced Security: By dividing the network into smaller segments, it becomes easier to control access and monitor traffic. Network engineers can implement more granular security policies and detect potential security breaches more quickly. One of the main tenants of Zero Trust Access is to only provide enough network access for the device to function and no more.

  2. Simplified Management: By adopting authentication-based segmentation technologies, network engineers can avoid having to make configuration change based on new devices being introduced to the network or their location changing. By centralizing the policy creation, a network intent can be defined once and applied whenever and wherever it’s needed.

Best Practices for Network Segmentation:

  1. Define Clear Objectives: Before starting the segmentation process, network engineers should define clear objectives and requirements. They should consider the needs of different users and applications, as well as any compliance regulations that apply to the network.

  2. Choose the Right Segmentation Method: There are different segmentation methods available, including VLANs, firewalls, access-lists, VRFs, and SGTs. Network engineers should choose the method that best suits their objectives and requirements.

  3. Design with Scalability in Mind: Network segmentation should be designed with scalability in mind. Network engineers should plan for future growth and ensure that the segmentation strategy can be easily extended or modified if needed.

  4. Centralize Management: Whether the preferred strategy is using automation to deploy the network intent across the network or to opt for 802.1X based segmentation strategies, design with a single management strategy in mind. This will reduce or eliminate deviations in access across the network, make auditing of the network simpler, and reduce the chance of outages.

Implementation Strategies for Network Segmentation:

  1. VLANs: VLANs (Virtual Local Area Networks) are a common method of network segmentation. They allow network engineers to group devices into logical networks based on different criteria, such as department, location, or application. By default, though VLANs do not provide micro-segmentations features and need to be coupled with other technologies to provide security. Private VLANs are often overlooked as well but may be a smart option for some networks.

  2. Firewalls: Firewalls can be used to segment the network by enforcing security policies between subnetworks. They can block traffic based on predefined rules and prevent unauthorized access to sensitive data. Next generation firewalls provide deep packet inspection and are a great option as a replacement for a fusion router for filtering east-west traffic and north-south traffic in the same box.

  3. Virtual Routing and Forwarding (VRFs): VRFs are used for macro-segmentation by creating separate routing tables within a network. Each VRF can have its own routing policies and routing table, allowing network engineers to create separate virtual networks. VRFs, deployed along with SGTs, provide the most flexible network segmentation strategies available today. When SGACLs can’t provide deep enough or rigid enough filtering to traffic, VRFs are able to segregate traffic at a higher level and force traffic through fusion firewalls for deep packet inspection and application-based security policies.

  4. Access-Lists: Access-lists are one of the most versatile tools in the network engineer’s toolkit because of the various applications that they can be applied to. However, the task that they were originally created for is ironically being overshadowed by newer technologies such as SGTs. ACLs match on IP, an inflexible tool that can change quickly and don’t provide user-based filtering. Additionally, ACLs applied at the network gateway are unable to filter intra-subnet traffic and engineers are required to deploy VLAN ACLs or Downloadable ACLs to combat this, further complicating management.

  5. Security Group Tags (SGTs): SGTs are used for micro-segmentation within a network, by tagging traffic flows based on security policies. Network engineers can use SGTs to apply security policies at the application level, providing more granular security control. Since SGTs and by extension SGACLs are applied via 802.1X, user and group information can be used to provide authorization. SGTs provide an abstraction away from IP and more specifically implement the intent of an engineer.

By defining clear objectives, choosing the right segmentation method, and implementing proper access controls, network engineers can design and implement effective segmentation strategies. VLANs, firewalls, routers, SGTs, and VRFs. Wield these tools effectively and you can greatly improve your security posture and simplify management of your network.

 

Ryan Harris

I’m Ryan and I’m a Senior Network Engineer for BlueAlly (formerly NetCraftsmen) in North Carolina doing routing, switching, and security. I’m very interested in IPv6 adoption, SD-Access, and Network Optimization. Multi-vendor with the majority of my work being with Cisco and Palo Alto.

Previous
Previous

UDP Based Amplification Attacks: Understanding the Threat

Next
Next

Post-Mortem and Thoughts on a Recent Outage