When we talk about segmenting the network, we're usually talking about some type of physical, logical, or virtualized segmentation of the network. We usually accomplish this using separate devices, separate VLANs, or virtualized networks.

One of the reasons we might want to provide network segmentation is performance. We may have an application that requires high bandwidth, and by segmenting it onto its own network, we can ensure the highest efficiency possible.

Another reason for segmenting the network might be security. For example, we might have an application that communicates between a web server and a database server, but we might not want the users to have direct access to the database server. We might segment the users away from the core of our network. That way, we can monitor and make sure that the only things running inside the core are the protocols necessary for those applications.

And there might be a compliance reason to provide network segmentation. For example, PCI compliance requires that there's segmentation between certain devices on the network. This segmentation tends to make change control much easier, because you can make modifications to one part of the network without affecting the other parts.
If we create physical segmentation, then we have completely separate devices. We might have a switch A and a switch B, and these devices do not communicate with each other directly. We would have to put an additional connection between these devices, or some type of intermediate switch or router, to provide any type of communication between switch A and switch B.

We might create this physical segmentation to have all web servers in one rack and all database servers in another rack, and be able to monitor and maintain all of those individual components. Or we might have Customer A on one switch and Customer B on another switch, and we want to be sure that the data between those customers is never going to intermix.

Here's a good example of physical segmentation with Customer A and Customer B. You can see that Customer A has two devices on their single switch, and Customer B also has two devices on their switch. But because they are physically segmented, there's no data that can move between Customer A and Customer B.

One of the challenges with this type of configuration is that it can be relatively inefficient. You've got a 24-port switch with only two devices on it, and the other interfaces aren't used by any other device. You have the same situation with Customer B. You've also got some scalability problems. What if you had a thousand or 5,000 customers? You would need a lot of space in your data center to install a lot of separate switches when you're physically segmenting.
Instead of dealing with the inefficiency of that physical segmentation, many people will segment the network logically. You can do this by using something like Virtual Local Area Networks, or VLANs. You still have segmentation for Customer A and segmentation for Customer B, but this segmentation is built into the switch itself. These two VLANs on the network are not able to communicate with each other, so Customer A's data stays on Customer A's VLAN and Customer B's data stays on Customer B's VLAN. The only way you would be able to connect these two VLANs together is with a router or some other type of layer 3 device.
If you want to take this segmentation up another level, you can virtualize everything: not only your network, but your servers, your routers, your switches, your load balancers, and anything else that might be part of the network infrastructure. You wouldn't have any physical devices to segment, but you are able to segment everything in this virtual environment.

This might also provide you with some additional security features. For example, you could simply build a new network just by clicking a few buttons, create some separate subnets, and then put a firewall between those subnets to provide additional security, all through this virtualized environment. If you wanted to remove the firewall, you click a button and the firewall disappears. If you need more security control, you can add more firewalls by simply moving these virtual devices inside of this virtual network.
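To make the VLAN point and the virtual-firewall point above concrete, here is a small Python model (added here, not part of the original lesson) of hosts on VLANs with an optional layer 3 device between them: with no router, nothing crosses VLANs; a plain router opens every VLAN to every other; a firewall allow-list lets only the web-to-database flow through. The hosts, VLAN numbers and ports are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import permutations
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int  # VLAN the host's switch port is assigned to


@dataclass
class Layer3Device:
    """A router or firewall with an interface in each listed VLAN."""
    vlans: frozenset
    # Allow-list of (src_vlan, dst_vlan, tcp_port). None = plain router,
    # which forwards anything between the VLANs it is connected to.
    rules: Optional[frozenset] = None

    def permits(self, src_vlan: int, dst_vlan: int, port: int) -> bool:
        if src_vlan not in self.vlans or dst_vlan not in self.vlans:
            return False
        return self.rules is None or (src_vlan, dst_vlan, port) in self.rules


def can_reach(src: Host, dst: Host, port: int, l3: list) -> bool:
    """Same VLAN: the switch forwards directly. Different VLANs: only if some
    layer 3 device joins them and (if it is a firewall) its policy allows it."""
    if src.vlan == dst.vlan:
        return True
    return any(dev.permits(src.vlan, dst.vlan, port) for dev in l3)


def cross_segment_flows(hosts, ports, l3) -> set:
    """Enumerate every cross-VLAN flow that is possible: the list an auditor
    wants when verifying that a segmentation design does what was intended."""
    return {(s.name, d.name, p) for s, d in permutations(hosts, 2)
            for p in ports if s.vlan != d.vlan and can_reach(s, d, p, l3)}


# Constructed scenario: users in VLAN 10, web server in VLAN 20, DB in VLAN 30.
USER = Host("user-pc", 10)
WEB = Host("web-srv", 20)
DB = Host("db-srv", 30)
HOSTS = [USER, WEB, DB]
PORTS = [443, 3306]

NO_L3: list = []                                   # VLANs only: nothing crosses
ROUTER = [Layer3Device(frozenset({10, 20, 30}))]   # plain router: everything crosses
FIREWALL = [Layer3Device(frozenset({10, 20, 30}),  # allow-list: users->web, web->db
                         frozenset({(10, 20, 443), (20, 30, 3306)}))]

if __name__ == "__main__":
    for label, l3 in (("vlans only", NO_L3), ("router", ROUTER), ("firewall", FIREWALL)):
        print(label, sorted(cross_segment_flows(HOSTS, PORTS, l3)))
```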
And if you wanted the ultimate in physical segmentation, you would create an air gap. If you have separate physical devices, there's usually still some type of interconnectivity inside of your network. But on an air-gapped network, the devices are truly physically separated from each other. On an air-gapped network, no components are shared. There's no possible way to communicate from one device to the other, and that way, you can be assured that there's no way to get data from one of these devices to the other.

We often see this type of air-gap security on highly secure networks, or networks that have very important applications, such as SCADA or manufacturing networks. Some technologies, though, have been known to jump the gap. For example, if you don't disable the ability to use removable media, someone could plug that media into a device on one side of the air gap, simply walk it across the air gap, and plug it into the other device.
