[NetSIG] network segmentation

Mark G. netsig at palaceofretention.ca
Thu Apr 2 01:58:06 EDT 2020


Hi Cody,

All is well in this small part of the apocalypse.

Your question has several layers of answers.  I might
get some of them right, and we can hope Craig jumps in
to correct me.

Segmentation
------------

Network segmentation is not the same as packet filtering.
Segmentation is the architectural design of a network.
Say you want sales, marketing and finance to have their
own little networking fiefdoms.  Then you would plan your
network and divide it into three segments.  One for sales,
another for marketing and a third for finance.  This is a
high level segmentation.

A lower level segmentation would be, in a physical sense,
to have a switch for each of sales, marketing and finance.
The switches, or more accurately, the devices connected to
the switch, would have their own set of network addresses, or
subnet as they are often called.

E.g:  Sales: subnet 192.168.10.0/24
       Marketing: subnet 192.168.20.0/24
       Finance: subnet 192.168.30.0/24

Note the changing third octet in the dotted-quad notation.
The /24 means use the high-order 24 bits of the address to
represent the network portion and the last 8 bits as the
host portion.  Each subnet can have up to 254 computers
associated with it.

A router would connect each of the three network segments,
which are represented by their respective switches.

So there you have three network segments: a logical one in
the form of departmental (sales etc.) divisions; a physical
one in the form of having a single switch for each department;
and a network level one where addressing is assigned to each
department using IP subnets.

In IPv6 the subnets would be:
E.g:  Sales: subnet fdea:dead:beef:10::/64
       Marketing: subnet fdea:dead:beef:20::/64
       Finance: subnet fdea:dead:beef:30::/64

I might be wrong using /64 in the above.


Segregation
-----------

In the above segmented design, all network traffic is
allowed to flow freely between the three network segments.
Often, this is what you want.

Other times, not.  In this case we attach restrictions on
top of, or in conjunction with, our network segmentation.

Sales doesn't want finance to access their computers:
add a firewall rule (packet filter) to stop finance from
connecting to sales' computers.  This rule would likely
be enforced by the router.

That rule has just segregated one part of the network from
another.  Other rules can add more segregation.


VLANs (Virtual Local Area Networks)
-----------------------------------

Network switches, on a large scale, can have 48+ ports on
them (the typical home switch has just 4 LAN ports).
For large organizations, it doesn't make sense to have many
small switches, and is more cost effective to have a few
very large switches in a centralized back-bone structure.

To properly segment the three departments using a single
switch requires the switch to be capable of creating Virtual
LANs (VLANs).  It would assign a VLAN number to a set of
ports, one set for each department.

VLAN number:
E.g:  Sales: vlan 10
       Marketing: vlan 20
       Finance: vlan 30

The numbers match the IP subnet numbers, but they don't
have to.

Using VLANs is a segregation of the switch's ports into
distinct segments.  VLAN 10 will not see any packets from
VLAN 20 and vice versa, on the physical switch.  Note this
is subtly different from a firewall rule blocking access
between IP subnets.

At my home, I have a switch with 24 ports.  I have VLANs
set up to segregate my entertainment (netflix, youtube)
computers from my work and gaming computers.  VLANs are a
useful tool.

I also have firewall rules restricting access from
one subnet to another and so on.

I hope this helps.

On 2020-04-01 6:21 PM, Catherin Gregory wrote:
> Hi all...
> Hope you are all doing ok.
>
> Is not "network segmentation" the same as packet filtering?
>
> Or is segmentation the same as segregation? Please enlighten me.
> Thanks.
>
> Segregation is typically achieved by a combination of firewalls
> <https://en.wikipedia.org/wiki/Firewall_(computing)> and VLANs
> <https://en.wikipedia.org/wiki/VLAN> (Virtual Local Area
> Networks). Software-Defined Networking
> <https://en.wikipedia.org/wiki/Software-Defined_Networking> (SDN) can
> allow the creation and management of micro-segmented networks.
> https://en.wikipedia.org/wiki/Network_segmentation#Controlling_visitor_access
>
> Cody
>
>
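Added example, not part of either message in this thread: a small Python model of the distinction Mark draws above. Subnet and VLAN membership is the segmentation; a packet between two hosts in the same VLAN is switched and never reaches the router; the router's deny rule for finance-to-sales traffic is the segregation. The segment names, subnets and VLAN numbers are the ones from the reply; the rule table, the function names and the sample addresses are assumptions made for this example.

```python
"""Toy model: segmentation (subnets, VLANs) versus segregation (router rules)."""
import ipaddress

# Constructed sample: the three departmental segments from the reply,
# each with its IPv4 subnet, IPv6 subnet and VLAN number.
SEGMENTS = {
    "sales":     {"v4": "192.168.10.0/24", "v6": "fdea:dead:beef:10::/64", "vlan": 10},
    "marketing": {"v4": "192.168.20.0/24", "v6": "fdea:dead:beef:20::/64", "vlan": 20},
    "finance":   {"v4": "192.168.30.0/24", "v6": "fdea:dead:beef:30::/64", "vlan": 30},
}

# Segregation rules enforced by the router, as (source, destination) pairs
# that are denied.  The reply's single rule: finance may not reach sales.
# Assumption: rules are one-directional, as in a stateless packet filter;
# a stateful firewall would additionally allow replies to sales-initiated
# connections without a second rule.
DENY = {("finance", "sales")}


def segment_of(ip: str):
    """Return the segment name an address belongs to, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    key = "v4" if addr.version == 4 else "v6"
    for name, seg in SEGMENTS.items():
        if addr in ipaddress.ip_network(seg[key]):
            return name
    return None


def usable_hosts(cidr: str) -> int:
    """Host capacity of a subnet: IPv4 loses the network and broadcast addresses (/24 -> 254)."""
    net = ipaddress.ip_network(cidr)
    return net.num_addresses - 2 if net.version == 4 else net.num_addresses


def forward(src: str, dst: str) -> str:
    """Classify a packet as 'switched', 'routed', 'dropped' or 'unrouted'."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "unrouted"                     # no segment owns the address
    if SEGMENTS[s]["vlan"] == SEGMENTS[d]["vlan"]:
        return "switched"                     # same VLAN: the switch forwards it, the router never sees it
    if (s, d) in DENY:
        return "dropped"                      # segregation: the router's packet filter blocks it
    return "routed"                           # different VLANs, no rule against it: router forwards


if __name__ == "__main__":
    for src, dst in [("192.168.30.7", "192.168.10.5"), ("192.168.10.5", "192.168.30.7")]:
        print(f"{src} -> {dst}: {forward(src, dst)}")
```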
