[NetSIG] network segmentation

Mark G. netsig at palaceofretention.ca
Thu Apr 2 14:44:21 EDT 2020


Hi Cody,

Your statement:

"having a different IP is a form of segmentation"

is not quite correct.  You have to understand the
difference between an IP address and an IP subnet.

An IP address has two parts: the network part and
the host part.  In the simple case, the network part
is the first three octets, and the host part is the
last octet.  So, for example, the IP address 192.168.10.2
has:

  a network part: 192.168.10
  and a host part: .2

A network segment is all the hosts on network 192.168.10
of the form 192.168.10.xxx

A second segment is all the hosts on network 192.168.20, for
example, of the form 192.168.20.xxx.  Note the 10 and 20
numbers are in the network portion of the IP address, hence
a different network segment.

The 192.168.10.x/24 and 192.168.20.x/24 are called subnetworks
(subnets for short), where the /24 denotes the 24 bits (three
octets) used for the network portion of the IP address.

Most of the time, all hosts in subnet 192.168.10.x can access each
other by virtue of being on the same subnet.  Adding firewall rules
within this subnet can restrict hosts accessing one another, but
does not create a new segment.  It does segregate the hosts, however.

The subnet 192.168.20.x is a different segment and access to
hosts on subnet 192.168.10.x depends on your network policy.
You can choose to allow all access, or choose to segregate
the subnets by placing firewall rules between them.

So your assertion: "I’m thinking about putting a domain on a
completely different ip and thinking it would be more secure"
is not correct if the xxx.xxx.xxx portion of the addresses
are the same.  You will almost always need firewall rules
to properly control access to/between systems.  Having
different IP addresses can still allow the default routing
behaviour of the networking software to try and find a path
to another host.
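
The network/host split and the segment-versus-segregation distinction above, as an added worked example (not code from the NetSIG thread or from any project it mentions). It splits an IPv4 address at a /prefix boundary, tests whether two hosts share a subnet, and applies router rules between subnets. The rule tuple format, the first-match semantics, the "default /24 when no prefix is given" convention and the sample addresses are all constructed here for illustration:

```python
"""Added example: IPv4 network/host split, same-subnet test, and
inter-subnet rules.  Rule format and sample addresses are constructed."""

from __future__ import annotations
from typing import List, Tuple


def parse_ipv4(text: str) -> int:
    """Convert a dotted quad such as '192.168.10.2' into a 32-bit integer."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for octet in octets:
        number = int(octet)
        if not 0 <= number <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | number
    return value


def to_dotted(value: int) -> str:
    """Inverse of parse_ipv4."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix: int) -> int:
    """Netmask for a /prefix; /24 gives 0xFFFFFF00 (three network octets)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_of(cidr: str) -> Tuple[int, int]:
    """Return (network number, prefix length) for 'a.b.c.d/n'.
    A missing /n is treated as /24, the 'simple case' (assumption)."""
    addr_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 24
    return parse_ipv4(addr_text) & prefix_mask(prefix), prefix


def split_address(cidr: str) -> Tuple[str, str]:
    """Network and host parts as dotted quads.
    '192.168.10.2/24' -> ('192.168.10.0', '0.0.0.2')."""
    network, prefix = network_of(cidr)
    addr = parse_ipv4(cidr.partition("/")[0])
    host = addr & ~prefix_mask(prefix) & 0xFFFFFFFF
    return to_dotted(network), to_dotted(host)


def same_subnet(a_cidr: str, b_cidr: str) -> bool:
    """True when both hosts have the same network part: one segment."""
    return network_of(a_cidr) == network_of(b_cidr)


def in_subnet(addr: int, subnet_cidr: str) -> bool:
    """True when the integer address addr falls inside subnet_cidr."""
    network, prefix = network_of(subnet_cidr)
    return (addr & prefix_mask(prefix)) == network


# A rule is (source subnet, destination subnet, "allow" | "deny").
# First matching rule wins; with no match the site default applies.
Rule = Tuple[str, str, str]


def classify_path(src_cidr: str, dst_cidr: str, rules: List[Rule],
                  default_allow: bool = True) -> Tuple[str, bool]:
    """Return (segment relationship, whether src may reach dst).

    Hosts on one subnet reach each other unless a rule written at host
    granularity blocks them; that segregates them but does not create a
    new segment.  Hosts on different subnets cross the router, where the
    inter-subnet rules and the default policy decide.
    """
    segment = "same segment" if same_subnet(src_cidr, dst_cidr) else "different segment"
    src = parse_ipv4(src_cidr.partition("/")[0])
    dst = parse_ipv4(dst_cidr.partition("/")[0])
    for rule_src, rule_dst, action in rules:
        if in_subnet(src, rule_src) and in_subnet(dst, rule_dst):
            return segment, action == "allow"
    return segment, default_allow


if __name__ == "__main__":
    # Constructed policy: finance (.30) may not reach sales (.10), and one
    # sales host is blocked from another sales host at host granularity.
    policy = [
        ("192.168.30.0/24", "192.168.10.0/24", "deny"),
        ("192.168.10.5/32", "192.168.10.7/32", "deny"),
    ]
    print(split_address("192.168.10.2/24"))
    for src, dst in [("192.168.30.5/24", "192.168.10.7/24"),
                     ("192.168.20.5/24", "192.168.10.7/24"),
                     ("192.168.10.5/24", "192.168.10.7/24"),
                     ("192.168.10.6/24", "192.168.10.7/24")]:
        print(src, "->", dst, classify_path(src, dst, policy))
```

The point the code makes is the one in the message: two hosts that differ only in the last octet of a /24 are one segment whatever rules you add, and a host that differs in the third octet sits in a different segment but is reachable or not purely according to the rules between the subnets (here the default is to allow, matching "all traffic flows freely" unless a rule says otherwise).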



On 2020-04-02 5:07 AM, Cody wrote:
> Hi Mark ... It helps a lot! You did great at painting a picture.
> Many, many thanks. So... having a different IP is a form of
> segmentation? Ie: xxx.xxx.xxx.yyy is not going to be accessing
> xxx.xxx.xxx.zzz without special firewall allow permissions?
> Specifically I’m thinking about putting a domain on a completely
> different ip and thinking it would be more secure, because of that,
> beyond the firewall and whm software and Apache and the architecture
> of the vps that already exist. Again, thanks for the clarity and
> enlightenment.
>
> Cody
>
> Clear skies and smooth sailing.
>
>> On Apr 1, 2020, at 10:58 PM, Mark G.
>> wrote:
>>
>> Hi Cody,
>>
>> All is well in this small part of the apocalypse.
>>
>> Your question has several layers of answers.  I might get some of
>> them right, and we can hope Craig jumps in to correct me.
>>
>> Segmentation
>> ------------
>>
>> Network segmentation is not the same as packet filtering.
>> Segmentation is the architectural design of a network. Say you want
>> sales, marketing and finance to have their own little networking
>> fiefdoms.  Then you would plan your network and divide it into
>> three segments.  One for sales, another for marketing and a third
>> for finance.  This is a high level segmentation.
>>
>> A lower level segmentation would be, in a physical sense, to have a
>> switch for each of sales, marketing and finance. The switches, or
>> more accurately, the devices connected to the switch, would have
>> their own set of network addresses, or subnet as they are often
>> called.
>>
>> E.g:  Sales: subnet 192.168.10.0/24
>>       Marketing: subnet 192.168.20.0/24
>>       Finance: subnet 192.168.30.0/24
>>
>> Note the changing third octet in the dotted-quad notation. The /24
>> means use the high-order 24 bits of the address to represent the
>> network portion and the last 8 bits as the host portion.  Each
>> subnet can have up to 254 computers associated with it.
>>
>> A router would connect each of the three network segments, which
>> are represented by their respective switches.
>>
>> So there you have three network segments: a logical one in the form
>> of departmental (sales etc.) divisions; a physical one in the form
>> of having a single switch for each department; and a network level
>> one where addressing is assigned to each department using IP
>> subnets.
>>
>> In IPv6 the subnets would be:
>> E.g:  Sales: subnet fdea:dead:beef:10::/64
>>       Marketing: subnet fdea:dead:beef:20::/64
>>       Finance: subnet fdea:dead:beef:30::/64
>>
>> I might be wrong using /64 in the above.
>>
>>
>> Segregation
>> -----------
>>
>> In the above segmented design, all network traffic is allowed to
>> flow freely between the three network segments. Often, this is what
>> you want.
>>
>> Other times, not.  In this case we attach restrictions on top of,
>> or in conjunction with, our network segmentation.
>>
>> Sales doesn't want finance to access their computers: add a
>> firewall rule (packet filter) to stop finance from connecting to
>> sales' computer.  This rule would likely be enforced by the
>> router.
>>
>> That rule has just segregated one part of the network from another.
>> Other rules can add more segregation.
>>
>>
>> VLANs (Virtual Local Area Networks)
>> -----------------------------------
>>
>> Network switches, on a large scale, can have 48+ ports on them (the
>> typical home switch has just 4 LAN ports). For large organizations,
>> it doesn't make sense to have many small switches, and is more cost
>> effective to have a few very large switches in a centralized
>> back-bone structure.
>>
>> To properly segment the three departments using a single switch
>> requires the switch to be capable of creating Virtual LANs (VLANs).
>> It would assign a VLAN number to a set of ports, one set for each
>> department.
>>
>> VLAN number:
>> E.g:  Sales: vlan 10
>>       Marketing: vlan 20
>>       Finance: vlan 30
>>
>> The numbers match the IP subnet numbers, but they don't have to.
>>
>> Using VLAN's is a segregation of the switch's ports into distinct
>> segments.  VLAN 10 will not see any packets from VLAN 20 and vice
>> versa, on the physical switch.  Note this is subtly different than
>> a firewall rule blocking access between IP subnets.
>>
>> At my home, I have a switch with 24 ports.  I have VLANs set up to
>> segregate my entertainment (netflix, youtube) computers from my
>> work and gaming computers.  VLANs are a useful tool.
>>
>> I also have firewall rules restricting access from one subnet to
>> another and so on.
>>
>> I hope this helps.
>>
>>> On 2020-04-01 6:21 PM, Catherin Gregory wrote:
>>> Hi all... Hope you are all doing ok.
>>>
>>> Is not "network segmentation" the same as packet filtering?
>>>
>>> Or is segmentation the same as segregation? Please enlighten me.
>>> Thanks.
>>>
>>> Segregation is typically achieved by a combination of firewalls
>>> <https://en.wikipedia.org/wiki/Firewall_(computing)> and VLANs
>>> <https://en.wikipedia.org/wiki/VLAN> (Virtual Local Area
>>> Networks). Software-Defined Networking
>>> <https://en.wikipedia.org/wiki/Software-Defined_Networking> (SDN)
>>> can allow the creation and management of micro-segmented
>>> networks.
>>> https://en.wikipedia.org/wiki/Network_segmentation#Controlling_visitor_access
>>
>> -- NetSIG mailing list NetSIG at vicpimakers.ca
>> http://vicpimakers.ca/mailman/listinfo/netsig_vicpimakers.ca
>