Chapter 17. Segmentation

Segmentation is the process of compartmentalizing a network into smaller zones. It can take many forms, both physical and logical, and it has many benefits, especially for security. Flat networks with little or no segmentation are nonetheless still common in many organizations. In this chapter, we walk through segmentation practices and designs that can help boost the security of your environment.

Network Segmentation

There are two main approaches to network segmentation: physical and logical. Physical segmentation uses dedicated hardware to divide the network into segments; it relies on equipment already in the environment, on additional capital for new devices, or on both. Logical segmentation segregates different parts of the network on the same hardware (VLANs are the common example) and requires sufficient knowledge of your specific network, its routing, and its design. The two approaches are often combined, and both must take many design elements into consideration.

Physical

Network segmentation should start, when possible, with physical devices such as firewalls, switches, and routers. This divides the network into more manageable zones, which, when designed properly, add a layer of protection against network intrusion, insider threats, and the propagation of malicious software or activity. Placing firewalls at all network ingress/egress points will offer control over and visibility into ...
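To make the propagation point concrete, here is an added example (not code from the book or its authors) that models the blast radius of a compromised workstation under a flat design and under a zoned design with a default-deny firewall between zones. The zone names, address ranges, host inventory and allow rule are all constructed for illustration.

```python
"""Blast radius of a compromised host: flat network versus zoned network.

Added example, not from the Defensive Security Handbook. Zones, addresses,
hosts and firewall rules are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Zone:
    name: str
    cidr: ipaddress.IPv4Network


@dataclass
class Firewall:
    """Inter-zone policy: default deny, plus explicit (src_zone, dst_zone, port)
    allow rules. Traffic that stays inside one zone never crosses the firewall,
    so it is always permitted here; keeping zones small is what limits that."""
    allows: set = field(default_factory=set)

    def permits(self, src_zone: str, dst_zone: str, port: int) -> bool:
        if src_zone == dst_zone:
            return True
        return (src_zone, dst_zone, port) in self.allows


def zone_of(ip: str, zones: list[Zone]) -> str:
    """Map an address to the zone whose CIDR contains it."""
    addr = ipaddress.ip_address(ip)
    for z in zones:
        if addr in z.cidr:
            return z.name
    raise ValueError(f"{ip} is not in any zone")


def reachable_from(start_ip: str, hosts: dict[str, str], zones: list[Zone],
                   fw: Firewall, port: int) -> set[str]:
    """Names of hosts an attacker on start_ip can reach on the given port."""
    src_zone = zone_of(start_ip, zones)
    return {name for name, ip in hosts.items()
            if ip != start_ip and fw.permits(src_zone, zone_of(ip, zones), port)}


# Constructed sample inventory, identical in both designs.
HOSTS = {
    "ws-alice": "10.10.1.10",
    "ws-bob": "10.10.1.11",
    "web-01": "10.20.1.10",
    "db-01": "10.20.1.20",
    "core-sw-mgmt": "10.30.1.5",
}

# Flat design: a single zone, so no firewall sits between any two hosts.
FLAT_ZONES = [Zone("corp", ipaddress.ip_network("10.0.0.0/8"))]
FLAT_FW = Firewall()

# Zoned design: users, servers and management, with one allow rule
# (users may reach the server zone on TCP 443 only).
SEG_ZONES = [
    Zone("users", ipaddress.ip_network("10.10.0.0/16")),
    Zone("servers", ipaddress.ip_network("10.20.0.0/16")),
    Zone("mgmt", ipaddress.ip_network("10.30.0.0/16")),
]
SEG_FW = Firewall(allows={("users", "servers", 443)})


def blast_radius(design: str, port: int, start_ip: str = "10.10.1.10") -> set[str]:
    """Hosts reachable from a compromised ws-alice under the chosen design."""
    zones, fw = (FLAT_ZONES, FLAT_FW) if design == "flat" else (SEG_ZONES, SEG_FW)
    return reachable_from(start_ip, HOSTS, zones, fw, port)


if __name__ == "__main__":
    for design in ("flat", "segmented"):
        for port in (445, 443):
            print(f"{design:9} port {port}: {sorted(blast_radius(design, port))}")
```

On the flat design an SMB (445) scan from the workstation reaches every host, management switch included; on the zoned design it reaches only the other workstation. Note the remaining caveat the model exposes: the single zone-level allow rule on 443 still lets the workstation reach db-01, because the rule is written per zone rather than per host, which is why firewall policy granularity matters as much as the zone boundaries themselves.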

Source: Defensive Security Handbook, 2nd Edition (O'Reilly).