Сегментация сети

Why Segment Networks

Network segmentation divides a network into isolated zones to limit the blast radius of a breach, simplify FirewallA network security device or software that monitors and filters incoming and outgoing traffic based on predefined rules. Firewalls can block traffic by IP address, port number, protocol, or application-layer content. policy, and meet regulatory compliance requirements. A flat network where every device can reach every other device allows an attacker who compromises one endpoint to move laterally to any other. Segmentation forces traffic between zones through controlled choke points — firewalls, RouterA network device that forwards data packets between different networks by examining destination IP addresses and consulting its routing table. Routers operate at Layer 3 (Network) of the OSI model. ACLs, or NACNetwork Access Control. A security approach that enforces policies on devices attempting to join a network, verifying identity, health (antivirus, patches), and compliance before granting access. Integrates with RADIUS and 802.1X. enforcement points — where policies can be inspected and enforced.

Segmentation Techniques

VLANVirtual Local Area Network. A logical network segmentation technique that groups devices into separate broadcast domains regardless of physical location, using IEEE 802.1Q tagging. VLANs improve security, performance, and manageability. tagging is the most common Layer 2 segmentation mechanism. At Layer 3, separate subnets with inter-VLAN routing through a firewall provide more robust enforcement. Microsegmentation — implemented by host-based firewalls or SDNSoftware-Defined Networking. An architecture that decouples the network control plane from the data plane, enabling centralized, programmable network management through software controllers. SDN improves agility and automation in large networks.-driven policy — extends segmentation down to individual workload pairs, preventing east-west movement even within the same subnet. DMZDemilitarized Zone. A network segment that sits between an organization's internal network and the public internet, hosting public-facing services (web servers, email) while isolating the internal network from direct external access. architecture places internet-facing services in a dedicated segment separated from internal resources. Zero-trust architectures treat all segments as untrusted and require per-connection authentication and authorization.

Segment Design Principles

Effective segmentation groups assets by function, data classification, and trust level. Production databases, developer workstations, IoTInternet of Things. The network of physical devices (sensors, cameras, appliances, vehicles) embedded with connectivity and software that collect and exchange data over the internet. IoT devices often use protocols like MQTT and CoAP. devices, and visitor Wi-Fi each belong in separate segments. Segment boundaries should align with compliance scope: PCI-DSS mandates that cardholder data environments be isolated from other networks. Bastion HostA hardened, publicly accessible server that serves as the sole entry point for administrative SSH or RDP access to an internal network. Bastion hosts (or jump boxes) reduce the attack surface by concentrating and auditing remote access. servers provide controlled cross-segment administrative access without opening broad firewall rules. Open Port Checker helps verify that only permitted inter-segment communication paths exist.