
IS Isolation and Segmentation

Information Security - Aytekin Guzelis, CISA, CRISC

Segmentation
Segmentation is a common and essential technique: an organization's network is divided
into segments so that each segment can be separately controlled, monitored and
protected. This raises the overall security level of the network. Access controls should
be applied between these smaller segments.

Segmenting network traffic enables an organization to keep different types of data
separate from one another.

Segmentation can be physical or logical.

To segment a network, first understand the devices and data on it. Once you know which
devices are in use, who uses them and what data they hold, you can start configuring
the segmented networks.
Network without Segmentation

Without network segmentation and separation, an attacker could move to other devices on
your network without being stopped by access controls or security policies. An accidental
malicious download by a user could result in a widespread network incident.

https://www.brighthub.com/computing/enterprise-security/articles/67023.aspx

Segmentation - Examples
As a good practice, separate networks can be created for each group of devices that
hold sensitive data. For example: a separate network that contains cardholder data, a
separate network for the finance team and a separate network for all other business
functions.

Network segmentation can be a great way to control and lock down access to any legacy
systems that organizations might still be running. A gateway can be placed in front of
them that scans for the specific vulnerabilities the legacy systems may be exposed to
and prevents those systems from being compromised.

VLANs
The most common approach to network segmentation is the use of Virtual Local Area
Networks (VLANs).

Virtual Local Area Networks (VLANs) are groups of devices on one or more LANs that are
logically segmented from the rest of the network.

A VLAN is set up by configuring ports on a switch, so that devices attached to these
ports communicate as if they were attached to the same physical network segment, even
though the devices may actually be located on different LAN segments.

A VLAN is based on logical rather than physical connections and thus allows great
flexibility.
Traditional Segmentation vs VLANs

Network with Segmentation

https://www.brighthub.com/computing/enterprise-security/articles/67023.aspx
DMZ
Organizations separate their internal systems from the Internet using a firewall.

Some services, such as web or mail servers, need to accept inbound connections from
untrusted networks like the internet. These services can be kept in a DMZ, a
semi-trusted network that the organization controls. Gateways can be used to control
and filter the traffic as it passes between the sensitive internal networks, the DMZ
and the internet.

The DMZ functions as a small, isolated network for an organization’s public servers.
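The three-zone design above (internet, DMZ, internal) and the lateral-movement risk of the unsegmented network can be modelled as a small zone-based gateway policy. The following is an added example, not code from the slides: zone address ranges, the database port 5432 and the first-match, default-deny rule order are assumptions, and the flat network is modelled as a policy that allows every flow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone ranges (assumptions for this example, not from the slides).
ZONES = {
    "internet": [ip_network("0.0.0.0/0")],   # catch-all, matched last
    "dmz": [ip_network("192.0.2.0/24")],      # public web/mail servers
    "internal": [ip_network("10.0.0.0/8")],   # sensitive internal systems
}

def zone_of(addr: str) -> str:
    """Map an IP address to its zone; the most specific network wins."""
    ip = ip_address(addr)
    best, best_len = "internet", -1
    for name, nets in ZONES.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset   # empty frozenset means "any destination port"
    action: str        # "allow" or "deny"

# Gateway policy between zones: first matching rule wins, anything else is denied.
SEGMENTED_POLICY = [
    Rule("internet", "dmz", frozenset({25, 80, 443}), "allow"),   # inbound mail/web only
    Rule("dmz", "internal", frozenset({5432}), "allow"),          # DMZ may reach the DB port only (assumed)
    Rule("internal", "dmz", frozenset(), "allow"),                # admins manage DMZ hosts
    Rule("internal", "internet", frozenset({80, 443}), "allow"),  # outbound browsing
]

# Unsegmented network: no gateways between hosts, so every flow is permitted.
FLAT_POLICY = [Rule(s, d, frozenset(), "allow") for s in ZONES for d in ZONES]

def evaluate(policy, src_ip: str, dst_ip: str, dport: int) -> str:
    """Decide whether a flow crosses the gateways under the given policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # traffic inside one segment never hits a zone gateway
    for r in policy:
        if r.src == src and r.dst == dst and (not r.ports or dport in r.ports):
            return r.action
    return "deny"  # implicit default deny at every gateway

if __name__ == "__main__":
    # A compromised DMZ web server trying SMB into the internal zone.
    print("flat:", evaluate(FLAT_POLICY, "192.0.2.10", "10.1.2.3", 445))
    print("segmented:", evaluate(SEGMENTED_POLICY, "192.0.2.10", "10.1.2.3", 445))
```

Running the script shows the same DMZ-to-internal SMB flow allowed on the flat network and denied once the zone gateways are in place, while the permitted database port still works.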
