Network Segmentation
Divide networks into isolated segments to limit attack surface and control access.
Why Segment Networks?
- Limit lateral movement - Contain breaches
- Reduce attack surface - Fewer targets per segment
- Compliance - PCI DSS, HIPAA requirements
- Performance - Reduce broadcast domains
- Access control - Enforce policies
Segmentation Strategies
VLAN Segmentation
VLAN 10 - Management (10.0.10.0/24)
VLAN 20 - Users (10.0.20.0/24)
VLAN 30 - Servers (10.0.30.0/24)
VLAN 40 - Guest (10.0.40.0/24)
VLAN 50 - IoT (10.0.50.0/24)

Zone-Based Design

```
          Internet
              │
         [Firewall]
              │
     ┌────────┼────────┐
     │        │        │
   [DMZ]  [Internal]  [Mgmt]
     │        │        │
 Web/Mail Workstations Admin
 Servers   Printers    Network
                       Devices
```

VLAN Configuration
Linux (802.1Q)

```bash
# Create VLAN interface
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip addr add 10.0.10.1/24 dev eth0.10
sudo ip link set eth0.10 up
```

```yaml
# Persistent (netplan)
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: no
  vlans:
    eth0.10:
      id: 10
      link: eth0
      addresses: [10.0.10.1/24]
    eth0.20:
      id: 20
      link: eth0
      addresses: [10.0.20.1/24]
```

Switch Configuration (Example)
```
! Create VLANs
vlan 10
 name Management
vlan 20
 name Users
vlan 30
 name Servers
! Trunk port - carries only the VLANs listed
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
! Access port - untagged, single VLAN
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
```

Inter-VLAN Routing
Router-on-a-Stick

```
! Router configuration - one sub-interface per VLAN on the trunk
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
```

Linux Router
```bash
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Add routes and firewall rules: Management may initiate connections to Users,
# Users only get the return traffic of those connections
iptables -A FORWARD -i eth0.10 -o eth0.20 -j ACCEPT
iptables -A FORWARD -i eth0.20 -o eth0.10 -m state --state ESTABLISHED,RELATED -j ACCEPT
```

DMZ Design
```
        Internet
            │
   [External Firewall]
            │
           DMZ
      ├── Web Server
      ├── Mail Server
      └── Reverse Proxy
            │
   [Internal Firewall]
            │
     Internal Network
```

DMZ Firewall Rules
```bash
# Allow HTTP/HTTPS from the Internet to DMZ
iptables -A FORWARD -i eth0 -o dmz0 -p tcp -m multiport --dports 80,443 -j ACCEPT
# Allow DMZ to query internal DNS
iptables -A FORWARD -i dmz0 -o internal0 -p udp --dport 53 -j ACCEPT
# Allow DMZ to internal database (specific host-to-host pair only)
iptables -A FORWARD -i dmz0 -o internal0 -s 10.0.50.10 -d 10.0.30.20 -p tcp --dport 3306 -j ACCEPT
# Deny DMZ to internal (default; must come after the specific allows)
iptables -A FORWARD -i dmz0 -o internal0 -j DROP
```

Micro-segmentation
Fine-grained segmentation at workload level.
Host-Based Firewall

```bash
# Web server - only allow HTTP/HTTPS, plus SSH from the Management VLAN
iptables -A INPUT -i lo -j ACCEPT                                  # loopback, so local services keep working
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to connections the host opened
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 10.0.10.0/24 -j ACCEPT
iptables -A INPUT -j DROP                                          # everything else
```

Container Segmentation
```yaml
# Docker network isolation (compose file)
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true   # No external access
services:
  web:
    networks:
      - frontend
      - backend
  database:
    networks:
      - backend
```

Access Control Lists
Network ACL
```bash
# Block traffic between user segments
iptables -A FORWARD -s 10.0.20.0/24 -d 10.0.21.0/24 -j DROP
# Allow users to servers only on specific ports
iptables -A FORWARD -s 10.0.20.0/24 -d 10.0.30.0/24 -p tcp -m multiport --dports 80,443,22 -j ACCEPT
iptables -A FORWARD -s 10.0.20.0/24 -d 10.0.30.0/24 -j DROP
```

Monitoring Segmentation
```bash
# Log dropped packets: append this after every ACCEPT rule, with the chain's
# default policy set to DROP, so what reaches it is exactly what gets dropped
iptables -A FORWARD -j LOG --log-prefix "SEGMENT-DROP: " --log-level 4
# Check for violations
grep "SEGMENT-DROP" /var/log/syslog | tail -20
```

Segmentation Matrix
| Source | Destination | Allowed |
|---|---|---|
| Users | Internet | HTTP, HTTPS, DNS |
| Users | Servers | HTTP, HTTPS, SSH |
| Users | Management | None |
| Servers | Internet | Updates only |
| Servers | Users | Response only |
| DMZ | Internal | Specific services |
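Tallying the SEGMENT-DROP log by zone pair makes the matrix above checkable against what the firewall actually denies. The following is an added example, not part of the original page: it maps SRC/DST addresses onto the VLAN plan above and counts denied flows per zone pair, protocol and port; the syslog lines are constructed samples in the format the iptables LOG target writes.

```python
import ipaddress
import re
from collections import Counter

# Zone-to-subnet map, taken from the VLAN plan on this page.
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in [
    ("Management", "10.0.10.0/24"), ("Users", "10.0.20.0/24"),
    ("Servers", "10.0.30.0/24"), ("Guest", "10.0.40.0/24"),
    ("IoT", "10.0.50.0/24"),
]}

# Constructed sample syslog lines in the format the iptables LOG target writes.
SAMPLE_LOG = """\
Jan 10 09:12:01 gw kernel: SEGMENT-DROP: IN=eth0.20 OUT=eth0.10 SRC=10.0.20.15 DST=10.0.10.5 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 10 09:12:02 gw kernel: SEGMENT-DROP: IN=eth0.20 OUT=eth0.10 SRC=10.0.20.15 DST=10.0.10.5 LEN=60 TTL=63 PROTO=TCP SPT=51001 DPT=22 SYN
Jan 10 09:12:05 gw kernel: SEGMENT-DROP: IN=eth0.40 OUT=eth0.30 SRC=10.0.40.7 DST=10.0.30.20 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=3306 SYN
Jan 10 09:12:09 gw kernel: SEGMENT-DROP: IN=eth0.50 OUT=eth0.30 SRC=10.0.50.3 DST=10.0.30.20 LEN=72 TTL=64 PROTO=UDP SPT=5353 DPT=53
Jan 10 09:13:00 gw sshd[1]: Accepted publickey for admin from 10.0.10.9
"""
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def zone_of(ip: str) -> str:
    """Map an address to its zone name via the VLAN plan; 'Unknown' if outside it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Unknown"

def parse_drop(line: str):
    """Return (src_zone, dst_zone, proto, dport) for a SEGMENT-DROP line, else None."""
    if "SEGMENT-DROP:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return (zone_of(fields["SRC"]), zone_of(fields["DST"]),
            fields.get("PROTO", "?"), fields.get("DPT", "-"))

def summarize(log_text: str) -> Counter:
    """Count denied flows per (src_zone, dst_zone, proto, dport); non-drop lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_drop(line)
        if parsed:
            counts[parsed] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:>10} -> {dst:<10} {proto}/{dport}")
```

Any zone pair that the matrix lists as "None" and that shows up with a high count is a policy violation attempt worth investigating; a pair the matrix allows that shows up at all means the rules and the matrix have drifted apart.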
Best Practices
- Default deny - Block all, allow specific
- Least privilege - Minimal required access
- Document policies - Maintain ACL matrix
- Monitor traffic - Log inter-segment flow
- Regular audit - Verify segmentation