HxHippy

Network Segmentation

Design secure network segments with VLANs, subnets, and access controls.

Last updated: 2025-01-15

Divide networks into isolated segments to limit attack surface and control access.

Why Segment Networks?

  • Limit lateral movement - Contain breaches
  • Reduce attack surface - Fewer targets per segment
  • Compliance - PCI DSS, HIPAA requirements
  • Performance - Reduce broadcast domains
  • Access control - Enforce policies

Segmentation Strategies

VLAN Segmentation

VLAN 10 - Management (10.0.10.0/24)
VLAN 20 - Users (10.0.20.0/24)
VLAN 30 - Servers (10.0.30.0/24)
VLAN 40 - Guest (10.0.40.0/24)
VLAN 50 - IoT (10.0.50.0/24)

Zone-Based Design

                Internet
                   │
              [Firewall]
                   │
         ┌────────┼────────┐
         │        │        │
       [DMZ]   [Internal] [Mgmt]
         │        │        │
      Web/Mail  Workstations  Admin
      Servers   Printers      Network
                             Devices

VLAN Configuration

Linux (802.1Q)

# Create VLAN interface (the 8021q module is loaded on demand on modern kernels)
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip addr add 10.0.10.1/24 dev eth0.10
sudo ip link set eth0.10 up

Persistent (netplan; drop the file under /etc/netplan/, e.g. 10-vlans.yaml, then run sudo netplan apply):

network:
  version: 2
  ethernets:
    eth0:
      dhcp4: no
  vlans:
    eth0.10:
      id: 10
      link: eth0
      addresses: [10.0.10.1/24]
    eth0.20:
      id: 20
      link: eth0
      addresses: [10.0.20.1/24]

Switch Configuration (Example)

# Create VLANs
vlan 10
  name Management
vlan 20
  name Users
vlan 30
  name Servers

# Trunk port
interface GigabitEthernet0/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30

# Access port
interface GigabitEthernet0/2
  switchport mode access
  switchport access vlan 20

Prune every trunk to the VLANs it actually carries (as above), set the trunk's native VLAN to an unused VLAN, and disable DTP on access ports (switchport nonegotiate) so a connected host cannot negotiate itself into a trunk and hop between VLANs.

Inter-VLAN Routing

Router-on-a-Stick

# Router configuration
interface GigabitEthernet0/0.10
  encapsulation dot1Q 10
  ip address 10.0.10.1 255.255.255.0

interface GigabitEthernet0/0.20
  encapsulation dot1Q 20
  ip address 10.0.20.1 255.255.255.0

Linux Router

# Enable IP forwarding (persist it with net.ipv4.ip_forward=1 in /etc/sysctl.d/)
sysctl -w net.ipv4.ip_forward=1

# Default deny between segments; replies to established flows are allowed in both directions
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Management (VLAN 10) may open connections to Users (VLAN 20); the reverse is not allowed
iptables -A FORWARD -i eth0.10 -o eth0.20 -j ACCEPT

DMZ Design

Internet
    │
[External Firewall]
    │
   DMZ
  ├── Web Server
  ├── Mail Server
  └── Reverse Proxy
    │
[Internal Firewall]
    │
Internal Network

DMZ Firewall Rules

# Default deny; replies to established flows are allowed in every direction
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow HTTP/HTTPS from the Internet to the DMZ (new connections only)
iptables -A FORWARD -i eth0 -o dmz0 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

# Allow DMZ to query internal DNS
iptables -A FORWARD -i dmz0 -o internal0 -p udp --dport 53 -j ACCEPT

# Allow one DMZ host to one internal database port. The DMZ subnet is assumed to be
# 10.0.60.0/24 here; it is not in the VLAN plan above, and 10.0.50.0/24 is the IoT VLAN.
iptables -A FORWARD -i dmz0 -o internal0 -s 10.0.60.10 -d 10.0.30.20 -p tcp --dport 3306 -j ACCEPT

# Deny everything else from the DMZ into the internal network (explicit, in addition to the policy)
iptables -A FORWARD -i dmz0 -o internal0 -j DROP

Micro-segmentation

Fine-grained segmentation at workload level.

Host-Based Firewall

# Web server - only allow HTTP/HTTPS; SSH only from the management VLAN.
# Order matters: loopback and established flows first, then the allows, then drop.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 10.0.10.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -j DROP
# Set the policy last (or load the whole set atomically with iptables-restore) so a
# remote session is not cut off before the ESTABLISHED rule is in place
iptables -P INPUT DROP

Container Segmentation

# Docker network isolation
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true  # No external access

services:
  web:
    networks:
      - frontend
      - backend
  database:
    networks:
      - backend
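The compose fragment above says which networks each service joins, but the property you actually care about is who can reach the database and whether it is exposed to the host. The following is an added example, not part of the page or of Docker itself: it audits that property from the compose structure (written as a Python dict with the same shape PyYAML would load, so it runs offline). The published port on `web` and the `admin` service in the drift variant are constructed for the example.

```python
"""Audit Compose network membership: who can reach whom, and is the database exposed?

Added example, not part of the page's compose file. The compose content is the
same structure PyYAML would load from the YAML above, written as a dict so it
runs offline; the published port on web and the "admin" service are constructed.
"""
from typing import Dict, List, Set, Tuple


def _networks_of(service: Dict) -> Set[str]:
    """Compose allows a list or a mapping under `networks`; no key means `default`."""
    nets = service.get("networks", ["default"])
    return set(nets) if isinstance(nets, list) else set(nets.keys())


def reachable_pairs(compose: Dict) -> Set[Tuple[str, str]]:
    """Two services can talk when they share at least one network
    (user-defined bridge networks permit inter-container traffic by default)."""
    members: Dict[str, Set[str]] = {}
    for name, svc in compose["services"].items():
        for net in _networks_of(svc):
            members.setdefault(net, set()).add(name)
    pairs = set()
    for group in members.values():
        for a in group:
            for b in group:
                if a != b:
                    pairs.add((a, b))
    return pairs


def published(compose: Dict) -> Set[str]:
    """Services with host-published ports are reachable from outside the host."""
    return {n for n, s in compose["services"].items() if s.get("ports")}


def audit(compose: Dict, protected: str, allowed_peers: Set[str]) -> List[str]:
    """Findings for a service that must only be reachable from allowed_peers,
    must publish no ports and must sit only on internal networks."""
    findings = []
    nets = compose.get("networks", {})
    svc = compose["services"][protected]
    if protected in published(compose):
        findings.append(f"{protected} publishes ports to the host")
    for net in _networks_of(svc):
        if not nets.get(net, {}).get("internal"):
            findings.append(f"{protected} is on non-internal network {net!r}")
    for a, b in sorted(reachable_pairs(compose)):
        if b == protected and a not in allowed_peers:
            findings.append(f"{a} can reach {protected} but is not an allowed peer")
    return findings


# The compose file from this section as a dict (web publishing 443 is an assumption)
COMPOSE = {
    "networks": {"frontend": {"driver": "bridge"}, "backend": {"driver": "bridge", "internal": True}},
    "services": {
        "web": {"networks": ["frontend", "backend"], "ports": ["443:443"]},
        "database": {"networks": ["backend"]},
    },
}

# Constructed drift: an "admin" tool lands on the backend network with a published port
COMPOSE_DRIFT = {
    "networks": COMPOSE["networks"],
    "services": {**COMPOSE["services"], "admin": {"networks": ["backend"], "ports": ["8080:8080"]}},
}

if __name__ == "__main__":
    print(audit(COMPOSE, "database", {"web"}))        # no findings
    print(audit(COMPOSE_DRIFT, "database", {"web"}))  # admin can reach database
```

Run the audit in CI against the real compose file (load it with PyYAML and pass the dict in); the point is that a service added to `backend` months later is caught because it changes the reachability graph, not because someone remembered to review the network list.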

Access Control Lists

Network ACL

# Block traffic between user segments (10.0.21.0/24 is a second user subnet, not in the VLAN plan above)
iptables -A FORWARD -s 10.0.20.0/24 -d 10.0.21.0/24 -j DROP

# Allow users to servers only on specific ports. Rules match first-hit, so keep the
# ESTABLISHED,RELATED accept above these and the DROP after the ACCEPT.
iptables -A FORWARD -s 10.0.20.0/24 -d 10.0.30.0/24 -p tcp -m multiport --dports 80,443,22 -j ACCEPT
iptables -A FORWARD -s 10.0.20.0/24 -d 10.0.30.0/24 -j DROP

Monitoring Segmentation

# A LOG rule appended after a DROP never fires, so log and drop in one chain and
# send denied traffic through it (explicit DROP rules elsewhere become -j SEGMENT_DROP)
iptables -N SEGMENT_DROP
iptables -A SEGMENT_DROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "SEGMENT-DROP: " --log-level 4
iptables -A SEGMENT_DROP -j DROP

# Catch-all at the very end of FORWARD
iptables -A FORWARD -j SEGMENT_DROP

# Check for violations (use journalctl -k on journald-only hosts)
grep "SEGMENT-DROP" /var/log/syslog | tail -20
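Grepping the last twenty lines tells you that something was dropped, not what it means. The script below is an added example, not code from the page: it parses the kernel LOG lines (standard `KEY=VALUE` fields after the `SEGMENT-DROP:` prefix), maps source and destination addresses to the zones in the VLAN plan above, counts drops per zone pair and port, and flags any source that touched several distinct targets, which is what a host probing across a segment boundary looks like. The log lines are constructed for the example.

```python
"""Summarize SEGMENT-DROP kernel log lines by zone pair and flag port scanners.

Added example, not from the page. Zone subnets are the VLAN plan above; the log
lines are constructed in the standard iptables LOG format (KEY=VALUE fields).
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

ZONES = {
    "Management": "10.0.10.0/24",
    "Users": "10.0.20.0/24",
    "Servers": "10.0.30.0/24",
    "Guest": "10.0.40.0/24",
    "IoT": "10.0.50.0/24",
}
_NETS = [(name, ipaddress.ip_network(cidr)) for name, cidr in ZONES.items()]
_KV = re.compile(r"\b([A-Z]+)=(\S+)")


def zone_of(addr: str) -> str:
    """Zone name for an address, or 'External' when it is in no VLAN subnet."""
    ip = ipaddress.ip_address(addr)
    for name, net in _NETS:
        if ip in net:
            return name
    return "External"


def parse_drop(line: str) -> Optional[Dict]:
    """Extract SRC/DST/PROTO/DPT from one LOG line; None if it is not a SEGMENT-DROP line."""
    marker = "SEGMENT-DROP:"
    if marker not in line:
        return None
    fields = dict(_KV.findall(line.split(marker, 1)[1]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,  # ICMP has no port
    }


Key = Tuple[str, str, str, Optional[int]]  # (src zone, dst zone, proto, dport)


def summarize(lines: List[str], scan_threshold: int = 3):
    """Count drops per (src zone, dst zone, proto, dport), most frequent first, and
    list sources that hit at least scan_threshold distinct (dst, dport) targets."""
    counts: Counter = Counter()
    targets: Dict[str, set] = defaultdict(set)
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        key: Key = (zone_of(d["src"]), zone_of(d["dst"]), d["proto"], d["dport"])
        counts[key] += 1
        targets[d["src"]].add((d["dst"], d["dport"]))
    report = [(*key, n) for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))]
    scanners = sorted(src for src, t in targets.items() if len(t) >= scan_threshold)
    return report, scanners


# Constructed sample: a workstation probing the management VLAN, an IoT device
# retrying the database port, a guest poking a workstation and a gateway, plus noise.
SAMPLE_LOG = [
    "Jan 15 10:22:01 fw kernel: SEGMENT-DROP: IN=eth0.20 OUT=eth0.10 SRC=10.0.20.15 DST=10.0.10.5 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Jan 15 10:22:01 fw kernel: SEGMENT-DROP: IN=eth0.20 OUT=eth0.10 SRC=10.0.20.15 DST=10.0.10.5 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=445 SYN",
    "Jan 15 10:22:02 fw kernel: SEGMENT-DROP: IN=eth0.20 OUT=eth0.10 SRC=10.0.20.15 DST=10.0.10.5 LEN=60 TTL=63 PROTO=TCP SPT=51236 DPT=3389 SYN",
    "Jan 15 10:22:02 fw kernel: SEGMENT-DROP: IN=eth0.20 OUT=eth0.10 SRC=10.0.20.15 DST=10.0.10.5 LEN=60 TTL=63 PROTO=TCP SPT=51237 DPT=5900 SYN",
    "Jan 15 10:23:10 fw kernel: SEGMENT-DROP: IN=eth0.50 OUT=eth0.30 SRC=10.0.50.23 DST=10.0.30.20 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=3306 SYN",
    "Jan 15 10:23:40 fw kernel: SEGMENT-DROP: IN=eth0.50 OUT=eth0.30 SRC=10.0.50.23 DST=10.0.30.20 LEN=60 TTL=63 PROTO=TCP SPT=40002 DPT=3306 SYN",
    "Jan 15 10:24:05 fw kernel: SEGMENT-DROP: IN=eth0.40 OUT=eth0.20 SRC=10.0.40.7 DST=10.0.20.15 LEN=60 TTL=63 PROTO=TCP SPT=33000 DPT=445 SYN",
    "Jan 15 10:24:06 fw kernel: SEGMENT-DROP: IN=eth0.40 OUT=eth0.10 SRC=10.0.40.7 DST=10.0.10.1 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0",
    "Jan 15 10:24:07 fw sshd[912]: Accepted publickey for admin from 10.0.10.5 port 50122 ssh2",
]

if __name__ == "__main__":
    report, scanners = summarize(SAMPLE_LOG)
    for row in report:
        print(row)
    print("possible scanners:", scanners)
```

Feed it `journalctl -k --since -1h` or the syslog file; the zone-pair view is what you compare against the segmentation matrix, and a source with many distinct targets deserves a look regardless of how few packets each target saw.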

Segmentation Matrix

Source      Destination   Allowed
Users       Internet      HTTP, HTTPS, DNS
Users       Servers       HTTP, HTTPS, SSH
Users       Management    None
Servers     Internet      Updates only
Servers     Users         Responses only (established flows, no new connections)
DMZ         Internal      Specific services only
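The matrix is the policy; the iptables rules in the Access Control Lists section are one rendering of it, and the two drift apart unless the rules are generated from the matrix and the result is tested. The script below is an added example, not code from the page or from any tool it names: it turns the matrix rows into a default-deny FORWARD rule set and then evaluates a list of test flows against the same rules (first match wins, policy DROP) so the audit can run before anything touches a firewall. It assumes 10.0.0.0/16 contains every internal zone (so "Internet" is rendered as `! -d 10.0.0.0/16`), treats "Updates only" as HTTP/HTTPS, and adds a Management to Servers SSH row that the page's matrix does not list; the test flows are constructed.

```python
"""Segmentation matrix -> iptables FORWARD rules, plus a first-match audit.

Added example; zone names and subnets come from the VLAN plan on this page.
Assumptions: 10.0.0.0/16 holds every internal zone, "Updates only" is treated
as HTTP/HTTPS, and an extra Management -> Servers SSH row is included.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

ZONES = {
    "Management": "10.0.10.0/24",
    "Users": "10.0.20.0/24",
    "Servers": "10.0.30.0/24",
    "Guest": "10.0.40.0/24",
    "IoT": "10.0.50.0/24",
}
INTERNAL = "10.0.0.0/16"  # assumption: "Internet" means any address outside this block
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SSH": ("tcp", 22), "DNS": ("udp", 53)}

# Allow-list rows (source zone, destination zone, services). Anything absent is denied.
MATRIX = [
    ("Users", "Internet", ["HTTP", "HTTPS", "DNS"]),
    ("Users", "Servers", ["HTTP", "HTTPS", "SSH"]),
    ("Servers", "Internet", ["HTTP", "HTTPS"]),  # "Updates only" (assumption)
    ("Management", "Servers", ["SSH"]),          # assumption, not on the page
]


class Rule(NamedTuple):
    src: str      # CIDR
    dst: str      # CIDR, or "!CIDR" meaning anything outside CIDR
    proto: str
    dport: int
    target: str


def build_rules(matrix) -> List[Rule]:
    rules = []
    for src, dst, services in matrix:
        dst_net = "!" + INTERNAL if dst == "Internet" else ZONES[dst]
        for svc in services:
            proto, port = SERVICES[svc]
            rules.append(Rule(ZONES[src], dst_net, proto, port, "ACCEPT"))
    return rules


def render(rules: List[Rule]) -> List[str]:
    """iptables commands: default deny, conntrack for replies, explicit allows, then log."""
    out = [
        "iptables -P FORWARD DROP",
        "iptables -F FORWARD",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP",
    ]
    for r in rules:
        dst = f"! -d {r.dst[1:]}" if r.dst.startswith("!") else f"-d {r.dst}"
        out.append(f"iptables -A FORWARD -s {r.src} {dst} -p {r.proto} --dport {r.dport} "
                   f"-m conntrack --ctstate NEW -j {r.target}")
    out.append('iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "SEGMENT-DROP: " --log-level 4')
    return out


def _matches(addr: str, spec: str) -> bool:
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != negate


def verdict(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Fate of a NEW connection: first matching rule wins, otherwise the DROP policy."""
    for r in rules:
        if _matches(src, r.src) and _matches(dst, r.dst) and r.proto == proto and r.dport == dport:
            return r.target
    return "DROP"


Flow = Tuple[str, str, str, int]


def audit(rules: List[Rule], checks: List[Tuple[Flow, str]]) -> List[Tuple[Flow, str, str]]:
    """Return (flow, expected, actual) for every check the rule set gets wrong."""
    return [(f, want, verdict(rules, *f)) for f, want in checks if verdict(rules, *f) != want]


# Flows to probe from each segment (constructed; 203.0.113.10 is a TEST-NET-3 address)
CHECKS = [
    (("10.0.20.15", "10.0.30.20", "tcp", 443), "ACCEPT"),    # Users -> Servers HTTPS
    (("10.0.20.15", "10.0.30.20", "tcp", 3306), "DROP"),     # Users -> Servers MySQL
    (("10.0.20.15", "10.0.10.5", "tcp", 22), "DROP"),        # Users -> Management: None
    (("10.0.20.15", "203.0.113.10", "tcp", 443), "ACCEPT"),  # Users -> Internet HTTPS
    (("10.0.40.7", "10.0.30.20", "tcp", 443), "DROP"),       # Guest -> Servers
    (("10.0.30.20", "10.0.20.15", "tcp", 443), "DROP"),      # Servers -> Users: replies only
    (("10.0.10.5", "10.0.30.20", "tcp", 22), "ACCEPT"),      # Management -> Servers SSH
]

RULES = build_rules(MATRIX)

if __name__ == "__main__":
    print("\n".join(render(RULES)))
    print("audit failures:", audit(RULES, CHECKS))
```

The ordering detail worth noticing is the Internet row: rendered as a plain `-d 0.0.0.0/0` it would also match Users to Servers on port 80, silently widening the policy; negating the internal block keeps the Internet rules from ever matching an internal destination, which the audit confirms with the Users to Management check. The same evaluator doubles as the "Regular audit" step: run the check list after every rule change and diff the rendered output against what is loaded on the router.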

Best Practices

  1. Default deny - Block all, allow specific
  2. Least privilege - Minimal required access
  3. Document policies - Maintain ACL matrix
  4. Monitor traffic - Log inter-segment flow
  5. Regular audit - Verify segmentation by testing flows from each segment and diffing the loaded rules against the matrix