Network Segmentation

MitM Member Posts: 622 ■■■■□□□□□□
I recently was at a site that was considering a reconfiguration of their network. They have multiple VLANs, but no segmentation at all. On some subnets, they have end-user machines mixed with printers, or end-user machines mixed with servers. They had HR users on the same subnet as sales or finance people.

Personally, I feel each department should always be on their own network, with rules in place to restrict access between those networks. In many cases, even within departments, I think isolated private vlans can be used.

I'm curious how everyone handles network segmentation at the companies you work for. I'm interested how you chose to implement it, from the data center all the way down to the end users.

Feel free to share products/techniques you use, as well

Comments

  • Welly_59 Member Posts: 431
    What are the vlans for if not segmentation?
  • MitM Member Posts: 622 ■■■■□□□□□□
    My guess is their thought was this side of the office will be vlan 100, across the way will be vlan 200, the next floor will be vlan 250

    Not sure, not my company, just some firewall side work I was doing. I think their internal people will be handling the project

    After visiting this site, it made me curious to see how TE members handle segmentation.
  • jelevated Member Posts: 139
    I wouldn't worry about the user space too much. I used to but realized it wasn't worth the effort. Focus on better access controls for the network resources.

    Definitely make sure your DNS is up to snuff, servers are on their own VLAN with good bandwidth, printers, maybe can be on their own VLAN for simplified administration.
  • TechGromit GSEC, GCIH, GREM, Ontario, NY Member Posts: 2,044 ■■■■■■■■□□
    I would be careful with your printers, you don't want a situation where the Finance printer is down, but they can't use the HR printer in the next office because it's on a different VLAN.
    Still searching for the corner in a round room.
  • TheFORCE Senior Member Member Posts: 2,298 ■■■■■■■■□□
    TechGromit wrote: »
    I would be careful with your printers, you don't want a situation where the Finance printer is down, but they can't use the HR printer in the next office because it's on a different VLAN.

    You don't want other departments to print on the HR printer, trust me. People walking over and seeing whatever is left over from an HR person: sensitive info, salary, socials, etc. that an HR person might forget.

    When it comes to printers, have all users be able to print to all the printers on their floor or location, but only map the one that is closest to them. On top of this, use printers that require authentication (scan-your-badge type of authentication) to release and print a document. This way, the document will not be printed and left unattended until the user actually goes to the printer and scans their badge. This solves the above issue I mentioned.
  • MitM Member Posts: 622 ■■■■□□□□□□
    TheFORCE wrote: »
    On top of this, use printers that require authentication (scan-your-badge type of authentication) to release and print a document. This way, the document will not be printed and left unattended until the user actually goes to the printer and scans their badge. This solves the above issue I mentioned.

    Yup, in my company, this is exactly what we do. We use UniFlow. We only map that one secure printer. So secure, but not secure at the same time. All printers are labeled with the printer name, so any user can map the individual printer manually.
  • MAC_Addy Member Posts: 1,740 ■■■■□□□□□□
    MitM wrote: »
    Personally, I feel each department should always be on their own network, with rules in place to restrict access between those networks. In many cases, even within departments, I think isolated private vlans can be used.
    I am curious as to why you think this? I'm not picking or trying to bash you. I just want to know why you feel that way.
    2017 Certification Goals:
    CCNP R/S
  • hurricane1091 Member Posts: 918 ■■■■□□□□□□
    Honestly, most networks I have seen or heard about have "segmentation", but everyone internal can basically still get to everything. This includes my last job, where everything was tight and right. We had DMZs and what not, but anyone could print anywhere AFAIK.

    We segment based on device type mostly. Wireless has a vlan, hardwired user vlan, AP vlan, printer vlan, so on and so forth.
  • Danielh22185 Member Posts: 1,195 ■■■■□□□□□□
    It's generally best practice to segment users from server environments and, if possible, to further segment the network equipment into an in-band management subnet as well. Typically servers will have fewer restrictions than general users will, for the purpose of their availability to the company from an application / business-driven perspective. You want to have a layer of security where general people will be plugging into the network. Having segmentation will separate the users from the server VLANs / subnets to make it much more manageable.

    Segmentation becomes even more important when it comes to wireless access. I myself have recently been working on a project at work locking down our remote guest networks at our remote FlexConnect sites. The previous engineer basically didn't know what he was doing and left these sites completely wide open. BYOD devices had full access to corporate resources. Oops!

    Also, segmentation in the form of access lists may be required sometimes too. You might use a particular subnet where you manage network equipment from. You want that subnet only to have network-level access. So first you need to segment that management subnet into a subnet it can be identified by, and further place access restrictions on vty lines, SNMP access, etc. Otherwise you might be creating massive access lists for individual hosts, which would become a pain and provide no dynamic function.

    Also on that note if you have an HR subnet you really want to lock down due to the sensitive content they handle you really need the segmentation in place to be able to control that.

    It all kind of depends on your environment and what the requirements of the business are. Generally speaking though you want to separate user subnets from application driven / server subnets and so on, so you can maintain that granular management control.
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi
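The management-subnet access list, vty/SNMP restrictions and department-VLAN filtering described in the post above, written out as an added Cisco IOS configuration example. This is not configuration from the thread or from any poster's network: the VLAN numbers, the 10.10.x.0/24 subnets, the ACL names and the community string are all hypothetical. The weak configuration (management plane reachable from every subnet) is shown commented out beside the hardened form so the difference is visible.

```cisco
! Added example, not from the thread. Hypothetical addressing:
!   VLAN 10  10.10.10.0/24  servers
!   VLAN 20  10.10.20.0/24  HR users
!   VLAN 30  10.10.30.0/24  printers
!   VLAN 99  10.10.99.0/24  in-band management
!
! --- Weak: any internal host can reach the management plane ---
! line vty 0 15
!  transport input telnet ssh
!  login local
! snmp-server community public RO
!
! --- Hardened: one standard ACL names the management subnet and is
!     reused for vty and SNMP instead of per-host access-list entries ---
ip access-list standard MGMT-HOSTS
 permit 10.10.99.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! EXAMPLE-RO is a placeholder community string; the ACL limits who may
! query it, it does not make the string itself any stronger
snmp-server community EXAMPLE-RO RO MGMT-HOSTS
!
! --- Department segmentation on the HR SVI: HR reaches servers and
!     printers, nothing else on the internal range, default route kept ---
ip access-list extended HR-USERS-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.10.20.0 0.0.0.255 host 10.10.20.1
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
 deny   ip 10.10.20.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 permit ip 10.10.20.0 0.0.0.255 any
!
interface Vlan20
 description HR users
 ip address 10.10.20.1 255.255.255.0
 ip access-group HR-USERS-IN in
```

Entries are evaluated top down, so the logged `deny` for the whole internal range must sit after the specific permits and before the final `permit ... any` that keeps Internet-bound traffic working. An inbound ACL on a user SVI also filters traffic aimed at the gateway itself and DHCP discovers (source 0.0.0.0), which is why those two lines are permitted explicitly. Check that the policy matches reality with `show access-lists HR-USERS-IN` and watch the hit counters on the deny line before trusting it. Restricting SNMP by ACL limits exposure but does not fix a weak community string; SNMPv3 with authentication and privacy is the stronger choice where the gear supports it.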
  • MitM Member Posts: 622 ■■■■□□□□□□
    MAC_Addy wrote: »
    I am curious as to why you think this? I'm not picking or trying to bash you. I just want to know why you feel that way.

    Sorry for the late reply, I missed this. I say this mostly for security purposes. Maybe not all departments, but I feel departments like HR and Finance should each be on their own network and restrict access to it. Just for a quick example, I've seen too many people with local admin permissions C$ into computers, that happened to have sensitive data on the local drives. Why sensitive data was on the local drive is another story

    I mentioned Private VLANS to help with lateral movement
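The isolated private VLANs MitM mentions in the opening post and here, as an added Cisco Catalyst configuration example that is not from the thread. VLAN numbers, interface names and the 10.10.40.0/24 subnet are hypothetical. User ports are placed in an isolated secondary VLAN so hosts in the same subnet cannot talk to each other at layer 2, while all of them still reach the gateway.

```cisco
! Added example, not from the thread. Hypothetical numbering:
!   VLAN 200  primary private VLAN (user segment, 10.10.40.0/24)
!   VLAN 201  isolated secondary VLAN
!
! Private VLANs require VTP transparent mode (or VTP version 3)
vtp mode transparent
!
vlan 201
 private-vlan isolated
!
vlan 200
 private-vlan primary
 private-vlan association 201
!
! User-facing access ports: each host sees the gateway, not its neighbours
interface range GigabitEthernet1/0/1 - 24
 description isolated user ports
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Layer 3 gateway on the switch; map the secondary VLAN onto the SVI
interface Vlan200
 description user segment gateway
 ip address 10.10.40.1 255.255.255.0
 private-vlan mapping 201
 no ip local-proxy-arp
!
! Alternative when the gateway is a physical uplink, e.g. to a firewall:
! interface GigabitEthernet1/0/48
!  description uplink to firewall (promiscuous)
!  switchport mode private-vlan promiscuous
!  switchport private-vlan mapping 200 201
```

The isolation is layer 2 only: the gateway still routes for the segment, so the ACL or firewall policy at the gateway decides what these hosts may reach, and `ip local-proxy-arp` must stay off on the SVI or the router will happily forward host-to-host traffic around the isolation. Anything that peers legitimately need to reach inside the segment (a shared printer, for instance) belongs on a promiscuous port or in a community secondary VLAN rather than an isolated one. Confirm the port roles with `show vlan private-vlan` and `show interfaces switchport` before declaring the segment done.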