About Network Segmentation

As a security best practice, we recommend that you segment your network into smaller physical or logical pieces, a practice known as network segmentation.

Internal network segmentation acts as an additional layer of defense to your perimeter security. For example, if an outside attacker breaches your network perimeter, segmentation helps to confine the breach because the attacker cannot traverse segments to connect to your entire network.

Segmentation can also help prevent unwanted connections to network resources from internal users. For example, to better secure internal servers that handle payment processing, you can create a virtual local area network (VLAN) for those servers. Next, you can configure a Firebox policy that allows connections to that VLAN from only the VLANs you specify. Users on other VLANs cannot connect to the payment processing servers.

Segmentation can also help improve network performance because it can reduce traffic congestion. On a flat network, which is network that is not segmented, hosts send traffic across a single broadcast domain. When you divide a flat network into subnets, each subnet represents a smaller broadcast domain. Because there are fewer hosts on each broadcast domain, less traffic occurs on each broadcast domain.

For example, to improve network performance for latency-sensitive applications, you can create a separate physical segment for those application servers. This segmentation helps to make sure congestion caused by lower-priority traffic, such as web browsing, does not affect application performance.

This topic describes these concepts:

Benefits of Segmentation

Network segmentation helps you to better secure your network in several ways:

  • Protect data by allowing connections to network resources from only specific segments
  • Isolate security threats, such as perimeter breaches and malware, to smaller sections of your network
  • Keep your guest and corporate networks separate
  • Meet security requirements defined by industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS)
  • Protect devices on your internal network that have limited built-in security, such as Internet of Things (IoT) devices

Network segmentation can also help to improve network performance so that traffic congestion is less likely to affect critical business applications.

How Segmentation Works

When you segment a network, you divide it into smaller pieces known as segments. Segments can be physical or logical:

On the Firebox, you can create policies that allow connections to network resources from specific segments. For example, you can add policies like these:

  • A policy that allows traffic to a file server from only subnet 10.0.1.0/24
  • A policy that allows traffic to VLAN2 from only VLAN1
  • A policy that allows traffic from all Trusted interfaces (represented by the built-in alias Any-Trusted) to your internal email server
  • A policy that allows traffic from only one Trusted interface to your internal email server

Hosts on one internal network cannot connect to hosts on a separate internal network unless you configure a Firebox policy that allows the connection. For example, if you configure multiple Trusted interfaces, hosts on one Trusted network cannot connect to hosts on a separate Trusted network unless you configure a Firebox policy that allows the connection. In Fireware, the term interface type refers to the security zone. There are three internal interface types (zones): trusted, optional, and custom. For more information about interface types, see About Network Modes and Interfaces.

Basic Topologies

Policies for Segmented Networks

If some traffic must traverse segments on your network, you can create Firebox policies that allow the traffic.

In the policy settings, we recommend that you specify the protocols in use on your network. With this level of granularity, the Firebox allows protocols that users require to complete their work but does not allow unrecognized or untrusted traffic.

Authentication and Segmentation

You can use authentication in addition to network or VLAN segmentation to allow users to connect to resources regardless of the user's physical location on the local network. This is important for users who must log in to computers from different locations in your office.

Authentication Only

As a best practice, we recommend that you implement network segmentation and authentication together. Access control based solely on authentication is less secure because different departments in your company are not segmented from each other.

If multiple physical segments or VLANs are not feasible on your network, it is important to at least implement authentication to control access to resources. Authentication requires users to verify their identity to connect to network resources.

Keep in mind that the Firebox does not handle intra-host traffic that occurs behind switches or routers. For example, if traffic between a user computer and an internal server does not go through the Firebox, the Firebox does not apply policies to that traffic. In this example, you cannot use Firebox policies to allow or deny connections from users and groups to network resources.

See Also

Firebox Configuration Best Practices