Wednesday, August 17, 2016

Network Segmentation and VLAN


We all know that absolute security is a myth. Many a time, even when we enforce security to the best of our ability, attackers manage to gain unauthorized access to the network. Once inside, attackers try to move across the network so that they can reach the systems holding the sensitive data they are after.

So, once attackers manage to gain unauthorized access to the network in spite of all the security measures, the best way to thwart them is to restrict their movement across the network. That is the main motivation behind network segmentation.

Network segmentation is the practice of splitting a network into smaller sub-networks, mainly to boost performance and improve security. If attackers manage to gain unauthorized access to one part of the network, segmentation limits how far they can move from there.

Advantages of Network Segmentation

Network segmentation offers a number of advantages. Some of them are described below:

Reducing Congestion

The more devices there are in a network, the more collisions occur while transmitting data. So, as the number of devices in a network keeps increasing, the performance of the network degrades. One way to reduce collisions is to reduce the number of devices in each sub-network.

Using network segmentation, a network can be split into smaller sub-networks so that the number of devices in any single sub-network is reduced. There is then less chance of collision within a sub-network, which in turn improves the performance of the network as a whole.

Controlling Network Access

Network segmentation can be used to control which users may access which part of the network. For example, in an organization, different groups of employees, such as HR, server administrators and executives, may need their own segregated networks. Third parties should also have their own segregated network, so that attackers cannot reach sensitive data inside the network through a less protected, compromised third-party site.

Network segmentation can thus divide a network into different zones, so that a given group of users has access to certain zones only.

Enforcement of Policy

PCI-DSS (Payment Card Industry Data Security Standard) and similar standards provide guidelines for separating cardholder data from the rest of the network, so that even if one part of the network is compromised, attackers cannot easily reach sensitive cardholder data. Segmenting the network provides multiple zones with varying security levels, which in turn helps with rigorous enforcement of such policies.

Limiting Network Problems

As network segmentation divides the network into different sub-networks, a local failure in one part of the network does not affect the other parts.

Improved Security

As network segmentation controls access to the different parts of the network, it can restrict the lateral movement of attackers who manage to gain unauthorized access to one part of the network, thus increasing the security of the sensitive parts.

Different ways of segmenting a network

A network can be segmented using bridges, routers or switches. Let’s look at how each of these works.

Network Segmentation using Bridges

Bridging is a technology by which two or more local area networks that use the same protocol, such as Ethernet or token ring, can be aggregated together. A bridge monitors each message on a LAN. It keeps messages destined for the same LAN local and forwards those destined for a different interconnected LAN.

Bridges learn which addresses are in which network and build a table, which they consult to decide whether a message should be forwarded to a different interconnected LAN. They work at layer 2 of the OSI reference model.

Advantages of network segmentation using bridges

Bridges can segment traffic in a network, thereby reducing the traffic seen in each sub-network. This improves network response time. A bridge can also compensate for speed differences between two networks using its buffering capability.

Network Segmentation using Routers

When we need to aggregate two or more networks that use different protocols, we can use routers. A router interconnects two or more networks, enabling communication between them.

Routers function at layer 3 of the OSI reference model. A router looks at the destination IP address of each packet passing through it and consults a routing table to determine the network to which the packet should be forwarded. Routers can also implement broadcast filters and logical firewalls.

Advantages of network segmentation using routers

There are a number of advantages of using routers to segment a network:

  • Routers can interconnect two or more networks that use different protocols.
  • Routers can control broadcasts within the network.
  • Routers can filter inbound and outbound packets between LAN and WAN segments.
  • Routers can fragment large packets into smaller pieces and send them across the network, whereas bridges discard such packets.

Network Segmentation using Switches

Switches, like bridges, enable two or more networks to be interconnected. But switching is performed in hardware instead of software, which makes communication between the interconnected networks much faster.

A switch learns the Ethernet addresses of the devices on each network and builds a table from them. It examines the source and destination hardware addresses of each frame passing through it and, consulting the table, forwards the frame to the appropriate sub-network.

Basic switches function at layer 2 of the OSI reference model, but there are also layer 3, layer 4 and layer 7 switches.

Advantages of network segmentation using switches

Switching technology enables a network to be separated into different collision domains, which can improve network performance significantly. Switches can also connect different network types, such as Ethernet and Fast Ethernet.

Moreover, switches can be used to create VLANs, which can greatly increase the security of a network.

What is a VLAN?

As discussed earlier, switches can segment a network into smaller interconnected networks. A basic switch works at layer 2 of the OSI reference model. If we look closely, here is how it works:

When a frame enters a switch and its destination MAC address is not present in the switch's MAC table, the switch floods the frame out of every port except the one on which it was received. The device with that MAC address responds, and the switch records the address and the port it arrived on in its MAC table, so that the next time a frame arrives for that destination MAC address, the switch can forward it directly to the right port. This MAC table is usually held in volatile memory in the switch and is rebuilt every time the switch is powered on.

But broadcast messages like this can eat up considerable bandwidth in a network and also raise security concerns. An attacker can take advantage of them to learn the MAC address of a sensitive device and mount attacks thereafter. VLANs are used to prevent that.

Using a smart (managed) switch, a network can be segmented into multiple VLANs, such that broadcasts propagate inside a VLAN but not outside it.

A VLAN takes a set of ports of a switch and creates a virtual network, such that devices within the virtual network can talk to each other but cannot communicate with devices outside it. For example, if server 1, server 2 and server 3 of a company are connected to ports 1, 3 and 5 of a switch, and we create a VLAN from those ports, then the devices connected to those three ports can communicate with each other, but not with any other device that is not part of the VLAN.

So, if a computer that is not part of the VLAN sends a broadcast message requesting the MAC address of server 1, server 2 or server 3, it will not receive the MAC address of those servers. As a result, VLANs can greatly enhance the security of the devices in the network.
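To make the switch behaviour described above concrete, here is a small simulation written for this post (it is not code from the original). The port-to-VLAN assignment, the MAC addresses and the `Frame`/`VlanSwitch` names are constructed; the model covers MAC learning, flooding of unknown-destination and broadcast frames limited to the ingress VLAN, and the loss of the MAC table on power-cycle.

```python
"""Toy layer-2 switch with per-port VLAN membership (constructed example)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str            # source MAC address
    dst: str            # destination MAC (BROADCAST for an ARP-style request)
    payload: str = ""


@dataclass
class VlanSwitch:
    # access-port number -> VLAN id (constructed topology)
    port_vlan: dict
    # learned MAC -> (port it was seen on, VLAN of that port); volatile
    mac_table: dict = field(default_factory=dict)

    def forward(self, ingress_port: int, frame: Frame) -> list:
        """Return the sorted list of egress ports the frame is sent out of."""
        vlan = self.port_vlan[ingress_port]
        # Learn: the source MAC lives behind the ingress port, in this VLAN.
        self.mac_table[frame.src] = (ingress_port, vlan)
        entry = self.mac_table.get(frame.dst)
        if frame.dst != BROADCAST and entry is not None and entry[1] == vlan:
            # Known unicast inside the same VLAN: forward to that one port only.
            return [entry[0]]
        # Unknown unicast or broadcast: flood, but only to ports in this VLAN.
        # A MAC known in a *different* VLAN is treated as unknown here, so the
        # frame never leaves its own VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != ingress_port)

    def power_cycle(self) -> None:
        """The MAC table is held in volatile memory: empty again after reboot."""
        self.mac_table.clear()


if __name__ == "__main__":
    # Servers 1-3 on ports 1, 3, 5 (VLAN 10); two workstations on 2, 4 (VLAN 20).
    sw = VlanSwitch({1: 10, 2: 20, 3: 10, 4: 20, 5: 10})
    print(sw.forward(2, Frame("02:00:00:00:00:02", BROADCAST)))  # [4]
    print(sw.forward(1, Frame("02:00:00:00:00:01", BROADCAST)))  # [3, 5]
```

The first call shows a workstation's broadcast reaching only the other VLAN 20 port, so it never learns the servers' MAC addresses; the second shows a server's broadcast staying within ports 1, 3 and 5.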


  1. Very interesting blog. You can use Twitter to share your posts.
    My account is: @tylerpaolo

  2. Thanks. Computer Security and PGP is present on Twitter also. Twitter handle: @forblogs0