WRITTEN BY: ZACHARY SPRENGER
Network Segmentation: Enhancing Security and Access Control
In my 20 years of working in the IT industry, primarily with small business customers, I have rarely encountered networks large enough to require segmentation. However, small businesses far outnumber large corporations, and adopting security measures from enterprise environments can be essential for them too. This article outlines why network segmentation matters and gives a practical use case for implementing it in a small business.
Why Network Segmentation Matters
Network segmentation enhances security by limiting access between network-connected devices, reducing an attacker’s ability to move laterally through a network. Here are key reasons why segmentation is critical:
1. Limiting What an Attacker Can See:
○ One of the first actions an intruder takes on a compromised host is to map the network: a ping sweep, ARP scan, or port scan of the local subnet and of anything routable from it.
○ With segmentation, that scan only reveals the hosts and ports the ACLs allow the compromised VLAN to reach. A guest device or an infected workstation sees a handful of permitted services instead of every server, printer, and management interface, which shrinks the set of targets for lateral movement and may leave the attacker believing there is little worth pursuing.
2. Isolation of Critical Systems:
○ Legacy systems, management interfaces, printers, vendor devices, and payment systems in scope for PCI DSS should not share a network with standard users.
○ Keeping them on their own VLANs, reachable only on the ports they actually need, prevents unauthorized access and limits how far a vulnerability in any one of them can be exploited from the rest of the network.
3. Guest Network Security:
○ Employees’ personal devices and visiting vendors should connect to a separate VLAN that has internet access but no route to the internal networks, so a compromised personal device cannot reach the main network.
Practical Use Case: Small Business Implementation
Consider a small business with the following network infrastructure:
● 20 Desktop Computers
● 4 Laptop Computers
● 2 Wireless Access Points
● 3 Network Printers
● 2 Servers
● 1 Time Clock (connected to a cloud service)
This business allows employees to connect personal devices to Wi-Fi and provides guest access to vendors. The recommended segmentation strategy would be:
VLAN Assignments
VLAN       Purpose
VLAN 10    Time Clock (outbound internet only, restricted to the vendor’s required ports)
VLAN 20    Admin Network (staff desktops and laptops)
VLAN 30    Server Network
VLAN 40    Printer Network
VLAN 50    Guest Wireless Network
VLAN 60    Employee Wireless Network (personal devices)
Access Control List (ACL) Rules
Access between VLANs should be carefully restricted using ACLs to enforce the principle of least privilege. The rules below describe the direction in which connections are initiated: a stateful firewall permits the return traffic automatically, while a plain router ACL needs a matching rule for the established return traffic. Anything not listed is denied.
● Admin VLAN (20) → Allowed to communicate with Server VLAN (30) on DHCP, DNS, SMB, NTP, and the specific application ports defined by the software vendors. DHCP broadcasts do not cross VLANs, so the router must relay them to the DHCP server on VLAN 30, and the ACL must permit that relayed traffic.
● Printer VLAN (40) ↔ Server VLAN (30) → The print server initiates connections to the printers on the print service protocols (raw port 9100, IPP 631, LPD 515). Printers initiate connections to the servers only for what they need, such as HTTP and HTTPS to the vendor’s print-management software or SMB for scan-to-folder. Workstations print through the print server, so they need no direct route to the Printer VLAN.
● Time Clock VLAN (10) → Allowed outbound internet access only on the vendor’s required ports; no access to any internal VLAN.
● Guest VLAN (50) → Completely isolated from internal business networks: internet access only, with client isolation enabled on the access point so guest devices cannot talk to each other either.
● Employee VLAN (60) → No direct access to Admin VLAN (20), Server VLAN (30), or any other internal VLAN; internet access only.
● All VLANs → An explicit deny for everything else, including the switch and router management interfaces, which should be reachable only from designated administrative hosts.
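To make the policy above concrete and checkable before it is typed into a router, here is an added example (not from the article) that encodes the VLAN table and the ACL rules as data with a default deny, and answers "would this connection be permitted?" for candidate flows. The 192.168.<VLAN>.0/24 addressing, the application port 8443, the time clock vendor port 443, internet access for the Admin VLAN, and the router holding 192.168.20.1 as its VLAN 20 interface are all assumptions for illustration; the test addresses in 203.0.113.0/24 are constructed.

```python
"""Checkable model of the article's inter-VLAN policy (added example).

Assumptions, not from the article: 192.168.<VLAN>.0/24 addressing, app port
8443, time clock vendor port 443, internet egress for the Admin VLAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One /24 per VLAN; the VLAN id is reused as the third octet (assumed).
VLANS = {
    10: ip_network("192.168.10.0/24"),  # Time clock
    20: ip_network("192.168.20.0/24"),  # Admin (staff desktops and laptops)
    30: ip_network("192.168.30.0/24"),  # Servers
    40: ip_network("192.168.40.0/24"),  # Printers
    50: ip_network("192.168.50.0/24"),  # Guest wireless
    60: ip_network("192.168.60.0/24"),  # Employee wireless (personal devices)
}
INTERNET = "internet"   # any address outside the VLAN ranges
ANY_PORT = frozenset()  # empty port set means "any destination port"


@dataclass(frozen=True)
class Rule:
    src: int            # source VLAN id
    dst: object         # destination VLAN id, or INTERNET
    proto: str          # "tcp" or "udp"
    dports: frozenset   # permitted destination ports; ANY_PORT = all


# Permits are written in the initiating direction only. Everything absent
# from this list is denied, which is the default-deny the article relies on.
ALLOW = (
    # Admin -> Server: DHCP (relayed by the router from 192.168.20.1), DNS, NTP
    Rule(20, 30, "udp", frozenset({67, 53, 123})),
    # Admin -> Server: DNS over TCP, SMB, and the vendor app port (8443 assumed)
    Rule(20, 30, "tcp", frozenset({53, 445, 8443})),
    # Print server submits jobs to printers: raw 9100, IPP 631, LPD 515
    Rule(30, 40, "tcp", frozenset({9100, 631, 515})),
    # Printers reach servers only for scan-to-folder (SMB) and HTTP/HTTPS
    Rule(40, 30, "tcp", frozenset({445, 80, 443})),
    # Time clock: outbound to the vendor only, on the vendor port (443 assumed)
    Rule(10, INTERNET, "tcp", frozenset({443})),
    # Guest and employee wireless: internet only, nothing internal
    Rule(50, INTERNET, "tcp", ANY_PORT), Rule(50, INTERNET, "udp", ANY_PORT),
    Rule(60, INTERNET, "tcp", ANY_PORT), Rule(60, INTERNET, "udp", ANY_PORT),
    # Admin workstations browse the internet (assumed; the article does not list it)
    Rule(20, INTERNET, "tcp", ANY_PORT), Rule(20, INTERNET, "udp", ANY_PORT),
    # No server egress is listed in the article; add it deliberately if needed.
)


def zone_of(addr: str):
    """Map an IP address to its VLAN id, or INTERNET if it is in none of them."""
    ip = ip_address(addr)
    for vlan_id, net in VLANS.items():
        if ip in net:
            return vlan_id
    return INTERNET


def permits(src: str, dst: str, proto: str, dport: int) -> bool:
    """Would the ACLs let a NEW connection src -> dst:dport through? Default deny."""
    s, d = zone_of(src), zone_of(dst)
    if s == INTERNET:
        return False   # no unsolicited inbound connections from the internet
    if s == d:
        return True    # same VLAN: the router never sees this traffic
    return any(
        r.src == s and r.dst == d and r.proto == proto
        and (r.dports == ANY_PORT or dport in r.dports)
        for r in ALLOW
    )


def internal_reach(src_vlan: int) -> set:
    """Internal VLANs a host on src_vlan can open at least one connection to."""
    return {r.dst for r in ALLOW if r.src == src_vlan and r.dst != INTERNET}


def audit() -> list:
    """Invariants from the article: these VLANs must reach no internal VLAN."""
    problems = []
    for vlan_id, label in ((10, "time clock"), (50, "guest"), (60, "employee wifi")):
        for dst in sorted(internal_reach(vlan_id)):
            problems.append(f"{label} VLAN {vlan_id} can reach VLAN {dst}")
    return problems


if __name__ == "__main__":
    print("DHCP relay  20 -> 30:", permits("192.168.20.1", "192.168.30.10", "udp", 67))
    print("Guest SMB   50 -> 30:", permits("192.168.50.7", "192.168.30.10", "tcp", 445))
    print("Printer raw 40 -> 30:", permits("192.168.40.3", "192.168.30.10", "tcp", 9100))
    print("Audit problems:", audit() or "none")
```

Same-VLAN traffic is reported as permitted because the router never sees it; isolating guest devices from each other is a job for client isolation on the access point, not for the inter-VLAN ACL. Running `audit()` after every rule change is a cheap way to catch a permit that quietly gives the guest or time clock VLAN a path inside.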
Security Benefits of Segmentation
Without VLANs, all devices reside on one flat network where every device can reach every other one, creating multiple risks:
● A compromised IoT device, such as a networked printer or the time clock, becomes a foothold for lateral movement to workstations and servers.
● An infected user workstation can reach the servers and payment systems directly; with segmentation, those systems are reachable only on the ports the ACLs permit.
● Guest and employee personal devices, which the business does not manage or patch, can reach sensitive internal systems; with segmentation they reach the internet only.
By implementing segmentation, businesses enhance security, reduce their attack surface, and enforce explicit access policies, with no noticeable effect on day-to-day use once the ACLs cover the traffic the business actually needs.