Network segmentation is a hot topic in IT circles, and it’s time that we addressed this important industry trend with a blog entry. This blog entry will define network segmentation, explain the reasons for segmenting the network, and examine relevant use cases and enabling technologies.
What is network segmentation?
Network segmentation is the practice of dividing a large network into multiple smaller logical networks, or segments. Networks are segmented for a few reasons, but primarily this happens to either improve network security and/or to improve user experience.
How are VLAN and VXLAN used?
Network segmentation is accomplished by one of two primary means, but each is very similar. Virtual Local Area Networks (VLANs) have been the primary method of segmenting networks for decades and shouldn’t be a new concept. VLANs have an inherent barrier that has proven to be a limitation as technology has grown, and that is they are limited to only 4,094 networks per administrative domain. To overcome this limitation, Virtual Extensible Local Area Network (VXLAN) was created that expanded that number to 16 million networks per administrative domain. Subnets, another method of network segmentation, use IP addresses to partition a network into smaller subnets, connected by networking devices. This approach not only allows for more efficient network performance but also serves to contain threats from spreading beyond a particular VLAN or subnet.
Improving security by monitoring east-west traffic
Along with the expansion of the available networks, there are additional benefits that come from network segmentation. The first is to enhance IT security. By segmenting the network, any malware or breach in one segment of the network can be contained to that smaller network segment, making it more difficult to spread throughout the entire network.
Improving performance by reducing the Layer 2 workloads
Next, network segmentation can enhance user experience. You can use segmentation to provide a more personal experience for end users. Network segmentation can also ensure performance (bandwidth) for a group or groups of devices by eliminating or reducing network congestion and interference. Putting guest users on a separate network segment from the corporate network segment that supports business-critical data traffic can also yield performance benefits because devices engaged in business-critical activities no longer compete with visitors accessing applications like streaming video.
Network segmentation terminating at the firewall to improve cybersecurity
When you divide the network up into segments, threats that make it onto the network cannot move laterally across network segments to easily spread to other devices. These smaller segments also make it easier to determine where the threats came from because it is isolated to a smaller network instead of a single large network. Related to the IT security benefits, sequestering some devices and users away from others can also make it easier to achieve regulatory compliance. IT-owned and -managed devices are generally low-risk compared to guest and even internal BYOD devices so being able to place them into their own smaller segments just makes sense.
With network segmentation in place, if one of these higher-risk devices becomes compromised, the threat cannot spread to more critical IT resources on other network segments. When this segmented traffic tries to cross the firewall, it can be blocked and reported, raising the alert sooner of any compromises.
You might also decide that certain IoT devices are at higher risk than other devices on the network and put them in a separate network segment. You could even put every type of IoT device on its own network, separate from other devices and from other network resources that you want to protect. While it’s bad to have any device on your network compromised, network segmentation lets you sequester those devices from others to prevent the threat from spreading. There are enough stories about IoT botnets on the internet that network segmentation in support of IoT merits consideration.
Network segmentation to improve user experience
The IT security use cases apply across a wide variety of industries while the user experience use cases tend to be more industry-specific. Network segmentation makes a lot of sense in the multi-dwelling unit (MDU) sector. An MDU is any environment characterized by multi-household living—think apartment complexes, senior living communities, RV parks, and so on. Dormitories in higher education also fit into this environment.
These types of properties increasingly have managed, enterprise-grade networks rather than the traditional approach where each resident signs up separately with an internet service provider. This provides the benefit of an enterprise-grade network in an environment that normally resembles a suburban neighborhood where residents lose connectivity when they are out of range of their unit. Once an enterprise-style network is in place, network administrators can offer these additional benefits thanks to a unifying infrastructure.
Micro-segmentation to improve user privacy and security
IT teams and managed service providers can use this unified infrastructure to provide personalized networks for residents. Each unit in an MDU property gets its own personal network (VLAN/VXLAN) where residents see only their own devices and not those belonging to neighbors. This isolation improves the resource utilization on the wire as the number of devices that respond to broadcast frames is now limited to a single unit, not the entire property. This feature also maintains the residents’ privacy as their devices and traffic are isolated from their neighbors, and they can’t see their neighbor’s devices and traffic either.
Best of all, their SSID follows them as they visit any amenity on the property with a personalized network with end-to-end wireless across the entire property. It’s a great user experience for residents and can help make a property attract and retain residents. For higher education, personal networks are a great way to meet high student expectations around Wi-Fi-an “at-home” type network but in a dormitory setting.
How to do network segmentation with RUCKUS
RUCKUS® Networks has everything that is needed to enable network segmentation by supporting all the IEEE industry standards. RUCKUS uses VLANs and VXLANs to enable network segmentation where there up to 4,094 VLANs and 16 million VXLANs on the network. As discussed earlier, this limitation is not RUCKUS-specific but rather part of the IEEE 802.1Q standard. VXLANs being able to scale up to 16 million “networks” on a single administrative domain also adds an additional benefit – they can span multiple physical network segments and geographical areas. This is done by design, as VXLANs exist as a Layer 3 overlay on top of the Layer 2 portion of the network.
The heart of the network segmentation engine with RUCKUS is Cloudpath® Enrollment System, our cloud service (also available as on-premises software) for secure network onboarding and access. The beauty of the Cloudpath system is you can use it without RUCKUS® Access Points, SmartZone™ controllers, or ICX® switches, but the full power of Cloudpath technology is only realized when paired with RUCKUS converged controller, RUCKUS Access Points, and ICX® switches.
With a full RUCKUS network, administrators can take advantage of VLANs or VXLANs to accomplish network segmentation based on your needs and capabilities. When you use Cloudpath for network segmentation, you also gain the ability to associate a user identity with each device.
Where to learn more
Learn more about network segmentation by visiting the RUCKUS solution page on the topic, where you will find videos, a solution brief, and more. You can even access our recent case study with AVE Union, an MDU property that uses VLANs to provide personal networks to residents. Network segmentation yields many benefits for enterprise organizations. Don’t hesitate to contact your RUCKUS partner if you are interested in implementing this technology in your environment.
What are the 3 main benefits of network segregation (microsegmentation)?
The three main purposes of network segmentation are:
- Enhanced Security: Network segmentation reduces the attack surface by dividing a flat network into multiple subnetworks or segments. This segregation restricts the lateral movement of attackers within the network. If an attacker breaches the network, they would only have access to a limited part of the network, not the entire system. This is where micro-segmentation comes into play, providing a more granular level of security by applying security policies at the workload level. It’s a key part of a ‘least privilege’ strategy, where each segment has only the access it needs and no more. This approach is particularly important in protecting sensitive data, such as credit card information, in compliance with standards like the Payment Card Industry Data Security Standard (PCI DSS).
- Improved Performance: Network segmentation can lead to better network performance. By segregating network traffic, you can ensure that critical services get the bandwidth they need. This is particularly useful in a data center environment where different types of traffic, such as east-west traffic (traffic flowing between servers in a data center), need to be efficiently managed. Segmentation can also help reduce congestion by limiting unnecessary traffic flow between segments.
- Greater Control and Monitoring: Network segmentation provides better visibility and control over your network. By dividing the network into smaller parts, it’s easier to monitor traffic, identify anomalies, and spot potential breaches. It also allows for more precise access control, with different trust levels for different segments. For instance, endpoints with sensitive data can be isolated from those with a higher risk of compromise. Technologies like Software-Defined Networking (SDN) and virtualization can make this process more manageable and flexible.
Remember, while network segmentation can significantly enhance your cybersecurity posture, it’s not a silver bullet. Network segmentation should be part of a multi-layered defense strategy that includes firewalls, authentication mechanisms, and robust security policies.
Predictive, Pre-Deployment, Post Installation and Health Check Wireless Surveys carried out by certified wireless engineers.
We look at Wi-Fi fundamentals, explore the benefits of and technology behind Wi-Fi 6, Wi-Fi 6E and what the future holds for Wi-Fi 7
Net-Ctrl provide network and structured cabling solutions as either a stand-alone installation, or to compliment products and solutions that we offer.
Connect-the-Classroom scheme is allowing schools to upgrade their infrastructure to a solution that should last 10 years
Net-Ctrl provides two excellent support packages in addition to any equipment purchased. Find out about our Silver or Gold support package
IP-CCTV site survey to assess camera locations and requirement and existing Mobotix solution health checks.
Net-Ctrl offers our Cloud WLAN. Delivering market-leading patented technology managed by the Net-Ctrl engineering team.
Net-Ctrl offers a range of wireless network solutions. We explore some common questions related to these solutions.
Offering end-to-end, affordable and competitive financing solutions to help you achieve your business goals.