Network segmentation involves segregating the network into logical or functional units called zones. For example, you might have a zone for sales, a zone for technical support and another zone for research, each of which has different technical needs. You can separate them using routers or switches or using virtual local area networks (VLANs), which you create by configuring a set of ports on a switch to behave like a separate network. A VLAN only separates traffic at Layer 2; anything that crosses from one VLAN to another still has to pass through a router or firewall, and that device is where the policy between zones is actually enforced.
Segmentation limits the potential damage of a compromise to whatever is in that one zone, provided traffic between zones is actually restricted rather than merely addressed differently. Essentially, it divides one target into many, leaving attackers with two choices: treat each segment as a separate network, or compromise one and attempt to jump the divide. Neither choice is appealing. Treating each segment as a separate network creates a great deal of additional work, since the attacker must compromise each segment individually; this approach also dramatically increases the attacker's exposure to being discovered.
Attempting to jump from a compromised zone to other zones is difficult if the segments are designed well, because the network traffic between them can be restricted to a default of deny. There are always exceptions that must be allowed through, such as communication with domain servers for centralized account management, but this limited traffic is easier to characterize. Those same exceptions are the paths an attacker will look for first, so they should be narrow (specific destinations, protocols and ports) and logged, not simply permitted.
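The following is an added example, not code from the original text, showing what "restricted traffic with a few characterized exceptions" looks like as an enforceable policy. It models the sales, support and research zones from the text plus an assumed "infra" zone holding the domain servers, applies a default-deny rule to everything that crosses a zone boundary, allows only an explicit list of flows (Kerberos, LDAP, DNS to the infra zone), and can render the same policy as an nftables ruleset for the router between the zones. All address ranges, zone names and the choice of ports are illustrative assumptions.

```python
"""Zone-based inter-segment policy: default deny across zones, with a short,
explicit allowlist for the exceptions every segmented network needs.
Added example; addresses, zone names and ports are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed zones (assumed addressing; not taken from any real network).
ZONES = {
    "sales":    ipaddress.ip_network("10.10.0.0/24"),
    "support":  ipaddress.ip_network("10.20.0.0/24"),
    "research": ipaddress.ip_network("10.30.0.0/24"),
    "infra":    ipaddress.ip_network("10.0.0.0/24"),   # domain controllers, DNS
}


@dataclass(frozen=True)
class Flow:
    src_zone: str   # "*" means any zone
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int


# The explicit exceptions: central account management and name resolution.
# Everything else that crosses a zone boundary is denied.
ALLOWED_FLOWS = (
    Flow("*", "infra", "tcp", 88),    # Kerberos
    Flow("*", "infra", "udp", 88),
    Flow("*", "infra", "tcp", 389),   # LDAP
    Flow("*", "infra", "tcp", 636),   # LDAPS
    Flow("*", "infra", "udp", 53),    # DNS
    Flow("*", "infra", "tcp", 53),
)


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (verdict, reason) for a new connection between two hosts.
    Intra-zone traffic is left to the zone's own controls; inter-zone traffic
    must match an allowed flow; unclassified addresses fail closed."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "unknown zone"
    if src == dst:
        return "allow", "intra-zone %s" % src
    for f in ALLOWED_FLOWS:
        if (f.src_zone in ("*", src) and f.dst_zone == dst
                and f.proto == proto and f.dport == dport):
            return "allow", "exception %s->%s %s/%d" % (src, dst, proto, dport)
    return "deny", "inter-zone %s->%s not in allowlist" % (src, dst)


def render_nftables() -> str:
    """Render the same policy as an nftables ruleset for the inter-zone router.
    Denied inter-zone packets are logged before being dropped, because the
    attempts to cross a boundary are exactly what the defender wants to see."""
    lines = ["table inet zones {"]
    for name, net in ZONES.items():
        lines.append("  set %s { type ipv4_addr; flags interval; elements = { %s } }"
                     % (name, net))
    lines.append("  chain forward {")
    lines.append("    type filter hook forward priority 0; policy drop;")
    lines.append("    ct state established,related accept")
    for name in ZONES:
        lines.append("    ip saddr @%s ip daddr @%s accept" % (name, name))
    for f in ALLOWED_FLOWS:
        src = "" if f.src_zone == "*" else "ip saddr @%s " % f.src_zone
        lines.append("    %sip daddr @%s %s dport %d accept"
                     % (src, f.dst_zone, f.proto, f.dport))
    lines.append('    log prefix "zone-deny " drop')
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample connections: a sales host talking to a peer, to a
    # research host, to a domain controller, and an unknown address.
    for conn in [("10.10.0.5", "10.10.0.9", "tcp", 445),
                 ("10.10.0.5", "10.30.0.9", "tcp", 445),
                 ("10.10.0.5", "10.0.0.10", "tcp", 389),
                 ("192.168.1.1", "10.0.0.10", "udp", 53)]:
        print(conn, "->", evaluate(*conn))
    print(render_nftables())
```

Run as a script it prints the verdict for each constructed connection and then the generated ruleset. The point to take from it is that the SMB connection from sales to research (the classic lateral-movement hop) is dropped and logged, while the one characterized exception, directory traffic to the infra zone, is the only thing allowed across, which also makes that exception the obvious place to concentrate monitoring.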
Segmentation is also useful in data classification and data protection. Each segment can be assigned different data classification rules and then set to an appropriate level of security and monitored accordingly. An extreme example of segmentation is the air gap — one or more systems are literally not connected to a network. Obviously, this can reduce the usefulness of many systems, so it is not the right solution for every situation. In some cases, however, a system can be sensitive enough that it needs to not be connected to a network; for example, keeping a backup server offline is often a good idea, because malware that spreads across the production network cannot reach the backups. An air gap removes the network as an infection path, but not removable media or a device that is carried across the gap, so an air-gapped system still needs controls on what is physically connected to it.
Virtualization is another way to segment a network. Keep in mind that it is much easier to segment virtual systems than it is to segment physical systems, since the boundaries are configuration rather than cabling. As one simple example, consider a virtual machine on your workstation. You can easily configure it so that the virtual machine is isolated from the workstation — it does not share a clipboard, common folders or drives, and it has either no network adapter or one attached only to a host-only network, so it operates as an isolated system. That isolation rests on the hypervisor, which the guest still shares with the host, so it is not equivalent to a physical air gap.