Segregating Networks for Security


Sufficient segregation in networks can drastically reduce the impact that a compromise may have on your organisation. Once a foothold has been gained on the network, either through a compromised endpoint or through other vulnerabilities, an attacker will typically follow the permitted communication paths to gain further access. A flat network, that is, a network with no clear segregation between trust or security zones, gives an attacker access to many parts of the network from that single foothold.

This article looks at various methods of maintaining segregation in operational networks to reduce the risk of further attack or compromise.

VLANs (Layer 2)

Layer 2 segregation can be achieved with VLANs. VLANs logically segregate your network into different zones based on need to know or role. For example, VLAN A may consist of the payroll department, which only has access to specific services or network segments that differ from those of VLAN B. This is essentially achieved by assigning ports on a switch to VLANs. VLAN segregation can be considered sufficient for low-threat environments, where potential attackers are neither dedicated nor skilled enough to break the segregation. However, in sensitive environments with sophisticated threat actors this becomes more of a risk, as skilled attackers are able to perform attacks such as VLAN hopping to route through the segregation and increase their privileges or access. For example, a VLAN may be used to segregate dirty Internet traffic from other internal, sensitive traffic on the network; an attacker may be able to use switch spoofing or double tagging techniques to gain access to traffic on another VLAN.
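As an added example (not code from the original article), a small Python audit that parses a constructed IOS-style switch configuration and flags the port settings that leave switch spoofing and double tagging possible. The sample config, the interface names and the assumed "dynamic auto" default port mode are all constructed for this example.

```python
# Constructed IOS-style switch config for this example (not from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Map each interface name to its stripped sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split()[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_port(lines):
    """Return findings for one port; each names the VLAN-hopping technique it mitigates."""
    # Assumption: a port with no explicit mode negotiates via DTP ("dynamic auto").
    mode = next((l.split(" ", 2)[2] for l in lines if l.startswith("switchport mode ")), "dynamic auto")
    native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
    findings = []
    if mode.startswith("dynamic"):
        findings.append("DTP negotiation enabled (switch spoofing): set a static access or trunk mode")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP frames still sent: add 'switchport nonegotiate'")
    if mode == "trunk" and native == "1":
        findings.append("native VLAN is 1 (double tagging): move it to an unused VLAN")
    if mode == "trunk" and not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
        findings.append("trunk carries every VLAN: prune with 'switchport trunk allowed vlan'")
    return findings

def audit_config(config):
    return {name: f for name, lines in parse_interfaces(config).items() if (f := audit_port(lines))}
```

Running `audit_config(SAMPLE_CONFIG)` reports only GigabitEthernet0/2 (default trunk) and GigabitEthernet0/3 (DTP negotiation); the access port and the pruned, renumbered trunk pass.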

Physical Segregation

This is the obvious “air gap”, where the organisation uses completely separate infrastructure for a particular, sensitive part of the network. This is still considered best practice wherever feasible, but it carries higher costs and effort. It is recommended that organisations identify particularly sensitive aspects of the business and enforce physical segregation there wherever possible. This can include using separate servers, infrastructure and devices for the parts of the network that are particularly attractive to attackers. The result is that even if a large part of the network is compromised, the crown jewels are kept intact and the business can continue to function.


Organisations should take a risk-managed approach to segmenting/segregating their networks. VLANs, or private VLANs with port lockdown for further control, can logically segregate a network and should be used as a minimum. The organisation should identify the areas/services on the network that are imperative to its business and apply a higher level of control there. For example, financial systems or databases often represent a key area for businesses, and the loss of these systems could be catastrophic to day-to-day operations. These are areas that organisations may wish to apply physical segregation to, if the cost/benefit analysis permits. In short, don’t allow one attack or breach of your network to result in a complete shutdown or expensive legal/regulatory fines: separate the network into trust or security zones to allow granular control of access.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
