Keep ‘Em Separated – Network Segmentation
When designing a network, the ultimate goal is to create a secure and logical network that works for your business. Each business has its own unique needs and priorities for its business software and IT security. For example, an accountant might value a server that can run their tax software efficiently, while a dental office needs a server that will support their electronic medical records.
Careful consideration of these needs and priorities is required during the design phase of network deployment. One of the most common means of achieving both security and logical design is network segmentation.
How Network Segmentation Works
In a regular Local Area Network (LAN) with no segmentation, devices across the network can access each other, with data flowing freely throughout. This is pretty common for home setups, but when applied to businesses, it becomes chaotic. Through the use of Virtual Local Area Networks (VLANs), we can take that chaos and transform it into separate, predictable, efficient, and secure networks. VLANs allow us to group together the devices that communicate with each other most often, making sense of the chaos. For example, if multiple workstations regularly have to communicate with one server to get access to files and applications, it makes sense to put them into the same VLAN.
In some cases, segmentation is required to adhere to compliance policies. For example, if you are processing credit card transactions, you are also required to segment all systems that hold credit card information or cardholder data from any other devices in your network. Imagine what could happen if that data was accessible to everyone in your network. Granted, this type of data isn’t easy to access for your everyday Joe, but if an attacker was to gain access to Joe’s workstation, which has access to that credit card data…you get the point. If Joe’s workstation had been compromised on a segmented network, the attacker would be unable to reach that sensitive data from it.
Similarly, think about something like a Voice over Internet Protocol (VoIP) phone. Is there any reason that a phone would need to connect to any other device in the network? If you host the VoIP solution yourself, you’d want that server on the same VLAN as the phones; otherwise, there is no need for any other device to communicate with your phones. An added benefit of segmentation comes in the form of bandwidth allocation. If all of your VoIP phones are on the same VLAN, you can also tune the bandwidth allocated to that VLAN to ensure crystal clear calling.
Digging further, think about the people in your organization. Maybe you have engineers who need access to a specific server for a project. Does everyone need access to it, though? You can set up rules so that only specific users or groups can reach specific devices.
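As an added illustration (not configuration from the original post or from Internet Contrasts), here is how the three groups discussed above could be carved into VLANs on a Layer 3 switch using Cisco IOS style syntax. The VLAN numbers, addresses, port names, and the single payment application host and port that workstations are allowed to reach are all assumptions made for the example.

```cisco
! Added example: VLAN plan plus inter-VLAN access rules (all addressing assumed)
ip routing
!
vlan 10
 name WORKSTATIONS
vlan 20
 name CARDHOLDER-DATA
vlan 30
 name VOIP
!
! One routed interface per VLAN; the ACL on each decides what may leave that VLAN
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group WORKSTATIONS-IN in
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group CARDHOLDER-IN in
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip access-group VOIP-IN in
!
! Workstations: only the payment application (assumed host 10.0.20.5, TCP 443)
! in the cardholder VLAN is reachable; the rest of that VLAN and the phones are
! blocked and logged, everything else (internet, shared servers) is allowed
ip access-list extended WORKSTATIONS-IN
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.5 eq 443
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 log
 deny   ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255 log
 permit ip 10.0.10.0 0.0.0.255 any
!
! Cardholder VLAN: only replies to workstation sessions already established to
! the payment application may go back; nothing else initiates towards other VLANs
ip access-list extended CARDHOLDER-IN
 permit tcp host 10.0.20.5 eq 443 10.0.10.0 0.0.0.255 established
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 deny   ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 log
 permit ip 10.0.20.0 0.0.0.255 any
!
! Phones: a self-hosted PBX sits in VLAN 30 and is reached without crossing this
! interface; phones may never reach workstations or cardholder data
ip access-list extended VOIP-IN
 deny   ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 deny   ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255 log
 permit ip 10.0.30.0 0.0.0.255 any
!
! A desk port: the workstation lands in VLAN 10, the phone daisy-chained through
! it lands in VLAN 30, so one cable still yields two segmented devices
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
```

The `log` keyword on the deny lines makes blocked cross-VLAN attempts visible in the switch log, which is exactly the signal you want if Joe's workstation ever starts probing the cardholder VLAN.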
There are many different ways to utilize VLANs to work for you. At Internet Contrasts, we specialize in taking your business goals and turning them into technology strategies. Get in touch with us to get started.