Practical Network Scanning

Segmentation strategy steps

Segmentation design and strategy should be based on the value of the critical asset or resource being protected, not simply on isolation along network boundaries. The strategy should start as a high-level network design that segregates the various zones through traditional network boundaries such as the DMZ, data center, virtual cloud and campus network. It then drills consistently into each zone to provide isolation between the applications within it:

Virtual LAN (VLAN): A flat local area network segment forms a single broadcast domain. This means that if a user broadcasts information on a LAN, the broadcast is heard by every other user on the same LAN. To limit broadcasts and to separate users and applications, the LAN segment can be divided into logical segments called VLANs while still sharing the same common wired physical network. In the following diagram, the first VLAN, VLAN_1, is dedicated to the finance team; VLAN_2 is dedicated to HR and VLAN_3 to payroll. All VLANs share the same physical media but are logically separated in order to limit broadcast traffic:

In the following diagram, each color represents a different VLAN. This diagram demonstrates what the connection will look like:

The red cable represents VLAN1, the violet cable represents VLAN2 and the yellow cable represents VLAN3.

Virtual Routing and Forwarding (VRF): Virtualization is a technique with the great advantage of hiding the physical characteristics of computer resources that are shared by multiple operating systems; an end user interacts with those resources without even knowing that they are shared. VRF is a technique for Internet Protocol (IP) network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. VRF also increases network security, because these VRF instances cannot talk to each other unless they do so via a separate Layer-3 device. The main advantage of VRF is that the instances can have overlapping IP addresses without any conflict. For example, in an MPLS network, multiple customers use the same IP ranges while the service provider's resources are shared. VRF therefore provides both the flexibility to use the same IP space for multiple customers and security. As shown in the following diagram, there are four VRFs and all use the same IP range on the same router:
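To make the two VRF properties above concrete (overlapping IP space per customer, and no forwarding between VRFs without an explicit Layer-3 hand-off), here is an added toy model of a router with one routing table per VRF; it is illustration code written for this section, not part of the book or of any router vendor's software, and the VRF names, prefixes and next-hop addresses are constructed sample values.

```python
import ipaddress
from typing import Optional

# Toy router that keeps one independent routing table per VRF.
# Constructed example: names, prefixes and next hops are made up.
Route = tuple[ipaddress.IPv4Network, str]


class VrfRouter:
    def __init__(self) -> None:
        # vrf name -> its own list of (prefix, next_hop); tables never merge
        self.tables: dict[str, list[Route]] = {}

    def add_route(self, vrf: str, prefix: str, next_hop: str) -> None:
        """Install a prefix into exactly one VRF's table."""
        self.tables.setdefault(vrf, []).append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, vrf: str, dst: str) -> Optional[str]:
        """Longest-prefix match inside a single VRF.

        There is deliberately no fallback to other VRFs: a destination that is
        only known in another VRF is unreachable, which is the isolation the
        text describes (a separate Layer-3 device would be needed to cross).
        """
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for net, hop in self.tables.get(vrf, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


def build_demo_router() -> VrfRouter:
    """Four customer VRFs that all carry 10.0.0.0/24, as in the diagram."""
    r = VrfRouter()
    for name, hop in [("CUST_A", "192.0.2.1"), ("CUST_B", "192.0.2.2"),
                      ("CUST_C", "192.0.2.3"), ("CUST_D", "192.0.2.4")]:
        # Same prefix in every VRF: overlapping address space, no conflict.
        r.add_route(name, "10.0.0.0/24", hop)
    # A more specific route that exists only in CUST_A.
    r.add_route("CUST_A", "10.0.0.128/25", "192.0.2.11")
    # A prefix that exists only in CUST_B; other VRFs must not see it.
    r.add_route("CUST_B", "172.16.0.0/16", "192.0.2.22")
    return r


if __name__ == "__main__":
    router = build_demo_router()
    for vrf in ("CUST_A", "CUST_B", "CUST_C"):
        print(vrf, "10.0.0.5 ->", router.lookup(vrf, "10.0.0.5"),
              "| 172.16.5.5 ->", router.lookup(vrf, "172.16.5.5"))
```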