Security for All Sizes: Segmentation

Every business has assets that can’t be properly secured on their own, or assets that need more security than the rest of the network gets. By placing those assets behind a firewall, an access control list (ACL), or in another VLAN, we can make them more secure. If you want to say that last sentence in one word, you go with “segmentation”. If you want two words, “network segmentation.”

In the small company, the number of devices that need segmentation can be small. They may still be a high percentage of the devices on the network, but it’s still a small number. It’s a small company, after all. If the devices aren’t mobile, segmentation can be as easy as permitting only traffic on ports specified by the vendor and then blocking everything else with the obligatory “deny any any all” rule at the bottom of the ACL. If you have a large number of devices with similar needs, place them in the same VLAN and then apply a single ACL to the whole VLAN. Simple, yes?

Well, yes and no. Often, the network gear in place in a small business is limited in what it can do. If the owner couldn’t afford a switch that can support multiple VLANs or ACLs – or the operating system version that unlocks those features – then you can’t do that easy implementation. The good news is that you might not need to upgrade the entire environment, maybe just one switch that can handle all the sensitive connections and then leave everything else on the lighter-grade switches.

In the medium company, maybe there’s an actual datacenter where all the cool servers go. If so, great! Put a firewall between that datacenter and the rest of the network and start putting rules on it that limit the inbound and outbound traffic. If there’s a business case to have unlimited access, then do so only through a single host, and then log all the activity on that host.
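The two ACL patterns above (permit only the vendor’s documented ports, give one logged host unrestricted access, and finish with the catch-all deny) come down to first-match evaluation. The following Python is an added example, not code from the original post: it evaluates constructed flows against a constructed ACL and also flags rules that an earlier, broader rule makes unreachable, which is the usual way a misplaced deny-all quietly breaks a segment. Addresses, VLAN ranges and the vendor ports (443 and 161) are assumptions chosen for the example.

```python
"""Constructed example: first-match ACL evaluation for a segmented VLAN."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip = any protocol)
    src: str               # source prefix in CIDR notation
    dst: str               # destination prefix in CIDR notation
    dport: Optional[int]   # destination port; None means any port
    log: bool = False      # whether a hit on this rule should be logged


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when protocol, both prefixes and the port all agree."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, int, bool]:
    """Walk the ACL top to bottom; the first matching rule decides.

    Returns (action, index of the deciding rule, whether the hit is logged).
    Falling off the end behaves like the implicit deny most platforms apply.
    """
    for idx, rule in enumerate(acl):
        if rule_matches(rule, flow):
            return rule.action, idx, rule.log
    return "deny", -1, False


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every flow 'narrow' could match is already matched by 'broad'."""
    proto_ok = broad.proto == "ip" or broad.proto == narrow.proto
    src_ok = ip_network(narrow.src).subnet_of(ip_network(broad.src))
    dst_ok = ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
    port_ok = broad.dport is None or broad.dport == narrow.dport
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    shadowed = []
    for j, later in enumerate(acl):
        if any(covers(earlier, later) for earlier in acl[:j]):
            shadowed.append(j)
    return shadowed


# Constructed addressing (assumption): 10.10.50.0/24 is the sensitive-asset VLAN,
# 10.10.10.0/24 the admin network, 10.10.10.5 the single host allowed everything.
SENSITIVE_VLAN = "10.10.50.0/24"
ADMIN_NET = "10.10.10.0/24"
JUMP_HOST = "10.10.10.5/32"

SENSITIVE_ACL = [
    # Ports the (hypothetical) vendor documented for the device: HTTPS and SNMP.
    Rule("permit", "tcp", ADMIN_NET, SENSITIVE_VLAN, 443),
    Rule("permit", "udp", ADMIN_NET, SENSITIVE_VLAN, 161),
    # The one host with unrestricted access; every hit is logged.
    Rule("permit", "ip", JUMP_HOST, SENSITIVE_VLAN, None, log=True),
    # The obligatory catch-all at the bottom, logged so blocked attempts are visible.
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, log=True),
]

if __name__ == "__main__":
    for flow in (Flow("tcp", "10.10.10.20", "10.10.50.7", 443),
                 Flow("tcp", "10.10.10.20", "10.10.50.7", 22),
                 Flow("tcp", "10.10.10.5", "10.10.50.7", 22)):
        print(flow, "->", evaluate(SENSITIVE_ACL, flow))
    print("shadowed:", shadowed_rules([SENSITIVE_ACL[-1]] + SENSITIVE_ACL))
```

Running `shadowed_rules` on a candidate ACL before pushing it is the cheap check that catches the deny-all pasted at the top instead of the bottom; every permit after it comes back as shadowed.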

As for the other devices, you’ll be looking at VLANs for the most part to provide that segmentation. The reason comes down to the memory available on switching devices for ACL storage. On many devices it is limited enough that you would not want an ACL on every single port: that memory gets exhausted and the switch goes down. Gathering ports into VLANs and then giving each VLAN a single ACL makes much better use of memory on the switches.

The problem now becomes one of defining the address scopes and the routing for those new VLANs, which can be a lot of work even for one VLAN type. Carving out a printer VLAN at 10 different sites is no mean task. What’s more, it means that the IP address management (IPAM) system needs to be kept current with comments for each VLAN type, so that people can understand what’s going on.

And once you start documenting your IPAM, you can’t stop. Or, rather, if you *do* stop, you’ll leave question marks on other network ranges and force someone later on to go back and revisit your work – and that someone might be you!
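Carving the same VLAN types out at every site, and leaving a comment on each range so the IPAM has no question marks, is mechanical enough to script. The Python below is an added example, not something from the original post or from any particular IPAM product: it allocates one /24 per VLAN type per site out of each site’s block, emits an IPAM-style record with a comment naming the VLAN and the ACL that applies to it, and checks the result for overlapping or undocumented ranges. The ten site blocks, the VLAN IDs and the “-in” ACL naming are assumptions made for the example.

```python
"""Constructed example: per-site VLAN address plan with IPAM records and checks."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

# VLAN types and IDs (constructed; the post names only the printer VLAN).
VLAN_TYPES = {"users": 10, "servers": 20, "printers": 50}

# Ten sites, each with a /20 block (constructed; /20 gives 16 possible /24 VLANs).
SITES = {f"site{n:02d}": f"10.{n}.0.0/20" for n in range(1, 11)}


@dataclass(frozen=True)
class IpamRecord:
    site: str
    vlan_id: int
    purpose: str
    prefix: str
    comment: str


def plan_site(site: str, site_block: str, vlan_types: Dict[str, int],
              prefix_len: int = 24) -> List[IpamRecord]:
    """Give every VLAN type at one site its own /prefix_len out of the site block.

    VLANs are allocated in ascending VLAN ID order so the layout is predictable
    at every site, which is what makes the IPAM readable later on.
    """
    block = ip_network(site_block)
    available = 2 ** (prefix_len - block.prefixlen)
    if len(vlan_types) > available:
        raise ValueError(f"{site}: {block} holds only {available} /{prefix_len} subnets")
    subnets = block.subnets(new_prefix=prefix_len)
    records = []
    for purpose, vlan_id in sorted(vlan_types.items(), key=lambda kv: kv[1]):
        net = next(subnets)
        comment = f"{site} {purpose} VLAN {vlan_id}; ACL {purpose}-in applies"
        records.append(IpamRecord(site, vlan_id, purpose, str(net), comment))
    return records


def plan_sites(sites: Dict[str, str], vlan_types: Dict[str, int]) -> List[IpamRecord]:
    """Run the per-site plan for every site and return one flat record list."""
    records: List[IpamRecord] = []
    for site, block in sites.items():
        records.extend(plan_site(site, block, vlan_types))
    return records


def overlaps(records: List[IpamRecord]) -> List[Tuple[str, str]]:
    """Pairs of prefixes that overlap; each pair is an addressing mistake."""
    nets = [(r.prefix, ip_network(r.prefix)) for r in records]
    found = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                found.append((nets[i][0], nets[j][0]))
    return found


def undocumented(records: List[IpamRecord]) -> List[str]:
    """Prefixes with no comment: the question marks someone will have to revisit."""
    return [r.prefix for r in records if not r.comment.strip()]


def prefixes_for_purpose(records: List[IpamRecord], purpose: str) -> List[str]:
    """All ranges of one VLAN type, e.g. everything the printer ACL must cover."""
    return [r.prefix for r in records if r.purpose == purpose]


if __name__ == "__main__":
    plan = plan_sites(SITES, VLAN_TYPES)
    for rec in plan:
        print(f"{rec.prefix:18} vlan {rec.vlan_id:<3} {rec.comment}")
    print("overlaps:", overlaps(plan))
    print("undocumented:", undocumented(plan))
```

The `prefixes_for_purpose` list is the piece the security team needs: it is exactly the set of ranges one printer ACL has to reference, and it only stays correct while the records it is built from do.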

Large firms may already have VLAN hell and an IPAM with best-effort maintenance. There’s no easy way to put this: you’ll have to clean that up and get processes in place to keep it cleaned up. Network and security teams will have to join in on this effort and it would be best if people on both teams were familiar with the IPAM system being used and what different security ACLs apply to the various VLANs. That means documentation, meetings, documentation of what was said in meetings, meetings to work out issues with the documentation, and so on.

Sorry about all the work that goes with this… but if you want proper segmentation, there needs to be both proper documentation and proper maintenance of the scheme to keep it relevant over time. The small company has the lightest load for documentation, but that might be offset by the need to purchase higher-end gear. For all the other companies, you’ve got the stuff that can do the job, but you’ve got a big job to do.
