Groups of information services, users and information systems should be segregated in the organisation’s networks.
Segregation of networks in information security refers to the practice of separating different parts of a network into different subnets or security zones, in order to limit the scope of a security incident and to isolate potentially vulnerable systems from the rest of the network.
This can be achieved through several methods such as:
- VLANs (Virtual Local Area Networks): VLANs allow multiple virtual networks to be created on a single physical network, so that different network segments can be kept separate from one another.
- Firewalls: Firewalls can be used to segment a network by controlling access between different parts of the network.
- DMZ (Demilitarized Zone): A DMZ is a subnet that is used to isolate publicly accessible services, such as web servers, from the rest of the network.
- VPN (Virtual Private Network): VPNs allow remote users to access the internal network securely, while keeping the internal network separate from the public internet.
- Micro-segmentation: Micro-segmentation is a technique that allows a network to be segmented at a granular level, using software-defined networking (SDN) technology.
- Zero Trust Network: Zero Trust Network is a security concept that assumes every user, device and network is potentially compromised, and requires all network traffic to be verified and authenticated before it is allowed to pass.
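The firewall and DMZ methods listed above only segregate the network if the rule set actually enforces the intended zone boundaries. The following Python script is an added illustration, not code from the original text: it models three constructed security zones (dmz, internal, management, with everything else treated as the untrusted outside), a constructed policy of permitted inter-zone flows, and a constructed candidate rule set, and reports every "allow" rule that would let traffic cross a zone boundary the policy does not permit, including overly broad rules whose source spans several zones. Zone ranges, port choices and rule names are assumptions made for the example.

```python
"""Segmentation policy check for a candidate firewall rule set.

Zones are CIDR blocks; the policy lists which inter-zone flows (and ports)
are permitted. Any "allow" rule that lets traffic cross zones outside that
list is reported, including rules whose source or destination is so broad
that it spans several zones.
"""
import ipaddress
from dataclasses import dataclass
from itertools import product

# Constructed zone model for illustration; real address plans differ.
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),         # public-facing web tier
    "internal": ipaddress.ip_network("10.20.0.0/16"),    # application and database hosts
    "management": ipaddress.ip_network("10.99.0.0/24"),  # admin jump hosts
}
OUTSIDE = "internet"  # implicit zone for anything not inside an explicit zone

# Permitted inter-zone flows: (source zone, destination zone) -> allowed TCP ports.
# Flows absent from this table are denied by policy. Constructed for the example.
POLICY = {
    (OUTSIDE, "dmz"): {80, 443},
    ("internal", "dmz"): {80, 443},
    ("management", "dmz"): {22, 80, 443},
    ("dmz", "internal"): {5432},          # web tier may reach the database only
    ("management", "internal"): {22},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR
    dst: str     # CIDR
    port: int    # destination TCP port
    action: str  # "allow" or "deny"


def zones_touched(cidr):
    """Return the set of zones a CIDR reaches.

    A block fully inside one zone maps to that zone. A broader block maps to
    every zone it overlaps plus OUTSIDE, because addresses not covered by any
    explicit zone are treated as untrusted.
    """
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return {name}
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    touched.add(OUTSIDE)
    return touched


def check_rules(rules):
    """Map each offending rule name to the sorted list of (src, dst) zone pairs
    it permits contrary to POLICY. Deny rules and intra-zone flows are ignored."""
    violations = {}
    for rule in rules:
        if rule.action != "allow":
            continue
        bad = set()
        for sz, dz in product(zones_touched(rule.src), zones_touched(rule.dst)):
            if sz == dz:
                continue
            if rule.port not in POLICY.get((sz, dz), set()):
                bad.add((sz, dz))
        if bad:
            violations[rule.name] = sorted(bad)
    return violations


# Constructed candidate rule set (names and addresses are made up).
SAMPLE_RULES = [
    Rule("web-in", "0.0.0.0/0", "10.10.0.0/24", 443, "allow"),      # permitted by policy
    Rule("web-db", "10.10.0.0/24", "10.20.5.0/24", 5432, "allow"),  # permitted by policy
    Rule("web-smb", "10.10.0.0/24", "10.20.0.0/16", 445, "allow"),  # DMZ must not reach file shares
    Rule("any-ssh", "0.0.0.0/0", "10.99.0.0/24", 22, "allow"),      # SSH into management from anywhere
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]

if __name__ == "__main__":
    for name, flows in check_rules(SAMPLE_RULES).items():
        print(f"{name}: permits disallowed flows {flows}")
```

Run as-is, the script reports `web-smb` (the DMZ reaching internal file shares) and `any-ssh` (the management zone reachable over SSH from the DMZ, the internal zone and the outside). The key design choice is that a source or destination block not contained in a single zone is expanded to every zone it overlaps, so a rule written as "any" is judged against each boundary it silently crosses rather than slipping through as a single flow.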
The segregation of networks can improve the overall security of a network by reducing the attack surface, and by making it more difficult for an attacker to move laterally through the network. Additionally, it provides more granular control over access to network resources, and it allows for the implementation of different security measures for different parts of the network.