Network Segmentation
Dividing a network into isolated segments (VLANs, subnets, zones) to limit the spread of attackers following an initial breach. A core principle of the defense-in-depth strategy and a prerequisite for Zero Trust.
Network segmentation divides a flat network into isolated zones with controlled access points. The principle is based on a key insight: Attackers will eventually gain access to a network. The question is how far they can spread after the initial breach.
The Problem: Flat Networks
Many companies have a single, large network:
All devices in the same segment: Accounting PC ↔ Production PLC ↔ Domain Controller ↔ Printer ↔ Guest Wi-Fi
Consequence: Malware on the guest laptop → direct access to all other devices. An attacker who compromises a weak link (e.g., an unpatched printer) immediately gains access to the domain controller.
Segmentation Concepts
VLAN (Virtual Local Area Network)
VLANs separate networks at Layer 2 of the OSI model—without physically separating the cables:
| VLAN | Use |
|---|---|
| VLAN 10 | Office network (workstations, laptops) |
| VLAN 20 | Server network (file servers, application servers) |
| VLAN 30 | Management network (switches, routers, DRAC/iLO) |
| VLAN 40 | OT/production network (PLCs, machines) |
| VLAN 50 | DMZ (externally accessible servers) |
| VLAN 60 | Guest Wi-Fi (completely isolated) |
| VLAN 70 | IoT devices (printers, cameras, smart devices) |
Between VLANs: Firewall rules that only allow permitted traffic through.
DMZ - Demilitarized Zone
Internet → Firewall1 → DMZ (web server, mail gateway, VPN) → Firewall2 → Internal
DMZ systems are accessible from the Internet—but strictly separated from internal systems. If a DMZ system is compromised: no direct path into the internal network.
Micro-segmentation
State-of-the-art approach: Segmentation not only at the network level, but at the individual system level.
Instead of: Server VLAN (all servers communicate freely)
Better: Web server A is ONLY allowed to communicate with:
- Database server X on port 5432
- Load balancer on ports 80/443
All other connections: BLOCKED
Implementation: Software-Defined Networking (SDN), VMware NSX, Cisco ACI, Cloud Security Groups.
Segmentation and Ransomware
Without segmentation:
- Ransomware on workstation X
- SMB broadcast across the network
- All accessible shares encrypted
- Active Directory compromised
- Complete shutdown (all 500 systems)
With segmentation:
- Ransomware on workstation X (Office VLAN 10)
- Firewall blocks SMB to Server VLAN
- Only workstations in the same segment affected
- Servers and domain controllers unaffected
- Recovery in hours instead of weeks
Network segmentation is one of the most effective ransomware protection mechanisms.
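The micro-segmentation allowlist for web server A above and the "firewall blocks SMB to the server VLAN" case from the ransomware scenario can both be expressed as one default-deny policy and checked against flow records. The following is an added example, not code from the original page; the addressing (10.10.0.0/24 for office VLAN 10, 10.20.0.0/24 for the server VLAN) and the sample flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allowlist entry: src network -> dst network, protocol, destination ports."""
    src: str            # CIDR (a /32 is a single host)
    dst: str
    proto: str          # "tcp" or "udp"
    dports: frozenset   # allowed destination ports


# Hypothetical addressing for the segments described on the page (constructed).
OFFICE_VLAN10 = "10.10.0.0/24"   # workstations
WEB_A = "10.20.0.10/32"          # web server A (server VLAN 20)
DB_X = "10.20.0.20/32"           # database server X (server VLAN 20)
LOAD_BALANCER = "10.20.0.5/32"

# Micro-segmentation allowlist for web server A; everything not listed is denied.
POLICY = (
    Rule(WEB_A, DB_X, "tcp", frozenset({5432})),              # app -> PostgreSQL
    Rule(LOAD_BALANCER, WEB_A, "tcp", frozenset({80, 443})),  # LB -> web server
)


def is_allowed(src_ip, dst_ip, proto, dport, policy=POLICY):
    """Default deny: a flow passes only if a rule matches src, dst, protocol and port."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(
        src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
        and proto == r.proto and dport in r.dports
        for r in policy
    )


def audit(flows, policy=POLICY):
    """Return the (src, dst, proto, dport) flows the segmentation policy blocks.

    Run over firewall or NetFlow logs, the result lists the lateral-movement
    attempts the segmentation stopped (or, on a flat network, would have stopped)."""
    return [f for f in flows if not is_allowed(*f, policy=policy)]


# Constructed sample flow records: (src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.20.0.10", "10.20.0.20", "tcp", 5432),  # web A -> DB X: permitted
    ("10.20.0.5", "10.20.0.10", "tcp", 443),    # LB -> web A: permitted
    ("10.10.0.42", "10.20.0.10", "tcp", 445),   # office PC -> web A via SMB: blocked
    ("10.10.0.42", "10.20.0.20", "tcp", 445),   # office PC -> DB X via SMB: blocked
    ("10.20.0.10", "10.20.0.20", "tcp", 22),    # web A -> DB X via SSH: blocked
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("BLOCKED", flow)
```

The three blocked flows are exactly the ones the page's scenario relies on being stopped: SMB from the office VLAN into the server VLAN, plus an unlisted port between two servers that a flat server VLAN would have allowed.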
Segmentation between IT and OT
Operational Technology (OT)—control systems for production, buildings, and infrastructure—must never be on the same network as IT systems:
IT network ← Firewall (air gap or data diode) → OT network
Permitted traffic:
- Only from IT to OT (not back): reading monitoring data
- No connection from OT workstations to the Internet
Prohibited:
- No direct connections between IT workstations and PLCs
- No Internet access for OT devices
Triton/TRISIS malware (2017): An attack on a refinery’s safety systems was possible because IT and OT were connected.
Compliance Requirements
PCI DSS 1.3: Network segmentation is mandatory for the Cardholder Data Environment—payment systems must be isolated from other networks.
NIS2 Art. 21: Network security and network segmentation are explicit requirements for critical infrastructure.
BSI IT-Grundschutz NET.1.1: Network architecture and design – segmentation as a basic requirement.
ISO 27001 A.8.22: Separation of networks.