Demystifying Network Isolation and Micro-segmentation

  1. Project stakeholders matrix
  2. Spreadsheet of new subnets being created
  3. Revised/new network architecture diagrams
  4. List of affected enterprise applications
  5. List of required ports and protocols for enterprise applications affected by the migration

  1. DO separate user workstations from internal servers. It is very common to find organizations where user VLANs sit on the same network as mission-critical internal servers, leaving minimal to no network filtering between the hosts beyond what the endpoints themselves provide.
  2. DO separate printers onto their own network.
  3. DO separate VOIP phones onto their own network.
  4. DO only allow the ports needed by the applications. If you don’t know what they are, this is an opportune time to work more closely with the application owners than you ever have before and to better understand their applications and requirements. Schedule meetings with each app owner and document the ports, protocols and traffic direction for each of their enterprise applications.
  5. DO define network security controls beyond VACLs for inspecting and acting on suspect traffic entering each VLAN.
  6. DO NOT consider the user VLANs to be a trusted network.
  7. DO consider architecting the network in layers of trust from high to low, like the layers of an onion.
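To make items 4 through 7 concrete, here is an added example (not code from the original article) that turns the per-application port/protocol inventory from item 4 into a default-deny inter-VLAN access list and flags the flows that cross from a lower-trust layer into a higher-trust one, which are the ones item 5 says need inspection beyond a VACL. The zone names, subnets, application names and ports are all constructed for illustration; the ACL syntax follows the Cisco IOS extended access-list form, with the trailing `deny ip any any log` giving you both the default-deny and a log source for undocumented traffic.

```python
"""Build a default-deny inter-VLAN ACL from a documented flow inventory.

Added example for the segmentation checklist above. Every zone, subnet,
application and port below is constructed; substitute your own inventory.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One documented application flow: source zone -> destination zone."""
    app: str
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    port: int    # destination port the application actually needs


# Trust layers, listed from most trusted (index 0) to least trusted.
# Constructed subnets; one VLAN per layer as the DO list recommends.
ZONES = {
    "servers":      ip_network("10.10.0.0/24"),
    "workstations": ip_network("10.20.0.0/24"),
    "printers":     ip_network("10.30.0.0/24"),
    "voip":         ip_network("10.40.0.0/24"),
}
TRUST_RANK = {name: rank for rank, name in enumerate(ZONES)}

# Constructed inventory, the output of the app-owner meetings in item 4.
INVENTORY = [
    Flow("erp-web",        "workstations", "servers",  "tcp", 443),
    Flow("file-share",     "workstations", "servers",  "tcp", 445),
    Flow("print-spool",    "workstations", "printers", "tcp", 9100),
    Flow("sip-signalling", "voip",         "servers",  "udp", 5060),
]


def _cisco_pair(zone_name):
    """Return 'network wildcard' in IOS ACL form, e.g. '10.10.0.0 0.0.0.255'."""
    net = ZONES[zone_name]            # KeyError here means an undocumented zone
    return f"{net.network_address} {net.hostmask}"


def build_acl(inventory, acl_name="INTER-VLAN"):
    """Emit an extended ACL permitting only documented flows, then deny+log."""
    lines = [f"ip access-list extended {acl_name}"]
    for f in inventory:
        lines.append(
            f" permit {f.proto} {_cisco_pair(f.src_zone)} "
            f"{_cisco_pair(f.dst_zone)} eq {f.port}"
        )
    # Implicit deny made explicit and logged so undocumented traffic is visible.
    lines.append(" deny ip any any log")
    return lines


def is_allowed(inventory, src_zone, dst_zone, proto, port):
    """Check a proposed flow against the inventory (what the ACL would permit)."""
    return any(
        f.src_zone == src_zone and f.dst_zone == dst_zone
        and f.proto == proto and f.port == port
        for f in inventory
    )


def flows_needing_inspection(inventory):
    """Flows entering a more-trusted layer from a less-trusted one (item 5)."""
    return [
        f for f in inventory
        if TRUST_RANK[f.src_zone] > TRUST_RANK[f.dst_zone]
    ]


if __name__ == "__main__":
    print("\n".join(build_acl(INVENTORY)))
    for f in flows_needing_inspection(INVENTORY):
        print(f"inspect: {f.app} {f.src_zone}->{f.dst_zone} {f.proto}/{f.port}")
```

Running it prints the ACL and lists three flows for inspection (the two workstation-to-server flows and the VoIP-to-server one); the workstation-to-printer flow moves toward a less-trusted layer and is not flagged. Feeding a flow that is not in the inventory to `is_allowed` returns `False`, which is the check to run before an application owner asks for an exception: if it is not documented, it is not permitted.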
