Network Segmentation and Port Isolation

2 min read Infrastructure & DevOps Security

Network Segmentation and Port Isolation

Network segmentation limits port exposure by isolating systems into security zones with controlled inter-zone communication. This approach prevents lateral movement and contains potential breaches while maintaining necessary connectivity. Implementing segmentation requires careful planning to balance security with operational requirements.

VLAN-based segmentation provides Layer 2 isolation:

# Configure VLAN interfaces on Linux
sudo apt-get install vlan
sudo modprobe 8021q

# Create VLAN interfaces
sudo ip link add link eth0 name eth0.100 type vlan id 100  # Management VLAN
sudo ip link add link eth0 name eth0.200 type vlan id 200  # Production VLAN
sudo ip link add link eth0 name eth0.300 type vlan id 300  # DMZ VLAN

# Assign IP addresses
sudo ip addr add 192.168.100.1/24 dev eth0.100
sudo ip addr add 192.168.200.1/24 dev eth0.200
sudo ip addr add 172.16.0.1/24 dev eth0.300

# Enable interfaces
sudo ip link set dev eth0.100 up
sudo ip link set dev eth0.200 up
sudo ip link set dev eth0.300 up

Implement port-based access controls between segments:

# iptables rules for inter-VLAN filtering
# Allow management VLAN to access all segments
iptables -A FORWARD -i eth0.100 -j ACCEPT

# Production can only access specific DMZ services
iptables -A FORWARD -i eth0.200 -o eth0.300 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0.200 -o eth0.300 -j DROP

# DMZ cannot initiate connections to internal networks
iptables -A FORWARD -i eth0.300 -o eth0.100 -j DROP
iptables -A FORWARD -i eth0.300 -o eth0.200 -j DROP

Windows network isolation using Windows Defender Firewall:

# Create isolation rules for different server roles
# Database servers - only accessible from app servers
New-NetFirewallRule -DisplayName "SQL Server - App Servers Only" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress "192.168.200.0/24" -Action Allow

New-NetFirewallRule -DisplayName "SQL Server - Block Others" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -Action Block

# Web servers - accessible from DMZ only
New-NetFirewallRule -DisplayName "Web Server - DMZ Only" `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -RemoteAddress "172.16.0.0/24" -Action Allow