Network Separation – CompTIA Security+ SY0-401: 1.2

One of the fundamental best practices of network security is to segment the network to prevent access and protect resources. In this video, you’ll learn about network separation and how organizations can use different segmentation strategies in their infrastructure.



If your organization deals with very sensitive data, you may have not only a requirement to logically separate out the networks on VLANs, but to really create separate physical networks: a physical switch and a physical router that are completely separated from the other components within your organization.

And when this happens, there’s no overlap. You’re not connecting them together. You’re not somehow creating VLANs between the two. You really are separating them out. This is nice if you’re wanting to really, completely separate that data, because there’s no way you could get into a switch and somehow end up on the private network.

There’s no way that you could reconfigure a router and somehow end up on that private network. It would really be a separate physical network. When you’re in a very sensitive environment, with customer data, credit card numbers, or health care information, you may definitely want to consider setting up a physical network and separating it out.

If you don’t have the ability to do it with physical devices, then maybe your best option is to set it up with virtual LANs, or virtual router-type configurations, or even virtual firewalls. This keeps your costs down.

One of the things that this allows you to do is have these networks really separated out. The way our technology works these days, when you virtualize a switch with a VLAN, or you virtualize a firewall, you really are setting up completely separate components. They’re designed not to communicate with each other. And that gives you a lot of flexibility if you need to protect very, very sensitive data from other parts of the organization.

It’s an interesting idea, isn’t it: a virtual firewall. Here’s how a firewall might look. You have a firewall with a lot of ports on the front of it.

One of the things that you can do is assign certain ports to be independent from anything else that’s inside the firewall. Those ports would have their own firewall rules. Those ports would have their own log files. Those ports would have their own reports. Those ports would be completely independent, and you have separate administration capabilities for each of them.

You might want to assign ports 1, 2, and 3 to be, kind of, a red network. They’d be their own separate virtual firewall. Then you’d, essentially, build a new firewall inside of the same device for these other two ports on here.

These ports 1, 2, and 3 cannot see ports 7 and 8, and vice versa. They are completely separated within the firewall. These are virtual firewall systems. And then you can take some other ports, and put them on a third virtual firewall.

You would log into your firewall, and you would only see your firewall. Even though it’s on one physical device, each one of these ports has been administratively assigned so that they cannot talk to each other, they cannot see each other.
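As an added illustration of the port assignment described above (this is not from the video and not any vendor’s configuration, just a simplified Python model with constructed ports and rules), the following shows why ports in one virtual firewall never see another’s ports, rules, or logs:

```python
"""Model of one physical firewall carved into independent virtual firewalls.

Each port is owned by exactly one named context with its own rules and log.
Traffic between ports of different contexts is dropped before any rule is
consulted, so from inside one context the others simply do not exist.
"""
from dataclasses import dataclass, field


@dataclass
class VirtualFirewall:
    name: str
    ports: set                 # physical ports owned by this virtual firewall
    # rules: (ingress, egress, tcp_port or "any", "allow"/"deny"); first match wins
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)   # seen only by this context's admin


class PhysicalFirewall:
    def __init__(self, contexts):
        self.owner = {}        # physical port -> the one context that owns it
        for ctx in contexts:
            for p in ctx.ports:
                if p in self.owner:
                    raise ValueError(f"port {p} already belongs to {self.owner[p].name}")
                self.owner[p] = ctx

    def forward(self, ingress, egress, tcp_port):
        """Decide whether a packet entering on `ingress` may leave on `egress`."""
        src_ctx, dst_ctx = self.owner.get(ingress), self.owner.get(egress)
        if src_ctx is None or dst_ctx is None:
            return "drop:unassigned-port"
        if src_ctx is not dst_ctx:
            # No path exists between contexts; the other virtual firewall never
            # sees the packet, so only the ingress context records the drop.
            src_ctx.log.append(f"drop {ingress}->{egress}/{tcp_port}: egress not in this context")
            return "drop:cross-context"
        for r_in, r_out, r_port, action in src_ctx.rules:
            if (r_in, r_out) == (ingress, egress) and r_port in (tcp_port, "any"):
                src_ctx.log.append(f"{action} {ingress}->{egress}/{tcp_port}")
                return action
        src_ctx.log.append(f"deny {ingress}->{egress}/{tcp_port}: implicit")
        return "deny"


# Constructed layout following the video: ports 1-3 form the "red" virtual
# firewall, ports 7 and 8 a second one, and the remaining ports a third.
red = VirtualFirewall("red", {1, 2, 3}, rules=[(1, 2, 443, "allow"), (1, 3, "any", "deny")])
blue = VirtualFirewall("blue", {7, 8}, rules=[(7, 8, "any", "allow")])
green = VirtualFirewall("green", {4, 5, 6})
fw = PhysicalFirewall([red, blue, green])
```

A red-network administrator reading `red.log` sees only red traffic, and a packet from port 1 toward port 7 is dropped without the blue context ever evaluating a rule.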

If you’re trying to save money and, at a very basic level, really separate out your network, that’s a great way to do it.