Small Business Network Segmentation

Network segmentation is the practice of dividing a computer network into smaller, isolated subnetworks, also called network segments.

There are a lot of benefits to segmenting a network, and it’s not as difficult as it may sound at first.

When we segment a network, we separate it into subnetworks.

The network traffic that flows through each segment is isolated from the other segments, and we can then analyze and control what happens on each segment independently. This gives us a lot of protection and control, and it can help us respond when an incident occurs.

Segmentation is an essential part of small business cybersecurity, and can be leveraged to significantly improve your security posture.

Technical Detail Alert: For small business owners who aren’t technically oriented, this lesson might be a bit tough. Please don’t get discouraged!

There’s no way to get around technical details because we want to provide useful, practical information to help small businesses who may want to set up their own network segmentation.

If you’re a non-technical person (or not into IT), don’t worry too much about the details in this tutorial! Just try to take in the basics: segmentation is important, we use VLANs to do it, and there are a couple of ways to set up VLANs; we recommend using a firewall.

We are always here to help with any questions, and can help guide you through the process of purchasing and installing a firewall, or we can do it all for you. The important point here is not to get discouraged by the technical details; take what you can and keep moving on to the next lesson.

Segmenting an Office Network – The Classic Example

In order to better understand how network segmentation works, let’s look at how a small, office-based business might segment its network. This is a classic example, and should be helpful even if it doesn’t apply directly to smaller businesses without an office or separate departments.

In an office network, companies often segment their network based on department in order to protect each department’s network from the others. It also facilitates productivity and can simplify troubleshooting.

For example, employees in the Accounting department typically need access to financial information that other employees in Sales don’t. Conversely, the Sales team may need access to other software that Accounting doesn’t. In other words, they each need access to data and software that the other doesn’t.

By segmenting the network, we create smaller subnetworks, essentially giving Sales and Accounting their own areas within the company network. Segmentation also has a large impact on security: it can make it difficult or impossible for an attacker who has compromised one segment to pivot into the others.

Segmentation Prevents Pivoting

One of the most important benefits of segmentation is that it helps prevent attackers from pivoting.

Pivoting is a technique used by attackers to move laterally within a compromised network. After gaining initial access to one system, the attacker leverages it as a foothold to access other systems within the network.

In other words, an attacker can use access on one machine to pivot to another, and move through the network.

Network segmentation significantly reduces the risk of pivoting by creating isolated subnetworks, each with its own access controls and security policies, so that a foothold in one segment does not automatically grant reach into the next.

For example, in a business with a properly segmented network, an attacker who compromises a device on the guest Wi-Fi is blocked by the firewall from reaching the internal corporate network where sensitive data is stored. Without segmentation, the attacker may have unrestricted access to the corporate network from the guest network.

We commonly encounter misconfigured Wi-Fi guest networks that don’t actually isolate guests from the business network and instead present an immediate and critical security risk.

Introducing VLANs

Virtual Local Area Networks (VLANs) are a technology used to logically divide a physical network into separate, isolated segments, even if devices are connected to the same physical hardware.

The term ‘VLAN’ might sound scary, but they aren’t actually that hard to use in the company network. We like to say that they’re easy to get right, but also easy to get wrong.

Let’s use a common scenario as an example. In this case, we decide to create three subnetworks:

  1. The main company network, which we’ll call ‘Company Net’.
  2. A guest network, which we’ll call ‘Company Guest’.
  3. An IoT network, which we’ll call ‘Company IoT’.

We’re going to create a separate VLAN for each one.

We’ll need a firewall, managed switch, or router that supports VLANs in order to set up each one.

The process is very similar whether the network is wired or wireless. However, for a wireless VLAN, you will also need a wireless Access Point (AP) with VLAN capabilities, meaning it can map each Wi-Fi network (SSID) to a VLAN ID. This is a common feature on APs that are small-business grade or better.

Setting Up a VLAN Using Your Existing Router

If you’ve purchased a prosumer or SOHO grade router, there’s a good chance that it can support VLANs, so you may be able to get away without purchasing additional hardware such as a managed switch or firewall.

Be aware that many routers offer VLAN or similar options but don’t have a great way to actually secure them. For example, a lot of routers offer ‘guest network’ functionality but don’t isolate connected devices from those on the main network, so a guest can still reach your computers, printers, and file shares.

It’s always a good idea to test your VLAN to make sure it’s working as intended: connect a laptop or phone to the guest network and try to reach an address on the main network (for example, by pinging a printer or opening a file share). If it answers, the guest network isn’t isolated. In any case, we recommend eventually purchasing a firewall and using that to manage your VLANs.

Setting Up a VLAN Using a Managed Switch or Firewall

If your existing router can’t do the job, the next step to segmenting a network is getting a managed switch or a firewall. Either will allow you to create and manage VLANs, but the two are very different.

Before we take a look at firewalls, let’s look at the other option – managed switches.

What’s A Managed Switch?

A switch is a networking device used to connect devices together using network cable.

There are two kinds of switches, unmanaged and managed:

  • An unmanaged switch learns which device is on each port and forwards traffic only to the port where the destination device sits. It works automatically, and there aren’t any options to tweak or software to use.
  • A managed switch gives you access to management software with features like VLANs and the ability to carefully define how network traffic flows through the switch.

Unmanaged switches can’t create or enforce VLANs (at best they pass VLAN-tagged traffic through untouched), while managed switches can. Switches are incredibly useful, and they can be found in virtually every server rack in the world.

Managed switches can be used to create and manage VLANs, and they work well. However for the purpose of creating primary network segments, we recommend using a firewall. This is because firewalls give you so much more visibility and control over the traffic in each VLAN.

With a managed switch, we can create the VLAN but have limited options (depending on the switch) to actually control the traffic through it. In contrast, firewalls are designed to work with VLANs and provide abundant, security-related options for monitoring and controlling network traffic.

What’s a Firewall?

At first glance, a firewall looks similar to a switch but internally is very different. Firewalls monitor, filter, and control incoming and outgoing network traffic.

The primary purpose of a firewall is to act as a barrier between a trusted internal network and untrusted external networks, such as the internet, to protect against unauthorized access, cyberattacks, and data breaches.

A firewall can create network segments using VLANs, and extend various protections to each VLAN – with individual settings and controls.

Firewalls do a lot under the hood, and they have various methods for preventing, detecting, and responding to attacks.

Why Choose a Firewall For Segmentation?

We recommend that most small businesses use a firewall as a general practice. One of the main reasons is that firewalls facilitate network segmentation with strong security rules in place.

But firewalls also offer a ton of additional security and productivity features that make them a great investment.

The dynamic power of a firewall comes from its position in the network. Firewalls are typically placed at the gateway between the internet and the internal network, and take the place of the primary router. This means that all network traffic goes through the firewall, giving it extensive visibility and control over the entire network.

Many firewalls offer Intrusion Detection and Prevention (IDS/IPS) and make use of extensive DNS-based analysis and blocking. They can protect the entire network against activity linked to known-malicious domains and URLs, and offer simple controls for features like ad blocking, social media blocking, video (YouTube) blocking, porn blocking, parental controls, and more.

Firewalls often offer the ability to VPN in to the network, which can be used by employees to access company resources, and it also extends the firewall’s protection to the device even if the device is located elsewhere.

We’ll learn more about firewalls in a later lesson. However, it’s important that we understand the advantages and disadvantages of managed switches vs. firewalls for the purpose of creating and managing VLANs.

  • Firewalls give us many more options to control network traffic, when compared with a managed switch.
  • Depending on the configuration, a firewall often replaces both a router and managed switch.
  • Firewalls offer many advanced security features including VPN.

VLAN Requirements

Now that we’ve looked at the three options for creating VLANs, let’s look at how we would actually implement them.

Whether we’re configuring a VLAN on a firewall, managed switch, or Wi-Fi Access Point, the process is similar. Each VLAN needs two things:

  1. A network name. Choose an appropriate name for the VLAN, like ‘<Company Name> Guest’ for the guest network.
  2. A VLAN ID. This is a number between 1 and 4094 (VLAN 1 is the default on most switches and is best left unused for your business segments). Although it isn’t mandatory, many organizations use multiples of 10: the first VLAN gets an ID of 10, the second an ID of 20, and so on.

The most important thing is that every device that carries a VLAN’s traffic – the firewall, any switches, and any access points – has the matching VLAN settings.

What this often means is that every link in the chain needs to be configured with the VLAN’s ID (and, for clarity, its name), with the ports that connect one device to the next set to carry that VLAN.

Setting the Subnet

It’s common to give each VLAN its own /24 subnet and set the third octet of the subnet equal to the VLAN ID. This works well when we use multiples of 10, and it only works for IDs up to 255, since a larger number can’t fit in the octet. The payoff is that an address in a log immediately tells you which VLAN the traffic came from.

For example, if the main business VLAN has an ID of ’10’ and the guest network has an ID of ’20’, use 192.168.10.0/24 for the business VLAN with the firewall at 192.168.10.1, and 192.168.20.0/24 for the guest network with the firewall at 192.168.20.1. Note that the third octet in each address matches the VLAN ID.
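As an added example (not code from this lesson’s author, and not tied to any vendor), the convention above can be turned into an address plan that also catches the mistakes that break it. The script assumes the 192.168.0.0/16 range, a /24 per VLAN, the firewall at .1, and a DHCP pool from .100 to .254; all of those are assumptions, and the three VLAN names and IDs are the ones used in this lesson.

```python
"""Derive an address plan from VLAN IDs: VLAN N -> 192.168.N.0/24,
firewall at 192.168.N.1. Added example for the lesson above."""
from __future__ import annotations

import ipaddress

# 802.1Q VLAN IDs are 12 bits: 0 and 4095 are reserved, and 1 is the
# default VLAN on most switches, so business segments start at 2.
MIN_VLAN_ID, MAX_VLAN_ID = 2, 4094
BASE = "192.168"  # assumption: one private /16 carved into a /24 per VLAN


def subnet_for(vlan_id: int) -> ipaddress.IPv4Network:
    """Return 192.168.<vlan_id>.0/24; only IDs up to 255 fit in an octet."""
    if not MIN_VLAN_ID <= vlan_id <= MAX_VLAN_ID:
        raise ValueError(f"VLAN ID {vlan_id} is outside {MIN_VLAN_ID}-{MAX_VLAN_ID}")
    if vlan_id > 255:
        raise ValueError(f"VLAN ID {vlan_id} does not fit in an IPv4 octet; "
                         "use a different numbering convention for it")
    return ipaddress.ip_network(f"{BASE}.{vlan_id}.0/24")


def build_plan(vlans: dict[str, int]) -> dict[str, dict]:
    """Map each VLAN name to its ID, subnet, gateway and DHCP range.

    Duplicate IDs are rejected: two 'VLANs' sharing one ID are a single
    broadcast domain, so nothing is actually separated.
    """
    ids = list(vlans.values())
    if len(set(ids)) != len(ids):
        raise ValueError(f"duplicate VLAN IDs in {ids}")
    plan: dict[str, dict] = {}
    for name, vid in vlans.items():
        net = subnet_for(vid)
        hosts = list(net.hosts())  # .1 through .254
        plan[name] = {
            "id": vid,
            "subnet": str(net),
            "gateway": str(hosts[0]),        # the firewall's address on this VLAN
            "dhcp_first": str(hosts[99]),    # assumption: pool starts at .100
            "dhcp_last": str(hosts[-1]),     # ... and runs to .254
        }
    return plan


def vlan_for(ip: str, plan: dict[str, dict]) -> str | None:
    """Reverse lookup, so a log entry like 'src 192.168.20.37' reads as guest."""
    addr = ipaddress.ip_address(ip)
    for name, entry in plan.items():
        if addr in ipaddress.ip_network(entry["subnet"]):
            return name
    return None


if __name__ == "__main__":
    plan = build_plan({"Company Net": 10, "Company Guest": 20, "Company IoT": 30})
    for name, entry in plan.items():
        print(f"{name:14} VLAN {entry['id']:<3} {entry['subnet']:18} "
              f"gw {entry['gateway']}  dhcp {entry['dhcp_first']}-{entry['dhcp_last']}")
    print(vlan_for("192.168.20.37", plan))  # Company Guest
```

Running it prints one line per VLAN; feed `vlan_for` an address from a firewall log and it names the segment. The two `ValueError`s are the cases the convention silently gets wrong on real hardware: an ID over 255 and two segments given the same ID.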

Deploying VLANs On Wired Networks

For wired networks, you can use either a managed switch or a firewall. In either case, deployment is straightforward but the specific steps depend on the manufacturer and the software that they provide.

You will need to log in to the firewall or switch, and then set the network name and VLAN ID. If you would like to connect more devices than the firewall or switch can handle, you will need to add another switch. This switch does not need to be a managed switch as long as every device plugged into it belongs to the same VLAN: connect the unmanaged switch to a port that the firewall or managed switch has assigned to that VLAN, and everything on it lands in that VLAN. Unmanaged switches are quite cheap, so you may as well get one with plenty of room for growth. If you decide to add capacity by adding managed switches, or need several VLANs on the same switch, they will need to be configured to support the VLANs as well.

Deploying WVLANs For Wireless Networks

Wi-Fi has gotten better and better, with the latest iteration (Wi-Fi 7) offering speeds that are plenty fast enough for work use in most environments. Combined with the convenience and cost savings of not having to wire everything up, wireless networks are slowly taking the place of traditional wired networks.

With modern Wi-Fi Access Points (APs), it can be easy to configure VLANs for your wireless networks. A wireless VLAN is abbreviated ‘WVLAN’.

The ability to create WVLANs is supported by most business-grade APs on the market today, and by many better home APs. Configuration is similar to that of the wired network.

However, a wired network often has only one device that needs to be configured (the managed switch or firewall). In contrast, to use wireless VLANs, we need to configure at least two devices: (1) the managed switch or firewall, and (2) each individual Wireless Access Point.

As with wired VLANs, we configure each wireless network with a name and a VLAN ID. Here the wireless network name (the SSID) is what users see, and the AP tags every frame from that SSID with the VLAN ID; it’s simplest to give the SSID the same name as the VLAN. The port the AP plugs into must also be configured to carry all of the VLANs the AP uses, otherwise the traffic will be dropped or, worse, land in the wrong VLAN.

Recommended Configurations

Once you invest in the hardware required to create VLANs, there isn’t a cost to adding more VLANs. For this reason, we recommend setting up a number of VLANs:

  • Primary business network
    • You can also divide your network, e.g. by department
  • Guest network
    • Use a firewall to lock this one down with strict rules: guests should be able to reach the internet and nothing else.
  • IoT network
    • IoT devices can present a security risk and also exhibit annoying broadcast behaviors – isolate them in a separate VLAN!
  • A network for particularly critical computers or sensitive data
    • Use a firewall to establish super-strict rules for this VLAN.
  • For home-based businesses, a family network is essential.
    • Many consumer-oriented firewalls (like Firewalla) offer parental control settings.
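The list above amounts to an inter-VLAN policy: which segment may open connections to which. As an added example (not the lesson author’s configuration and not any vendor’s rule syntax), the script below writes that policy down as a default-deny table, applies it to some constructed sample flows of the kind a firewall log would show, and checks the two invariants the list asks for: guest and IoT reach only the internet, and nothing but the main business segment may initiate into the critical segment. The subnets follow the third-octet convention from earlier, the port restriction on the critical segment is an assumption, and treating any address outside the known segments as “internet” is a simplification.

```python
"""Inter-VLAN policy matrix with invariant checks. Added example; segment
names are this lesson's, addresses and port choices are assumptions."""
from __future__ import annotations

import ipaddress

# Segment -> subnet, using the "third octet = VLAN ID" convention (assumed).
SEGMENTS = {
    "company": ipaddress.ip_network("192.168.10.0/24"),
    "guest": ipaddress.ip_network("192.168.20.0/24"),
    "iot": ipaddress.ip_network("192.168.30.0/24"),
    "critical": ipaddress.ip_network("192.168.40.0/24"),
}
INTERNET = "internet"  # simplification: anything not in SEGMENTS

# (source, destination) -> allowed destination ports, or None for any port.
# Anything not listed is denied. Only connection *initiation* is modelled;
# return traffic for an allowed connection is the firewall's state tracking.
ALLOWED: dict[tuple[str, str], set[int] | None] = {
    ("company", INTERNET): None,
    ("company", "iot"): None,
    ("company", "critical"): {443, 3389},  # assumption: web UI and RDP only
    ("guest", INTERNET): None,
    ("iot", INTERNET): None,
    ("critical", INTERNET): None,
}


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return INTERNET


def allowed(src_ip: str, dst_ip: str, port: int, policy=ALLOWED) -> bool:
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True  # same VLAN: the switch forwards it and the firewall never sees it
    if (src, dst) not in policy:
        return False  # default deny
    ports = policy[(src, dst)]
    return ports is None or port in ports


def policy_violations(policy=ALLOWED) -> list[str]:
    """Check the policy against the isolation goals stated in the lesson."""
    problems = []
    for src, dst in policy:
        if src in ("guest", "iot") and dst != INTERNET:
            problems.append(f"{src} may initiate to {dst}")
        if dst == "critical" and src != "company":
            problems.append(f"{src} may initiate to critical")
    return problems


# Constructed sample flows (src, dst, dst_port), not real log data.
SAMPLE_FLOWS = [
    ("192.168.20.37", "192.168.10.15", 445),   # guest -> company file share
    ("192.168.20.37", "203.0.113.10", 443),    # guest -> a web site
    ("192.168.30.8", "192.168.10.15", 22),     # IoT camera -> company host
    ("192.168.10.15", "192.168.30.8", 8080),   # company -> IoT camera
    ("192.168.10.15", "192.168.40.5", 3389),   # company -> critical (RDP)
    ("192.168.30.8", "192.168.40.5", 3389),    # IoT -> critical
]


def evaluate(flows=SAMPLE_FLOWS, policy=ALLOWED) -> list[tuple[str, str, int, str]]:
    return [(s, d, p, "accept" if allowed(s, d, p, policy) else "drop")
            for s, d, p in flows]


# The misconfiguration this lesson warns about: a "guest" network that can
# still reach the main business network.
LEAKY = {**ALLOWED, ("guest", "company"): None}


if __name__ == "__main__":
    for s, d, p, verdict in evaluate():
        print(f"{segment_of(s):8} {s:15} -> {segment_of(d):8} {d:15} :{p:<5} {verdict}")
    print("violations in ALLOWED:", policy_violations())    # []
    print("violations in LEAKY:", policy_violations(LEAKY))  # guest may initiate to company
```

The invariant check is the part worth keeping around: whenever a rule is added to the real firewall, re-run it against the updated table. The common failure is not a missing rule but an extra one, like `LEAKY`, that quietly reconnects the guest network to the business network.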

Segmenting an Office

For small businesses with office locations, we will typically segment based on department. In addition, machines holding sensitive information that needs to be protected may be further segmented, with stricter controls implemented.

The office may also offer wireless access including a guest network. In this case, it is absolutely critical that the guest network be fully segmented from the office network.

Segmenting a Storefront

Storefronts are often concerned with having high-performance Wi-Fi for company and guest usage. It’s therefore important to set up a separate guest and company Wi-Fi using VLANs for proper segmentation.

An additional thing for businesses with storefronts to consider is that the Wi-Fi quality of service can be expected to decline when more customers connect to the network.

One advantage of using a firewall to segment the network is the ability to control traffic. We can tell the firewall to prioritize the business network over the guest network so that when a lot of guests show up for an event, the point-of-sale (PoS) systems will continue to work reliably. It can also be a good idea to isolate the PoS systems on their own VLAN, give them priority, and restrict them to the payment processor and nothing else.

Segmenting a Home-Based Business

Home-based businesses may need to offer at least three VLANs: one for the business, one for guests, and one for the home.

This can be done using wireless VLANs using a single Wi-Fi access point, as it’s common for home offices to use Wi-Fi exclusively. If the home office uses a wired network connection, configuration is done much the same way.

Unfortunately, VLANs can be easy to set up and also easy to mess up. If you’re having trouble setting up your VLAN or WVLAN, don’t hesitate to reach out!