Segmenting your networks is a great way to strengthen your cybersecurity. However, network segmentation can be done either by logical or physical segmentation. In this blog post, we will explain what logical and physical separation is and what the perks are.
What is network segmentation?
An important part of improving your cybersecurity is to work with network segmentation. Network segmentation in computer networks means dividing a network into smaller networks (also called zones or domains) and then introducing strict controls on the network traffic between the zones. The benefits of such splitting are mainly to improve security but also performance.
Protecting information with network segmentation
It is neither practical nor economically justifiable to protect all information in the same way. To safeguard critical information or critical systems, strict network segmentation must be applied with a combination of physical and logical separation. Physical separation creates security zones deployed on physically different hardware appliances. You should however be prudent when using the term “physical separation” since this in some cases may have the same meaning as “air-gapped” separation. Make sure that your counterpart and you use the same meaning of the term when communicating.
Some very strict environments require that the zones are completely separated, i.e “air-gapped”, meaning that there is no physical connection between the zones. This is also sometimes called “galvanic separation”.
But, what is logical separation?
What is logical separation?
Logical separation is the manner of dividing your network into different zones, but allowing different zones to be co-allocated on the same hardware or network cable – less obvious and with less confidence in the separation mechanism strength than physical separation or air-gap.
Where is logical separation appropriate?
Everywhere besides when protecting critical information or systems. Office networks should use logical separation. Different parts of the business create their own zones – finance, marketing, sales, customer service, etc. – each with different authority.
Another important area where logical separation (or even physical separation) is commonly applied is for separating administrative tasks and functions from ordinary user-related tasks and functions. Logical separation works as the inner walls of a fort making it difficult for attackers to proceed within the systems and access the entire IT environment. Hedging logical units is achieved with products that reduce the risk surface and thereby limit the impact of cyberattacks.
Perks with using logical separation
With logical separation, you can reuse the same hardware infrastructure (i.e cables, switches, routers, etc) for different zones. Information that is stored in the different zones is still only available in that zone, meaning that only the people that need said information can access it.
However, when high assurance is required, you should not mix traffic from different security zones in the same hardware or cables. To achieve high assurance, you must use different hardware for the different zones. You can however usually connect these zones using dedicated cross-domain security products, such as data diodes and guards. In this way, only the information you want to cross the zone borders can do so. It is possible to use a handful of solutions for either one-way communication or bidirectional communication – or both.
Do you want to know more about network segmentation? Read our know-how!
Do you have questions? Do not hesitate to contact us!