Network separation and network access control

The network separation is often an underestimated tool in IT security - but can significantly increase the security level with good and consistent implementation.

Networks are the basic prerequisite for connecting different participants with each other.
These infrastructures have often grown over a long period of time. protective measures like Firewall, Antivirus or regular updates are often implemented, but no longer meet today's security requirements.

Table of Contents

What is the goal of a network separation?

Granular segmentation of the network and sealing off the segments of a firewall is intended to increase the security level, reduce attack surfaces, prevent and/or significantly slow down the spread of defective processes (cf. risk management: “risk reduction”). A detection of attacks should be possible through zoning and access via firewall systems should be limited to what is necessary.

Prerequisites for moving and introducing

a network separation into new and existing network architectures

Procedure: Document inventory of all affected locations, areas and business processes. In this way, the entire network infrastructure with all network participants is recorded cleanly.


Demarcation / out of scope

The concept describes a possible technical approach to divide the network into different segments. Deep configurations are not described. Furthermore, an authorization concept (organizational structure of the company) must be available, based on which security zones can be derived.

Special boundary conditions and restrictions

Due to the combination of different technologies, the complexity is high.

The hardware and software used must be coordinated.

implementation risks

If there are no dependencies or incorrect documentation, on the basis of which firewall rules are created, for example, services may not be available to users. There is a risk of getting lost in micro-management.

With all systems used that are of central importance, it must be avoided that a SPOF (single point of failure) arises. It is recommended to additionally ensure the availability of these systems through a service contract with the manufacturer or service provider.

Do you want to get started as a penetration tester?
Qualify for your dream job with our practice-oriented intensive course!
To the Junior Penetration Tester certificate course

Concept - Prerequisites

Network separation on layers 1 to 7

The implementation of a network separation takes place on all network layers. It is therefore necessary to consider the respective layers of the network infrastructure.

#ISO/OSITCP / IPMinutesSystem
7ApplicationsApplicationSNMP, SMTP, http, DNS, DHCP, LDAP,Firewall, NAC
4TransportTransportTCP, UDP
3mediation/packageInternetIP, ICMPRouter, L3 switch, firewall
2Fusenetwork accessARPSwitch, NAC
1bit transfer Network cable, patch panel


Network segmentation is geared towards “north-south traffic” – that is, the inbound and outbound traffic for the network.

Micro-segmentation introduces another layer of protection for “east-west traffic” – i.e. internal traffic such as client to server, server to server or application to server. Here the segments are reduced - a larger network is divided into smaller network segments.

In a practical analogy to a castle, the network segmentation would be the composite of walls, towers, and deep moats. The micro-segmentation represents the archers on the battlements or the sentries on the doors and gates to important areas. This solution prevents unwanted intrusion.

authorization concept

An authorization concept is not absolutely necessary, but it can be used to determine which accesses are required in order to be able to derive security zones for the network separation. The company organizational chart can serve as a basis for creating an authorization concept.

Permission and role in a network separation

security zones

A security zone is a network area that is separated from other network areas. Traffic into and out of a zone is controlled by security mechanisms. Firewalls are also used in combination with IPS/IDS systems for this purpose. Depending on the protection requirements, communication within a zone can be restricted. This can be implemented by private VLANs. In addition to the authorization concept, zones can also be derived from an IP/VLAN concept.

Examples of zones

Trusted zones:

Only known systems with a specific configuration and a specific status are managed in trusted zones. These systems are classified as trustworthy based on properties such as the version of the operating system, the patch level or whether current end-point protection is available.

DMZ Zones:

Data exchange with the Internet is regulated via a DMZ zone. The DMZ zone has neither a direct connection to the Internet nor to the campus network. Email gateway, reverse proxy, WAF or other security gateway are typically housed in a DMZ.

Management Zones:

Management zones only include systems or services that are used to provide and manage IT infrastructure. Since these systems are usually classified as highly sensitive, access to this zone must be strictly limited. Access from the access area is to be avoided.

zone matrix

WANDMZClientServer & HostingMGMT
WhichWAN X   
Client   X 
Server & Hosting  XX 

Cabling: Layer 1

Structured cabling forms the basis for the operation of high-performance networks for the transmission of data and voice. Here, the requirements for several decades must be taken into account, as well as reserves and flexible expandability, regardless of the application used.

Structured building cabling

  • standardized components
  • hierarchical network topology (star, tree, ...)
  • Comply with recommendations for routing and installation
  • standardized measuring, testing and documentation procedures
  • Support for all current and future communication systems
  • capacity reserve
  • flexible expandability
  • Fail safety through redundant cabling with different routing
  • Compliance with existing standards
  • adequately dimensioned up to the end point


Network areas that should not be connected to each other can already be separated from each other during the cabling. Example of network areas with physical separation:

  • DMZ
  • Network for storage systems
  • separate net for board, BR
  • High-security areas at KRITIS (e.g. production networks or similar)

Note: The cable types and lengths must also be taken into account when selecting the GBIC modules (Gigabit Interface Converter) for connecting the switches and firewalls to one another.

optical fiber 

Hierarchical switch infrastructures (Layer 1 & 2)

The switches are divided into different classes and must be designed for their respective function. A separate IP address range and a separate VLAN must be selected for managing the switches. There are different architecture models - depending on the size of the network:

Three tier architecture

Three Tier Architecture - Hierarchical switch infrastructures

Two tier architecture

Two Tier Architecture - Hierarchical switch infrastructures

Example of a two-tier model

Switches that are not directly connected due to their function must be connected via a dedicated management port. In this case, the management interface has a different IP address than the internal switch. The switch can only be administered via the management interface.

core switches
  • multiple redundant connection to each other
  • Connection of the core firewall
  • ideally, separate routes for the (building) cabling
  • redundant power supplies
core switches
workgroup switches
  • Provision of the campus network for network participants
  • redundant connection to the core switches
  • sufficient number of access ports
  • consider medium-term expansion options
  • connect each participant via a separate port
  • Consider PoE for telephony or cameras
  • stock sufficient replacement devices
Workgroup switches Provision of the campus network for network participants, network separation
server switches
  • are connected via the core switch
  • Provision of the network for the server infrastructure
  • multiple redundant connection to the core switches
  • redundant power supplies
Server switches - are connected via the core switch, network separation
Data switches / SAN
  • connected to server switches via MGMT port
  • no direct connection to the campus network
  • multiple redundant connection
  • redundant power supplies
Data switches connected to server switches via MGMT port, network separation
Virtual switch
Virtual switches connect the virtual NICs of virtual machines to the physical NICs of the hosts. The host can be connected to a dedicated storage network and through other ports to a server switch from the campus network.
  • connected to server switches via MGMT port
  • no direct connection to the campus network
  • redundant connection
  • redundant power supplies
DMZ connected to server switches via MGMT port, network separation

Logical Segments (Layer 2 & 3)

VLAN (Layer 2)

The network is logically separated on layer 2 via VLANs. A switch is divided into several virtual switches with VLANs – also across switches. A 32-bit header is placed in front, which also transports the VLAN ID (12 bit). Packets are only transmitted on the switch ports to participants of a specific VLAN. Technically, VLANs form separate broadcast domains.

There are different types of VLANs:

Port-based VLANs (untagged)

With port-based VLANs, physical switches are divided into multiple logical switches. All switch ports assigned to a VLAN can communicate with each other.




Tagged VLANs

With tagged VLANs, multiple VLANs can be used over a single switch port. Tags are attached to the individual Ethernet frames, in which the VLAN ID is noted to which VLAN the frame belongs.

Private VLANs

Private VLANs restrict communication within a VLAN. A PVLAN contains switch ports that are restricted to only communicate with a specific uplink port or Link Aggregation Group (LAG). The uplink port or LAG is typically connected to a switch, router, or firewall.

Unlike VLAN separation, a PVLAN prevents communication between specific ports on the same VLAN.

Port types of PVLAN:

  • isolated ports
  • Promiscuous ports
  • Community ports (with community n)


Isolated ports can only communicate with the promiscuous port. Promiscuous ports can communicate to all ports. Community ports(s) can communicate to the promiscuous and their own community ports.

 Isolatedpromiscuouscommunities (1)communities (2)
communities (1)-OO-
communities (2)-O-O


IP concept (Layer 3)

The network is divided into segments on layer 3 via the IP protocol. Here, systems are combined or divided according to function, location or other criteria. For example, the second octet can be distinguished by location and the third octet by function: 172.Location.Function.x.

Care must be taken to ensure that the range of hosts is sufficiently large to enable medium-term growth. A sensible addition of additional segments must also be taken into account. The IP address assignment can be static, dynamic or dynamic with reservation. When making a reservation, a network participant always receives the same IP address.

Example of an IP and VLAN concept

IP ranges are defined for different applications. A VLAN is defined for each use case. Networks that offer a high potential for damage are additionally secured by PVLANs by isolating the participants from each other.


Namehost rangeMaskGateway


/ static

 172.16.xx   default (1) –    
Servers (AD) – / 24172.16.4.1static1004
server (mail) – / 24172.16.5.1static105
Server (DB) – / 24172.16.6.1static106 –    
Data172.16.8.1 – / 24172.16.8.1static108 – – –    
Client172.16.12.1 – / 22172.16.12.1dynamic1012 + 2012* (PVLAN)
Client172.16.15.1 – / 22172.16.12.1static1012 + 2012* (with PVLAN) –    
printer laser172.16.20.1 – / 24172.16.20.1static1020
printer labels172.16.21.1 – / 24172.16.21.1static1021 – –    
Periphery172.16.24.1 – / 22172.16.24.1static1024 –    
Telephony172.16.32.1 – / 22172.16.32.1dynamic1032 – –    
Prod.Systems 1172.16.40.1 – / 22172.16.40.1static1040
Prod.Systems 2172.16.44.1 – / 22172.16.44.1static1044
Prod.Systems 3172.16.48.1 – / 22172.16.48.1static1048
Prod.Systems 4172.16.52.1 – / 22172.16.52.1static1052
IoT172.16.56.1 – / 22172.16.56.1static1059 –    
third-party systems172.16.64.1 – / 24172.16.64.1static1064 + 2064* (with PVLAN)
EOL systems172.16.65.1 – / 24 static

1065 + 2064*

(with PVLN)

Transition172.16.68.1 – / 24172.16.68.1dynamic1068
DMZ192.168.200.1 – / 24192.68.200.1static200
transfer network 1192.168.220.1 – / 30-static220
transfer network 2192.168.221.1 – / 29-static221
MGMT192.168.230.1 – / 24192.68.230.1static230

*Private VLAN

Special nets:

transfer network

A transfer network usually connects two, in some cases several, network participants with one another – eg ISP router and perimeter firewall. In a transfer network, the data traffic is only in transit and is not dealt with further.

A transfer network is usually a /30 network. The two hosts that are to be connected to one another fit exactly into a /30 network.

transition network

Network participants are accommodated in the transition network who are legitimate but do not or no longer meet certain requirements. These participants will be excluded from regular operations in whole or in part, temporarily or permanently.

For example:

EPP version is too old > Transition network

EPP version has been updated > Client network

VRF - Virtual Routing and Forwarding

An additional separation on layer 3 can be set up via virtual routers. Here, several virtual routers are operated on a physical routing device. Separate routing instances are operated on a device. Communication between the individual instances is not possible without explicit routing.

Simple representation of a network separation

Simple representation of a network disconnection
Run through attack scenarios under realistic conditions?
You can do it legally in our holistic hacking lab!
To the Junior Penetration Tester course

Firewall (layers 3 to 7)

Firewalls protect one network zone from another. Only required and checked traffic is permitted via a set of rules. Security can also be increased in the set of rules using UTM profiles (Unified Threat Management) for application control, IPS or other mechanisms.

Recommendation: 2-level firewall concept

With a 2-stage firewall concept, the perimeter firewall separates the public from the internal network. The core firewall separates the internal networks from each other and establishes the connection to the perimeter firewall.

Ideally, both firewalls are from different manufacturers. This avoids that one known vulnerability is sufficient to overcome both firewalls. In addition, one Denial of Service Attack from the public network no direct impact on the internal systems.

Various manufacturers rely on an ASIC-based architecture that analyzes the content of data packets in real time and thus accelerates throughput.

Perimeter Firewall

  • High availability
  • Connection to the WAN (ISP router)
  • sufficient throughput with IPsec VPN
  • Side 2 Side VPN
  • Client VPN: IP-Sec
  • Unified Threat Management (AV, IPS, DLP, WEB Filter, Mail, APP, DNS)
  • Gateway and router for all external networks & DMZ

core firewall

  • High availability
  • high throughput even with package inspection
  • Unified Threat Management (AV, IPS, DLP, WEB Filter, Mail, APP, DNS)
  • Proxy:
    • Transparent
    • Explicit
    • TLS inspection
  • Connection via fiber optics and copper
  • Gateway and router for all internal networks

Set of rules

The set of rules defines exactly which sender is allowed to set up connections and transmit data to which target address with which protocol. Traffic that is not allowed is blocked. Desirable: To ensure traceability, log all communication.

Set of rules sender destination address protocol

Example of a 2-level firewall concept

Example 2-level firewall concept as network separation


About intrusion detection systems (IDS) and Intrusion Prevention Systems (IPS), security can be further increased. Such systems continuously monitor the network and detect or prevent security incidents. The related information is logged.

IPS (Intrusion Detection System) and IDS (Intrusion Prevention Systems) are often already integrated in UTM firewalls. Performance varies by manufacturer and firewall model. A dedicated solution is recommended depending on the data throughput of the architecture, and above all the need for protection.

Application Layer Gateway Architecture (Layers 5-7)

Reverse Proxy

A reverse proxy forwards requests from the Internet to an internal web server. As a result, the web server is only addressed via a defined intermediate level. Direct communication from the Internet to the web server is therefore not possible. The reverse proxy thus increases the security of web servers.

The reverse proxy can relieve the web server via its own cache. Access to multiple web servers are distributed - load balancing.

Web Application Firewalls (WAF)

Another application layer protection mechanism is a WAF. Incoming and outgoing traffic is monitored, analyzed, filtered or blocked. For example, applications are protected against attacks such as SQL injection, cross-site scripting (XSS) or cookie poisoning.

WAF functionalities are often already integrated in UTM firewalls. Depending on the data throughput of the architecture and, above all, the need for protection, a dedicated solution is recommended.

Network Access Control (NAC) (Layers 2 to 7)

A NAC implements port-based access control in the LAN and enforces individual security policies throughout the network via a set of rules. As a supplement to the usual security systems such as firewalls, virus protection or intrusion detection systems, the NAC is an important component in the segmentation of networks. A prerequisite for the introduction of a NAC system are managed switches.

By using an NAC, VLANs can be used not only statically but also dynamically. This significantly increases flexibility and reduces the configuration effort.


  • network access control
  • dynamic VLAN management
  • Protection against unauthorized access
  • Localization and identification of all devices in the network
  • Lockout or isolation from foreign devices
  • Detect, localize and ward off attacks on Layer 2 (ARP poisoning, MAC flooding, IP spoofing, etc.).
  • Set of rules


During planning, it must be defined which ports are to be actively managed by the NAC. Ports of core, data, server or DMZ switches are preferably configured statically, as are uplink ports or LAGs (link aggregation)

Groups are defined in the NAC system – eg analogous to the IP & VLAN concept. Based on membership in a specific group, the corresponding port on the switch is moved to the desired VLAN via a set of rules in the event of a defined event (e.g. link up). At link down an action can also be triggered.

Unknown participants can be rejected. As an action, the port can be deactivated for a certain period of time. Alternatively, unknown participants can also be assigned to an isolated network area with a private VLAN.

Various NAC systems are able to check whether end devices meet a certain security standard during authentication. Criteria can be, for example, the patch level of the OS or how up-to-date the EPP is.

Devices that do not meet these requirements can be isolated until all necessary conditions are met. Only then is access to the regular network area granted.

If possible, network access control should also be implemented on vSwitches.

network participant

MAC address authentication

The network participants are clearly identified via the MAC address. Ideally, the MAC addresses are known in advance for new network participants and are entered and assigned in the NAC system. The corresponding VLAN is switched on the access port based on the MAC address. Because MAC addresses can be spoofed, this approach offers only basic protection.

IEEE 802.1X

The certificate-based network access control IEEE 802.1x can be used to further increase the security level. A certificate is stored here on the client, which it uses to log on.

The effort for a successful IEEE 802.1X implementation should not be underestimated. It should also be noted that the certificates must be replaced before the expiry date.


Various properties of a terminal device are recorded with a fingerprint. The fingerprint generated in this way is used to clearly identify (also in combination with the MAC address) the end device.

Secure identification can even be achieved for end devices that do not have IEEE 802.1x support, such as printers, webcams or VoIP telephones.

Internal network participants

Each internal network participant is integrated into the network via its own switch port.

External network participants

External network participants must be connected using a secure method. The most common VPN technology for this is IPSec (Internet Protocol Security).

A good alternative to IPSec is the free software WireGuard. The first version of WireGuard was released on Linux. WireGuard is now available for various operating systems and as an app for Android and iOS.


  • no split tunnel
  • Only allow managed endpoints
  • Authentication, eg against AD
Don't want to waste time on your way to becoming a penetration tester?
In our courses, led by experienced penetration testers, you will learn everything you really need for this.
Go to the Junior Penetration Tester Intensive Course
Newsletter Form

Become a Cyber ​​Security Insider

Get early access and exclusive content!

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!

Table of Contents

NewsLetter Form Pop Up New

Become a Cyber ​​Security Insider

Subscribe to our knowledge base and get:

Early access to new blog posts
Exclusive content
Regular updates on industry trends and best practices

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!