Chapter 55 Β· Security Advisory

Segmentation and Access Control

Three advisories covering network segmentation types, access control lists, and application allow/deny lists.

Advisory SEG-2024-001 Β· Network Segmentation
Physical, Logical, and Virtual Segmentation β€” Design, Rationale, and Security Boundaries
Scope: Network Architecture Β· Detection Category: Preventive Control
Severity: High

What Is Network Segmentation?

Network segmentation is the practice of dividing a network into smaller, isolated zones β€” each governed by its own access policies β€” to limit the scope of any security event, improve traffic performance, and satisfy compliance requirements. Without segmentation, a single compromised endpoint has a clear path to every other system on the network. With segmentation, a breach is contained to its origin zone while access controls determine what communication is permitted across boundaries.

Segmentation answers the question: who should be allowed to talk to what, and under what conditions? The answer to that question is then enforced at zone boundaries through firewalls, ACLs, and virtual network policies.

Three motivations drive segmentation decisions, often simultaneously:

  • Performance: High-bandwidth applications benefit from a dedicated subnet or VLAN where other users' traffic cannot interfere with throughput. A video editing workgroup, a backup network, or a VoIP system all perform better when isolated.
  • Security: Strategic segmentation prevents direct communication between system tiers that have no business reason to communicate. The canonical example: users should never communicate directly with database servers. They communicate with application servers; application servers communicate with database servers. Each boundary is an enforcement point.
  • Compliance: Regulatory frameworks mandate segmentation for certain data types. PCI-DSS (Payment Card Industry Data Security Standard) requires that systems handling cardholder data be isolated from the rest of the network. Segmentation contains the PCI scope β€” only systems in the cardholder data environment (CDE) are subject to the full compliance burden. Segmentation also simplifies change control by limiting the blast radius of any configuration change to a single defined zone.

Physical Segmentation

Physical segmentation isolates network zones using separate physical hardware β€” distinct switches, routers, cabling, and network interface cards. Traffic between physically segmented networks must physically traverse a boundary device (a firewall or router with inspection capability). There is no shared physical medium between segments.

Strengths: Provides the strongest possible isolation boundary. An air-gapped network (physically disconnected from all other networks) cannot be reached via network attacks at all. Physical segmentation eliminates the possibility of VLAN-hopping attacks that can sometimes cross logical boundaries on shared hardware.

Weaknesses: Expensive to implement at scale β€” additional hardware is required for each segment. Less flexible β€” reconfiguring physical segmentation requires physical cable changes or hardware moves. Common deployment: industrial control systems (ICS/SCADA), classified government networks, and payment processing environments where the compliance or security requirement justifies the cost.

Logical Segmentation (VLANs)

Logical segmentation uses Virtual Local Area Networks (VLANs) to create isolated broadcast domains on the same physical switching infrastructure. VLAN tags (IEEE 802.1Q) label each Ethernet frame with a VLAN ID, and the switch only forwards traffic within the same VLAN unless explicitly routed across VLAN boundaries.

A single physical switch can simultaneously support a VLAN for workstations, a VLAN for servers, a VLAN for guest Wi-Fi, and a VLAN for management interfaces β€” all isolated from each other at layer 2. Traffic crossing VLAN boundaries must pass through a layer 3 device (a router or layer 3 switch), where ACLs or firewall rules apply.

Strengths: Cost-effective β€” no additional hardware required for segmentation. Flexible β€” VLAN membership can be changed through switch configuration, not physical rewiring. Widely understood and universally supported. Weaknesses: VLAN-hopping attacks (double-tagging, rogue trunk ports) can potentially cross VLAN boundaries if switches are misconfigured. Security requires correct configuration of trunk ports and native VLANs.

Common VLAN design pattern:

VLANPurposeSystemsInter-VLAN Access Rule
VLAN 10 β€” UsersEmployee workstationsDesktops, laptopsAllow outbound to App VLAN on port 443; deny all to DB VLAN
VLAN 20 β€” App ServersApplication tierWeb/app serversAllow outbound to DB VLAN on port 1433; deny direct user inbound
VLAN 30 β€” DB ServersDatabase tierSQL/Oracle serversAccept inbound only from App VLAN; deny all else
VLAN 40 β€” ManagementAdmin accessJump servers, consolesAllow admin IPs only; deny all workstations
VLAN 50 β€” Guest Wi-FiVisitor internet accessGuest devicesInternet only; deny all internal VLANs

Virtual Segmentation (Cloud and SDN)

Virtual segmentation extends the segmentation concept into virtualized and cloud environments β€” where there is no physical infrastructure to segment and no physical switches to configure with VLANs. Virtual segmentation is implemented through software-defined networking (SDN) constructs:

  • Cloud Virtual Networks: AWS VPC (Virtual Private Cloud), Azure VNet, GCP VPC β€” logically isolated network spaces within a cloud provider. Each VPC/VNet is isolated by default; subnets within a VPC provide further segmentation. Security groups and network ACLs enforce traffic rules between subnets.
  • Virtual switches and virtual NICs: Hypervisors (VMware vSphere, Hyper-V, KVM) implement virtual switches that connect VMs. VMs on the same hypervisor host can be placed on separate virtual networks with no physical path between them.
  • Micro-segmentation: Fine-grained segmentation at the workload level β€” each individual VM or container has its own security policy, rather than sharing a policy with all other workloads on the same subnet. East-west traffic (between workloads in the same segment) is subject to inspection, not just north-south traffic crossing a perimeter.

Key advantage: Virtual segmentation is programmatic β€” it can be defined in code (infrastructure-as-code), version-controlled, and deployed automatically at scale. Adding a new workload to a segment requires a configuration change, not a cable run.

The Three-Tier Architecture β€” Segmentation in Practice

The most important security segmentation pattern in enterprise environments is the three-tier architecture, which separates the presentation, application, and data tiers into distinct network zones with enforced access controls between each boundary.

1
User/Presentation tier: Employee workstations, browsers, client apps. Users communicate with the application tier only. Direct database access is blocked at the network boundary.
2
Application/Logic tier: Application servers, web servers, API gateways. Receives requests from users, processes business logic, queries the database. The only systems authorized to speak to the database tier.
3
Database/Data tier: SQL servers, NoSQL stores, data warehouses. Accepts inbound connections only from the application tier. The firewall or ACL between tiers 2 and 3 blocks all other source IPs β€” including direct connections from workstations.

Security implication: an attacker who compromises a workstation cannot reach the database directly. They must first pivot to an application server (a separate compromise) and then access the database through the application server's authorized path. Each tier boundary requires an additional attack step. Exam rule: the only services that should exist in the database zone are SQL and SSH (for administration). Nothing else should be permitted inbound.

Advisory SEG-2024-002 Β· Access Control Lists
ACL Structure, Rule Evaluation, Network and OS Applications, and Configuration Risks
Scope: Network Devices & Operating Systems Β· Detection Category: Enforcement Control
Severity: High

What Is an Access Control List?

An Access Control List (ACL) is an ordered set of rules that a device evaluates against each connection or access request to determine whether to permit or deny it. ACLs are the primary mechanism for enforcing segmentation policies β€” they are the rules that make a segment boundary meaningful. Without ACLs, a VLAN boundary or firewall zone provides structure but no actual enforcement.

ACLs operate on a set of match conditions β€” attributes of the connection being evaluated β€” and an action (permit or deny). When a connection arrives, the device evaluates it against each rule in sequence. The first rule that matches determines the outcome. If no rule matches, the default action applies (typically deny, in a security-hardened configuration).

Match conditions used in ACL rules:

  • Source IP address (or IP range/subnet) β€” who is initiating the connection
  • Destination IP address (or IP range/subnet) β€” what system they are connecting to
  • Port number β€” which service (TCP 80 = HTTP, TCP 443 = HTTPS, TCP 1433 = SQL Server, TCP 22 = SSH)
  • Protocol β€” TCP, UDP, ICMP
  • Time of day β€” allow access only during business hours
  • Application type β€” on next-generation firewalls, application identity regardless of port

ACL Examples β€” Network Level

The granularity of ACL rules can range from coarse (allow/deny an entire subnet) to very specific (allow a single user's IP to access one service on one port during specific hours):

PERMIT src: 192.168.10.0/24 dst: 10.0.20.5 proto: TCP dst-port: 443 β€” User VLAN to App Server HTTPS only DENY src: 192.168.10.0/24 dst: 10.0.30.0/24 proto: ANY β€” Users blocked from DB VLAN entirely PERMIT src: 10.0.20.0/24 dst: 10.0.30.5 proto: TCP dst-port: 1433 β€” App Servers to SQL Server only DENY src: 10.0.20.0/24 dst: 10.0.30.5 proto: TCP dst-port: 22 β€” App Servers cannot SSH to DB Server PERMIT src: 10.0.40.10 dst: 10.0.30.5 proto: TCP dst-port: 22 β€” Management jump server only for SSH DENY src: ANY dst: ANY proto: ANY β€” Implicit deny all (default)

The Prof. Messer example set for comparison:

  • Bob can read files β€” ACL on the file server: Bob (user identity) β†’ PERMIT read on /shared/reports
  • Fred can access the network β€” ACL on the network device: Fred's IP β†’ PERMIT any destination
  • James can access network 192.168.1.0/24 using only TCP ports 80, 443, and 8088 β€” most granular: James (IP) β†’ PERMIT TCP 192.168.1.0/24 ports 80, 443, 8088; implicit DENY all other ports

James's rule demonstrates the power of granular ACLs: even a user with approved network access can be restricted to specific services, preventing any out-of-scope communication even if James's credentials are compromised.

ACLs in Operating Systems β€” File and Resource Permissions

The ACL concept extends directly to operating system resource management. When you configure permissions on a Windows folder, set Linux file permissions, or define group-based access to a share, you are creating an ACL. The structure is the same: a trustee (user, group, or service account) and the access rights allowed (read, write, execute, modify, full control).

In Windows, the Security Descriptor for every file, folder, registry key, and printer contains a Discretionary Access Control List (DACL) β€” the list of trustees and their permissions. The operating system evaluates the DACL on every access attempt and either grants or denies the request based on the requesting user's SID and the rules in the list.

In Linux, traditional file permissions (user/group/other Γ— read/write/execute) are a simplified ACL model. The extended ACL system (setfacl / getfacl) provides the same per-user, per-group granularity as Windows DACLs.

ACL Configuration Risk β€” The Lock-Out Scenario

ACLs are evaluated sequentially β€” the first matching rule wins. This creates a critical configuration risk: a rule added early in the list can inadvertently block traffic that later rules were intended to permit, including administrative access to the device itself.

The lock-out scenario: an administrator adds a "deny all from 192.168.1.0/24" rule to a firewall's management interface ACL to block a suspected attacker. The administrator's own workstation is at 192.168.1.50 β€” now in the denied range. The rule is processed before the previously existing "permit admin workstations" rule. The administrator immediately loses access to the firewall management console and cannot log in to correct the rule.

Prevention practices:

  • Always maintain an explicit permit rule for at least one administrative access path at the top of any management interface ACL, placed before any broad deny rules.
  • When modifying production ACLs, test changes in a lab environment or use a scheduled revert (commit-confirm) that automatically rolls back the change if not explicitly confirmed within N minutes.
  • Document all ACL changes with change management tickets β€” if a lock-out occurs, a colleague with out-of-band access (console port, IPMI) can restore the previous configuration.
  • Never apply a broad deny rule to an interface without verifying that the management access rule appears before it in the ordered rule list.
Advisory SEG-2024-003 Β· Application Allow Lists and Deny Lists
Allow List vs. Deny List Philosophy and the Four Application Control Mechanisms
Scope: Endpoint Security Β· Detection Category: Preventive Control
Severity: Medium

Allow Lists vs. Deny Lists β€” Two Opposite Philosophies

Application control imposes rules on which software may execute on an endpoint. Two fundamentally opposite default stances exist:

PropertyAllow List (Whitelist)Deny List (Blacklist)
Default stanceDeny all β€” nothing runs unless explicitly approvedPermit all β€” everything runs unless explicitly blocked
What you manageThe set of approved applicationsThe set of known-bad applications
Security postureStrongest β€” zero-unknown-application executionWeaker β€” only known-bad blocked; unknown = permitted
Operational burdenHigh β€” every new approved app requires an explicit entryLow β€” only newly discovered malware requires a new entry
Real-world exampleKiosk terminal, payment terminal, industrial controllerAntivirus / anti-malware (signature-based detection)
Failure modeBlocks a legitimate application the admin forgot to approveAllows a new or unknown malicious application not yet on the deny list

The exam distinction: allow lists are more secure because they prevent unknown/unsigned applications from running entirely. Deny lists are more operationally flexible because they don't require pre-approval of every application. Antivirus is the canonical example of a deny-list model β€” it blocks known malware signatures but permits everything not on its list.

The security implication of the deny-list model's failure mode is significant: a brand-new piece of malware (zero-day, novel ransomware variant, custom attack tool) has no signature and will not appear on any deny list. It runs freely. An allow-list environment blocks it by default because it is not on the approved list, regardless of whether it has been identified as malicious.

The Four Application Control Mechanisms

Operating systems β€” primarily Windows, through AppLocker and Windows Defender Application Control (WDAC) β€” implement application control using four distinct criteria for identifying and allowing or blocking applications:

1. Application Hash

A cryptographic hash of the application's executable file is computed and stored in the policy. When an application attempts to run, the OS computes the hash of the binary and compares it to the stored value. If they match, execution is permitted; if they don't, it is blocked.

  • Advantage: Extremely precise β€” the hash uniquely identifies a specific version of a specific binary. An attacker cannot rename a blocked application to bypass this rule.
  • Limitation: Any change to the application β€” including a legitimate software update β€” changes the hash and breaks the rule. The policy must be updated every time an application is patched.
  • Security implication: Even if an attacker renames a malicious executable to "notepad.exe," the hash will not match the legitimate notepad.exe hash and execution will be blocked.

2. Certificate (Digital Signature)

Applications can be controlled based on the digital certificate used to sign the executable. The policy specifies which publishers (certificate issuers) are trusted β€” for example, "allow all applications signed by Microsoft Corporation" or "allow all applications signed by any certificate issued by a trusted CA."

  • Advantage: Does not require updating the policy for every software version β€” all future updates signed by the same publisher are automatically permitted. Scales well for large software inventories.
  • Limitation: A compromised publisher certificate, or malware signed with a stolen or fraudulently obtained certificate, bypasses this control entirely.
  • Real-world deployment: "Allow all applications signed by Microsoft, Adobe, Google, and our internal code signing certificate. Block all unsigned applications."

3. Path (File System Location)

Application control rules can specify that only executables located in designated directories are permitted to run. For example: allow execution from C:\Program Files\, C:\Program Files (x86)\, and C:\Windows\ β€” block execution from C:\Users\, C:\Temp\, and any other user-writable location.

  • Advantage: Prevents a very common malware delivery pattern β€” dropping an executable into a user's Downloads folder or temporary directory and running it from there. Standard malware delivery almost always lands in a user-writable path.
  • Limitation: Does not prevent a compromised application in an approved directory from being used maliciously. An attacker who can write to an approved directory can bypass path-based controls. Also requires that legitimate software installs to standard paths.

4. Network Zone

Windows network zone policies allow application execution rules to be conditioned on the network the device is currently connected to. An application might be permitted when the device is on the corporate private network (domain-joined, connected to an internal IP range) but blocked when the device is on a public network (coffee shop Wi-Fi, hotel internet).

  • Advantage: Reduces attack surface when a device is outside the protected corporate perimeter. Sensitive applications that should only run in a controlled environment can be blocked automatically when the device roams outside it.
  • Limitation: Network zone detection can be spoofed. A VPN connection may satisfy the zone requirement without the device actually being in the corporate office environment. Provides defense-in-depth value but should not be the sole control for high-risk applications.

Defense-in-Depth: Combining All Four Mechanisms

The four application control mechanisms are complementary, not alternative. A robust application control policy in a high-security environment combines multiple mechanisms:

  • Hash-based control for internally developed applications and critical system binaries (where update frequency is managed and hash maintenance is feasible)
  • Certificate-based control for all third-party commercial software (scales across version updates without policy maintenance overhead)
  • Path-based control as a universal baseline rule (block execution from all user-writable locations regardless of hash or certificate β€” catches unsigned/unhashed malware dropped to temp folders)
  • Network zone control for mobile endpoints (restrict high-privilege tools to corporate network only)

The combination addresses each mechanism's individual weakness: hash controls catch renamed/modified binaries even when signed; certificate controls scale across version updates; path controls block the most common malware delivery vectors; zone controls reduce exposure when the device leaves the protected environment.