Segmentation Approach Comparison
| Approach | Mechanism | Isolation Strength | Scalability | Defeated By | Primary Use Case |
|---|---|---|---|---|---|
| Air Gap | No physical connection between segments | Maximum β no path exists | Very low β one switch per domain | Physical access only (USB, bridging device) | Classified networks, ICS/SCADA, multi-tenant MSP isolation |
| Physical Segmentation | Separate physical hardware per segment | Very high β separate hardware | Low β dedicated hardware per segment | Physical cable addition or misconfigured bridging device | Enterprise data center tier separation, high-compliance |
| VLAN | IEEE 802.1Q logical tagging on shared physical switch | High β isolated broadcast domains | High β many VLANs per physical switch | VLAN hopping (switch spoofing on misconfigured access ports) | Enterprise departmental segmentation, PCI CDE isolation |
| SDN Virtual Network | Software-defined isolation in hypervisor networking layer | High β enforced by hypervisor | Maximum β thousands of virtual networks per host | Hypervisor vulnerability or misconfigured security groups | Cloud environments β VPCs, security groups, virtual firewalls |
VLAN Mechanics β How 802.1Q Works
| Port Type | VLAN Membership | Frame Tagging | Connected To | Security Consideration |
|---|---|---|---|---|
| Access Port | Exactly one VLAN | Untagged β tag stripped before delivery to device | End devices: computers, printers, servers | Must be statically configured β disable auto trunk-negotiation (DTP) to prevent VLAN hopping |
| Trunk Port | Multiple VLANs | Tagged β 802.1Q tag included on all frames | Other switches, routers, Layer 3 switches | Only designated uplinks β trunk on end-device port is an attack vector |
| Layer 3 Interface (SVI) | One VLAN per SVI | N/A β routes between VLANs | Internal to Layer 3 switch or router | ACLs applied at this interface control all inter-VLAN traffic |
VLAN Use Case Map
| VLAN | Subnet | Purpose | Who Can Reach It | ACL Policy |
|---|---|---|---|---|
| VLAN 10 β Users | 192.168.10.0/24 | Employee workstations | Internet, VLAN 20 (web servers only, port 443) | PERMIT TCP 443 to VLAN 20; DENY direct DB access; DENY management VLAN |
| VLAN 20 β Servers | 192.168.20.0/24 | Application and web servers | VLAN 10 users (port 443), VLAN 30 DBs (port 3306) | PERMIT TCP 3306 to VLAN 30; DENY all inbound from guest |
| VLAN 30 β Database | 192.168.30.0/24 | Database servers | VLAN 20 app servers only (port 3306) | DENY all except TCP 3306 from VLAN 20; IMPLICIT DENY ALL |
| VLAN 40 β Management | 10.0.40.0/24 | Network device management interfaces | IT admin workstations only | DENY all from user/server/guest VLANs; PERMIT only admin subnet |
| VLAN 50 β Guest | 172.16.50.0/24 | Visitor Wi-Fi | Internet only | PERMIT internet access; DENY all access to internal VLANs |
| VLAN 60 β CDE (PCI) | 10.0.60.0/24 | Cardholder data environment | Payment processors only (authorized systems) | DENY all except explicitly authorized PCI systems; strict logging |
SDN Three Planes β Full Reference
| Plane | Also Called | Role | Functions | Physical Equivalent | Security Target? |
|---|---|---|---|---|---|
| Data Plane | Infrastructure layer, forwarding plane | Forwards traffic based on tables built by control plane β the "doing" layer | Frame forwarding, VLAN trunking, NAT address translation, in-line encryption/decryption | Front-panel switch ports where cables plug in | Lower β attackers typically target management or control first |
| Control Plane | Control layer, routing brain | Builds and maintains forwarding tables β the "decision" layer; does not forward traffic itself | IP routing table (static + OSPF/BGP), MAC address table, NAT state tables, session tables, dynamic routing protocol exchange | Switch internal ASICs and CPU that builds the CAM/routing tables | Medium β compromised control plane redirects traffic (route injection, BGP hijacking) |
| Management Plane | Application layer | Configuration and monitoring interface β the "administration" layer | SSH CLI, HTTPS web GUI, APIs (Netconf/RESTCONF/REST), SNMP monitoring | Console port, out-of-band management interface, management IP | Highest β management plane access = reconfigure any security control |
SDN vs. Traditional Networking
| Characteristic | Traditional Network Device | SDN |
|---|---|---|
| All three planes location | Integrated in one physical appliance | Separated β can run on different hardware or in software |
| Provisioning new device | Rack hardware, cable, configure manually | API call β instantiated in seconds |
| Configuration method | CLI / GUI per device (per-device management) | Centralized controller or API β push policy to thousands simultaneously |
| Scaling | Buy, rack, cable, and configure new hardware | Spawn new virtual instance β seconds, no hardware |
| Infrastructure as Code | Difficult β each device configured individually | Native β API management plane enables full IaC integration |
| Security policy consistency | Manual per-device config β drift risk | Controller pushes identical policy to all nodes β no drift |
| Physical requirement | Physical device in rack | Software on commodity hardware or cloud compute |
Management Plane Security Controls
| Risk | Control | Why Required |
|---|---|---|
| Unauthorized access to CLI/GUI | MFA on all management access; SSH keys over passwords | Password-only access is defeated by credential theft |
| Management traffic intercepted | SSH and HTTPS only β disable Telnet, HTTP, SNMPv1/v2 | Telnet/HTTP transmit credentials in plaintext |
| Management access from arbitrary sources | Restrict management plane to dedicated management VLAN; ACL blocks access from production VLANs | Attacker on production network should not be able to reach management interface |
| Unauthorized configuration changes | SIEM logging of all management plane events; alert on out-of-hours changes | Management changes are the mechanism for removing security controls |
| SNMP credential exposure | Use SNMPv3 with authentication and encryption | SNMPv1/v2 community strings are plaintext β readable by anyone on the network path |
VLAN Hopping Attack β Prevention Checklist
| Step | Action | Command Example (Cisco IOS) |
|---|---|---|
| 1 | Explicitly set all end-device ports as access ports | switchport mode access |
| 2 | Assign each access port to its specific VLAN | switchport access vlan 10 |
| 3 | Disable DTP (Dynamic Trunking Protocol) auto-negotiation | switchport nonegotiate |
| 4 | Only configure trunk on deliberate uplinks between switches | switchport mode trunk (on uplinks only) |
| 5 | Explicitly limit which VLANs are allowed on trunk ports | switchport trunk allowed vlan 10,20,30 |