5.2.2. Firewall Types and Placement Strategies
💡 First Principle: Network segmentation limits the blast radius of a compromise. If every system is on the same flat network, a single compromised workstation can reach every server, every database, every management interface. Segmentation forces an attacker who has breached one segment to breach additional boundaries — each boundary is a detection opportunity and an obstacle that slows lateral movement.
VLAN (Virtual LAN):
VLANs are logical segmentation at Layer 2 — traffic from one VLAN cannot reach another without being routed through a Layer 3 device (router or Layer 3 switch) where access control can be applied. VLANs divide a single physical switch infrastructure into multiple isolated broadcast domains.
VLAN security attacks and defenses:
| Attack | Description | Defense |
|---|---|---|
| VLAN hopping | Switch spoofing: attacker configures their port as a trunk port to access all VLANs | Disable dynamic trunking (DTP); manually configure trunk ports; assign unused ports to an unused VLAN |
| Double tagging | Attacker adds two 802.1Q tags; the outer tag is stripped at the first switch and the inner tag delivers the frame to the target VLAN | Ensure the native VLAN is not used for user traffic; use a dedicated native VLAN (e.g., VLAN 999) that is not assigned anywhere else |
| MAC flooding | Overwhelm the switch's CAM table so it floods traffic out every port like a hub | Enable port security to limit MAC addresses per port; use 802.1X authentication |
Network Access Control (NAC):
NAC enforces a security policy before a device is allowed to connect to the network. Rather than trusting any device that can physically plug in, NAC evaluates device posture: Is it domain-joined? Is antivirus current? Is the OS patched?
NAC components:
- Posture assessment: Check device compliance before granting access
- Quarantine VLAN: Compliant devices go to the production network; non-compliant go to quarantine for remediation
- 802.1X: IEEE standard for port-based network access control; device authenticates to a RADIUS server before the switch port opens
NAC enforcement methods:
- Pre-admission: Check compliance before connecting; non-compliant = no connection or quarantine
- Post-admission: Monitor behavior after connecting; violation = disconnect
Network zones and trust model:
| Zone | Trust Level | Examples | Controls |
|---|---|---|---|
| Internet | Untrusted | External users, attackers | Perimeter firewall, DDoS protection |
| DMZ | Semi-trusted | Web servers, email relays, public APIs | Firewall rules, WAF, IPS |
| Internal | Trusted | Corporate workstations, internal servers | Internal firewall, IDS, NAC |
| Secure/Restricted | Highly trusted | Financial systems, PII databases, IP repositories | Additional authentication, DLP, enhanced logging |
| Management | Admin only | Network management, jump servers, PAM | Strict IP whitelisting, MFA, session recording |
Micro-segmentation: Extends VLAN-level segmentation down to individual workloads or VMs. In cloud and SDN environments, security policies attach to the workload, not the network segment — a VM can move physical hosts without changing its security policy. East-west traffic (between servers in the same data center) is enforced, not just north-south (in/out of the data center).
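The zone table above and the micro-segmentation paragraph can be turned into a small reachability model. The following Python is an added example, not part of the original study guide: it holds a constructed zone-to-zone allowlist and a constructed host inventory, and computes how many hosts a single compromised workstation could pivot to on a flat network, on a zoned network, and with east-west filtering enabled.

```python
from collections import deque

# Constructed zone-to-zone allowlist: (src_zone, dst_zone, dst_port).
# Anything not listed is denied at the zone boundary (default deny).
POLICY = {
    ("internet", "dmz", 443),
    ("internal", "dmz", 443),
    ("internal", "internet", 443),
    ("dmz", "restricted", 5432),      # web tier -> database, one port only
    ("management", "dmz", 22),
    ("management", "internal", 22),
    ("management", "restricted", 22),
}

def allowed(policy, src_zone, dst_zone, port, east_west=False):
    """Decide whether a flow is permitted.
    east_west=False: traffic inside a zone is unfiltered (plain VLAN isolation).
    east_west=True:  micro-segmentation, so even same-zone flows need a rule."""
    if src_zone == dst_zone and not east_west:
        return True
    return (src_zone, dst_zone, port) in policy

def blast_radius(hosts, policy, start, ports, east_west=False):
    """Hosts an attacker holding `start` can reach by pivoting host to host,
    using only the given destination ports. hosts maps host name -> zone."""
    reached = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host, zone in hosts.items():
            if host not in reached and any(
                allowed(policy, hosts[cur], zone, p, east_west) for p in ports
            ):
                reached.add(host)
                queue.append(host)
    return reached

# Constructed inventory; the flat variant puts every host in one zone.
HOSTS_SEGMENTED = {
    "ws-01": "internal", "ws-02": "internal", "web-01": "dmz",
    "db-01": "restricted", "jump-01": "management",
}
HOSTS_FLAT = {host: "internal" for host in HOSTS_SEGMENTED}

if __name__ == "__main__":
    pivot_ports = {445}  # constructed: one file-sharing port as the pivot channel
    for label, hosts, ew in [("flat", HOSTS_FLAT, False), ("zoned", HOSTS_SEGMENTED, False),
                             ("microseg", HOSTS_SEGMENTED, True)]:
        print(f"{label:9}", sorted(blast_radius(hosts, POLICY, "ws-01", pivot_ports, ew)))
```

The reachable set shrinks from every host on the flat network, to the internal zone only once zone boundaries are enforced, to the starting host alone once east-west traffic also needs an explicit rule.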
Zero Trust Network Access (ZTNA):
- Replaces VPN as remote access architecture
- Access granted per application, not per network segment
- Device posture and user identity verified for every session
- Never implicitly trusts any request based on source IP or network location
⚠️ Exam Trap: VLANs provide traffic isolation — they do not provide encryption. Traffic within a VLAN can still be captured by a device on the same VLAN. If the confidentiality of intra-VLAN traffic matters, separate encryption is required. This is a common architectural confusion: VLANs isolate segments; they don't encrypt communication within a segment.
Reflection Question: A healthcare organization's network has all clinical workstations, administrative PCs, medical devices, and servers on a single flat /16 network with no segmentation. A ransomware attack compromises one workstation and spreads to 400 systems in three hours. Propose a segmentation architecture that would have limited the blast radius, specifying the zones, the controls between zones, and how medical device connectivity would be handled differently from clinical workstations.