CC (All in One)-57


Microsegmentation

The toolsets of current adversaries are polymorphic in nature and allow threats to bypass static security controls. Modern cyberattacks take advantage of traditional security models to move easily between systems within a data center. Microsegmentation aids in protecting against these threats. A fundamental design requirement of microsegmentation is to understand the protection requirements for traffic flows within a data center and for traffic to and from the internet.

When organizations avoid infrastructure-centric design paradigms, they are more likely to become more efficient at service delivery in the data center and more adept at detecting and preventing advanced persistent threats.
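The contrast described above, as an added example that is not part of the course material: a small policy evaluator (all tiers, rules, hosts and flows are constructed for illustration) compares a traditional perimeter model, which filters only at the internet edge, with a default-deny microsegmentation policy that must explicitly allow every east-west flow between workload tiers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    tier: str          # "internet", "web", "app" or "db"

@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int
    proto: str = "tcp"

# Explicit allow list keyed on (source tier, destination tier, port, protocol).
# Constructed for this example; anything not listed is denied.
ALLOW_RULES = {
    ("internet", "web", 443, "tcp"),
    ("web", "app", 8080, "tcp"),
    ("app", "db", 5432, "tcp"),
}

def _key(flow):
    return (flow.src.tier, flow.dst.tier, flow.port, flow.proto)

def perimeter_allows(flow):
    """Traditional model: only traffic crossing the internet edge is filtered."""
    return flow.src.tier != "internet" or _key(flow) in ALLOW_RULES

def microseg_allows(flow, rules=ALLOW_RULES):
    """Microsegmentation: every flow, east-west included, needs an allow rule."""
    return _key(flow) in rules

# Constructed sample workloads and traffic (not from the course material).
INTERNET, WEB1 = Workload("internet", "internet"), Workload("web1", "web")
APP1, DB1 = Workload("app1", "app"), Workload("db1", "db")
SAMPLE_FLOWS = [
    Flow(INTERNET, WEB1, 443),   # legitimate inbound request
    Flow(WEB1, APP1, 8080),      # legitimate tier-to-tier call
    Flow(APP1, DB1, 5432),       # legitimate tier-to-tier call
    Flow(WEB1, DB1, 5432),       # east-west hop that skips the app tier
    Flow(WEB1, APP1, 22),        # SSH between tiers with no business need
    Flow(INTERNET, DB1, 5432),   # inbound straight to the database
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src.name}->{f.dst.name}:{f.port}  perimeter={perimeter_allows(f)}  microseg={microseg_allows(f)}")
```

The two lateral flows from web1 are permitted by the perimeter model but denied under microsegmentation, which is the movement between data-center systems the text describes.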

Virtual Local Area Network (VLAN)

Virtual local area networks (VLANs) allow network administrators to use switches to create software-based LAN segments, which can segregate or consolidate traffic across multiple switch ports. Devices that share a VLAN communicate through switches as if they were on the same Layer 2 network. This image shows different VLANs — red, green and blue — connecting separate sets of ports together, while sharing the same network segment (consisting of the two switches and their connection). Since VLANs act as discrete networks, communication between VLANs must be explicitly enabled. Broadcast traffic is limited to the VLAN, reducing congestion and reducing the effectiveness of some attacks. Administration of the environment is simplified, as the VLANs can be reconfigured when individuals change their physical location or need access to different services. VLANs can be configured based on switch port, IP subnet, MAC address and protocols.

Virtual Private Network (VPN)

A virtual private network (VPN) is not necessarily an encrypted tunnel. It is simply a point-to-point connection between two hosts that allows them to communicate. Secure communications can, of course, be provided by the VPN, but only if the security protocols have been selected and correctly configured to provide a trusted path over an untrusted network, such as the internet. Remote users employ VPNs to access their organization’s network, and depending on the VPN’s implementation, they may have most of the same resources available to them as if they were physically at the office. As an alternative to expensive dedicated point-to-point connections, organizations use gateway-to-gateway VPNs to securely transmit information over the internet between sites or even with business partners.

Knowledge Check

Which term describes a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an untrusted network? (D4, L4.3.2)

- VPN
- Zero Trust
- DMZ
- None of the Above
