← Home

Network Segmentation

Network segmentation is the practice of dividing a computer network into smaller, isolated sections (segments) with controlled communication between them.

Its primary objectives are to:

Each segment has its own security rules and access controls, allowing only authorised communication between networks.

Network Segmentation
Figure – Network segmentation divides a network into isolated segments with controlled communication between them.

Why Network Segmentation is Important

Without Segmentation

With Segmentation


IT and OT Separation

Industrial control systems should not be directly connected to the corporate IT network. Instead, the OT network should be isolated behind a dedicated industrial firewall.

Corporate Network (IT)
      │
  Firewall
      │
Industrial Network (OT)

This creates a secure boundary between:


Firewalls vs Routers

Firewalls

Firewalls are designed to enforce security policies.

Capabilities include:

Firewalls are essential for controlling communication between network segments.


Routers

Routers are designed primarily for forwarding network traffic. Although many modern routers include basic firewall features, routing is their primary function.

Typical router capabilities:

Limitations compared to dedicated firewalls:

For OT security, routers should not replace dedicated industrial firewalls.


Demilitarized Zone (DMZ)

A Demilitarized Zone (DMZ) is a secure buffer network positioned between the corporate IT network and the industrial control system (ICS/IACS) network. Its purpose is to allow controlled communication without permitting direct connectivity between IT and OT.

Corporate Network
      │
  Firewall
      │
      DMZ
      │
  Firewall
      │
Industrial Network

Purpose of the DMZ

The DMZ:


Typical Systems Located in a DMZ

Common services include:

These systems communicate with both IT and OT, but only through tightly controlled firewall rules.


DMZ Communication Rules

Communication should occur only between:

Direct communication between:

should not be permitted.

Every permitted connection should be:


Three-Tier Architecture

A common industrial architecture consists of three security zones:

Enterprise Network
      │
  Firewall
      │
      DMZ
      │
  Firewall
      │
Industrial Control System

Benefits include:

Attackers must bypass multiple independent security layers before reaching critical control systems.


One Firewall or Two?

Single Firewall Architecture

Suitable when:

Requirements:


Dual Firewall Architecture

Recommended when:

Advantages:


Security Best Practices


Key Takeaways


Standards References