Bazat e Segmentimit të Rrjetit

Fillestar 14 min Siguria e Rrjetit

Hyrje

Network segmentation is the practice of dividing a larger network into smaller, isolated pieces so that a compromise in one piece cannot automatically spread to the others.

Teoria

A flat network — where every device can talk to every other device on Layer 2 — is the worst case for a defender. Once an attacker lands on any host, they can pivot laterally with tools like Mimikatz, PsExec and SMB relay attacks. Segmentation breaks those lateral paths by placing workstations, servers, printers and IoT devices into separate VLANs, each routed through a firewall that enforces an explicit allow-list. Micro-segmentation takes this further and isolates individual workloads, often using software-defined networking or host-based firewalls like Windows Defender Firewall with policy from Intune or a zero-trust controller like Tailscale. The Zero Trust model embraces this idea fully: no device or user is trusted by default, every access request is verified based on identity, device health and context regardless of network location. For small organizations, a practical first step is to put guest Wi-Fi, staff Wi-Fi, printers and IoT devices on four separate VLANs with inter-VLAN ACLs. This single change blocks the majority of lateral-movement techniques used in ransomware incidents.

Mjetet

Teknika dhe mjete:

  • VLAN-et (IEEE 802.1Q) — ndarje në Layer 2.
  • Private VLANs, ACL, VRF — për izolim më të thellë.
  • Microsegmentation me NSX, Calico, Cilium (Kubernetes).
  • Zero-Trust Network Access (ZTNA) — Tailscale, Cloudflare Access, Zscaler.

Praktika

Shembull: krijimi i një VLAN në switch Cisco:

vlan 20
 name DMZ
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 20

Në Linux, VLAN me ip:

ip link add link eth0 name eth0.20 type vlan id 20
ip addr add 10.20.0.5/24 dev eth0.20
ip link set eth0.20 up

Ushtrime

  1. Dizajno një rrjet për një kompani të vogël me: servera (DMZ), zyra (LAN), Wi-Fi mysafirësh, VoIP. Ndaji në VLAN dhe vizato trafikun e lejuar.
  2. Shkruaj tre ACL që bllokojnë LAN→DMZ në portat e admin-it por lejojnë LAN→DMZ te porta 443.

Burime

  • CIS Controls v8 — Control 12: Network Infrastructure Management.
  • RFC 5517 — Private VLANs.
  • NIST SP 800-207 — Zero Trust Architecture.

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re