I know network segmentation is one of those things that has no standard solution. And then you can get into the minutiae of network segmentation versus “micro-segmentation.”
I know some solutions out there are leaning towards all host-based for segmentation, basically creating an orchestration layer to manage iptables/Windows Firewall, etc.
However, there's also this concept of segmenting different stuff off into their own VLANs and making them go through a NGFW to talk to any other VLAN.
Anyone here doing that? The architecture kind of boggles my mind a bit. For one thing: do the firewalls just sort of replace your core switches at that point? Or do the firewalls hang off the cores like a big router on a stick? Either way, these firewalls will now handle routing for the network.
I am wondering how the solution looks and if that’s viable? Or is host-based segmentation the way to go.
And if you go with host-based, do separate VLANs for everything even make sense? Or would you basically do some minimal VLANing and just rely on the orchestrated firewall rules of each host?
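The two designs the post contrasts can be driven from the same declarative policy, which is a useful way to see what each one actually enforces. The following is an added example and not code from the original post or from any product: one segment/flow policy rendered as per-host iptables INPUT rules (what a host-based orchestrator pushes) and as FORWARD rules for a Linux box routing between 802.1Q subinterfaces (the router-on-a-stick NGFW position). Hostnames, VLAN IDs, subnets, ports and the `eth0` uplink name are all constructed sample data.

```python
"""
Added example: one segmentation policy, two enforcement points.
All inventory below is constructed sample data, not a real network.
"""
import ipaddress

# Constructed inventory: segment -> (VLAN id, subnet)
SEGMENTS = {
    "web":  (10, "10.0.10.0/24"),
    "app":  (20, "10.0.20.0/24"),
    "db":   (30, "10.0.30.0/24"),
    "mgmt": (99, "10.0.99.0/24"),
}

# Constructed host inventory: hostname -> (segment, ip)
HOSTS = {
    "web01":  ("web",  "10.0.10.11"),
    "app01":  ("app",  "10.0.20.11"),
    "db01":   ("db",   "10.0.30.11"),
    "jump01": ("mgmt", "10.0.99.5"),
}

# Allowed flows: (src segment, dst segment, proto, dst port).
# Anything not listed is denied by the default policy in both renderings.
FLOWS = [
    ("web",  "app", "tcp", 8443),
    ("app",  "db",  "tcp", 5432),
    ("mgmt", "web", "tcp", 22),
    ("mgmt", "app", "tcp", 22),
    ("mgmt", "db",  "tcp", 22),
]


def validate(segments=SEGMENTS, hosts=HOSTS):
    """Refuse to render anything if a host's IP is outside its declared segment:
    a host-based rule keyed on segment subnets would silently misfire otherwise."""
    for name, (seg, ip) in hosts.items():
        net = ipaddress.ip_network(segments[seg][1])
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{name} ({ip}) is not inside segment {seg} ({net})")
    return True


def render_host_rules(hostname, hosts=HOSTS, segments=SEGMENTS, flows=FLOWS):
    """Host-based rendering: INPUT rules an orchestrator would push to this one host.
    Default-deny; only flows whose destination segment is this host's are opened."""
    seg, _ip = hosts[hostname]
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, proto, port in flows:
        if dst != seg:
            continue
        src_net = segments[src][1]
        rules.append(f"iptables -A INPUT -s {src_net} -p {proto} --dport {port} -j ACCEPT")
    return rules


def render_forward_rules(uplink="eth0", segments=SEGMENTS, flows=FLOWS):
    """Network-based rendering: FORWARD rules for a Linux router-on-a-stick.
    One trunk uplink, one VLAN subinterface (e.g. eth0.10) per segment; the
    firewall is also the inter-VLAN router, so every cross-VLAN packet hits this chain."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, proto, port in flows:
        sif = f"{uplink}.{segments[src][0]}"
        dif = f"{uplink}.{segments[dst][0]}"
        rules.append(f"iptables -A FORWARD -i {sif} -o {dif} -p {proto} --dport {port} -j ACCEPT")
    return rules


def ngfw_sees(src_ip, dst_ip, segments=SEGMENTS):
    """Caveat for the VLAN design: the inter-VLAN firewall only sees traffic that
    crosses VLANs. Two hosts in the same VLAN reach each other through the switch,
    so the FORWARD policy never applies to them; only a host firewall (or private
    VLANs / switch ACLs) can cover that path."""
    def seg_of(ip):
        addr = ipaddress.ip_address(ip)
        for name, (_vid, net) in segments.items():
            if addr in ipaddress.ip_network(net):
                return name
        return None
    s, d = seg_of(src_ip), seg_of(dst_ip)
    return s is not None and d is not None and s != d


if __name__ == "__main__":
    validate()
    print("\n".join(render_host_rules("db01")))
    print()
    print("\n".join(render_forward_rules()))
    print(ngfw_sees("10.0.10.11", "10.0.10.12"))  # same VLAN: False
```

Rendering both from one policy makes the trade-off concrete: the host-based output is N small rule sets that must be pushed and kept in sync on every machine, while the router-on-a-stick output is one chain that sees every cross-VLAN flow but is blind to anything staying inside a VLAN, which is exactly why shops that go the NGFW route still tend to keep a host firewall for intra-segment traffic.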