Subnetting: Network Security Segmentation Guide

Critical Principles:

• Least Privilege: Only necessary routes between subnets
• Functional Isolation: Separate user, server, IoT networks
• DMZ Placement: Public-facing services in isolated subnets

Enterprise Example:

PCI DSS requires payment systems in isolated subnets (Req 1.2)

Implementation:

• Use /24 for user subnets (250 hosts)
• /28 or smaller for server subnets
• /30 for point-to-point links

Security Measures:

• Layer 3 ACLs: Control inter-subnet traffic
• Private VLANs: Isolate hosts within same subnet
• VACLs: VLAN access control lists

Zero Trust Approach:

Google BeyondCorp implements micro-subnets with device-level auth

Configuration:

• Default DENY all between subnets
• Explicit ALLOW only required ports
• Log all denied attempts

Detection Advantages:

• Anomaly Detection: Baseline per-subnet traffic patterns
• Lateral Movement: Spot cross-subnet scanning
• Containment: Quarantine compromised subnets

Enterprise Tools:

• Darktrace for behavioral analysis
• Cisco Stealthwatch for flow monitoring
• Zeek (Bro) for network metadata

Case Study:

Maersk contained NotPetya by rapidly isolating infected subnets

Key Differences:

• Larger Space: /64 minimum subnet size
• SLAAC: Stateless address autoconfiguration
• Privacy Extensions: Temporary addresses

Security Practices:

• Use /64 for all subnets (prevents scanning)
• Enable RA Guard against rogue routers
• Implement DHCPv6 for auditing

NIST Recommendation:

SP 800-119 recommends separate /64 for each security zone