Concept and Use Cases
Network Segmentation divides your network into physical or logical partitions with dynamic and static policies/rules. These subnetworks can be used to give you better security and in some cases help you to speed up the network. Network Segmentation is only available on the Firewalla Gold.
Use cases for network segmentation include:
- Create a network for kids or employees with their own rules and policies. You can limit access to the internet, filter activities, monitoring, and more.
- Create a network for work-from-home access with VPN client enabled
- Create a secure guest network, in order to apply high-level protection to your guests, and manage their activities in real-time.
- Isolate IoT devices into their own network. For instance, only permit devices like security cameras to talk within their own network.
Firewalla Gold Segmentation supports the following:
- Ingress/egress Firewall, ability to manage traffic to and from the internet (with allow and block).
- Segment Firewall, ability to block traffic from/to other segments.
- Ability to apply any rules and features to any segment.
Here are examples of how these use cases work.
Kids or employees network
At home, you can create a network segment for kids with parental control rules and features. Depending on the situation, it can be similar to Network A where it can access other networks (but not other way around), or Network B where it is restricted from accessing other devices or resources.
If you use Firewalla in the office network, you can create a network to manage employees' network access, similar to kids at home. You can apply rules and features based on company policy. You can also monitor the network segment as a whole including alarms and settings
VPN network for working-from-home
Firewalla's built-in VPN client makes it convenient to work from home through a VPN. In this case, you can create a network with VPN client configured, and only include devices that you need to use for work. This way your work communication is always protected (and always on), and will not interfere with internet access by other devices.
You can create a secure guest network similar to Network B in the illustration. See this example on how to create a VLAN for guest network.
After the guest network is created, you can apply features or rules just to this segment, such as block porn and Family mode. You can also block the guest from talking to any local networks ... but do allow devices from local networks to talk to devices inside the guest network.
For devices that are very purpose-specific, and only need access to specific services, you can isolate IoT devices traffic from the rest of the network, to reduce the risk exposure in case IoT devices get compromised and only allow trusted connections to come through. For example, on your IoT Network,
- Block Traffic from & to Internet.
- Block Traffic from & to all local networks.
- Allow access to ports required by specific services (IP addresses and ports).