Concept and Use Cases
Not all internet devices are the same, and sometimes treating them differently can improve the security and performance of your network. So, instead of one big flat network at home or work, network segmentation lets you create many networks, each governed by its own rules. This is just like adding rooms and doors (with locks) in the real world.
Network Segmentation divides your network into physical or logical partitions with dynamic and static policies/rules. These subnetworks can be used to give you better security and in some cases help you to speed up the network.
Network Segmentation is only available on the Firewalla Gold.
Use cases for network segmentation include:
- Create a network for kids or employees with their own rules and policies. You can limit access to the internet, filter activities, monitor, and more.
- Create a network for work-from-home access with the VPN client enabled.
- Create a secure guest network, in order to apply high-level protection to your guests, and manage their activities in real-time.
- Quarantine new devices on any network into one group, with preset rules to block them from accessing the Internet or certain sites.
- Isolate IoT devices into their own network. For instance, only permit devices like security cameras to talk within their own network.
Firewalla Gold Segmentation supports the following rules/policies:
- Ingress/egress Firewall: manage traffic to and from the internet (with allow and block).
- Segment Firewall: the ability to block traffic from/to other segments.
- Ability to apply any rules and features to any segment.
Here are examples of how these use cases work:
Kids or employees network
At home, you can create a network segment for kids with parental control rules and features. Depending on the situation, it can be similar to Network A, which can access other networks (but not the other way around), or Network B, which is restricted from accessing other devices or resources.
If you use Firewalla in the office network, you can create a network to manage employees' network access, similar to kids at home. You can apply rules and features based on company policy. You can also monitor the network segment as a whole, including alarms and settings.
VPN network for working from home
Firewalla's built-in VPN client makes it convenient to work from home through a VPN. In this case, you can create a network with a VPN connection configured, and only include devices that you need to use for work. This way your work communication is always protected (and always on), and will not interfere with internet access by other devices.
Secure guest network
You can create a secure guest network similar to Network B in the illustration. See this example on how to create a VLAN for the guest network.
After the guest network is created, you can apply features or rules just to this segment, such as Block Porn and Family Mode. You can also block guest devices from talking to any local network, while still allowing devices on local networks to talk to devices inside the guest network.
New Device Quarantine
With New Device Quarantine turned on, all new devices joining the network are automatically placed into a Quarantine group, and an alarm is generated. This makes it easy to build a very strict guest network for home and work.
This feature can be turned on for specific networks since App release 1.44.
More details on New Device Quarantine.
IoT network
For devices that are very purpose-specific and only need access to specific services, you can isolate IoT device traffic from the rest of the network. This reduces your exposure if an IoT device is compromised, and lets only trusted connections through. For example, on your IoT network you can:
- Block Traffic from & to the Internet.
- Block Traffic from & to all local networks.
- Allow access to ports required by specific services (IP addresses and ports).
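The guest and IoT policies above amount to a small set of segment firewall rules. The following added example (not Firewalla's own code or configuration; the segment addresses, the NVR host 192.168.1.50 and port 554 are constructed) models them as an ordered rule list and evaluates sample flows, so you can check that the asymmetric guest policy and the IoT service exception behave as intended before applying them on the box.

```python
from ipaddress import ip_address, ip_network

# Constructed segment plan (assumed example addresses).
SEGMENTS = {
    "lan":   ip_network("192.168.1.0/24"),
    "guest": ip_network("192.168.20.0/24"),
    "iot":   ip_network("192.168.30.0/24"),
}

def segment_of(ip):
    """Return the segment an address belongs to, or 'internet' if it is not local."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"

# Rules for new connections, evaluated top to bottom; first match wins
# (ordering is an assumption of this model, so specific allows sit above
# the broad blocks). Replies to an allowed connection are assumed to be
# tracked by connection state and are not evaluated here.
# Each rule: (action, src_segment, dst_segment, dst_host or None, dst_port or None)
RULES = [
    # IoT segment: only the NVR's RTSP service on the LAN is reachable (constructed).
    ("allow", "iot", "lan", "192.168.1.50", 554),
    ("block", "iot", "internet", None, None),   # block traffic to the Internet
    ("block", "iot", "lan", None, None),         # block traffic to all local networks
    ("block", "iot", "guest", None, None),
    # Guest segment: guests cannot reach local networks, but LAN -> guest is not blocked.
    ("block", "guest", "lan", None, None),
    ("block", "guest", "iot", None, None),
]

def evaluate(src_ip, dst_ip, dst_port):
    """Decide whether a new connection src_ip -> dst_ip:dst_port is allowed or blocked."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for action, r_src, r_dst, r_host, r_port in RULES:
        if r_src != src or r_dst != dst:
            continue
        if r_host is not None and ip_address(r_host) != ip_address(dst_ip):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "allow"  # no segment rule matched, so the flow is permitted

if __name__ == "__main__":
    for flow in [("192.168.30.10", "8.8.8.8", 443), ("192.168.30.10", "192.168.1.50", 554),
                 ("192.168.20.5", "192.168.1.10", 445), ("192.168.1.10", "192.168.20.5", 22)]:
        print(flow, "->", evaluate(*flow))
```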
Difference between Network Segmentation and Groups
- Groups can only be used to control the network traffic to the internet.
- Network segmentation can be used to control traffic between devices and also to the internet.