Segmentation Design Template
Zone Definitions
Network segmentation divides a flat network into zones based on trust level and function. Each zone contains systems with similar security requirements. Traffic between zones is controlled -- only connections with a documented business justification are allowed.
Standard zones for building infrastructure:
| Zone | Systems | Trust Level | Description |
|---|---|---|---|
| Tenant | Wi-Fi access points, guest devices | Untrusted | Open to tenants and visitors. Assume any device in this zone could be compromised. |
| Building Systems | BMS (HVAC, fire suppression, elevators) | High trust | Life-safety systems. Access restricted to authorized management systems only. |
| Surveillance | CCTV cameras, NVRs, CCTV management | Medium trust | Security monitoring. Outbound access needed for third-party management. |
| Access Control | Electronic locks, readers, controllers | High trust | Physical security systems. Access restricted to authorized management systems only. |
| Management | Monitoring (Grafana), administration, backup | Trusted | Operations team access to all zones for monitoring and maintenance. |
Traffic Policy Matrix
Start with default-deny: no traffic flows between zones unless explicitly allowed.
| Source Zone | Destination Zone | Allowed? | Ports | Justification |
|---|---|---|---|---|
| Tenant | Building Systems | Deny | -- | No business justification. Tenant devices must never reach BMS. |
| Tenant | Surveillance | Deny | -- | No business justification. Tenant devices must never reach CCTV. |
| Tenant | Access Control | Deny | -- | No business justification. Tenant devices must never reach door controls. |
| Tenant | Management | Deny | -- | No business justification. |
| Tenant | Internet | Allow | 80, 443 | Tenant internet access. |
| Building Systems | Internet | Allow (limited) | 443 | Firmware updates only. Outbound HTTPS. |
| Building Systems | Management | Allow | Monitoring ports | Health reporting to monitoring systems. |
| Surveillance | Internet | Allow (limited) | 1194 | Third-party VPN for remote CCTV management. |
| Surveillance | Management | Allow | Monitoring ports | Health reporting. |
| Access Control | Management | Allow | Monitoring ports | Health reporting. |
| Management | All Zones | Allow | Monitoring ports | Monitoring, administration, and maintenance. |
For every "Allow" entry, document the specific ports and protocols. "All ports" is never acceptable for inter-zone traffic. The management zone has the broadest access but should still be restricted to specific management protocols and ports.
Implementation Checklist
When implementing segmentation in a Docker environment:
- Create a separate Docker network for each zone
- Assign each container to its appropriate zone network
- Remove containers from the default bridge network (a container left on the default bridge can bypass the zone boundaries)
- Update application connection strings to use new network hostnames
- Configure inter-network routing for allowed traffic only
- Implement firewall rules enforcing the traffic policy (default-deny)
- Update health checks to work within the segmented topology
- Configure logging to capture cross-zone traffic attempts
- Verify Docker's own iptables rules do not override your firewall configuration
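The checklist items on per-zone networks, default-deny firewall rules, cross-zone logging and Docker's own iptables handling can be tied together by rendering the traffic policy matrix into rules for the DOCKER-USER chain, which Docker consults before its own FORWARD rules. The example below is added here and is not part of the original template; the zone subnets, the monitoring port 9100 and the zone names used as keys are constructed assumptions to be replaced with your own network definitions.

```python
import itertools
from dataclasses import dataclass

# Zone -> Docker network subnet. Constructed placeholders for this example;
# replace with the subnets of your own per-zone Docker networks.
ZONE_SUBNETS = {
    "tenant": "10.10.0.0/24",
    "building": "10.20.0.0/24",
    "surveillance": "10.30.0.0/24",
    "access": "10.40.0.0/24",
    "management": "10.50.0.0/24",
}
MONITORING_PORTS = (9100,)  # assumed "monitoring ports"; adjust to your stack

@dataclass(frozen=True)
class Allow:
    src: str
    dst: str
    proto: str
    ports: tuple  # explicit list only; an empty tuple would mean "all ports"

# Inter-zone "Allow" rows of the policy matrix. Internet egress rows belong to
# the perimeter rules and are omitted here.
POLICY = [
    Allow("building", "management", "tcp", MONITORING_PORTS),
    Allow("surveillance", "management", "tcp", MONITORING_PORTS),
    Allow("access", "management", "tcp", MONITORING_PORTS),
] + [Allow("management", z, "tcp", MONITORING_PORTS)
     for z in ZONE_SUBNETS if z != "management"]

def render_rules(policy=POLICY, subnets=ZONE_SUBNETS):
    """Return iptables commands for DOCKER-USER: allows first, then default-deny."""
    rules = ["iptables -F DOCKER-USER",
             "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for a in policy:
        if not a.ports:  # "All ports" is never acceptable for inter-zone traffic
            raise ValueError(f"{a.src}->{a.dst}: explicit ports required")
        ports = ",".join(str(p) for p in a.ports)
        rules.append(f"iptables -A DOCKER-USER -s {subnets[a.src]} -d {subnets[a.dst]} "
                     f"-p {a.proto} -m multiport --dports {ports} -j ACCEPT")
    # Default-deny for every other zone pair: log the attempt (feeds detection),
    # then drop. The log prefix is kept short because iptables caps it at 29 chars.
    for s, d in itertools.permutations(subnets, 2):
        pair = f"-s {subnets[s]} -d {subnets[d]}"
        rules.append(f"iptables -A DOCKER-USER {pair} -j LOG --log-prefix 'SEG-DENY {s[:5]}>{d[:5]}: '")
        rules.append(f"iptables -A DOCKER-USER {pair} -j DROP")
    rules.append("iptables -A DOCKER-USER -j RETURN")  # hand remaining traffic to Docker
    return rules
```

Apply the output with the Docker daemon running (the chain exists only then) and re-verify with the scan and connection tests in the Verification Criteria section.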
Verification Criteria
Segmentation is not verified by reading configuration files. Segmentation is verified by testing from the attacker's position.
For each "Deny" entry in the traffic policy:
- Nmap scan from the source zone shows destination ports as filtered/closed
- Connection attempt from source zone times out or is refused
- Detection rule fires on the blocked attempt (if detection is configured)
For each "Allow" entry:
- Connection succeeds on the specified ports only
- Connection fails on ports not in the allow list
- Traffic appears in monitoring logs with correct zone labels
For management zone access:
- Management can reach monitoring ports on all zones
- Management cannot reach non-monitoring ports (restricted to management functions)