Segmentation for Guest, BYOD, IoT, IIoT, SCADA, ICS, and OT
Key Takeaways
- Segmentation (objective 4.1) limits which systems can communicate, shrinking the blast radius of any single compromise.
- Guest, BYOD, IoT, IIoT, and OT devices each carry distinct trust levels and demand distinct network policies.
- VLANs, ACLs, firewalls, NAC/802.1X, separate SSIDs, VRFs, and microsegmentation all enforce separation.
- SCADA/ICS/OT environments prioritize safety and availability (the inverted CIA triad) and tolerate change poorly.
- Good designs are documented as explicit allowed-flow tables, not vague labels like 'IoT is isolated.'
Segmentation for Mixed-Device Environments
Segmentation separates a network by trust level, function, ownership, or compliance need so that a problem in one zone cannot freely spread to another. On the N10-009 exam (objective 4.1), expect scenario questions that hand you a device type and ask which zone and policy it belongs in. Segmentation does not require separate physical hardware. It can be built with VLANs, IP subnets, ACLs (access control lists), firewalls, VRF (virtual routing and forwarding) instances, distinct SSIDs (service set identifiers), software-defined networking, and NAC (network access control).
The goal is controlled communication: a device reaches exactly what it needs and nothing more. This directly reduces east-west (lateral) movement after a breach.
Device Groups and Trust Levels
| Device group | Risk profile | Segmentation goal |
|---|---|---|
| Guest devices | Unknown ownership and patch state | Internet egress only; client isolation; zero internal routing |
| BYOD (bring your own device) | Personal, unmanaged endpoints | Reach only approved services (VDI, SSO portal, select SaaS) |
| IoT (Internet of Things) | Hard-coded creds, rare patches, cloud dependence | Permit only DNS, NTP, the controller, and one vendor endpoint |
| IIoT (industrial IoT) | Smart-factory sensors and actuators | Isolate from enterprise users; tightly scoped controller flows |
| SCADA / ICS | Supervisory control with real-world safety impact | Shield control LAN from enterprise and Internet exposure |
| OT (operational technology) | Long lifecycle, legacy protocols | Availability and safety first; controlled maintenance windows |
A thermostat, badge reader, IP camera, or printer should never initiate a session to a payroll server. A PLC (programmable logic controller) should not browse the web or accept traffic from office workstations unless a specific, approved flow exists.
Controls That Enforce Segmentation
| Control | What it contributes |
|---|---|
| VLAN + subnet design | Logical separation and clear Layer 3 routing boundaries |
| ACLs | Stateless filtering on router/switch interfaces |
| Firewalls | Stateful policy, zone enforcement, logging, deep inspection |
| NAC + 802.1X | Places a device in the right VLAN based on identity or posture |
| Separate SSIDs | Maps wireless clients to different VLANs and policies |
| VRF | Keeps routing tables fully separate for stronger isolation |
| Microsegmentation | Restricts host-to-host east-west traffic inside a zone |
| Screened subnet (DMZ) | Hosts public-facing services between two firewall layers |
Document the design as a flow policy, not a label. "IoT VLAN is isolated" is far weaker than a table stating IoT may reach DNS, NTP, the IoT controller, and one vendor update host while every other internal destination is denied.
OT, ICS, and SCADA Design Cautions
Operational technology monitors or controls physical processes. ICS and SCADA stacks include sensors, PLCs, HMIs (human-machine interfaces), historians, engineering workstations, and vendor remote support. They carry long hardware lifecycles and strict uptime needs, so the CIA triad is effectively inverted to availability first.
| Requirement | Design implication |
|---|---|
| Safety | Avoid changes that could disrupt a running physical process |
| Availability | Schedule maintenance windows; test failover before production |
| Legacy protocols (Modbus, DNP3) | Compensate with isolation and monitoring when encryption is unavailable |
| Vendor access | Approved path only: jump host, MFA, time limits, full logging |
| Data sharing | Push through a historian or data broker, never direct enterprise-to-PLC |
Worked Example: Placing a Camera Fleet
Suppose a building installs 40 IP cameras that must reach one NVR (network video recorder) plus DNS and NTP, and nothing else. The correct design is a dedicated camera VLAN with a default-deny ACL that permits only: camera-to-NVR on the recording port, camera-to-DNS (UDP 53), and camera-to-NTP (UDP 123). Inter-VLAN routing to the finance, user, and domain-controller subnets is denied. The cameras themselves are auto-placed by 802.1X with MAB (MAC authentication bypass) because they cannot run a supplicant. This satisfies objective 4.1's expectation that you justify both the zone and the allowed flows, not just draw a box.
Contrast that with a flat design where cameras share the user VLAN. A single compromised camera, running outdated firmware with a hard-coded password, could then scan and pivot to a domain controller. Segmentation is what converts that breach from an enterprise incident into a contained camera-VLAN event.
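The allowed-flow table from the camera example, checked the way a router evaluates an ACL (first match wins, implicit deny at the end), as an added illustration that is not part of the study guide. All addresses are constructed, and the NVR "recording port" is assumed to be RTSP on TCP 554; the flat allow-any ACL from the Common Traps list is audited against the same flow table for comparison.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the camera-fleet example (not real infrastructure).
CAMERA_VLAN = ip_network("10.40.0.0/24")   # the 40 cameras
NVR = ip_network("10.41.0.10/32")          # recorder, in its own VLAN
DNS = ip_network("10.10.0.53/32")
NTP = ip_network("10.10.0.123/32")
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: object                  # IPv4Network
    dst: object                  # IPv4Network
    proto: str                   # "tcp", "udp", or "ip" (any protocol)
    dport: Optional[int] = None  # None matches any destination port

def evaluate(acl, src, dst, proto, dport):
    """Router-style ACL: first matching rule decides; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in acl:
        if (s in r.src and d in r.dst and r.proto in ("ip", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"   # the implicit deny every default-deny design relies on

# Default-deny design from the worked example: three permits and nothing else.
CAMERA_ACL = [
    Rule("permit", CAMERA_VLAN, NVR, "tcp", 554),   # recording port (assumed RTSP)
    Rule("permit", CAMERA_VLAN, DNS, "udp", 53),
    Rule("permit", CAMERA_VLAN, NTP, "udp", 123),
]
# The trap: an allow-any ACL that "segments" nothing.
FLAT_ACL = [Rule("permit", ANY, ANY, "ip")]

# Documented flow policy (constructed): (src, dst, proto, dport) -> expected action.
EXPECTED = {
    ("10.40.0.7", "10.41.0.10", "tcp", 554): "permit",  # camera -> NVR recording
    ("10.40.0.7", "10.10.0.53", "udp", 53): "permit",   # camera -> DNS
    ("10.40.0.7", "10.10.0.123", "udp", 123): "permit", # camera -> NTP
    ("10.40.0.7", "10.20.0.15", "tcp", 445): "deny",    # camera -> finance SMB
    ("10.40.0.7", "10.10.0.5", "tcp", 389): "deny",     # camera -> domain controller
    ("10.40.0.7", "10.41.0.10", "tcp", 22): "deny",     # camera -> NVR, non-recording port
}

def audit(acl, expected=EXPECTED):
    """Return every flow whose ACL result differs from the documented policy."""
    return {flow: evaluate(acl, *flow) for flow, want in expected.items()
            if evaluate(acl, *flow) != want}

if __name__ == "__main__":
    print("camera ACL violations:", audit(CAMERA_ACL))  # {} when policy and ACL agree
    print("flat ACL violations:", audit(FLAT_ACL))      # the three flows that should be denied
```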
Choosing Between VLAN, VRF, and Microsegmentation
A recurring exam decision is which separation tool fits. Use a VLAN for broadcast-domain and policy separation at the access layer. Use a VRF when two tenants or environments must have entirely independent routing tables, for example keeping a guest routing instance from ever learning routes into the corporate instance. Use microsegmentation (often host firewall or hypervisor policy) when you must restrict traffic between two servers that legitimately share the same VLAN, such as a web tier that may talk to its app tier but never directly to the database tier.
The exam rewards matching the smallest control that achieves the isolation goal.
Common Traps
- A VLAN alone does not secure anything if inter-VLAN routing or an allow-any ACL permits everything between VLANs.
- Guest networks need client isolation and internal deny rules, not just a different SSID name.
- IoT devices typically need outbound cloud access but almost never broad internal access.
- OT remote access must be explicit, logged, time-bounded, and approved.
- A screened subnet (DMZ) is for systems the public must reach; do not place internal-only servers there just because it sounds secure.
- Always test from the source network (for example, from the guest VLAN), not just review a diagram. Validation from the actual host is what catches a forgotten allow-rule or a stale route.
A guest wireless network can reach internal file servers because inter-VLAN routing permits all traffic between subnets. What is the primary design flaw?
Which design is most appropriate for a vendor supporting a SCADA controller in an OT zone?
Which controls can enforce network segmentation? Select three.