Network Infrastructure Security Models (Domain 3)

In this episode, we’re diving into three network infrastructure security models: physical isolation, logical segmentation, and software-defined networking. Each of these models approaches security from a different angle. Some rely on hardware-level boundaries, others on logical controls, and some on centralized programmability. Understanding how these models work—and how they reduce risk—can help you design more secure, scalable, and responsive environments.
Let’s start with physical isolation. Physical isolation refers to keeping systems completely separate from outside networks—including the internet and other internal networks. The most extreme version of this model is the air-gapped network. An air-gapped system has no physical connection to any other network, and data can only be transferred in or out using removable media—often under strict supervision.
Air-gapped environments are commonly used in highly sensitive sectors, such as nuclear power plants, military installations, or classified research labs. These environments are designed to prevent remote access, data leakage, and unauthorized communication with outside systems.
The strength of physical isolation is in its simplicity. If there’s no network connection, an attacker cannot exploit a network path to breach the system. Even zero-day exploits and advanced persistent threats can be rendered ineffective if they rely on remote communication.
But physical isolation also comes with limitations. Updates, backups, and data transfers must be performed manually, which is time-consuming and prone to human error. There’s also the risk of internal threats—if someone introduces malware through a USB drive or other physical medium, the isolation doesn’t help. In practice, physical isolation provides strong perimeter protection, but it must be paired with strict access controls, monitoring, and security hygiene.
Now let’s look at logical segmentation. Logical segmentation uses configuration rather than hardware to divide networks into smaller, isolated segments. This allows organizations to create security boundaries without deploying separate physical infrastructure. Common techniques include Virtual Local Area Networks, subnetting, and micro-segmentation.
A Virtual Local Area Network, or VLAN, groups systems together based on function or department, even if they’re not on the same physical switch. For example, all finance department devices might be on one VLAN, while all human resources devices are on another. Access between VLANs can be tightly controlled using routing rules and firewalls.
Subnetting achieves similar outcomes by dividing IP address space into smaller ranges, limiting broadcast traffic and controlling which devices can communicate directly. This enhances performance and simplifies access control policies.
Micro-segmentation takes this idea further by applying access controls at the application or workload level. In a micro-segmented environment, each system or service has a unique set of rules defining which other systems it can communicate with—and under what conditions. This is especially useful in virtualized or cloud environments, where workloads are dynamic and distributed.
Logical segmentation helps reduce lateral movement. If an attacker compromises one device, they can’t automatically move to others, because traffic between segments is restricted. It also allows for more granular policy enforcement and improves visibility into who is accessing what.
A real-world example of successful segmentation involved a healthcare provider that divided its network into patient systems, administrative workstations, and research devices. When a phishing attack compromised a user in the administrative segment, access to patient data was blocked by routing policies. The incident was contained and resolved before any sensitive records were exposed.
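As an added illustration of the default-deny segmentation the healthcare example above relies on (this code is not from the episode; the segment names, addresses, ports and rules are all constructed), the check below maps hosts to segments and evaluates sample flows, including a compromised administrative workstation trying to reach patient systems:

```python
import ipaddress
from typing import List, Optional, Tuple
# Constructed segments modelled on the healthcare example above; addressing is hypothetical.
SEGMENTS = {
    "patient": ipaddress.ip_network("10.10.0.0/24"),
    "admin": ipaddress.ip_network("10.20.0.0/24"),
    "research": ipaddress.ip_network("10.30.0.0/24"),
}

# Inter-segment allow-list: (source segment, destination segment, destination port or None for any).
# Anything not listed is denied, so a compromised host gets no implicit path into another segment.
ALLOW_RULES = [
    ("admin", "patient", 443),       # admin staff reach the patient portal over HTTPS only
    ("admin", "admin", None),        # traffic within a segment is left open
    ("patient", "patient", None),
    ("research", "research", None),
]

def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it lies outside every segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default-deny policy check: True only if an explicit rule matches the flow."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown hosts never get an implicit path
    return any(
        r_src == src and r_dst == dst and (r_port is None or r_port == dst_port)
        for r_src, r_dst, r_port in ALLOW_RULES
    )

def evaluate_flows(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Annotate each (src, dst, port) flow with ALLOW or DENY for review."""
    return [(s, d, p, "ALLOW" if is_allowed(s, d, p) else "DENY") for s, d, p in flows]
if __name__ == "__main__":
    # Constructed flows: a phished admin workstation probing beyond its own segment.
    sample = [
        ("10.20.0.15", "10.10.0.7", 443),   # legitimate portal access
        ("10.20.0.15", "10.10.0.5", 445),   # file-share port toward a patient-data host
        ("10.20.0.15", "10.30.0.9", 22),    # attempt to reach the research segment
        ("10.30.0.9", "10.30.0.12", 8080),  # research-to-research stays open
    ]
    for row in evaluate_flows(sample):
        print(row)
```

Only the two flows covered by an explicit rule are allowed; everything else from the admin segment is denied, which is the containment the episode describes.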
Now let’s explore software-defined networking. Software-defined networking, or SDN, is a model that separates the control plane from the data plane. In simpler terms, this means that instead of configuring each router or switch manually, you manage network policies centrally using software. The SDN controller defines how traffic should flow, and the underlying hardware simply follows instructions.
SDN provides flexibility, scalability, and programmability. Because network behavior is defined in software, changes can be made quickly and consistently across the environment. New policies, routes, and security rules can be deployed almost instantly, and automation tools can respond to threats or performance changes in real time.
There are several security advantages to SDN. Centralized control allows for consistent policy enforcement. Network behavior can be dynamically adjusted in response to incidents. And visibility is improved, since the controller can monitor all traffic patterns from a single vantage point.
However, SDN also introduces risks. If the SDN controller is compromised, an attacker can reprogram the entire network from a single point. The abstraction between software and hardware adds complexity, which can introduce misconfigurations. And because SDN is relatively new, some environments may lack mature tools or well-established best practices.
To secure SDN environments, organizations must protect the controller with strong authentication, encrypt all management traffic, and monitor for policy changes or configuration drift. Role-based access controls should be enforced, and change management processes should be adapted to account for software-defined infrastructure.
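One way to monitor an SDN controller for policy changes and configuration drift, as an added example that is not from the episode or any particular controller product (the rule format and both snapshots are constructed, and a real deployment would pull them from the controller's API): fingerprint the approved policy, diff the live policy against it, and rank the differences by whether they widen access.

```python
import hashlib
import json
from typing import Dict, List

# Constructed flow-rule snapshots in a hypothetical controller export format:
# key = match fields, value = action the controller installs on the switches.
BASELINE: Dict[str, str] = {
    "src=10.20.0.0/24,dst=10.10.0.0/24,port=443": "allow",
    "src=10.20.0.0/24,dst=10.10.0.0/24,port=*": "deny",
    "src=10.30.0.0/24,dst=10.10.0.0/24,port=*": "deny",
}
CURRENT: Dict[str, str] = {
    "src=10.20.0.0/24,dst=10.10.0.0/24,port=443": "allow",
    "src=10.20.0.0/24,dst=10.10.0.0/24,port=*": "allow",    # deny silently flipped to allow
    "src=10.30.0.0/24,dst=10.10.0.0/24,port=*": "deny",
    "src=0.0.0.0/0,dst=10.10.0.0/24,port=22": "allow",      # rule nobody approved
}

def policy_fingerprint(rules: Dict[str, str]) -> str:
    """Stable SHA-256 over a canonical JSON form; store this with the approved change record."""
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_policy(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Rules added, removed, or whose action changed between the two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

def drift_alerts(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Turn the diff into alerts; anything that opens a path is HIGH severity."""
    d = diff_policy(baseline, current)
    alerts = []
    for k in d["changed"]:
        sev = "HIGH" if current[k] == "allow" else "MEDIUM"
        alerts.append(f"{sev}: rule {k} changed {baseline[k]} -> {current[k]}")
    for k in d["added"]:
        sev = "HIGH" if current[k] == "allow" else "LOW"
        alerts.append(f"{sev}: unapproved rule added {k} = {current[k]}")
    for k in d["removed"]:
        sev = "HIGH" if baseline[k] == "deny" else "LOW"
        alerts.append(f"{sev}: rule removed {k} (was {baseline[k]})")
    return alerts

if __name__ == "__main__":
    if policy_fingerprint(BASELINE) != policy_fingerprint(CURRENT):
        print("\n".join(drift_alerts(BASELINE, CURRENT)))
```

The fingerprint is the cheap check to run on every poll; the diff is what goes to the on-call engineer when it mismatches.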
As you prepare for the Security Plus exam, understand the differences between physical isolation, logical segmentation, and software-defined networking. You may be asked to recommend the best model for a particular environment or identify risks associated with misconfigured segments or centralized control. Focus on how each model impacts visibility, scalability, and response to threats—and how they can be combined to strengthen overall network defense.
