Network security architectures began with a simple model of segregating an organization's internal network traffic from external network traffic. In such a model, internal network traffic is trusted, and external network traffic is untrusted. As a consequence, a device with access to the organization's internal network can ultimately communicate with any other device on that network. This arrangement poses many security issues, however. An attacker who gains access to one device is able to communicate with, and potentially exploit, every other device on the network. Similarly, an employee who legitimately needs access to one resource on the internal network can inappropriately access other resources on the internal network.
In response to these problems, some organizations started segregating network traffic at the department or sub-department level. Devices in different departments can be connected to the internal network using physically separate cabling. For example, accounting department ports can be wired using blue cabling, and customer service department ports can be wired using yellow cabling. The blue cabling can be connected to one physical switch, while the yellow cabling can be connected to another physical switch, thus providing a physical separation between two internal network segments of the organization. Therefore, a device on the accounting department segment cannot communicate with a device on the customer service department segment.
Understandably, physically separate systems can be difficult to implement and maintain. If devices are moved from one port to another, the cabling has to be reconfigured. One solution is to use a virtual local area network (VLAN) architecture. With a VLAN architecture, each port on a router is assigned to a respective virtual network segment. The routers of the organization are configured to route network traffic separately for each virtual network segment. For example, ports corresponding to the devices in the accounting department can be assigned to virtual network segment 0, while the ports corresponding to the devices in the customer service department can be assigned to virtual network segment 1. Although this approach allows reconfiguration without changing physical cabling, it can also be error-prone: a port assigned to the wrong segment silently grants access across the intended boundary. Moreover, this approach does not account for mobile devices that are not wired into a port or that connect by way of the Internet.
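As an added illustration of the VLAN separation described above (example code written for this page, not part of the original text): a minimal model of an 802.1Q-capable switch that classifies frames by ingress port, learns addresses per VLAN, and floods only within a VLAN, plus an audit that catches the port misassignment the text calls error-prone. Port numbers, VLAN IDs and MAC addresses are constructed for the example.

```python
import struct
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def make_frame(dst: bytes, src: bytes, vid=None, payload=b"\x08\x00" + b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet frame, inserting an 802.1Q tag when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + payload

def parse_frame(frame: bytes):
    """Return (dst, src, vid); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        return dst, src, struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 bits = VID
    return dst, src, None

class VlanSwitch:
    """Learning switch whose forwarding domain is (VLAN, MAC), not MAC alone."""
    def __init__(self):
        self.access = {}  # port -> VLAN id; untagged frames are classified into it
        self.trunk = {}   # port -> set of VLAN ids accepted/emitted with a tag
        self.fdb = {}     # (vid, mac) -> port, learned from source addresses
    def classify(self, port, vid):
        """Map an ingress (port, tag) to a VLAN, or None to drop the frame."""
        if port in self.access:
            return self.access[port] if vid is None else None  # tagged frame on access port: drop
        if port in self.trunk and vid in self.trunk[port]:
            return vid
        return None  # unconfigured port, or VLAN not allowed on this trunk
    def forward(self, in_port, frame):
        """Return the list of egress ports; flooding never crosses a VLAN boundary."""
        dst, src, vid = parse_frame(frame)
        vlan = self.classify(in_port, vid)
        if vlan is None:
            return []
        self.fdb[(vlan, src)] = in_port
        known = self.fdb.get((vlan, dst))
        if known is not None:
            return [known] if known != in_port else []
        members = [p for p, v in self.access.items() if v == vlan]
        members += [p for p, allowed in self.trunk.items() if vlan in allowed]
        return [p for p in members if p != in_port]

def audit_ports(switch, expected):
    """Report access ports whose VLAN differs from the intended department plan."""
    return {p: (v, expected.get(p)) for p, v in switch.access.items() if expected.get(p) != v}
```

The `audit_ports` check is the kind of configuration review that turns a silent misassignment into a finding before a device on one segment can reach another.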