Mehmet Sarı
Technology · 8 min read

From Flat Network to VLAN Segmentation: A Real Transition

I explain step-by-step how we modernized a manufacturing firm's flat network structure with VLAN segmentation and Sophos firewall rules.

Diagram showing the organization of a manufacturing firm's network infrastructure with VLAN segmentation.

A manufacturing firm’s network infrastructure often evolves over time into a “flat network” structure that is not isolated and harbors security risks. In such a setup, everything from office computers to production machines, and even guest Wi-Fi, resides within the same broadcast domain. This not only increases security vulnerabilities but can also negatively impact network performance. This is precisely where I will explain, step-by-step, the experience we had with a manufacturing firm client and how we made this flat network structure more secure and manageable through VLAN segmentation. This post includes not only the technical steps but also the practical challenges and lessons learned from such projects.

Our goal when starting this project was to make the existing flat network structure more secure, manageable, and scalable. Specifically, isolating Operational Technology (OT) devices in the production environment from the Information Technology (IT) network stood out as a critical measure against ransomware and other cyber threats. We planned to achieve these goals through VLAN segmentation and detailed rule definitions on the Sophos firewall. Throughout this process, we meticulously managed numerous stages, from creating a device inventory to port mapping and finally, establishing security policies.

Current State Analysis and Preparation: Risks of a Flat Network

Our client’s network structure was a typical example of a “flat network.” Office computers, servers, and production line OT devices were all on a single broadcast domain. The main risks associated with this situation were:

  • Security Vulnerabilities: Malware originating from one device could easily spread to all other devices on the same network. The fact that OT devices often have older operating systems that are difficult to patch exacerbated this risk.
  • Performance Issues: A large broadcast domain could generate unnecessary network traffic, consuming bandwidth and slowing down device communication.
  • Management Difficulties: Tracking which device was connected to which port, troubleshooting network issues, or adding new devices became quite cumbersome.
  • Compliance and Auditing: The absence of network segmentation was a significant deficiency in terms of industrial standards and security audits.

Following this analysis, we decided that the network needed to be logically divided using VLANs. VLANs allow us to segment a physical network into multiple logical networks, thereby isolating traffic. This way, we could create a separate VLAN for production devices, another for office users, and a completely isolated VLAN for guests. This would not only enhance network security but also allow us to better manage traffic and speed up troubleshooting processes.

During the preparation phase, we worked closely with the technical contact on the client’s side. Thoroughly documenting the network structure, determining which devices should reside in which segment, and clarifying that this transition would be handled as a separate project outside the standard maintenance agreement were critical for the project’s success.

Design and Planning: VLANs, IP Addresses, and Firewall Rules

One of the most critical phases of the VLAN segmentation project was detailed design and planning. After analyzing the existing network structure, we determined our logical partitioning strategy, also considering future needs.

First, we decided which devices would be assigned to which VLAN. In making this decision, we considered factors such as device functionality, security requirements, and the status of their operating systems. For instance, OT devices on the production line, often using older protocols and difficult-to-patch systems, were placed in a separate VLAN where the strictest security measures would be applied. Separate VLANs were also defined for office users, servers, and guests.

Next, we designed the firewall rules that would manage traffic between these VLANs. The goal was to approve only necessary traffic and block unnecessary or dangerous traffic. For example, office users needed internet access, while guest users were blocked from accessing internal company resources. Production OT devices were only allowed to communicate with designated servers over specific ports.

On the Sophos firewall interface, we created separate interfaces for each VLAN. These interfaces were mapped to their respective IP subnets. Then, under the “Network” → “Firewall” menu, we wrote detailed rules by specifying source and destination VLANs, services, and application categories. When designing these rules, we applied the principle of “least privilege,” meaning we granted the minimum permission required for a device or user to perform its function.

This design and planning phase formed the foundation of the project. Detailed planning helped minimize the problems encountered during implementation.

Implementation: VLAN and Rule Configuration on Sophos Firewall

It was time to bring the plan we established during the design phase to life. Creating VLAN interfaces on the Sophos firewall and then defining the rules to control traffic between these interfaces constituted the main steps of implementation.

First, in the Sophos interface, we went to the “Network” → “Interfaces” section and added new VLAN interfaces. For each VLAN, we specified an interface name, VLAN ID, and an IP address (usually as a gateway address). For example, for office users, we created an interface named VLAN10_Office, assigned VLAN ID 10, and the IP address 192.168.10.1/24. This process was repeated for the other VLANs we defined.

After creating the VLAN interfaces, we moved to the “Network” → “Firewall” section to start defining the rules. This stage was one of the most detailed and demanding parts of the project. Each rule was configured to allow or block specific traffic from a particular source (VLAN or IP address) to a particular destination (VLAN or IP address), for a specific service (HTTP, HTTPS, RDP, etc.), or application category (Social Networking, File Sharing, etc.).

For example, to allow office users (VLAN 10) to access the internet, we created a rule like this:

  • Source Zone: LAN
  • Source Network: VLAN10_Office (or 192.168.10.0/24)
  • Destination Zone: WAN
  • Destination Network: Any
  • Service: Any (or specific services like HTTP, HTTPS for stricter control)
  • Action: Accept

In contrast, to block guest Wi-Fi (VLAN 40) users from accessing internal servers (e.g., VLAN 30), we added this rule:

  • Source Zone: Guest
  • Source Network: VLAN40_Guest (or 192.168.40.0/24)
  • Destination Zone: LAN
  • Destination Network: VLAN30_Servers (or 192.168.30.0/24)
  • Service: Any
  • Action: Drop

In this manner, network security was maximized by defining the minimum access rights required for each segment.
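To check a rule table like the one above before it goes onto the firewall, the following added example (not part of the original post or of Sophos' own tooling) models the rules as an ordered list with first-match semantics and an implicit final drop, then verifies the flows the design phase says must be allowed or blocked. The OT subnet (VLAN 20), the designated server host, its port and the external address are assumptions; the post only names VLANs 10, 30 and 40.

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the post; the OT subnet (VLAN 20) is an assumption.
NETS = {"VLAN10_Office": "192.168.10.0/24", "VLAN20_OT": "192.168.20.0/24",
        "VLAN30_Servers": "192.168.30.0/24", "VLAN40_Guest": "192.168.40.0/24"}
@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_net: str         # VLAN name, CIDR, or "Any"
    dst_zone: str
    dst_net: str
    services: frozenset  # e.g. {"tcp/443"}; {"Any"} matches every service
    action: str          # "Accept" or "Drop"

# Ordered like the Sophos rule table: first match wins, implicit drop at the end.
RULES = [
    Rule("Guest", "VLAN40_Guest", "LAN", "VLAN30_Servers", frozenset({"Any"}), "Drop"),
    Rule("LAN", "VLAN10_Office", "WAN", "Any", frozenset({"Any"}), "Accept"),
    # OT may only reach one designated server over one port (host and port assumed).
    Rule("LAN", "VLAN20_OT", "LAN", "192.168.30.10/32", frozenset({"tcp/502"}), "Accept"),
]
def _in_net(ip, name):
    if name == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(NETS.get(name, name))
def evaluate(rules, src_zone, src_ip, dst_zone, dst_ip, service):
    # Walk the table top-down and return the first matching action, else "Drop".
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and _in_net(src_ip, r.src_net) and _in_net(dst_ip, r.dst_net)
                and ("Any" in r.services or service in r.services)):
            return r.action
    return "Drop"

# Flows the design phase says must be allowed or blocked (addresses constructed).
EXPECTATIONS = [
    (("LAN", "192.168.10.5", "WAN", "203.0.113.1", "tcp/443"), "Accept"),
    (("Guest", "192.168.40.7", "LAN", "192.168.30.10", "tcp/445"), "Drop"),
    (("LAN", "192.168.20.15", "LAN", "192.168.30.10", "tcp/502"), "Accept"),
    (("LAN", "192.168.20.15", "LAN", "192.168.30.10", "tcp/3389"), "Drop"),
    (("LAN", "192.168.20.15", "WAN", "203.0.113.1", "tcp/443"), "Drop"),
]

def check_policy(rules=RULES):
    """Return (flow, expected, actual) for every flow the rule set gets wrong."""
    bad = []
    for flow, want in EXPECTATIONS:
        got = evaluate(rules, *flow)
        if got != want:
            bad.append((flow, want, got))
    return bad
```

An empty result from `check_policy()` means every intended flow is handled; a mis-ordered rule (for example a broad Guest-to-LAN accept placed above the drop) shows up as a violation.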

Device Mapping and Inventory Extraction

As I mentioned, the VLAN segmentation project was not just about creating interfaces and rules. The real challenge was to accurately identify which device was connected to which port and map this information to VLAN assignments. Especially in production environments, device inventories are often incomplete or outdated.

To carry out this mapping, we used a combination of methods:

  1. Switch MAC Table: We listed the MAC addresses of devices connected to each switch port. This showed which MAC address was active on which port.
  2. LLDP (Link Layer Discovery Protocol): Network devices that support LLDP (switches, servers, etc.) exchange information about neighboring devices. Our Sophos firewall and switches supported LLDP, which provided us with additional information showing which switch port was connected to which device.
  3. DHCP Reservations and Logs: We tracked which IP address was assigned to which MAC address from the DHCP servers we defined for the VLANs. If devices used static IPs, we also included this information in the inventory.
  4. Device Inventory and Operating System: Together with the client’s technical contact, we identified the type of each device (PC, server, PLC, CNC machine, etc.) and its operating system. This information was critical, especially for isolating OT devices. Devices with old and hard-to-patch operating systems posed a higher security risk and therefore needed to be isolated in a separate segment.

Compiling this information and organizing it into a table greatly simplified our work. For example, if a MAC address active on a switch port matched a specific IP address in the DHCP logs, and this IP address appeared in our inventory as “a PC with an old Windows XP installed,” we had a clear idea of which VLAN this device should be assigned to.

This mapping process was one of the most laborious but also most important parts of the project. Without accurate mapping, no matter how well the VLANs and firewall rules were designed, network security could not be fully achieved.
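The join described above, as an added example that is not part of the original post: it normalizes MAC addresses from the switch table and the DHCP leases (which often use different notations), links each port to a lease and to the inventory entry, proposes a VLAN from the device type and operating system, and flags ports with no inventory match for on-site verification. All sample data is constructed, the VLAN ID 20 for OT is an assumption, and the EOL list is illustrative.

```python
import re

# Constructed sample data in the shapes we worked from (not real client data).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
   1    0011.2233.4455    DYNAMIC     Gi1/0/7
   1    aabb.ccdd.eeff    DYNAMIC     Gi1/0/12
   1    0050.56ab.1234    DYNAMIC     Gi1/0/3
   1    dead.beef.0001    DYNAMIC     Gi1/0/20
"""
DHCP_LEASES = """\
00:11:22:33:44:55 192.168.1.50 office-pc-17
AA:BB:CC:DD:EE:FF 192.168.1.77 cnc-line2
00:50:56:AB:12:34 192.168.1.10 fileserver01
"""
# Device type and OS come from the inventory compiled with the client's technical contact.
INVENTORY = {"office-pc-17": ("PC", "Windows 11"), "cnc-line2": ("CNC machine", "Windows XP"),
             "fileserver01": ("Server", "Windows Server 2022")}
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2003"}  # illustrative list

def norm_mac(mac):
    # Accept Cisco dotted, colon and dash notation; emit aa:bb:cc:dd:ee:ff.
    hexd = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexd) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    # Data rows are "<vlan> <mac> <type> <port>"; the header has no leading number.
    rows = (re.match(r"\s*\d+\s+(\S+)\s+\S+\s+(\S+)", line) for line in text.splitlines())
    return {norm_mac(m.group(1)): m.group(2) for m in rows if m}
def parse_leases(text):
    return {norm_mac(m): (ip, h) for m, ip, h in (line.split() for line in text.splitlines())}

def propose_vlan(dev_type, os_name):
    # Segment policy from the design phase; VLAN 20 for OT is an assumed ID.
    if dev_type in {"PLC", "CNC machine"} or os_name in EOL_OS:
        return "VLAN20_OT"
    if dev_type == "Server":
        return "VLAN30_Servers"
    return "VLAN10_Office"

def build_port_map(mac_table=MAC_TABLE, leases=DHCP_LEASES, inventory=INVENTORY):
    # Join switch port -> MAC -> DHCP lease -> inventory; unmatched ports need a site visit.
    dhcp, rows = parse_leases(leases), []
    for mac, port in parse_mac_table(mac_table).items():
        ip, host = dhcp.get(mac, (None, None))
        dev_type, os_name = inventory.get(host, (None, None))
        vlan = propose_vlan(dev_type, os_name) if dev_type else "VERIFY-ON-SITE"
        rows.append({"port": port, "mac": mac, "ip": ip, "host": host, "vlan": vlan})
    return rows
```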

AI-Assisted Guide Generation and Results

In such comprehensive infrastructure projects, detailed documentation and step-by-step guides are of great importance. To manage the project process and ensure the client’s technical team understood the process, we prepared a guide containing implementation steps and configuration details.

Preparing documentation using traditional methods can be time-consuming. At this point, we leveraged Artificial Intelligence (AI)-assisted tools. Specifically, we sought help from AI to document the configuration steps performed through the Sophos firewall’s GUI. AI analyzed the menus, buttons, and input fields in the interface to generate a draft guide containing step-by-step instructions and screenshots (or textual descriptions).

The client’s technical contact reacted with humor: “AI has arrived, and the old ways are obsolete!” The joke made a real point: AI could indeed be useful in the field and produce tangible results. This AI-generated guide served as a checklist for us throughout the project and also allowed the client’s team to follow the process more closely.

However, we also saw that AI couldn’t do everything. Tasks requiring on-site verification, such as port mapping, analyzing physical connections and inspecting real-time network traffic, were done with human intervention and real data. While AI excels at repetitive and documentation-based tasks, human expertise is still needed for complex decision-making and on-site verification.

As for the project’s results:

  • Increased Security: With the network segmented, the risk of malware spreading significantly decreased. A critical security vulnerability was closed, especially by isolating EOL OT devices.
  • Improved Manageability: Each segment having its own IP range and traffic being centrally controlled simplified network management and troubleshooting.
  • Performance Improvement: Network performance generally improved with the reduction of unnecessary broadcast traffic.
  • Enhanced Compliance: Segmentation marked a significant step towards compliance with industrial security standards.

This project once again demonstrated how risky flat network structures can be for modern business environments and how valuable basic network infrastructure improvements like VLAN segmentation are. The role of AI in this process revealed its potential to increase efficiency in documentation and repetitive tasks.

Lessons Learned and Future Steps

After completing this manufacturing firm project, we learned important lessons both technically and operationally. The challenges encountered in such infrastructure transformation projects and the paths to success will guide us for similar future projects.

One of the most significant lessons is that the hardest part of segmentation is not defining VLANs, but achieving accurate device-to-port mapping. Especially in OT environments, the incompleteness or ambiguity of the device inventory can complicate this process. Combining MAC addresses, LLDP data, DHCP records, and manual inventory information is the key to overcoming this challenge. The meticulousness shown during this process ensures that the network is configured securely and correctly.

Another critical lesson is regarding the management of OT devices with EOL operating systems. These devices are generally unpatchable and pose significant security risks. Instead of trying to “fix” them, isolating them (keeping them in a separate segment and applying strict security rules) is the most realistic and effective strategy. This approach enhances security and prevents disruptions to production processes.

Our lesson regarding the role of AI is quite clear: AI can indeed be useful in the field for generating vendor-specific, step-by-step guides. However, tasks requiring on-site verification, such as port mapping and sequencing, must be done with human expertise and real data. AI can speed up the process and reduce the documentation burden, but the final decision-making and critical checks still fall to humans.

From an operational perspective, we once again saw that such infrastructure transformation projects should be handled as separate projects outside the standard maintenance agreement. Clearly defining the scope, pricing correctly, and managing expectations are important for both the client and the service provider. Infrastructure improvements require separate investment beyond routine maintenance.

As for future steps, building upon this segmentation project, we can plan further steps to enhance network security. These may include more detailed configuration of Intrusion Prevention System (IPS) rules, advanced log analysis, and SIEM (Security Information and Event Management) integration. Furthermore, continuously analyzing inter-segment traffic with network monitoring solutions to detect potential anomalies is also important. This will allow us to continuously monitor the overall health and security of the network.

Mehmet Sarı

Solutions Architect & IT Infrastructure Specialist (MSP)

I work in the areas of solution architecture, networking, server infrastructure, large-scale deployments, and software and system security. On this blog I share technical experiences that have held up in the field.