🚢 Implementing the 3-Zone Network Segmentation Model
The 3-Zone Network Segmentation Model protects a vessel's most critical systems by putting firewalled boundaries between networks of different trust levels. It suits retrofits of existing ships well, because it needs only VLAN-capable switches that are usually already installed and one central firewall acting as the gatekeeper between zones.
The three zones are:
- Operational Technology (OT) Zone: Critical systems (Engine Control, Navigation, Safety). Highest Security.
- Corporate/IT Zone: Business-related systems (Administrative PCs, Servers, ECDIS updates). Medium Security.
- Untrusted Zone: Unsecured/Public systems (Crew/Guest Wi-Fi, Internet access devices). Lowest Security.
Step 1: Define and Isolate Zones using VLANs
The first step is to logically separate the network into the three zones using VLANs (Virtual Local Area Networks) on your existing Layer 2 or Layer 3 switches.
| Zone Name | Example VLAN ID | IP Subnet Range | Security Posture |
|---|---|---|---|
| 1. OT Zone | 10 | 192.168.10.0/24 | Default deny. No internet access. |
| 2. IT Zone | 20 | 192.168.20.0/24 | Controlled access. Limited internet access. |
| 3. Untrusted Zone | 30 | 192.168.30.0/24 | Open. Heavily monitored. |
Configuration Tasks:
- VLAN Creation: Create the three VLANs on your core switch(es).
- Port Assignment: Configure every physical switch port that connects to OT equipment as an access port in VLAN 10. Do the same for IT devices (VLAN 20) and for the Wi-Fi access points serving crew and guests (VLAN 30).
- Uplink to the Firewall: Connect the switch to the central firewall in one of two ways. If the firewall has enough ports, run one access link per zone, each switch port untagged in its VLAN and each landing on its own firewall port. If it does not, configure the switch port facing the firewall as an 802.1Q trunk carrying VLANs 10, 20 and 30, and split the matching firewall interface into tagged sub-interfaces (the router-on-a-stick pattern). In both cases the firewall, not the switch, performs all routing and policy enforcement between zones.
Step 2: Configure the Firewall as the Zone Enforcer
The central security device (the firewall) must present one interface per zone, either a dedicated physical port or a tagged sub-interface on the trunk from the switch. Each interface holds that zone's gateway address, so the firewall becomes the single point of control for all traffic moving between zones.
| Firewall Interface | VLAN Tag | Subnet Gateway Address | Connected Zone |
|---|---|---|---|
| Port 1 (OT) | 10 | 192.168.10.1 | OT Zone |
| Port 2 (IT) | 20 | 192.168.20.1 | IT Zone |
| Port 3 (Untrusted) | 30 | 192.168.30.1 | Untrusted Zone |
| Port 4 (WAN/Uplink) | N/A | (Public IP) | Satellite/Shore Link |
Firewall Configuration Steps (Conceptual):
- Interface Configuration: Assign the appropriate IP addresses (the subnet gateways) and VLAN tags to the corresponding firewall interfaces.
- Default Gateway: Configure every device in VLANs 10, 20 and 30 to use the firewall's interface address for its zone (e.g., 192.168.10.1 for OT hosts) as its default gateway.
- Disable Direct Routing: Crucially, remove the VLAN interfaces (SVIs) for VLANs 10, 20 and 30 from the Layer 3 switch, or disable IP routing on it entirely, so that the switch has no route between zones at all. Switch ACLs are not a substitute: a forgotten or misordered ACL on an SVI silently bypasses the firewall. The firewall must be the only device that can route traffic between zones.
Step 3: Establish Firewall Policies (ACLs)
Once the firewall is the sole router between segments, use its policy engine (the equivalent of advanced ACLs) to enforce a deny-by-default posture and permit only the traffic that is explicitly required.
The policy set rests on two principles: the most trusted zone (OT) is never exposed to the least trusted zone (Untrusted), and traffic from a lower-trust zone into a higher-trust zone is permitted only as a narrow, documented exception pinned to specific source hosts, destinations and ports. Remember that firewalls evaluate rules top-down and stop at the first match, so a narrow permit must never sit beneath a broad deny that already covers it; if it does, it is shadowed and never fires.
| Policy Rule (ACL) | Source Zone | Destination Zone | Service/Port | Action | Rationale |
|---|---|---|---|---|---|
| Rule 1: OT Isolation | Untrusted | OT | ANY | DENY | Guest and crew Wi-Fi never get a path to critical systems. This rule must never acquire exceptions. |
| Rule 2: Admin Access | IT (management jump hosts only) | OT (specific hosts) | SSH/RDP | PERMIT | Authorized maintenance from the jump hosts only, to named OT hosts and ports. All other IT-to-OT traffic falls through to Rule 6. |
| Rule 3: OT No Internet | OT | WAN/Uplink | ANY | DENY | OT systems have no path to the internet, in either direction. |
| Rule 4: Web/Email | IT | WAN/Uplink | HTTP/S, SMTP/POP3 | PERMIT | Business and administrative internet use from the IT zone. |
| Rule 5: Guest Traffic | Untrusted | WAN/Uplink | ANY | PERMIT | Crew/guest internet access, rate-limited and monitored. |
| Rule 6: Default Block | ANY | ANY | ANY | DENY | The final, explicit rule that blocks and logs all traffic not matched above. |
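To make the first-match ordering and the default-deny behaviour concrete, here is an added example (not code from the original post) that models the zone table and the rule set above in Python: hosts are mapped to zones by subnet, rules are evaluated top-down exactly as a firewall does, and a check reports rules that an earlier rule has made unreachable. The jump-host address 192.168.20.5, the OT host 192.168.10.7, the shore address 203.0.113.9 and the port numbers are assumptions for illustration.

```python
"""Added example (not from the original post): the 3-zone policy as an
ordered, first-match rule list, the way a firewall evaluates it.
Zone names, VLANs and subnets follow the tables in this post. The jump
host 192.168.20.5, the OT host 192.168.10.7, the shore address
203.0.113.9 and the port numbers are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass

ANY = "*"

# Step 1 table: zone -> subnet. Any address outside these ranges is treated
# as the WAN/uplink side of the firewall (Port 4 in the Step 2 table).
ZONES = {
    "OT": ipaddress.ip_network("192.168.10.0/24"),         # VLAN 10
    "IT": ipaddress.ip_network("192.168.20.0/24"),         # VLAN 20
    "UNTRUSTED": ipaddress.ip_network("192.168.30.0/24"),  # VLAN 30
}


def zone_of(ip: str) -> str:
    """Map a host address to its zone by subnet membership."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset                       # source zones, or {ANY}
    dst: frozenset                       # destination zones, or {ANY}
    ports: frozenset                     # TCP destination ports, or {ANY}
    action: str                          # "PERMIT" or "DENY"
    src_hosts: frozenset = frozenset()   # optional pin to specific source IPs

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        if ANY not in self.src and zone_of(src_ip) not in self.src:
            return False
        if ANY not in self.dst and zone_of(dst_ip) not in self.dst:
            return False
        if ANY not in self.ports and port not in self.ports:
            return False
        if self.src_hosts and ipaddress.ip_address(src_ip) not in self.src_hosts:
            return False
        return True


def evaluate(policy, src_ip: str, dst_ip: str, port: int):
    """Top-down, first match wins. Returns (action, rule name)."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action, rule.name
    return "DENY", "implicit-deny"  # unreachable once an explicit Default Block exists


def _covers(outer: frozenset, inner: frozenset) -> bool:
    """True if every value matched by `inner` is also matched by `outer`."""
    return ANY in outer or (ANY not in inner and inner <= outer)


def shadowed_rules(policy):
    """Names of rules that can never fire because an earlier rule already
    matches every packet they would match. The classic mistake is a broad
    deny placed above the narrow permit that was meant to be its exception."""
    dead = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            hosts_ok = not earlier.src_hosts or bool(
                later.src_hosts and later.src_hosts <= earlier.src_hosts)
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and _covers(earlier.ports, later.ports) and hosts_ok):
                dead.append(later.name)
                break
    return dead


JUMP_HOSTS = frozenset({ipaddress.ip_address("192.168.20.5")})  # assumed IT-zone jump host

OT_ISOLATION = Rule("OT Isolation", frozenset({"UNTRUSTED"}), frozenset({"OT"}), frozenset({ANY}), "DENY")
ADMIN_ACCESS = Rule("Admin Access", frozenset({"IT"}), frozenset({"OT"}), frozenset({22, 3389}), "PERMIT", JUMP_HOSTS)
OT_NO_INTERNET = Rule("OT No Internet", frozenset({"OT"}), frozenset({"WAN"}), frozenset({ANY}), "DENY")
WEB_EMAIL = Rule("Web/Email", frozenset({"IT"}), frozenset({"WAN"}), frozenset({80, 443, 25, 110}), "PERMIT")
GUEST_TRAFFIC = Rule("Guest Traffic", frozenset({"UNTRUSTED"}), frozenset({"WAN"}), frozenset({ANY}), "PERMIT")
DEFAULT_BLOCK = Rule("Default Block", frozenset({ANY}), frozenset({ANY}), frozenset({ANY}), "DENY")

# Rules 1-6 from the Step 3 table, in table order.
POLICY = [OT_ISOLATION, ADMIN_ACCESS, OT_NO_INTERNET, WEB_EMAIL, GUEST_TRAFFIC, DEFAULT_BLOCK]

# A tempting variant: one broad deny covering both lower zones, placed first.
# It silently kills the jump-host permit beneath it.
BROAD_OT_DENY = Rule("Broad OT Deny", frozenset({"IT", "UNTRUSTED"}), frozenset({"OT"}), frozenset({ANY}), "DENY")
SHADOWED_POLICY = [BROAD_OT_DENY, ADMIN_ACCESS, OT_NO_INTERNET, WEB_EMAIL, GUEST_TRAFFIC, DEFAULT_BLOCK]

if __name__ == "__main__":
    print("dead rules, table order:", shadowed_rules(POLICY))               # []
    print("dead rules, broad deny first:", shadowed_rules(SHADOWED_POLICY))  # ['Admin Access']
    for flow in [("192.168.20.5", "192.168.10.7", 22), ("192.168.20.5", "192.168.10.7", 502),
                 ("192.168.30.44", "192.168.10.7", 443), ("192.168.10.7", "203.0.113.9", 443)]:
        print(flow, "->", evaluate(POLICY, *flow))
```

Two things worth noting from running it: the jump host is permitted on SSH (22) but denied on a Modbus port (502), because the permit is pinned to ports as well as hosts and everything else falls to the Default Block; and `shadowed_rules` on the variant with a broad IT/Untrusted-to-OT deny placed first reports the admin permit as dead, which is exactly the mistake to test for before a rule set goes live on the vessel.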
The Air Gap Concept
In this 3-Zone model, the firewall creates what is often loosely called a logical air gap between the OT Zone and the rest of the ship. It is not a true air gap: a single policy error, an SVI left on the switch, or a compromised firewall bridges it, which is why the policy must be kept minimal and reviewed. Any communication between the IT Zone and the OT Zone must be planned in detail and allowed only for specific, documented purposes (Rule 2). The Untrusted Zone (VLAN 30) has no path at all to the OT Zone (VLAN 10), so guest devices or compromised crew phones cannot reach the vessel's vital controls.
The implementation of these ACLs is crucial, especially when factoring in secure remote access for OT systems, which we cover in detail in another post.