Weekly CISSP Practice
Exam Questions
Week 18 - Question 2
Which technology is best for isolating multiple networks on the same physical hardware?
A. VPN
B. VLAN
C. Subnetting
D. NAT
Answer: B
Explanation:
A. VPN (Virtual Private Network)
A VPN creates an encrypted "tunnel" over an untrusted network (like the internet).
The Goal: It provides Confidentiality and Integrity for data in transit between two points (e.g., a remote worker and the corporate office).
The Distinction: While a VPN isolates traffic from eavesdroppers, it is not used to carve up a physical switch into multiple independent networks. It is a tool for connection, not local hardware partitioning.
B. VLAN (Virtual Local Area Network)
A VLAN is a Layer 2 (Data Link Layer) technology used to partition a physical switch into multiple logical networks.
Why it's the Answer: Without VLANs, every device plugged into a switch shares one broadcast domain and can "see" every other device's broadcast traffic. By assigning each access port to a VLAN, and carrying several VLANs between switches over 802.1Q-tagged trunk links, the switch keeps the "Finance VLAN" and the "Guest VLAN" in separate broadcast domains even though both are plugged into the same physical box. The switch will not forward frames between the two VLANs, so a Finance computer and a Guest computer cannot talk to each other directly at Layer 2.
Security Benefit: VLANs limit how far a sniffer can see and contain the impact of broadcast storms. To get from one VLAN to another, traffic must pass through a Layer 3 device (a router or a multilayer switch), and that is where security policy (ACLs or a firewall) is applied. The isolation is only as strong as the switch configuration, however: trunk ports, the native VLAN, and unused ports need to be locked down, or a host may be able to negotiate itself into a trunk or slip tagged frames onto a VLAN it does not belong to.
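The following is an added example, not configuration from the original page: a Cisco IOS-style switch configuration that carves one physical switch into a Finance VLAN and a Guest VLAN, carries both over an 802.1Q trunk, and enforces the inter-VLAN policy with an ACL on the Layer 3 interface, as the explanation above describes. VLAN IDs, names, port numbers and the 192.168.10.0/24 and 192.168.20.0/24 addresses are assumed for illustration.

```cisco
! Added example (not from the original page). Assumed VLAN IDs, port ranges
! and addresses; adjust to the platform and addressing plan in use.
!
! 1. Define the VLANs: two Layer 2 broadcast domains on the same hardware,
!    plus an unused VLAN that serves as the trunk native VLAN and as a
!    parking VLAN for unused ports.
vlan 10
 name FINANCE
vlan 20
 name GUEST
vlan 999
 name UNUSED
!
! 2. Access ports: each port belongs to exactly one VLAN. Frames on these
!    ports are untagged; the switch tracks VLAN membership by port.
!    "switchport nonegotiate" turns off DTP so a host cannot negotiate the
!    port into a trunk.
interface range GigabitEthernet1/0/1 - 12
 description Finance workstations
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface range GigabitEthernet1/0/13 - 24
 description Guest / visitor ports
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! 3. Uplink trunk: this is where 802.1Q tags are used so that both VLANs
!    share one link while staying separate. The native VLAN is an unused
!    one, so an untagged frame on the trunk cannot land in Finance or Guest,
!    and only the VLANs actually needed are allowed across it.
!    (The encapsulation line is required on platforms that also support ISL.)
interface GigabitEthernet1/0/48
 description 802.1Q trunk to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! 4. Layer 3 enforcement point (multilayer switch): one SVI per VLAN, each
!    with its own subnet. The ACL on the Guest gateway blocks Guest -> Finance
!    while still letting guests out to the Internet.
ip routing
!
ip access-list extended GUEST-IN
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
interface Vlan10
 description Finance gateway
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 description Guest gateway
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
!
! 5. Unused ports: shut them and park them in the unused VLAN so a stray
!    patch cable cannot quietly join VLAN 1 or a production VLAN.
interface range GigabitEthernet1/0/25 - 47
 description Unused
 switchport mode access
 switchport access vlan 999
 shutdown
```

Two points worth noticing: the Finance and Guest hosts are separated by the VLAN assignment in step 2, not by their IP addresses, so a guest who changes their IP to 192.168.10.x is still stuck in VLAN 20; and the only path between the VLANs is the SVI pair in step 4, which is the single place the GUEST-IN policy has to be enforced.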
C. Subnetting
Subnetting is a Layer 3 (Network Layer) technique used to divide a large IP address block into smaller, manageable pieces.
The Mechanism: It uses a Subnet Mask to define which part of an IP address is the network ID and which is the host ID.
The Limitation: Subnetting provides logical organization, but it does not isolate anything on its own. If two subnets share the same Layer 2 segment (for example, one switch with no VLANs), a user can simply change their IP address and subnet mask by hand to "move" into the other subnet, because the switch will still deliver their frames. VLANs supply the port-level enforcement at the switch that subnetting lacks; in practice the two are used together, one subnet per VLAN.
D. NAT (Network Address Translation)
NAT is a method of remapping one IP address space into another while packets are in transit across a traffic routing device.
The Goal: It is primarily used to conserve IPv4 addresses by letting an entire private network share a single public IP address.
The Distinction: NAT hides the internal addressing scheme from the outside, which is obscurity rather than a real security control, and it does nothing to separate internal networks from each other on the same switch hardware.
Key Takeaway for the CISSP Exam
Segmentation Levels:
- Physical Isolation: Using separate switches and cabling for different networks; taken to the extreme, with no connection between them at all, this is an air gap.
- Logical Isolation (VLANs): Using a single switch but logically separating ports at Layer 2.
- Logical Organization (Subnetting): Grouping IP addresses at Layer 3.
- Note: For the strongest answer on the exam, combine VLANs at Layer 2 with firewall or ACL enforcement at the Layer 3 boundary between them. Micro-segmentation extends this same idea down to individual workloads or hosts rather than whole VLANs.
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics for each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.