Public-Access System Separation
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Decide which devices belong on which network and system. Manufacturing equipment should be on its own network; so should office systems, guest networks, and web servers.
Example
The head of recruiting at your company wants to launch a website to post job openings and allow the public to download an application form [a]. After some discussion, your team realizes it needs to use a firewall to create a perimeter network to do this [b]. You host the server separately from the company’s internal network and make sure the network on which it resides is isolated with the proper firewall rules [b].
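One way to make the separation in the practice and the example checkable is to write the firewall policy down as data and audit it. The Python below is an added example, not part of the practice text: it models an internet zone, a perimeter (DMZ) network holding the public web server, and office, manufacturing and guest networks with a default-deny rule set, evaluates sample flows against that rule set, and flags any rule that would let the public-facing zone initiate connections into a protected zone. All zone names and address ranges are constructed for the example (RFC 1918 and documentation ranges), not taken from any real deployment.

```python
"""Added example: model a perimeter network policy and audit it for
public-access separation (NIST SP 800-171 3.13.5 style). All zones,
address ranges and rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones. "internet" is the catch-all; zone_of() picks the
# most specific prefix, so the RFC 1918 / documentation ranges win.
ZONES = {
    "internet":      ipaddress.ip_network("0.0.0.0/0"),
    "dmz":           ipaddress.ip_network("192.0.2.0/24"),   # public web server lives here
    "office":        ipaddress.ip_network("10.10.0.0/16"),
    "manufacturing": ipaddress.ip_network("10.20.0.0/16"),
    "guest":         ipaddress.ip_network("10.30.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    src: str              # source zone name
    dst: str              # destination zone name
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"

# First-match policy; anything not matched is dropped (default deny).
# Note there is deliberately no rule from "dmz" into office or manufacturing:
# a compromised web server must not be able to open connections inward.
POLICY = [
    Rule("internet", "dmz", 443, "allow"),      # public reaches the job site
    Rule("internet", "dmz", 80, "allow"),       # plain HTTP (redirects to 443)
    Rule("office", "dmz", 22, "allow"),         # admins manage the web server
    Rule("office", "internet", None, "allow"),  # office browsing outbound
    Rule("guest", "internet", None, "allow"),   # guests get internet only
]

def zone_of(ip: str) -> Optional[str]:
    """Return the most specific zone containing ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

def is_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Evaluate a new connection attempt against POLICY (first match wins)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action == "allow"
    return False  # default deny

def separation_violations(policy, public_zone="dmz",
                          protected=("office", "manufacturing")):
    """Audit: list allow rules that let the public-facing zone initiate
    connections into a protected internal zone. An empty list means the
    perimeter network is isolated as the practice requires."""
    return [r for r in policy
            if r.action == "allow" and r.src == public_zone and r.dst in protected]

if __name__ == "__main__":
    # Constructed sample flows: internet client, DMZ web server, office host, PLC.
    checks = [
        ("203.0.113.5", "192.0.2.10", 443),   # public -> web server: allow
        ("192.0.2.10", "10.10.1.5", 445),     # web server -> office: deny
        ("203.0.113.5", "10.20.1.5", 502),    # public -> manufacturing: deny
        ("10.10.1.5", "192.0.2.10", 22),      # admin -> web server: allow
    ]
    for src, dst, port in checks:
        print(f"{src}({zone_of(src)}) -> {dst}({zone_of(dst)}):{port} "
              f"{'ALLOW' if is_allowed(src, dst, port) else 'DENY'}")
    print("separation violations:", separation_violations(POLICY))
```

The audit function is the part worth keeping in a real environment: export the production rule set into the same zone/rule shape and run `separation_violations` over it as a scheduled check, so a rule added later that opens the perimeter network toward internal or manufacturing segments is caught rather than discovered during an assessment.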
References
- NIST SP 800-171r2 3.13.5, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
- ANSI/ISA-62443-3-2-2020 4.4.2
- NIST SP 800-82r3 6.2.1.1 Logical Access Controls, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
- ANSI/ISA-62443-3-2-2020 4.7.5