Network segmentation or compartmentalization, and layered protection are two strategies that are critical in building a secure network. In the literature, layered protection has been formalized and termed as the Defence in Depth (DD) strategy. However, network segmentation has been described vaguely, and without any formal approach, thus making the secure design of large networks unwieldy. In this paper, we formally define network segmentation using a formalism based on product family algebra and guarded commands. Then we propose two algorithms that take a set of resources and their access control policies as input and output a robust network topology and the policies of its firewalls. The firewall policies are computed based on the network segmentation formalism and are strategically placed in the network to achieve DD. Further, we use the proposed algorithms to build Software Defined Networks (SDN) and discuss its use in dynamic networks and Internet of Things.

网络分段或隔离以及分层保护是构建安全网络至关重要的两种策略。在文献中，分层保护已被形式化并称为深度防御（DD）策略。但是，网络分段已经被模糊地描述，并且没有任何正式的方法，因此使得大型网络的安全设计变得笨拙。在本文中，我们使用基于产品族代数和受保护命令的形式化形式正式定义网络分段。然后，我们提出了两种算法，它们以一组资源及其访问控制策略作为输入，并输出一个健壮的网络拓扑及其防火墙策略。防火墙策略是基于网络分段形式来计算的，并且在策略上放置在网络中以实现DD。进一步，