The narrowin Segmentation Toolbox is a browser-based planning environment for network segmentation. It includes tools for zone planning, VLAN design, communication matrix, IPAM, operating model and roadmap. No installation required, all data stored locally in the browser.
Network segmentation is one of the most effective measures for OT and IT security. But planning is complex: defining zones, assigning VLANs, documenting communication relationships, deriving firewall rules, while simultaneously developing an operating model, responsibilities and a realistic implementation roadmap. Often this is done in Excel or Visio – tools that were not designed for this purpose.
The toolbox covers the entire planning process: from technical network design to the organizational operating model and implementation roadmap.
Technical planning: zones, VLANs, subnets, communication relationships and firewall ruleset.
From analysis to implementation: structured planning with timeline, prioritization and work packages.
Zone planning, communication matrix, roadmap, operating model. Click through and explore.
Simplified example with 8 Purdue zones. In the toolbox you can define any number of zones, rules and protocols. Click a cell for details, or hover over a zone name for associated VLANs.
| L0 Process | L1 Control | L2 Supervisory | L3 Site Ops | DMZ | L4 Campus | L5 Data Center | MGMT |
|---|---|---|---|---|---|---|---|
Runs entirely in the browser. No installation, no server, no account required.
All data stays in the browser (localStorage). Nothing is sent to a server.
Purdue Model, Enterprise Campus, Hospital IT/OT and other industry-specific templates.
Export zones, VLANs and matrix as JSON, PDF or structured report.
Import firewall configurations and automatically analyze rulesets.
Fully bilingual. Switch language at any time, data is preserved.
Most segmentation projects don't start on a greenfield. They start in networks with legacy VLANs, undocumented communication paths, and inherited firewall rules. The Toolbox is built for exactly that: not as a greenfield designer, but as a planning tool that takes the existing environment seriously.
Config import reads existing firewall rules, interfaces, and zones. The VLAN Planner documents the current structure. Explorer data adds topology and port context.
Security Zones map segments to Purdue levels. The communication matrix defines allowed transitions. IPAM and operating model give the target architecture structure.
The Roadmap Planner translates the target into waves with maintenance windows, responsibilities, and dependencies – no big bang, but controlled packages.
See what a configuration analysis looks like in practice on the Firewall Rule Cleanup project page.
Template «Network Security & Resilience» with 34 work packages in 8 categories, fully editable in the toolbox. Here is an excerpt.
The complete Segmentation Toolbox with all planning, operations and roadmap tools. Browser-based, login required.
Available without login
Try three tools directly in the browser, no registration required:
VLAN Planner · Subnet Calculator · Communication Matrix

Network segmentation is often treated as a pure infrastructure project: create VLANs, write firewall rules, done. In practice, segmentation projects rarely fail due to technology. The biggest hurdles are organizational: Who defines the zones? Who approves communication relationships? What happens when a new device joins the network? Without clear responsibilities, processes and an operating model, segmentation remains a one-time project that becomes outdated within a few months.
IT and OT have fundamentally different priorities: IT optimizes for confidentiality (CIA), OT for availability (AIC). When both worlds coexist on the same network, different patch cycles, responsibilities and risk appetites collide. Convergence therefore requires not only a technical zone model, but a shared governance framework with aligned processes for change management, incident response and asset ownership across organizational boundaries.
A complete segmentation concept typically comprises 30+ work packages over multiple quarters: from network documentation through zone design and firewall cleanup to NAC, monitoring and compliance. A realistic plan prioritizes by risk and effort (quick wins first), defines clear phases and tracks progress per category, not just per quarter. That is exactly what we built the Roadmap Planner in the toolbox for.
Yes. Segmentation is not a state, but an ongoing process. New devices, changed communication requirements, firmware updates – all of this requires regular review and adjustment of zones, VLANs and firewall rules. Without defined roles (who may change rules?), processes (how is a new VLAN requested?) and a RACI matrix, segmentation gets bypassed or ignored in day-to-day operations. That is why the toolbox includes a dedicated operating model section.
The zone model defines what is separated (e.g. Purdue levels, DMZ, management). The communication matrix defines which zones may communicate with each other and with what restrictions. From this, concrete firewall rules are derived: protocols, ports, direction. These three layers should be planned consistently, not in isolation. In the toolbox they are linked: zone changes automatically update the matrix, and the matrix can be exported as a firewall ruleset.
Brownfield is the norm. Most networks have organically grown VLAN structures, undocumented communication relationships and legacy firewall rules. The first step is an as-is assessment: Which VLANs exist? Which devices communicate where? Which rules are still active and relevant? The toolbox supports this entry point with Config Import (import firewall rulesets) and the VLAN Planner (document existing structure and gradually transition it into a zone model).
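The two preceding answers describe the same chain from two ends: zone model and communication matrix feed a derived firewall ruleset, and in a brownfield network the existing ruleset is then checked against that matrix. The script below is an added example written for this page; it is not code from the narrowin toolbox. It uses the eight Purdue zone names from the matrix above, but the protocols, ports, hit counters and the legacy rules are constructed sample values, and the one policy check it enforces (enterprise levels must not reach OT levels except through the DMZ) is an illustrative rule, not the toolbox's own logic.

```python
"""Derive a firewall ruleset from a zone model plus communication matrix,
then audit a legacy (brownfield) ruleset against the matrix.

Added example for illustration; not part of the narrowin toolbox.
Zone names follow the Purdue matrix on the page; everything else is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Zone model: what is separated. Purdue level per zone; the DMZ sits between
# site operations (L3) and the enterprise (L4). MGMT is out-of-band and has no
# level, so it is excluded from the IT/OT crossing check below.
ZONES: Dict[str, Optional[float]] = {
    "L0 Process": 0, "L1 Control": 1, "L2 Supervisory": 2, "L3 Site Ops": 3,
    "DMZ": 3.5, "L4 Campus": 4, "L5 Data Center": 5, "MGMT": None,
}


@dataclass(frozen=True)
class Allow:
    """One cell of the communication matrix: src zone -> dst zone, restriction."""
    src: str
    dst: str
    proto: str
    port: int


# Communication matrix (constructed sample): which zones may talk, and how.
MATRIX: List[Allow] = [
    Allow("L2 Supervisory", "L1 Control", "tcp", 502),    # Modbus/TCP polling
    Allow("L3 Site Ops", "L2 Supervisory", "tcp", 4840),  # OPC UA
    Allow("L3 Site Ops", "DMZ", "tcp", 443),              # historian relay into DMZ
    Allow("L4 Campus", "DMZ", "tcp", 443),                # enterprise reads from DMZ
    Allow("MGMT", "L2 Supervisory", "tcp", 22),           # out-of-band admin
]


def crosses_it_ot(src: str, dst: str, zones: Dict[str, Optional[float]] = ZONES) -> bool:
    """True if a relationship goes directly between enterprise (>= L4) and OT (<= L3).
    The DMZ (3.5) is neither side, so paths that terminate there are fine."""
    s, d = zones.get(src), zones.get(dst)
    if s is None or d is None:
        return False
    return (s >= 4 and d <= 3) or (d >= 4 and s <= 3)


def validate_matrix(matrix: List[Allow], zones: Dict[str, Optional[float]] = ZONES) -> List[str]:
    """Policy findings for the matrix itself: unknown zones and direct IT/OT crossings."""
    findings = []
    for a in matrix:
        if a.src not in zones or a.dst not in zones:
            findings.append(f"unknown zone in {a.src} -> {a.dst}")
        elif crosses_it_ot(a.src, a.dst, zones):
            findings.append(f"direct IT/OT path {a.src} -> {a.dst} bypasses the DMZ")
    return findings


def derive_ruleset(matrix: List[Allow]) -> List[dict]:
    """Each matrix entry becomes one allow rule (protocol, port, direction);
    an explicit default deny closes the ruleset."""
    rules = [{"id": i + 1, "src": a.src, "dst": a.dst, "proto": a.proto,
              "port": a.port, "action": "allow"} for i, a in enumerate(matrix)]
    rules.append({"id": len(rules) + 1, "src": "any", "dst": "any",
                  "proto": "any", "port": 0, "action": "deny"})
    return rules


# Legacy ruleset as a config import might yield it (constructed sample).
# "hits" stands in for the counter a firewall reports per rule.
LEGACY_RULES: List[dict] = [
    {"name": "scada-poll", "src": "L2 Supervisory", "dst": "L1 Control", "proto": "tcp", "port": 502, "hits": 91234},
    {"name": "old-hmi-vnc", "src": "L4 Campus", "dst": "L2 Supervisory", "proto": "tcp", "port": 5900, "hits": 0},
    {"name": "vendor-any", "src": "L4 Campus", "dst": "L3 Site Ops", "proto": "any", "port": 0, "hits": 17},
    {"name": "hist-backup", "src": "L3 Site Ops", "dst": "L2 Supervisory", "proto": "tcp", "port": 445, "hits": 40},
    {"name": "oob-ssh", "src": "MGMT", "dst": "L2 Supervisory", "proto": "tcp", "port": 22, "hits": 310},
]


def audit_legacy(legacy: List[dict], matrix: List[Allow],
                 zones: Dict[str, Optional[float]] = ZONES) -> Dict[str, List[str]]:
    """Sort each legacy rule into exactly one bucket:
    covered      - matches a matrix entry, keep
    stale        - not in the matrix and never hit, candidate for removal
    violation    - in use and crosses IT/OT directly, needs a DMZ redesign
    undocumented - in use, within OT, but missing from the matrix: document or remove
    """
    allowed = {(a.src, a.dst, a.proto, a.port) for a in matrix}
    result: Dict[str, List[str]] = {"covered": [], "stale": [], "violation": [], "undocumented": []}
    for r in legacy:
        if (r["src"], r["dst"], r["proto"], r["port"]) in allowed:
            result["covered"].append(r["name"])
        elif r["hits"] == 0:
            result["stale"].append(r["name"])
        elif crosses_it_ot(r["src"], r["dst"], zones):
            result["violation"].append(r["name"])
        else:
            result["undocumented"].append(r["name"])
    return result


if __name__ == "__main__":
    print("matrix findings:", validate_matrix(MATRIX))
    for rule in derive_ruleset(MATRIX):
        print(rule)
    print("legacy audit:", audit_legacy(LEGACY_RULES, MATRIX))
```

The audit deliberately puts stale rules ahead of the policy check: a rule with zero hits is removed regardless of what it would allow, while a rule that is in use and crosses IT/OT is the kind of finding that becomes a roadmap work package (introduce a DMZ relay, then retire the direct path) rather than a one-line cleanup.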