It's almost as if, at some size, a company's "internal" network should be considered no more secure than the internet itself. Defense at the perimeter only is flawed, especially when the perimeter is the only thing protecting cash registers that update with unsigned firmware. One wouldn't connect such a client directly to the internet, so neither should one connect it directly to a network shared by millions of devices at 1700 stores.
ACLs don't go far enough. You need an air gap. Chances of ACL/VLAN configuration failures are higher than someone purposely connecting a patch cable between networks.
What does this mean? Do you envision Target leasing dark fiber to connect all their stores, even those that aren't within ten miles of a POP? Because that isn't going to happen, for reasons, and without it they can't eliminate VLANs at some level. It's more practical to realize that VLAN configs should be regularly updated and tested.
> Do you envision Target leasing dark fiber to connect all their stores, even those that aren't within ten miles of a POP?
Do you remember the days of T1s and private lines? You can actually get a dry loop (a DSL line with no service, just twisted pair between two points) for $50-100/month depending on the distance between termination points. I'm not suggesting we go back to that level of network segregation though for branch offices.
The intention of my comment was to communicate that when an outside vendor needs internet access for remote access/control/etc, you provide it to them via a separate physical network. In this case, it could have been a separate switch with a DSL or LTE connection.
PCI standards don't require a separate payments-only network, but would you put remotely accessed gear on your internal network if it was handling payments data? Target liability is estimated at ~$450 million and climbing.
> It's more practical to realize that VLAN configs should be regularly updated and tested.
I agree with this point. The reality is, it rarely happens as often as it should, if at all. If your policy isn't enforced programmatically and with checks/balances, it doesn't exist.
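The "enforced programmatically" point above, as an added example that is not part of the thread: a Python check over a constructed Cisco-style switch config that flags any trunk able to carry both the POS VLAN and the vendor remote-access VLAN, which is the "separate physical path" rule argued for upthread. The VLAN IDs, interface names and config text are assumptions for the example.

```python
# Hypothetical VLAN IDs for this check (assumed, not from the thread).
POS_VLAN = 100      # cash registers / payment terminals
VENDOR_VLAN = 200   # third-party remote-access gear

def expand_vlan_list(spec):
    """Expand '100,200,300-305' into a set of VLAN IDs (simple form only)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans
def parse_config(text):
    """Collect mode and allowed VLANs per interface from a Cisco-style config."""
    interfaces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "mode": "access", "allowed": None}
            interfaces.append(cur)
        elif cur is None:
            continue
        elif line.startswith("switchport mode "):
            cur["mode"] = line.split()[-1]
        elif line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = expand_vlan_list(line.split()[-1])
    return interfaces
def check_segmentation(interfaces):
    """One violation per trunk that can carry both VLANs; an unrestricted trunk counts."""
    violations = []
    for itf in (i for i in interfaces if i["mode"] == "trunk"):
        carried = itf["allowed"] if itf["allowed"] is not None else {POS_VLAN, VENDOR_VLAN}
        if POS_VLAN in carried and VENDOR_VLAN in carried:
            why = "allows all VLANs" if itf["allowed"] is None else "allows both VLANs"
            violations.append(f"{itf['name']}: trunk {why} {POS_VLAN} and {VENDOR_VLAN}")
    return violations
# Constructed sample config; not a real store configuration.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet1/0/23
 switchport mode trunk
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300-305
"""

if __name__ == "__main__":
    for v in check_segmentation(parse_config(SAMPLE_CONFIG)):
        print("VIOLATION", v)
```

Run against the real running configs on a schedule and fail the job on any violation, so the policy is checked every time rather than when someone remembers.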
> I'm not suggesting we go back to that level of network segregation though for branch offices.
We agree! My point was just that, even if there are physically separate networks within the store (and who knows, that might make sense in some cases...) all of those networks will connect in some fashion to the internet, so the air gap doesn't really exist. You can eliminate some onsite vlan'ing by running more cable, but as long as Target wants to be able to administer cash registers from far away, they'll need some sort of VPN setup, and you're right back where you started.