cbumatay
What is the best way to segment several workstations?

Simply put... I'd like to take 2-3 workstations (Secret) and set them in their own subnet (ex. 10.10.1.###) while the rest of the workstations (Agency) remain on the subnet (ex. 192.168.1.###).
How would I grant Secret subnet access to network resources, dir shares, etc.?

Thanks in advance
Bryant Schaper

Layer 3 switch and VLANs will do it.
You can put Secret on its own VLAN, but they will still need access to the server(s), would probably still be in Active Directory, and you would probably want to firewall them off from the rest of the network. What are you trying to protect against?
cbumatay (ASKER)
kevinhsieh,
The reason I want to protect this group (HR) is for security reasons.
  • Users searching and attempting to access HR
  • If our main network is compromised w/ virus, malware, etc., decrease the probability HR will be compromised
I was wondering if I'd need to place a firewall in between the networks.
Where is the HR data located? I would expect that it would be on the server, in which case there isn't much of value on the workstations themselves.
ASKER CERTIFIED SOLUTION
Bryant Schaper
The point above about using a firewall to segment is legitimate; however, if you are worried about higher-level threats/attacks as you mention (malware, etc.), you will need to consider licensing IDS/IPS, AV/TM and maybe even DLP on the firewall as well. Maybe anti-bot or identity management? These are going to push you toward some type of UTM firewall with protections up to layer 7 and not just the base layer 3/4 protections.
Good point atlas, I just got so used to buying UTM/NGFW firewalls that I should have been more clear.
No worries - it's easy when you're doing it day in, day out.
Bryant Schaper & atlas,
Yes, I would buy a UTM firewall as well.  That is the type of firewall I purchase along with all the Security licenses/subscriptions.
Currently, the HR data is on the only fileserver on site.  I do plan to move their data to a single server that will be dedicated to HR.
SOLUTION
A firewall can't distinguish between a user in Sales accessing HR data vs. Sales data on a file server. A firewall would at most be able to see that it was Jane in Sales, but not what was being accessed on the server. Protecting that is a function of the server.
Actually, DLP can add mitigation for the above scenario.  Granted, it isn't complete and only acting in one slice of the network but to say that the firewall running DLP would not be able to mitigate at all based on RBAC, etc. is incorrect.  That said, it is also not something that a device purchased at BB or WM is going to be able to accomplish.
Plus, putting the servers on their own VLAN does provide some flexibility as well. While maybe you cannot control who in HR is accessing which files, you can control the protocols that talk to it, such as SMBv3 only, RDP, etc. It would provide a barrier to protect the server from malware originating from the HR users and a USB drive.
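The inter-VLAN policy described in this thread (Secret/HR workstations on 10.10.1.0/24, Agency workstations on 192.168.1.0/24, servers on their own VLAN reachable only over the protocols you choose, with the router or firewall denying everything else) can be written down and checked before it is typed into a switch or UTM. The following is an added example written for this page, not code from the thread or from any vendor: a small Python model of a first-match, default-deny ACL between the VLANs. The server VLAN 10.10.2.0/24, the domain controller at 10.10.2.10, and the sample flows are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing. HR and Agency subnets follow the thread; the
# server VLAN and the domain controller address are assumptions.
HR_NET = ipaddress.ip_network("10.10.1.0/24")        # "Secret" workstations
AGENCY_NET = ipaddress.ip_network("192.168.1.0/24")  # the rest of the workstations
SERVER_NET = ipaddress.ip_network("10.10.2.0/24")    # assumed dedicated server VLAN
DC_HOST = ipaddress.ip_network("10.10.2.10/32")      # assumed domain controller

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty = any destination port
    action: str         # "allow" or "deny"

def rule(name, src, dst, proto="any", dports=(), action="allow"):
    return Rule(name, src, dst, proto, frozenset(dports), action)

# Inter-VLAN policy: first match wins, implicit deny at the end.
# More specific rules (single hosts) go before broader subnet rules so a
# broader rule cannot shadow them.
POLICY = [
    # HR stays in Active Directory: DNS, Kerberos, LDAP(S), SMB to the DC
    rule("hr-to-domain-controller", HR_NET, DC_HOST, "any", {53, 88, 389, 445, 636}),
    # HR reaches the file server only over SMB and RDP
    rule("hr-to-file-server", HR_NET, SERVER_NET, "tcp", {445, 3389}),
    # Agency users keep SMB access to the server VLAN
    rule("agency-to-file-server", AGENCY_NET, SERVER_NET, "tcp", {445}),
    # Explicit deny so Agency -> HR attempts are named (and loggable),
    # instead of disappearing into the implicit deny
    rule("block-agency-to-hr", AGENCY_NET, HR_NET, action="deny"),
]

def decide(src_ip, dst_ip, proto, dport, policy=POLICY):
    """Return (action, rule_name) for one flow under first-match semantics."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in policy:
        if src not in r.src or dst not in r.dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action, r.name
    return "deny", "implicit-deny"

def audit(flows, policy=POLICY):
    """Evaluate a list of (src, dst, proto, dport) flows; handy for reviewing
    a ruleset against the traffic you expect before deploying it."""
    return [(f, decide(*f, policy=policy)) for f in flows]

if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    sample = [
        ("10.10.1.20", "10.10.2.5", "tcp", 445),     # HR -> file server SMB
        ("10.10.1.20", "10.10.2.10", "udp", 53),     # HR -> DC DNS
        ("10.10.1.20", "10.10.2.5", "tcp", 22),      # HR -> server SSH (not allowed)
        ("192.168.1.33", "10.10.1.20", "tcp", 445),  # Agency -> HR workstation
        ("10.10.1.20", "192.168.1.33", "tcp", 445),  # HR -> Agency workstation
    ]
    for flow, (action, name) in audit(sample):
        print(f"{flow[0]:>14} -> {flow[1]:<12} {flow[2]}/{flow[3]:<5} {action:5} ({name})")
```

The last sample flow is the point raised later in the thread: HR can reach shares on the Agency side only if a rule says so, otherwise the implicit deny applies, which is what turns the VLAN boundary into a place where every permitted protocol is explicit and everything else is visible as a denied attempt.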
SOLUTION
Wow, great knowledge sharing everyone.  Thanks!!!
Would it be difficult for our Cloud Backup solution to access and back up the HR server?
HR being segmented would still have access to other network shares on the other side of the VLAN?
I was thinking of Solution 4 that Lansing Nye-Madden recommended.
Yes, HR would have access to whatever you want, the difference is that you are now monitoring the traffic and protocols in use.