Network segmentation is gaining popularity as a cybersecurity defense in response to the escalation of cyber-attacks. The process of splitting your network into different subnetworks can strengthen your security defenses and even boost performance. But it’s not a task to be taken lightly. Segmenting your network is a major project and an entirely different way of managing your network.
A great deal of time and planning should go into your segmented network design. Here are some network segments that you may want to consider as part of that design.
Segmented Network Design
- External Network. This is a pretty clear segmentation – what is outside is in the public Internet and what is inside is on the private Local Area Network (LAN).
- Demilitarized Zones (DMZs). A DMZ is a subnetwork that contains and exposes an organisation's externally facing services (e.g., email and web servers) to the Internet. It adds a level of security because it restricts access into the internal LAN from the public Internet.
- Guest / Wireless Network. It’s commonplace for organisations of all types to provide Internet access for their guests, but there is no reason for that traffic to reach your internal systems.
- IT Management Network. Isolate the administrative workstations that are used to manage the network from the workstations used for non-admin work (e.g., email, web browsing, Office applications).
- Server Networks. Keep servers for distinct functions (e.g., human resources, marketing, finance) that have no technical or functional reason to talk to each other in separate segments.
- VoIP Networks. Phone systems can be segmented off.
- Security Networks. It’s important to protect management devices (e.g., IDS/IPS consoles, syslog servers, backup servers) from compromise, so this is a great segment to create. A typical attack will compromise security tools so that they no longer function as expected. Backup servers are especially important given the prevalence of ransomware.
- Physical Security Systems. Segmenting off systems that monitor (e.g., camera systems) or control access (e.g., ID card scanners) is important because if a hacker can get control of them, they can move freely throughout your facility.
- Industrial Control Systems. The Target breach succeeded in large part because the refrigeration systems, compromised through a phishing attack on the vendor who serviced those systems remotely, weren’t segmented from the POS systems or the rest of Target’s internal corporate network. Segmenting industrial and physical plant control systems from the rest of the network is critical.
Methods of Network Segmentation
There are two basic methods for segmenting your network: physical and virtual. Physical segmentation is the most secure method, but it is also the most difficult. In this method each segment must have its own Internet connection, physical wiring, and firewall.
Virtual segmentation is far more popular and easier to implement. In this method, firewalls are shared and switches manage the virtual local area network (VLAN) environment. You can also isolate hosts from each other within a VLAN (a private VLAN) or build networks defined in virtualisation software (e.g., VMware). It’s worth noting, however, that VLANs are no longer accepted as a compliant segmentation methodology by the PCI-DSS (Payment Card Industry Data Security Standard).
Moving to the “Cloud” is also a type of segmentation because you’re moving selected infrastructure outside your internal LAN and giving someone else management responsibility over it. There is typically no communication between your internal LAN and that cloud environment except through authentication to a web application or some other management application, or via a dedicated VPN or physical circuit with firewalls on each side of the connection. Obviously, this is very popular right now.
While using a third party has a lot of great benefits, it does introduce new risk factors that come with ceding control over your data and possibly critical aspects of your infrastructure. That’s why you should spend more time and energy monitoring these vendors and doing your due diligence. And in many regulated industries, even if you are using a third party, your organisation is still ultimately responsible for keeping your data secure. You can outsource functions, but never accountability or risk.
A Trust Relationship
Ultimately, a good way to think about your network is that it’s a set of trust relationships. If you have a flat network, you’re saying that all the machines can trust (and communicate with) each other. When segmenting your network, put careful consideration into which hosts require the ability to communicate. Segmenting doesn’t mean you can’t create routes between segments, but it does mean that planning and management efforts will increase. If hosts don’t require the ability to communicate, then consider segmentation to protect sensitive data and functions, increase the performance of critical network services, and make it harder for attackers to navigate and achieve their goals.
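Treating the network as a set of trust relationships can be made concrete by writing the permitted inter-segment flows down as an explicit default-deny allow-list and asking two questions of it: does an observed flow violate the policy, and how far could an attacker who holds one segment spread through the permitted paths? The following Python is an added example, not code from the original article; the segment names follow the design list above, while the policy and the observed flows are constructed for illustration.

```python
from collections import deque

# Segments from the article's design list, plus the public Internet.
SEGMENTS = {"internet", "dmz", "guest", "it_mgmt", "servers", "voip",
            "security", "phys_sec", "ics"}

# Constructed allow-list of (source, destination) pairs that may initiate
# traffic; anything not listed is denied (default deny between segments).
SEGMENTED_POLICY = {
    ("internet", "dmz"),      # the public reaches only externally facing services
    ("dmz", "servers"),       # web tier talks to its back-end servers
    ("guest", "internet"),    # guests get Internet access and nothing internal
    ("it_mgmt", "servers"), ("it_mgmt", "security"), ("it_mgmt", "voip"),
    ("it_mgmt", "phys_sec"), ("it_mgmt", "ics"),   # admin workstations only
    ("servers", "security"),  # hosts ship logs and backups to the security tools
    ("voip", "servers"),
}

# A flat network: every segment trusts, and can reach, every other one.
FLAT_POLICY = {(a, b) for a in SEGMENTS for b in SEGMENTS if a != b}

def is_allowed(policy, src, dst):
    """Default-deny check for a single inter-segment flow."""
    return src == dst or (src, dst) in policy

def reachable_from(policy, start):
    """Segments an attacker holding `start` can reach by following allowed
    flows transitively (each hop is assumed to yield a new foothold)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in policy:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def audit(policy, observed_flows):
    """Return the observed (src, dst) flows the policy does not permit."""
    return sorted(f for f in observed_flows if not is_allowed(policy, *f))

if __name__ == "__main__":
    # Constructed flows: a vendor-managed ICS host reaching the server segment,
    # and a guest Wi-Fi client probing the IT management segment.
    flows = [("ics", "servers"), ("guest", "it_mgmt"), ("dmz", "servers")]
    print("violations:", audit(SEGMENTED_POLICY, flows))
    for name, pol in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"blast radius from ics ({name}):", sorted(reachable_from(pol, "ics")))
```

Under the flat policy a foothold in the ICS segment reaches every other segment, while under the segmented policy it reaches none of them; the same reachability check shows that the DMZ's permitted path to the server tier still carries transitive exposure into the security segment, which is the kind of route the planning effort described above has to weigh deliberately.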