The idea of network segmentation as a way to increase the security of your network is not a new one. But it’s a significant project, and with IT and security teams often juggling competing priorities, it hasn’t always been the most popular strategy. The increase in the scale and scope of cyber-attacks is starting to change that, though. The truth is that it’s a genuine obstacle for attackers, and we’re seeing it implemented as part of a defense-in-depth strategy more and more. Let’s take a look at what it means to segment your network and some of the advantages (and disadvantages) of taking on this project.
Why Segment your Network?
Traditional networks are designed to be “crunchy on the outside and soft on the inside.” Many organisations, especially regulated ones, have a mature firewall perimeter, and include some sort of Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) to monitor traffic coming in.
However, if someone gets through that perimeter (the crunchy surface), they’ll find a flat network infrastructure (the soft insides). Because most detection tooling faces outward and is not watching the traffic moving between internal hosts, the unwelcome guest will have free rein to carry out an attack. A flat network infrastructure, while easy to manage, provides a great opportunity for malicious (or accidental) things to happen.
In today’s threat environment, you have to assume that you’ll be breached. Network segmentation makes it more difficult for an attacker who has a foothold on one system to move laterally through your entire network. It’s also an obstacle for insiders, because you can isolate sensitive data and systems from “curious” insiders.
From a regulatory and best-practice standpoint, network segmentation is becoming more prevalent. The current version (v3.2) of the Payment Card Industry Data Security Standard (PCI DSS) does not mandate segmentation, but it strongly recommends it as the way to reduce the scope of the cardholder data environment, and where segmentation is used it requires that the segmentation controls be verified by penetration testing (at least annually, and every six months for service providers). Logical segmentation (VLANs with firewall rules or ACLs) is acceptable; physically separate networks are not required. Both the FFIEC Cybersecurity Assessment Tool and the NIST Cybersecurity Framework call out network segmentation as a control. Eventually, we feel network segmentation will be a requirement, especially in regulated industries.
What is Network Segmentation?
When you segment a computer network, you’re splitting it into smaller network segments. You are essentially separating groups of systems or applications from each other.
In a traditional, flat network, all of your servers and workstations are on the same Local Area Network (LAN). This is rarely necessary, because in most cases these systems have no reason to talk to, or “trust”, each other. Letting them communicate just provides an opportunity for an attacker to pivot from one system to another, or allows a piece of malware to propagate across your network.
Segmentation can be done either physically (separate switches and cabling) or logically (VLANs, routing, and firewall rules between them), but the result is similar. You’re limiting communication throughout your network, thereby limiting the attack options available. If an attacker can’t reach a system, they can’t attack it directly.
Advantages of Network Segmentation
- Improved Security. Traffic between segments can be isolated or filtered, limiting or preventing access from one segment to another.
- Better Access Control. Users can be allowed to reach only the network resources their role requires.
- Improved Monitoring. The chokepoints between segments are natural places to log events, monitor allowed and denied internal connections, and detect suspicious behavior.
- Improved Performance. With fewer hosts per subnet, local traffic is minimised and broadcast traffic is confined to its own segment.
- Better Containment. When a network issue occurs, its effect is limited to the local subnet.
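As an added illustration (not code from the original article), here is a small Python script that models the segmentation described above as zones plus an explicit, default-deny allow-list, and then uses that model to do the monitoring the list above describes: it audits firewall flow records for cross-segment connections that were allowed but are not in the policy (rule drift), and for denied attempts, counted per source so that a single host probing several segments stands out. The zone names, address ranges, permitted flows, record format and log lines are all constructed for the example and do not describe any particular product or network.

```python
"""Audit firewall flow records against a network segmentation policy.

Added example. Zones, address ranges, permitted flows and the log lines below
are all constructed for illustration; none comes from the original article.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Each zone is a separate segment (a subnet/VLAN behind an internal firewall).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "app_servers": ipaddress.ip_network("10.20.0.0/24"),
    "db_servers": ipaddress.ip_network("10.30.0.0/24"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# The inter-segment rule set as an explicit allow-list of
# (src_zone, dst_zone, proto, dst_port). Anything not listed is denied;
# that default deny is what separates a segmented network from a flat one.
ALLOWED_FLOWS = {
    ("workstations", "app_servers", "tcp", 443),
    ("app_servers", "db_servers", "tcp", 5432),
    ("management", "app_servers", "tcp", 22),
    ("management", "db_servers", "tcp", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    action: str  # what the firewall actually did: "allow" or "deny"


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def policy_allows(flow: Flow) -> bool:
    """Decide whether the segmentation policy permits this flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False          # unknown hosts get no implicit trust
    if src_zone == dst_zone:
        return True           # intra-segment traffic is not mediated here
    return (src_zone, dst_zone, flow.proto, flow.dport) in ALLOWED_FLOWS


def parse_flow(line: str) -> Flow:
    """Parse a constructed record: '<timestamp> src=.. dst=.. proto=.. dport=.. action=..'."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return Flow(fields["src"], fields["dst"], fields["proto"],
                int(fields["dport"]), fields["action"])


def audit(lines):
    """Return flows the firewall allowed against policy (rule drift) and denied attempts."""
    drift, denied = [], []
    for line in lines:
        flow = parse_flow(line)
        if flow.action == "allow" and not policy_allows(flow):
            drift.append(flow)
        elif flow.action == "deny":
            denied.append(flow)
    return {"rule_drift": drift, "denied_attempts": denied}


def denied_by_source(lines) -> Counter:
    """Count denied attempts per source host; one host probing several
    segments is the lateral-movement signal a flat network could never show."""
    return Counter(f.src for f in audit(lines)["denied_attempts"])


# Constructed flow records from a hypothetical internal firewall.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.10.0.15 dst=10.20.0.8 proto=tcp dport=443 action=allow",
    "2024-05-01T10:00:02Z src=10.20.0.8 dst=10.30.0.5 proto=tcp dport=5432 action=allow",
    "2024-05-01T10:00:03Z src=10.99.0.2 dst=10.30.0.5 proto=tcp dport=22 action=allow",
    "2024-05-01T10:00:04Z src=10.10.0.15 dst=10.10.0.77 proto=tcp dport=445 action=allow",
    "2024-05-01T10:00:05Z src=10.10.0.15 dst=10.30.0.5 proto=tcp dport=5432 action=allow",
    "2024-05-01T10:00:06Z src=10.10.0.15 dst=10.30.0.5 proto=tcp dport=445 action=deny",
    "2024-05-01T10:00:07Z src=10.10.0.15 dst=10.20.0.8 proto=tcp dport=3389 action=deny",
    "2024-05-01T10:00:08Z src=10.10.0.15 dst=10.99.0.2 proto=tcp dport=22 action=deny",
    "2024-05-01T10:00:09Z src=192.168.5.5 dst=10.30.0.5 proto=tcp dport=22 action=deny",
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for f in result["rule_drift"]:
        print(f"RULE DRIFT: {f.src} ({zone_of(f.src)}) -> {f.dst} ({zone_of(f.dst)}) "
              f"{f.proto}/{f.dport} was allowed but is not in policy")
    for src, n in denied_by_source(SAMPLE_LOG).most_common():
        print(f"DENIED: {src} ({zone_of(src)}) made {n} blocked cross-segment attempts")
```

Run against the constructed records, the audit flags one drift case (a workstation reaching the database segment on 5432, which the policy never granted, so a rule has crept in or been misordered) and shows the same workstation being blocked against three different segments in a few seconds, which is exactly the kind of pivot attempt that is invisible on a flat network because nothing is there to deny and log it. Keeping the allow-list in a file under change control, as the article recommends for the rule set itself, lets this check double as a test that the deployed firewall matches the intended design.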
As with any security control, it’s important to balance the strategy of the business with the need to secure it. Segmenting your network is a major project and an entirely different way of managing your network. You are going from a flat network infrastructure, where communications are wide open and any internal host can reach any internal service, to a network that requires firewall rule sets, routing and switching changes, and ongoing rule maintenance, just like your perimeter infrastructure. It takes careful planning to achieve the desired result, which is a network that is difficult for attackers but still manageable for you.
Keep in mind that the more isolated / segmented your network is:
- The harder it can be for an attacker to compromise your sensitive systems / data.
- The more time it takes to design / manage the internal network.
- The harder it can be to ensure users can still reach everything they legitimately need.
Design is what IT engineers do. If you allow them the time to design, do the proper planning, and have mature change control, the process can go very well and be a great benefit for your organisation.
The bottom line is that people continue to be the weakest link in your security. Verizon’s latest Data Breach Investigations Report found that two-thirds of malware-related data breaches started with a malicious email attachment. No surprise: with perimeter defenses now relatively mature, phishing a user is often the easiest way for attackers to get in. Network segmentation puts chokepoints inside your network where you can see and control what is going on, giving you another layer of defense once the perimeter has been bypassed.