What is network segmentation

Network segmentation is a powerful and essential tool in the security manager's arsenal: it improves the security of computer networks and makes them easier to manage. Segmentation protects against attackers who breach the perimeter defences by limiting their ability to move laterally within the network, and it also protects key systems from accidental or malicious interference by internal users.

Network Segmentation explained

Imagine a large museum full of valuable artifacts in glass cases spread over several floors. If a criminal breaks in, they can move freely from room to room, go up and down the stairs, smash every single cabinet and steal or damage every artifact. A more secure design for the museum would be to put a locked door between each floor and the stairs. Now if the criminals get onto one floor they cannot move to another without defeating the locked door. Security can be improved further by splitting each floor into a series of locked rooms: if the criminals manage to get in through an open window they find themselves in a single locked room, unable to reach any other room on the same floor, let alone run riot on the other floors.

In the first example, the open-plan museum is like a flat network topology: any device on the network can communicate with any other device. The museum with locked rooms and locked doors on the stairs is a segmented network: a compromised device or intruder can only communicate with, or even detect, the small number of devices connected to the same network segment, that is, in the same locked room of the museum.

Network segmentation divides the network into zones or segments. This can be done with physically separate Local Area Networks (separate switches and cabling), or the segmentation can be implemented logically on the network switches as Virtual LANs (VLANs), where each segment is its own broadcast domain identified by an 802.1Q tag. A VLAN on its own only separates traffic at layer 2: any traffic that needs to pass between VLANs must be routed, and that routing point (ideally an internal firewall rather than a plain router) is where the segmentation policy is enforced. VLANs are also susceptible to VLAN hopping attacks from a malicious or compromised host within the network. In double tagging, the attacker sends a frame carrying two 802.1Q tags, so that the first switch strips the outer tag as it forwards onto a trunk and the next switch delivers the frame into the VLAN named by the inner tag; in switch spoofing, the attacker's port negotiates itself into a trunk that carries every VLAN. These attacks are defeated by hardening the switches (trunk ports configured explicitly and never auto-negotiated, a dedicated unused native VLAN on every trunk, and all user-facing ports fixed as access ports) rather than by the firewall, but the internal firewall is still needed to control which traffic may flow between VLANs. Both are required to maintain the segmentation.
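As an added example (not code from the original article), the following Python parses the 802.1Q tag stack on a raw Ethernet frame and flags the double-tagging pattern described above, where the outer tag matches the trunk's native VLAN. The sample frames are constructed inside the script so it runs offline; the MAC addresses, VLAN IDs and the native VLAN number are assumptions for the example.

```python
import struct

# EtherTypes that introduce a 4-byte VLAN tag: 802.1Q customer tag and 802.1ad service tag.
VLAN_TAG_ETHERTYPES = {0x8100, 0x88A8}


def parse_vlan_tags(frame: bytes):
    """Walk the VLAN tag stack of a raw Ethernet frame.

    Returns (vids, inner_ethertype, payload_offset), where vids lists the VLAN IDs
    from outermost to innermost. An untagged frame yields [], a normal tagged frame
    yields one ID, and a double-tagged frame yields two."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # skip destination and source MAC addresses
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TAG_ETHERTYPES:
            return vids, ethertype, offset
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)   # PCP(3) | DEI(1) | VID(12)
        offset += 2
        vids.append(tci & 0x0FFF)


def is_double_tag_hop(frame: bytes, native_vlan: int) -> bool:
    """Flag the double-tagging pattern: two tags, the outer one equal to the trunk's
    native VLAN. The first switch strips the outer (native) tag as it forwards onto
    the trunk; the next switch reads the inner tag and delivers the frame into that
    VLAN, crossing the segment boundary."""
    vids, _ethertype, _offset = parse_vlan_tags(frame)
    return len(vids) >= 2 and vids[0] == native_vlan


def build_frame(dst_mac, src_mac, vids, ethertype, payload):
    """Build a test frame with the given 802.1Q tag stack (used only to construct sample input)."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for vid in vids:
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)   # PCP and DEI left at 0
    return frame + struct.pack("!H", ethertype) + payload


# Constructed sample frames; MACs, VLAN IDs and the native VLAN are assumptions for this example.
NATIVE_VLAN = 1
SAMPLE_FRAMES = {
    "untagged arp":   build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [], 0x0806, b"\x00" * 28),
    "normal vlan 10": build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", [10], 0x0800, b"\x45" + b"\x00" * 19),
    "double tagged":  build_frame("02:00:00:00:00:03", "02:00:00:00:00:01", [NATIVE_VLAN, 20], 0x0800, b"\x45" + b"\x00" * 19),
}


def scan(frames=SAMPLE_FRAMES, native_vlan=NATIVE_VLAN):
    """Return the names of frames that look like a double-tagging hop attempt."""
    return [name for name, frame in frames.items() if is_double_tag_hop(frame, native_vlan)]


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        vids, ethertype, offset = parse_vlan_tags(frame)
        print(f"{name:15s} tags={vids} ethertype=0x{ethertype:04x} payload@{offset}")
    print("suspicious:", scan())
```

The check is only meaningful on a capture taken from an access port or a monitoring span: a legitimately double-tagged frame (802.1ad provider bridging) carries an outer 0x88A8 service tag, whereas the attack pattern uses two 0x8100 customer tags with the outer one set to the native VLAN, which is what the script keys on.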

Principles of Segmentation

When deciding how to segment the network, consideration must be given both to the value of the systems to be protected and who needs to be able to communicate with them.

There are several approaches that can be used depending on the needs of the network, and often several of these will be used within the same network:

Zoning by Value

When Zoning by Value, the systems which are most valuable (to the business or attractive to criminals) are located on their own segment, much like the most valuable treasures being stored in the inner vault of a bank.

  • The most valuable systems (such as customer and HR databases) are placed in their own segment with restricted access.
  • The least valuable systems, such as IoT devices, smart light bulbs, are likewise placed in a separate segment with limited access to other parts of the network.
  • Other systems are grouped based on their relative value and placed in their own segments with appropriate levels of control and access. For example, internal Intranet servers are lower value and accessible to all staff, and file servers are necessarily accessible to everyone in the department.  The email servers, however, are more valuable as they contain confidential messages and are business critical, so they are in a more protected segment.
  • Systems that every host must be able to reach, such as NTP and DNS servers and domain controllers, still belong in a tightly controlled segment. What is universal is not the access but the firewall rule that permits the specific protocols and ports (NTP, DNS, Kerberos, LDAP) from every other segment. Domain controllers in particular are among the most valuable systems on the network, since compromising one compromises every account, so they must not be placed in a low-control zone simply because everyone needs to talk to them.

Zoning by Regulatory Scope

The cost of compliance with regulatory regimes can be reduced by containing all systems and devices within the scope of the regulation in their own isolated network segments. PCI DSS, for example, recommends network segmentation both to protect cardholder data and to limit the scope, and therefore the cost and complexity, of the compliance effort. Where segmentation is used to reduce PCI DSS scope, the standard requires it to be tested to confirm that it is actually effective, so the segment boundaries need to be documented and verifiable, not just intended.

Zoning by Risk

Certain systems or devices inherently pose a higher security risk, usually because they are connected either to the Internet or another external network.

  • External connections such as VPN endpoints are each isolated in their own segment to ensure if the remote system is compromised it has limited access into the target network.
  • Internet facing systems, such as web application servers, are placed in their own segment and isolated from the rest of the network as far as possible.
  • Customer contact centres, that routinely open large numbers of emails from external sources, may be a higher risk for inadvertently activating a malware payload – and so their desktop systems are isolated in their own segment to prevent the spread of any infections to the rest of the network.
  • Guest WiFi networks are isolated from all internal systems and segments.

Topology of Segmentation

Unless the network is particularly simple or small, it will be a struggle to implement the required segmentation purely with physical connectivity or VLANs. Some applications need to be reachable from the whole network (email, for example), so internal firewalls will be needed to implement more complex segmentation rules that allow specific traffic types, on specific ports, to flow between specific devices. Everything not explicitly allowed should be denied by default.

If building a new network from scratch, a hub and spoke (star) topology may be an effective approach: a central core firewall provides the segmentation and holds the rules that allow traffic to flow as needed around the network, and each radiating spoke is its own network segment. Any traffic between two segments must pass through the core firewall, so the rule base is the single place where inter-segment policy is defined, enforced and logged. If each spoke is delivered to its own physical firewall interface rather than sharing an 802.1Q trunk, there is no trunk for a double-tagged frame to cross, which also removes the VLAN hopping risk described above.
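As an added example, not from the original article, the following Python models the hub and spoke design above: a set of zones matching the value, regulatory and risk zoning described earlier, a default-deny rule table for the core firewall, and a check of how far an attacker who compromises a host in one zone could pivot through the permitted flows, compared with the same question on a flat network. The zone names, rules and ports are assumptions constructed for the example.

```python
from collections import deque

# Hypothetical zones, one per spoke of the core firewall (names are assumptions for this example).
ZONES = ["workstations", "contact-centre", "guest-wifi", "vpn", "dmz-web",
         "intranet", "email", "core-services", "crown-jewels", "iot"]

# Core firewall rule base: (source zone, destination zone, protocol, destination port).
# Anything not listed is denied. Constructed for the example, not a real rule set.
RULES = [
    ("workstations",   "intranet",      "tcp", 443),   # staff browse the intranet
    ("workstations",   "email",         "tcp", 443),   # webmail
    ("workstations",   "core-services", "udp", 53),    # DNS
    ("workstations",   "core-services", "udp", 123),   # NTP
    ("workstations",   "core-services", "tcp", 88),    # Kerberos to domain controllers
    ("contact-centre", "email",         "tcp", 443),   # high-risk desktops get email only
    ("contact-centre", "core-services", "udp", 53),
    ("contact-centre", "core-services", "tcp", 88),
    ("vpn",            "intranet",      "tcp", 443),   # remote users: intranet and email only
    ("vpn",            "email",         "tcp", 443),
    ("dmz-web",        "crown-jewels",  "tcp", 5432),  # internet-facing app to its database
    ("intranet",       "core-services", "udp", 53),
    ("email",          "core-services", "udp", 53),
    ("email",          "core-services", "tcp", 389),   # LDAP lookups
    ("crown-jewels",   "core-services", "udp", 53),
    ("iot",            "core-services", "udp", 123),   # smart devices only need time
    # guest-wifi has no rules: it can reach nothing internal
]


def is_allowed(src, dst, proto, port, rules=RULES):
    """Decision the core firewall makes for one flow. Traffic within a segment never
    crosses the firewall, so it is always allowed; anything crossing segments must
    match a rule exactly (default deny)."""
    if src == dst:
        return True
    return (src, dst, proto, port) in rules


def reachable_zones(start, rules=RULES):
    """Zones an attacker holding a host in `start` could reach by pivoting through
    permitted flows. Worst case: every allowed src->dst pair is treated as a pivot,
    i.e. the service on the far side is assumed to be compromisable."""
    edges = {}
    for src, dst, _proto, _port in rules:
        edges.setdefault(src, set()).add(dst)
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in edges.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def flat_network_reach(start, zones=ZONES):
    """The same question on a flat network: everything is adjacent to everything."""
    return set(zones)


def exposure(target, rules=RULES):
    """Every (source zone, protocol, port) that can reach `target`: the review list
    for a high-value segment."""
    return sorted((src, proto, port) for src, dst, proto, port in rules if dst == target)


def blast_radius_report(rules=RULES, zones=ZONES):
    """Per starting zone, the other zones reachable after a compromise there."""
    return {z: sorted(reachable_zones(z, rules) - {z}) for z in zones}


if __name__ == "__main__":
    for zone, reach in blast_radius_report().items():
        print(f"{zone:15s} -> {reach or 'nothing else'}")
    print("crown-jewels exposure:", exposure("crown-jewels"))
    print("flat network from guest-wifi:", sorted(flat_network_reach("guest-wifi")))
```

The report makes the design trade-offs visible: a compromised workstation or contact-centre desktop can pivot no further than the intranet, email and core-services segments, guest Wi-Fi reaches nothing, and the only path into the crown-jewels segment is the single database port from the web tier. That last rule is also the one to scrutinise, because it means a compromised internet-facing web server is one hop from the customer database and, via the DNS rule, two hops from the domain controllers.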

A more recent technology that can make this easier is Software Defined Access (SDA, Cisco's name for its implementation; the generic term is software-defined networking, SDN). Flavours of this technology are available from the key players in enterprise networking and all fundamentally take the same approach of separating the 'control plane' of the network (where the policy lives) from the 'data plane' (where data is transmitted and received), so that segmentation policy is defined centrally and pushed to every switch rather than configured device by device. However, as with any newer technology, the risks and weaknesses of SDA are less well understood than those of the traditional approaches, and the central controller becomes a high-value target in its own right, since whoever controls it controls the segmentation.

Segmentation improves network performance

Segmentation can also reduce congestion on the network, which helps overall stability and allows higher priority services and devices to be protected. Each segment is its own broadcast domain, so broadcast and multicast traffic stays within the segment, and traffic between segments is limited to what the firewall rules allow. For example, the performance of transactional systems need not be affected by staff watching training videos when the two are contained in different segments. Note that this bandwidth isolation is only complete when the segments run on different physical networking hardware; VLANs that share the same switches and uplinks still share their capacity, so on a VLAN-based design quality of service controls are needed as well.

With the ongoing risk of ransomware and data theft, network segmentation has never been more important; both to reduce the risk of malware worming itself quickly across the entire enterprise network and to protect the business’ most valuable data.

Advice on how to implement or improve Network Segmentation is one of the areas covered in our Internal Network Penetration Test.
