Network segmentation is a powerful and essential tool in the security manager’s arsenal that improves the security of computer networks and makes them easier to manage. Network segmentation provides protection against attackers who manage to breach the perimeter defences by limiting their ability to move laterally within the network. It can also protect key systems from accidental or malicious interference by internal users.
Network Segmentation explained
Imagine a large museum full of valuable artifacts in glass cases spread over several floors. If a criminal breaks-in, they can move freely from room to room, go up and down the stairs and smash into every single cabinet and steal or damage every artifact. A more secure design choice for the museum would be to put a locked door between each floor and the stairs. This way if the criminals access one floor they cannot move to another floor easily without defeating the locked door. The security can be further improved by splitting each floor into a series of locked rooms. Now if the criminals manage to get in through an open window they find themselves in a locked room and not able to access any other rooms on the same floor let alone run riot on the other floors.
In the first example, the open plan museum is like a flat network topology – any device on the network can communicate with any other device on the network. The museum with locked rooms and doors on the stairs is a segmented network – a compromised device or intruder can only communicate with or even detect a small number of devices which are also connected to the same small network segment – that is, in the same locked room in the museum.
Network segmentation divides the network into different zones or segments. This can be done with physically different Local Area Networks (cables) or the segmentation may be implemented by the network switches and firewalls – known as Virtual LANs or VLANs. However, VLANs can be susceptible to various attacks from a malicious or compromised host within the network as the VLAN header tags can be spoofed resulting in the ability to hop between VLANs and break the segmentation. For this reason, an internal firewall is usually needed in addition to network switches, both to create the VLAN and prevent traffic hopping between VLANs.
Principles of Segmentation
When deciding how to segment the network, consideration must be given both to the value of the systems to be protected and who needs to be able to communicate with them.
There are several approaches that can be used depending on the needs of the network, and often several of these will be used within the same network:
Zoning by Value
When Zoning by Value, the systems which are most valuable (to the business or attractive to criminals) are located on their own segment, much like the most valuable treasures being stored in the inner vault of a bank.
- The most valuable systems (such as customer and HR databases) are placed in their own segment with restricted access.
- The least valuable systems, such as IoT devices, smart light bulbs, are likewise placed in a separate segment with limited access to other parts of the network.
- Other systems are grouped based on their relative value and placed in their own segments with appropriate levels of control and access. For example, internal Intranet servers are lower value and accessible to all staff, and file servers are necessarily accessible to everyone in the department. The email servers, however, are more valuable as they contain confidential messages and are business critical, so they are in a more protected segment.
- Systems that must be universally accessible – such as NTP servers and domain controllers can be grouped into the same value zone.
Zoning by Regulatory Scope
The cost of compliance with regulatory regimes can be reduced by containing all systems and devices within the scope of the regulation in their own isolated network segments. PCI-DSS, for example, advocates the use of network segmentation both to improve the security of cardholder data but also to limit the scope and complexity of the compliance effort.
Zoning by Risk
Certain systems or devices inherently pose a higher security risk, usually because they are connected either to the Internet or another external network.
- External connections such as VPN endpoints are each isolated in their own segment to ensure if the remote system is compromised it has limited access into the target network.
- Internet facing systems, such as web application servers, are placed in their own segment and isolated from the rest of the network as far as possible.
- Customer contact centres, that routinely open large numbers of emails from external sources, may be a higher risk for inadvertently activating a malware payload – and so their desktop systems are isolated in their own segment to prevent the spread of any infections to the rest of the network.
- Guest WiFi networks are isolated from all internal systems and segments.
Topology of Segmentation
Unless the network is particularly simple or small, it will be a struggle to implement the required segmentation purely with physical connectivity or VLANS. There will be some applications that need to be available for connection from the whole network (Email for example) and so internal firewalls will need to be used in order to implement more complex segmentation rules allowing certain traffic types on certain ports to flow between specific devices in the network.
If building a new network from scratch, a star (also known as spoke and hub) topology may be an effective approach with a central core firewall providing the segmentation and firewall rules to allow traffic to flow as needed around the network and each radiating spoke being its own network segment. Any traffic that wants to flow between two different segments must go through the core firewall. This can also mitigate the risk of VLAN hopping described above.
An emerging technology that could make this easier in the near future is Software Defined Access or SDA. Flavours of this technology are emerging from the key players in enterprise networking and all fundamentally offer the same approach of separating the ‘control plane’ of the network (where the rules live) from the ‘data plane’ (where data is transmitted and received). However, as with any new technology, the risks and weaknesses are less well understood for SDA compared with more traditional approaches.
Segmentation improves network performance
Segmentation can reduce congestion on the network which helps overall stability and allows for the protection of higher priority services and devices on the network. For example, the performance of transactional systems is not impacted by staff watching training videos as the network traffic is contained within different segments and isolated from each other on different physical networking hardware.
With the ongoing risk of ransomware and data theft, network segmentation has never been more important; both to reduce the risk of malware worming itself quickly across the entire enterprise network and to protect the business’ most valuable data.
Advice on how to implement or improve Network Segmentation is one of the areas covered in our Internal Network Penetration Test.