Call us today on: +44 (0)203 88 020 88
SecureTeamSecureTeamSecureTeamSecureTeam
  • Home
  • Our Services
    • Infrastructure Testing
      • Internal Network Penetration Test
      • External Network Penetration Test
      • Vulnerability Assessment
    • Web Application Penetration Test
    • Configuration Review
      • Windows Build Review
    • Information Assurance
      • ISO 27001 Gap Analysis
    • Cyber Essentials Certification
  • News
  • Articles
  • About
    • About SecureTeam
    • Cookie Policy
    • Privacy Notice
    • Website Terms & Conditions
    • White-Label Consultancy
    • Jobs
  • Contact Us

Articles

Home  >  Articles  >  Infrastructure  >  What is network segmentation
NextPrevious

What is network segmentation

Articles, Infrastructure | 7 August, 2020 | 0

Network segmentation is a powerful and essential tool in the security manager’s arsenal that improves the security of computer networks and makes them easier to manage.  Network segmentation provides protection against attackers who manage to breach the perimeter defences by limiting their ability to move laterally within the network. It can also protect key systems from accidental or malicious interference by internal users.

Network Segmentation explained

Imagine a large museum full of valuable artifacts in glass cases spread over several floors.  If a criminal breaks-in, they can move freely from room to room, go up and down the stairs and smash into every single cabinet and steal or damage every artifact.  A more secure design choice for the museum would be to put a locked door between each floor and the stairs. This way if the criminals access one floor they cannot move to another floor easily without defeating the locked door.  The security can be further improved by splitting each floor into a series of locked rooms. Now if the criminals manage to get in through an open window they find themselves in a locked room and not able to access any other rooms on the same floor let alone run riot on the other floors.

In the first example, the open plan museum is like a flat network topology – any device on the network can communicate with any other device on the network.  The museum with locked rooms and doors on the stairs is a segmented network – a compromised device or intruder can only communicate with or even detect a small number of devices which are also connected to the same small network segment – that is, in the same locked room in the museum.

Network segmentation divides the network into different zones or segments. This can be done with physically different Local Area Networks (cables) or the segmentation may be implemented by the network switches and firewalls – known as Virtual LANs or VLANs. However, VLANs can be susceptible to various attacks from a malicious or compromised host within the network as the VLAN header tags can be spoofed resulting in the ability to hop between VLANs and break the segmentation. For this reason, an internal firewall is usually needed in addition to network switches, both to create the VLAN and prevent traffic hopping between VLANs.

Principles of Segmentation

When deciding how to segment the network, consideration must be given both to the value of the systems to be protected and who needs to be able to communicate with them.

There are several approaches that can be used depending on the needs of the network, and often several of these will be used within the same network:

Zoning by Value

When Zoning by Value, the systems which are most valuable (to the business or attractive to criminals) are located on their own segment, much like the most valuable treasures being stored in the inner vault of a bank.

  • The most valuable systems (such as customer and HR databases) are placed in their own segment with restricted access.
  • The least valuable systems, such as IoT devices, smart light bulbs, are likewise placed in a separate segment with limited access to other parts of the network.
  • Other systems are grouped based on their relative value and placed in their own segments with appropriate levels of control and access. For example, internal Intranet servers are lower value and accessible to all staff, and file servers are necessarily accessible to everyone in the department.  The email servers, however, are more valuable as they contain confidential messages and are business critical, so they are in a more protected segment.
  • Systems that must be universally accessible – such as NTP servers and domain controllers can be grouped into the same value zone.

Zoning by Regulatory Scope

The cost of compliance with regulatory regimes can be reduced by containing all systems and devices within the scope of the regulation in their own isolated network segments.  PCI-DSS, for example, advocates the use of network segmentation both to improve the security of cardholder data but also to limit the scope and complexity of the compliance effort.

Zoning by Risk

Certain systems or devices inherently pose a higher security risk, usually because they are connected either to the Internet or another external network.

  • External connections such as VPN endpoints are each isolated in their own segment to ensure if the remote system is compromised it has limited access into the target network.
  • Internet facing systems, such as web application servers, are placed in their own segment and isolated from the rest of the network as far as possible.
  • Customer contact centres, that routinely open large numbers of emails from external sources, may be a higher risk for inadvertently activating a malware payload – and so their desktop systems are isolated in their own segment to prevent the spread of any infections to the rest of the network.
  • Guest WiFi networks are isolated from all internal systems and segments.

Topology of Segmentation

Unless the network is particularly simple or small, it will be a struggle to implement the required segmentation purely with physical connectivity or VLANS.  There will be some applications that need to be available for connection from the whole network (Email for example) and so internal firewalls will need to be used in order to implement more complex segmentation rules allowing certain traffic types on certain ports to flow between specific devices in the network.

If building a new network from scratch, a star (also known as spoke and hub) topology may be an effective approach with a central core firewall providing the segmentation and firewall rules to allow traffic to flow as needed around the network and each radiating spoke being its own network segment.  Any traffic that wants to flow between two different segments must go through the core firewall. This can also mitigate the risk of VLAN hopping described above.

An emerging technology that could make this easier in the near future is Software Defined Access or SDA.  Flavours of this technology are emerging from the key players in enterprise networking and all fundamentally offer the same approach of separating the ‘control plane’ of the network (where the rules live) from the ‘data plane’ (where data is transmitted and received). However, as with any new technology, the risks and weaknesses are less well understood for SDA compared with more traditional approaches.

Segmentation improves network performance

Segmentation can reduce congestion on the network which helps overall stability and allows for the protection of higher priority services and devices on the network.  For example, the performance of transactional systems is not impacted by staff watching training videos as the network traffic is contained within different segments and isolated from each other on different physical networking hardware.

With the ongoing risk of ransomware and data theft, network segmentation has never been more important; both to reduce the risk of malware worming itself quickly across the entire enterprise network and to protect the business’ most valuable data.

Advice on how to implement or improve Network Segmentation is one of the areas covered in our Internal Network Penetration Test.

 

 

Subscribe to our monthly cybersecurity newsletter
Stay up-to-date with the very latest cybersecurity news & technical articles delivered straight to your inbox
We hate spam as much as you do. We will never give your email address out to any third-party.
cyber security, Security operations

Related Post

  • What is a Next Generation Firewall?

    By Mark Faithfull

    What is a Next Generation Firewall and how can it help keep your network secure? The phrase ‘next generation firewall’ is increasingly being used by security vendors to describe their network security products. However, theRead more

  • RDP Based Attacks Increase During Lockdown

    By Mark Faithfull

    The number of ransomware attacks using RDP as the attack vector has increased sharply during the COVID lockdown. As the number of staff working remotely exploded during the COVID lockdown, criminals were quick to respondRead more

  • What is HTML smuggling?

    By Mark Faithfull

    HTML smuggling is a technique for bypassing perimeter security devices by generating malicious HTML behind the firewall – within the browser on the target endpoint. HTML Smuggling techniques sidestep traditional network security solutions such asRead more

  • Derek attacks QNAP NAS Devices

    By Mark Faithfull

    The UK National Cyber Security Centre and CISA in the USA have issued a joint alert detailing the risk posed by the Qsnatch/Derek malware which attacks QNAP NAS devices. The National Cyber Security Centre statesRead more

  • What is the Tsunami security scanner?

    By Mark Faithfull

    Tsunami is a security vulnerability scanner designed for very large networks – originally created by Google for scanning their own huge network. Google has now released Tsunami as an open source project – it isRead more

NextPrevious

Recent Posts

  • How Return-Oriented Programming exploits work
  • NCSC Publishes Vulnerability Disclosure Toolkit
  • September patch Tuesday fixes 23 Critical Microsoft Vulnerabilities
  • The most dangerous vulnerabilities of 2020
  • Pass-the-hash attack discovered in Windows Themes

Tags

Android blockchain Bluetooth Chrome Cisco credential stuffing cyber crime cyber essentials cyber security cyber security news Data Protection DNS Ethereum Exchange Server exim fileless formjacking GDPR Intel IoT Linux MacOS Meltdown microsoft patching penetration testing phishing ransomware RDP Row Hammer security breach Security operations security testing SIEM Spectre supply chain attacks Sysinternals Tomcat TPM UK Law VNC vulnerability management web applications web browsers wireless

Archives

  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • July 2018
  • June 2018
  • April 2018
  • January 2018
  • October 2017
BCS Cyber Essentials Cyber Essentials Cyber Essentials PLUS ISO 9001 ISO 27001
information. secured.
  • Home
  • Our Services
    • Infrastructure Testing
      • Internal Network Penetration Test
      • External Network Penetration Test
      • Vulnerability Assessment
    • Web Application Penetration Test
    • Configuration Review
      • Windows Build Review
    • Information Assurance
      • ISO 27001 Gap Analysis
    • Cyber Essentials Certification
  • News
  • Articles
  • About
    • About SecureTeam
    • Cookie Policy
    • Privacy Notice
    • Website Terms & Conditions
    • White-Label Consultancy
    • Jobs
  • Contact Us
SecureTeam
SecureTeam use cookies on this website to ensure that we give you the best experience possible. If you continue to use our site we will assume that you are happy with cookies being used.OkRead more