What is network segmentation

Articles, Infrastructure | 7 August, 2020 | 1

Network segmentation is a powerful and essential tool in the security manager’s arsenal that improves the security of computer networks and makes them easier to manage.  Network segmentation provides protection against attackers who manage to breach the perimeter defences by limiting their ability to move laterally within the network. It can also protect key systems from accidental or malicious interference by internal users.

Network Segmentation explained

Imagine a large museum full of valuable artifacts in glass cases spread over several floors. If a criminal breaks in, they can move freely from room to room, go up and down the stairs, smash open every single cabinet and steal or damage every artifact. A more secure design for the museum would be to put a locked door between each floor and the stairs. This way, if the criminals reach one floor they cannot move to another without defeating the locked door. Security can be further improved by splitting each floor into a series of locked rooms. Now, if the criminals manage to get in through an open window, they find themselves in a locked room, unable to reach any other room on the same floor, let alone run riot on the other floors.

In the first example, the open-plan museum is like a flat network topology: any device on the network can communicate with any other device on the network. The museum with locked rooms and doors on the stairs is a segmented network: a compromised device or intruder can only communicate with, or even detect, the small number of devices connected to the same network segment, that is, in the same locked room of the museum.

Network segmentation divides the network into different zones or segments. This can be done with physically separate Local Area Networks (separate cabling and switches), or the segmentation may be implemented logically by the network switches and firewalls as Virtual LANs (VLANs). However, VLANs can be susceptible to attack from a malicious or compromised host within the network: VLAN header tags can be spoofed, allowing traffic to hop between VLANs and break the segmentation. For this reason, an internal firewall is usually needed in addition to the network switches, both to create the VLANs and to prevent traffic hopping between them.

Principles of Segmentation

When deciding how to segment the network, consideration must be given both to the value of the systems to be protected and who needs to be able to communicate with them.

There are several approaches that can be used depending on the needs of the network, and often several of these will be used within the same network:

Zoning by Value

When Zoning by Value, the systems which are most valuable (to the business or attractive to criminals) are located on their own segment, much like the most valuable treasures being stored in the inner vault of a bank.

  • The most valuable systems (such as customer and HR databases) are placed in their own segment with restricted access.
  • The least valuable systems, such as IoT devices, smart light bulbs, are likewise placed in a separate segment with limited access to other parts of the network.
  • Other systems are grouped based on their relative value and placed in their own segments with appropriate levels of control and access. For example, internal intranet servers are lower value and accessible to all staff, and departmental file servers are necessarily accessible to everyone in the department. The email servers, however, are more valuable as they contain confidential messages and are business critical, so they are placed in a more protected segment.
  • Systems that must be universally accessible – such as NTP servers and domain controllers – can be grouped into the same value zone.

Zoning by Regulatory Scope

The cost of compliance with regulatory regimes can be reduced by containing all systems and devices within the scope of the regulation in their own isolated network segments.  PCI-DSS, for example, advocates the use of network segmentation both to improve the security of cardholder data but also to limit the scope and complexity of the compliance effort.

Zoning by Risk

Certain systems or devices inherently pose a higher security risk, usually because they are connected either to the Internet or another external network.

  • External connections, such as VPN endpoints, are each isolated in their own segment so that if the remote system is compromised it has only limited access into the internal network.
  • Internet facing systems, such as web application servers, are placed in their own segment and isolated from the rest of the network as far as possible.
  • Customer contact centres, which routinely open large numbers of emails from external sources, are at higher risk of inadvertently activating a malware payload, so their desktop systems are isolated in their own segment to prevent any infection spreading to the rest of the network.
  • Guest WiFi networks are isolated from all internal systems and segments.

Topology of Segmentation

Unless the network is particularly small or simple, it will be a struggle to implement the required segmentation purely with physical connectivity or VLANs. Some applications will need to be reachable from the whole network (email, for example), so internal firewalls will be needed to implement more complex segmentation rules that allow specific traffic types on specific ports to flow between specific devices.

If building a new network from scratch, a star (hub-and-spoke) topology can be an effective approach: a central core firewall provides the segmentation and the firewall rules that allow traffic to flow as needed, and each radiating spoke is its own network segment. Any traffic between two different segments must pass through the core firewall. This can also mitigate the risk of VLAN hopping described above.
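A constructed policy model of the hub-and-spoke design just described, added here as an illustration and not code from the original article or any vendor product. Every segment name, address range and allow rule in it is an assumption made up for the example, loosely following the Value and Risk zoning above (a crown-jewels database segment, a higher-risk contact-centre segment, an isolated guest Wi-Fi). It shows the three behaviours the preceding sections describe: traffic inside a segment is switched locally and never reaches the core firewall, traffic between segments is dropped unless a rule for a specific port allows it, and the guest segment reaches nothing internal. The `reachable_from` helper reports the blast radius a compromised host in one zone would have, which is the check a reviewer wants to run over a proposed rule set.

```python
"""
Policy model of a hub-and-spoke segmented network (constructed example).

Each spoke is a segment (a VLAN or a physical LAN) hanging off one core
firewall.  Traffic inside a segment is switched locally and never reaches
the firewall; traffic between two segments must cross it and is dropped
unless an allow rule matches (default deny).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Segment names and address ranges are assumptions made up for this example.
SEGMENTS: dict[str, IPv4Network] = {
    "user_desktops":  ip_network("10.10.0.0/16"),
    "contact_centre": ip_network("10.20.0.0/24"),      # higher-risk desktops
    "core_services":  ip_network("10.30.0.0/24"),      # NTP, domain controllers
    "mail":           ip_network("10.40.0.0/24"),
    "crown_jewels":   ip_network("10.50.0.0/24"),      # customer / HR databases
    "iot":            ip_network("10.60.0.0/24"),      # smart bulbs and friends
    "app_servers":    ip_network("10.70.0.0/24"),
    "dmz":            ip_network("192.168.100.0/24"),  # internet-facing web
    "guest_wifi":     ip_network("172.16.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str             # segment name, or "*" for any non-isolated segment
    dst: str
    proto: str           # "tcp" or "udp"
    ports: frozenset[int]


# Hypothetical core firewall allow list; anything unmatched is dropped.
ALLOW_RULES = [
    # Universally needed services live together in one zone
    Rule("*", "core_services", "udp", frozenset({123})),           # NTP
    Rule("*", "core_services", "tcp", frozenset({88, 389, 636})),  # Kerberos, LDAP(S)
    # Email must be reachable from every desktop segment
    Rule("user_desktops", "mail", "tcp", frozenset({587, 993})),
    Rule("contact_centre", "mail", "tcp", frozenset({587, 993})),
    Rule("app_servers", "mail", "tcp", frozenset({587})),
    # The internet-facing tier reaches only the application tier, and only
    # the application tier reaches the most valuable data
    Rule("dmz", "app_servers", "tcp", frozenset({8443})),
    Rule("app_servers", "crown_jewels", "tcp", frozenset({5432})),
]

# Segments that may reach nothing internal; checked before the allow list
# so the "*" wildcard never applies to them.
ISOLATED_SOURCES = {"guest_wifi"}


def segment_of(ip: str) -> str | None:
    """Return the segment containing `ip`, or None if it lies outside all of them."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> tuple[str, str]:
    """Decide whether one flow is allowed, and say which principle decided it."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside every known segment"
    if src == dst:
        # Segmentation does not police neighbours: the switch forwards this
        # directly and the core firewall never sees it.
        return "allow", f"intra-segment traffic within {src}, not inspected by the core firewall"
    if src in ISOLATED_SOURCES:
        return "deny", f"{src} is isolated from all internal segments"
    for rule in ALLOW_RULES:
        if rule.src in ("*", src) and rule.dst == dst and rule.proto == proto and port in rule.ports:
            return "allow", f"matched rule {rule.src} -> {rule.dst} {rule.proto}/{port}"
    return "deny", f"default deny between {src} and {dst}"


def reachable_from(segment: str) -> set[tuple[str, str, int]]:
    """Blast radius of a compromised host in `segment`: every (segment, proto,
    port) it could reach through the core firewall."""
    if segment in ISOLATED_SOURCES:
        return set()
    reach: set[tuple[str, str, int]] = set()
    for rule in ALLOW_RULES:
        if rule.src in ("*", segment) and rule.dst != segment:
            reach.update((rule.dst, rule.proto, p) for p in rule.ports)
    return reach


if __name__ == "__main__":
    # Constructed flows: a compromised contact-centre desktop probing outward
    probes = [
        ("10.20.0.15", "10.10.4.7", "tcp", 445),    # SMB to a user desktop
        ("10.20.0.15", "10.50.0.10", "tcp", 5432),  # straight at the HR database
        ("10.20.0.15", "10.40.0.5", "tcp", 993),    # IMAP, legitimately needed
        ("10.20.0.15", "10.20.0.99", "tcp", 445),   # neighbour in the same segment
        ("172.16.3.3", "10.30.0.2", "udp", 123),    # guest Wi-Fi asking for NTP
    ]
    for s, d, proto, port in probes:
        verdict, why = evaluate(s, d, proto, port)
        print(f"{s:>12} -> {d:<15} {proto}/{port:<5} {verdict:5} ({why})")
    print("contact_centre blast radius:", sorted(reachable_from("contact_centre")))
```

The fourth probe is the caveat worth noticing: SMB from one contact-centre desktop to its neighbour is allowed, because hosts in the same segment talk through the switch without the core firewall ever seeing the traffic. Segmentation bounds lateral movement to the segment; it does not prevent it inside one, which is why the higher-risk desktops get a segment of their own in the first place.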

An emerging technology that could make this easier in the near future is Software Defined Access or SDA.  Flavours of this technology are emerging from the key players in enterprise networking and all fundamentally offer the same approach of separating the ‘control plane’ of the network (where the rules live) from the ‘data plane’ (where data is transmitted and received). However, as with any new technology, the risks and weaknesses are less well understood for SDA compared with more traditional approaches.

Segmentation improves network performance

Segmentation can reduce congestion on the network, which helps overall stability and allows higher-priority services and devices to be protected. For example, the performance of transactional systems is not affected by staff watching training videos, because the two kinds of traffic are contained in different segments, isolated from each other on separate physical networking hardware.

With the ongoing risk of ransomware and data theft, network segmentation has never been more important; both to reduce the risk of malware worming itself quickly across the entire enterprise network and to protect the business’ most valuable data.

Advice on how to implement or improve Network Segmentation is one of the areas covered in our Internal Network Penetration Test.
