What is network segmentation

Articles, Infrastructure | 7 August, 2020

Network segmentation is one of the most powerful tools in the security manager's arsenal: it improves the security of a computer network and makes it easier to manage. It limits the damage an attacker can do after breaching the perimeter defences by restricting their ability to move laterally within the network, and it protects key systems from accidental or malicious interference by internal users.

Network Segmentation explained

Imagine a large museum full of valuable artifacts in glass cases spread over several floors. If a criminal breaks in, they can move freely from room to room, go up and down the stairs, smash every cabinet and steal or damage every artifact. A more secure design for the museum would put a locked door between each floor and the stairs: if the criminal gets onto one floor, they cannot reach another without defeating that door. Security can be improved further by splitting each floor into a series of locked rooms. Now a criminal who climbs in through an open window finds themselves confined to one locked room, unable to reach the other rooms on the same floor, let alone run riot on the other floors.

In the first example, the open plan museum is like a flat network topology – any device on the network can communicate with any other device on the network.  The museum with locked rooms and doors on the stairs is a segmented network – a compromised device or intruder can only communicate with or even detect a small number of devices which are also connected to the same small network segment – that is, in the same locked room in the museum.

Network segmentation divides the network into zones or segments. The segments can be physically separate Local Area Networks (separate cabling and switches), or they can be logical: Virtual LANs (VLANs), which the network switches create by tagging each frame with an 802.1Q header that identifies the VLAN it belongs to. VLANs on their own are a weaker boundary than physical separation, because a malicious or compromised host inside the network can attempt VLAN hopping, either by negotiating a trunk link with a switch port that has not been hardened, or by sending double-tagged frames whose outer tag matches the trunk's native VLAN, so that the first switch strips the outer tag and the frame is forwarded into the VLAN named by the inner tag. Defending against hopping is a switch configuration matter (disable trunk auto-negotiation on access ports and use an otherwise unused VLAN as the native VLAN on trunks), and the switches only separate the segments; they do not decide what traffic may pass between them. An internal firewall is therefore usually needed in addition to the switches, to enforce the policy for traffic that is permitted to cross from one VLAN to another.
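To make the double-tagging attack concrete, here is a small 802.1Q tag-stack parser with a check for the hopping pattern described above. This is an added example, not code from the original article; the frames it builds are constructed by hand rather than captured from a real network, and the MAC addresses and VLAN numbers are arbitrary.

```python
"""
Walk the 802.1Q tag stack of a raw Ethernet II frame and flag the
double-tagging form of VLAN hopping: an outer tag equal to the trunk's native
VLAN (which the first switch strips) wrapped around an inner tag naming the
victim VLAN (which the next switch honours).
"""
import struct

ETHERTYPE_8021Q = 0x8100    # customer VLAN tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8   # service/provider tag (S-TAG), also valid in a stack
TAG_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


def parse_vlan_stack(frame: bytes):
    """Return (list_of_vlan_ids, payload_ethertype) for a raw Ethernet II frame.

    Each tag is 4 bytes: TPID (0x8100 / 0x88A8) followed by the TCI, whose low
    12 bits are the VLAN ID. Tags may be stacked, so keep reading until the
    EtherType is not a tag.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12                       # skip destination MAC (6) + source MAC (6)
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_ETHERTYPES:
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)     # PCP (3 bits) and DEI (1 bit) are ignored
        offset += 4


def is_double_tag_hop(frame: bytes, native_vlan: int) -> bool:
    """True when the frame carries two or more tags and the outer one is the
    trunk's native VLAN. That is the shape a host on the native VLAN sends to
    reach a VLAN it is not a member of."""
    vids, _ = parse_vlan_stack(frame)
    return len(vids) >= 2 and vids[0] == native_vlan


def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a broadcast frame carrying the given stack of 802.1Q tags
    (constructed test data; the source MAC is an arbitrary locally
    administered address)."""
    dst = b"\xff" * 6
    src = bytes.fromhex("021122334455")
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    native = 1
    for label, vids in [("normal access frame", [20]),
                        ("double-tagged hop attempt", [native, 20]),
                        ("stacked but not native outer", [5, 20])]:
        f = build_frame(vids)
        print(f"{label:32s} tags={parse_vlan_stack(f)[0]} hop={is_double_tag_hop(f, native)}")
```

Run on a mirror port capture this flags only frames whose outer tag equals the native VLAN, which is the reason the hardening advice is to move the native VLAN to an ID that no host is placed in.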

Principles of Segmentation

When deciding how to segment the network, consideration must be given both to the value of the systems to be protected and who needs to be able to communicate with them.

There are several approaches that can be used depending on the needs of the network, and often several of these will be used within the same network:

Zoning by Value

When Zoning by Value, the systems which are most valuable (to the business or attractive to criminals) are located on their own segment, much like the most valuable treasures being stored in the inner vault of a bank.

  • The most valuable systems (such as customer and HR databases) are placed in their own segment with restricted access.
  • The least valuable systems, such as IoT devices, smart light bulbs, are likewise placed in a separate segment with limited access to other parts of the network.
  • Other systems are grouped by their relative value and placed in segments with matching levels of control and access. For example, internal intranet servers are lower value and must be reachable by all staff, and a department's file servers must be reachable by everyone in that department; the email servers, however, hold confidential messages and are business critical, so they sit in a more tightly controlled segment.
  • Systems that must be reachable from everywhere, such as NTP servers and domain controllers, can share a zone. Note that domain controllers are among the most valuable targets in the network, so that zone should expose only the ports those services require rather than being treated as low value simply because it is widely accessible.

Zoning by Regulatory Scope

The cost of compliance with a regulatory regime can be reduced by containing all systems and devices within the scope of the regulation in their own isolated network segments. PCI DSS, for example, advocates network segmentation both to improve the security of cardholder data and to limit the scope and complexity of the compliance effort: systems that cannot reach the cardholder data environment fall outside its scope.

Zoning by Risk

Certain systems or devices inherently pose a higher security risk, usually because they are connected either to the Internet or another external network.

  • External connections such as VPN endpoints are each isolated in their own segment to ensure if the remote system is compromised it has limited access into the target network.
  • Internet facing systems, such as web application servers, are placed in their own segment and isolated from the rest of the network as far as possible.
  • Customer contact centres routinely open large numbers of emails from external sources and so are at higher risk of inadvertently triggering a malware payload; their desktop systems are isolated in their own segment to stop an infection spreading to the rest of the network.
  • Guest WiFi networks are isolated from all internal systems and segments.

Topology of Segmentation

Unless the network is particularly simple or small, it will be a struggle to implement the required segmentation purely with physical connectivity or VLANs. Some applications need to be reachable from the whole network (email, for example), so internal firewalls are needed to implement more complex segmentation rules that allow specific traffic types on specific ports to flow between specific devices, with everything else denied by default.

If building a new network from scratch, a star (also known as hub and spoke) topology may be an effective approach: a central core firewall provides the segmentation and the rules that allow traffic to flow as needed, and each radiating spoke is its own network segment. Any traffic between two segments must pass through the core firewall. Where each spoke is a separate physical interface on the firewall rather than a VLAN sharing a trunk, this also removes the VLAN hopping risk described above.
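The following is an added example, not part of the original article, that models the zoning principles above (value, regulatory scope and risk zones) and the hub-and-spoke core firewall in one place: each zone hangs off its own firewall interface, inter-zone traffic is denied unless an explicit rule allows it, and a list of flows that a segregation test expects to be blocked is checked against the policy. The zone names, addresses, interface names and rules are invented for illustration, and the nftables text it emits is a starting point to review, not a ruleset to deploy as-is.

```python
"""
Zone-based segmentation policy for a hub-and-spoke core firewall.
Default deny between zones; same-zone traffic never reaches the firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Zone:
    name: str
    iface: str   # core firewall interface this spoke hangs off (hypothetical)
    cidr: str


@dataclass(frozen=True)
class Rule:
    src: tuple   # zone names allowed to initiate the connection
    dst: str     # destination zone name
    proto: str   # "tcp" or "udp"
    port: int


# Constructed example zones: value zones (hr_db, mail, intranet), a risk zone
# (iot, guest_wifi) and universally reachable services (core_services).
ZONES = [
    Zone("staff", "eth1", "10.10.0.0/16"),
    Zone("intranet", "eth2", "10.20.0.0/24"),
    Zone("mail", "eth3", "10.30.0.0/24"),
    Zone("hr_db", "eth4", "10.40.0.0/24"),
    Zone("iot", "eth5", "10.50.0.0/24"),
    Zone("guest_wifi", "eth6", "192.168.100.0/24"),
    Zone("core_services", "eth7", "10.60.0.0/24"),   # NTP, domain controllers
]
BY_NAME = {z.name: z for z in ZONES}

INTERNAL = ("staff", "intranet", "mail", "hr_db", "iot")   # everything but guests

RULES = [
    Rule(("staff",), "intranet", "tcp", 443),
    Rule(("staff",), "mail", "tcp", 443),          # webmail
    Rule(("staff",), "mail", "tcp", 993),          # IMAPS
    Rule(("intranet",), "hr_db", "tcp", 5432),     # only the app tier reaches the DB
    Rule(INTERNAL, "core_services", "udp", 123),   # NTP for every internal zone
    Rule(("staff",), "core_services", "tcp", 88),  # Kerberos to the DCs
    Rule(("staff",), "core_services", "tcp", 389), # LDAP to the DCs
    # guest_wifi and iot deliberately have no rules into other zones
]


def zone_of(ip: str):
    addr = ip_address(ip)
    for z in ZONES:
        if addr in ip_network(z.cidr):
            return z
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Decide whether a new connection would be permitted by the core firewall."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s is None or d is None:
        return False                     # unknown address space: default deny
    if s == d:
        return True                      # intra-segment traffic stays on the switch
    return any(s.name in r.src and r.dst == d.name
               and r.proto == proto and r.port == port for r in RULES)


def segregation_test(expected_blocked):
    """Return the flows in `expected_blocked` that the policy actually permits,
    i.e. findings a segregation test would report. Each flow is
    (src_ip, dst_ip, proto, port)."""
    return [f for f in expected_blocked if is_allowed(*f)]


def nftables_ruleset() -> str:
    """Render the policy as an nftables forward chain with a drop default."""
    lines = ["table inet core {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in RULES:
        dz = BY_NAME[r.dst]
        for sname in r.src:
            sz = BY_NAME[sname]
            lines.append(f'    iifname "{sz.iface}" oifname "{dz.iface}" '
                         f'ip saddr {sz.cidr} ip daddr {dz.cidr} '
                         f'{r.proto} dport {r.port} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    findings = segregation_test([
        ("192.168.100.20", "10.60.0.5", "udp", 123),   # guest -> NTP
        ("10.50.0.3", "10.10.5.7", "tcp", 445),        # iot -> staff desktop
        ("10.10.5.7", "10.40.0.10", "tcp", 5432),      # staff -> HR database
    ])
    print("unexpectedly permitted:", findings)
    print(nftables_ruleset())
```

The useful habit here is keeping the policy in one data structure and deriving both the enforcement (the ruleset) and the test expectations from it, so that a flow the segregation test finds open is either a deliberate rule you can point at or a gap between the model and what is actually deployed.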

An emerging technology that could make this easier in the near future is Software Defined Access (SDA). Flavours of it are appearing from the key players in enterprise networking, and all take the same fundamental approach of separating the network's control plane (where the rules live) from its data plane (where data is transmitted and received), so that segmentation policy can be defined centrally and pushed to the switches. However, as with any new technology, the risks and weaknesses of SDA are less well understood than those of the more traditional approaches.

Segmentation improves network performance

Segmentation can reduce congestion on the network, which helps overall stability and allows higher priority services and devices to be protected. Each segment is its own broadcast domain, so broadcast and multicast traffic stays local to it, and where segments run on separate physical links or switches their bandwidth is separated too. For example, the performance of transactional systems is not impacted by staff watching training videos when that traffic is contained in a different segment on different physical networking hardware.

With the ongoing risk of ransomware and data theft, network segmentation has never been more important; both to reduce the risk of malware worming itself quickly across the entire enterprise network and to protect the business’ most valuable data.

Advice on how to implement or improve Network Segmentation is one of the areas covered in our Internal Network Penetration Test.

cyber security, Security operations