Network segregation divides a network into smaller parts, called subnetworks or network segments. Think of it as dividing a new house into rooms: the decisions that deserve the most thought are how much space each room gets, where it sits relative to the others, and what it is for.
Getting back to the real work of network segregation: in most cases when you need to segregate, you are dealing with the security of your network. The main purpose of segregation is to limit the parts of the network that a group of users or a particular device can reach. Besides making sure that valuable information is not exposed to unauthorized parties, segregation also limits the damage that ransomware or other malware can do once it is inside.
Why is network segregation and segmentation so important?
Segregation’s importance has been emphasized a lot in the last few years, especially in light of major incidents such as the Marriott and Equifax breaches and the WannaCry outbreak. But how does network segregation stop malware? If your initial defenses against a virus or ransomware attack are penetrated, segregation lets you contain the malware in the segment where it landed and stop it before it reaches the network’s core. That way, your organization’s IT team can limit the breach to a single host or segment and gain the time needed to intervene manually.
An attacker will often try to connect directly from an already compromised host to other, more valuable hosts. According to the Australian Cyber Security Centre, once an attacker has breached a workstation, he or she typically tries to open a remote desktop session to a server, map a network share, or use legitimate network administration tools in order to access sensitive information or execute malicious code on that server.
Well-planned and well-implemented network segregation and segmentation are therefore key to preventing such attacks. Practical measures include configuring servers to restrict file sharing, disabling remote desktop connections where they are not needed, and restricting which remote hosts a server is allowed to communicate with at all.
5 Best Practices of Network Segmentation Implementation
There are five best practices for successfully implementing network segmentation and segregation, regardless of the technologies that you choose:
1. Network Layers
It is highly recommended that you apply segmentation technologies at more than just the network layer. Each host and network should be segregated and segmented down to the smallest level that is practically manageable. This strategy applies from the data link layer up to (and including) the application layer. In cases involving particularly sensitive information, physical isolation may be appropriate as well. Finally, these protective network measures should be monitored centrally and continuously.
2. Least Privilege Principle
If a host, network or service does not need to communicate with another host or network, it should not be allowed to. Likewise, if a host or network needs to “talk” to another service or network using a specific protocol and nothing else, it should be restricted to exactly that protocol. Applying this principle to your network complements the minimization of user privileges and improves your organization’s overall security posture.
3. Separate Hosts and Networks
Separating networks and hosts based on the criticality of the business operations they support is also a wise move. This can include running different platforms for different security classifications and security domains. Also consider separating management networks from the networks they manage, and physically isolating “out of band” management networks for particularly sensitive environments.
4. Zooming in on the Authorization Process
No user, host or service should have access to every other user, host and service by default. Access should be restricted to what each of them requires to perform their assigned duties and responsibilities, and granted only after authentication and authorization. Anyone who bypasses or breaches the authentication and authorization rules should be closely monitored and disabled if necessary.
5. Network Traffic Whitelisting
Allow only legitimate network traffic that has been authenticated and authorized, rather than trying to deny known-bad traffic or block individual services. This approach produces a more effective security policy than blacklisting, and it also improves your organization’s ability to detect and mitigate potential network breaches, because anything that falls outside the allow-list is immediately suspicious.
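To make practices 2 and 5 concrete, here is an added example, written for this article and not taken from the original text or from any vendor, that models a zone-based, default-deny policy in Python. The zone names (guest_wifi, office, finance_servers, mgmt), their address ranges and the permitted flows are all constructed for illustration. The flow check, the blast-radius audit and the rendered nftables ruleset are all generated from the same allow-list, so the written policy and the enforced policy cannot drift apart. It also exercises the financial-reporting scenario from the conclusion: the guest Wi-Fi cannot reach the reporting servers at all, and the office network reaches them only on the single port the reporting application needs.

```python
"""Zone-based, default-deny segmentation policy.

Added example, not from the original article. Zone names, address ranges
and allowed flows are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed zones (assumed addressing).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "guest_wifi":      ipaddress.ip_network("192.168.100.0/24"),
    "office":          ipaddress.ip_network("10.10.0.0/16"),
    "finance_servers": ipaddress.ip_network("10.20.5.0/24"),
    "mgmt":            ipaddress.ip_network("10.99.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One permitted inter-zone flow: src zone -> dst zone on proto/dport."""
    src_zone: str
    dst_zone: str
    proto: str  # "tcp" or "udp"
    dport: int


# The allow-list. Anything not listed here is denied (practice 5), and each
# entry grants exactly one protocol/port rather than "any" (practice 2).
ALLOW: List[Rule] = [
    Rule("office", "finance_servers", "tcp", 443),  # HTTPS front end of the reporting app
    Rule("mgmt", "finance_servers", "tcp", 22),     # SSH administration from the management network only
    Rule("mgmt", "office", "tcp", 3389),            # RDP to workstations from the management network only
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide a new connection. Unknown zones and unlisted flows are denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False          # default deny for address space we do not own
    if src == dst:
        return True           # this model only filters traffic crossing a zone boundary
    return Rule(src, dst, proto.lower(), dport) in ALLOW


def reachable_from(dst_zone: str) -> Set[str]:
    """Blast-radius audit: which zones can open any connection into dst_zone?"""
    return {r.src_zone for r in ALLOW if r.dst_zone == dst_zone}


def to_nftables(rules: List[Rule]) -> str:
    """Render the allow-list as an nftables forward chain with a drop policy.

    Established/related traffic is accepted so replies to permitted
    connections flow; only new connections are matched against the list.
    """
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(
            f"    ip saddr {ZONES[r.src_zone]} ip daddr {ZONES[r.dst_zone]} "
            f"{r.proto} dport {r.dport} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed connection attempts, as an attacker on the guest Wi-Fi or on
    # a compromised office workstation might make them.
    attempts = [
        ("192.168.100.23", "10.20.5.10", "tcp", 443),   # guest -> finance HTTPS
        ("10.10.4.7", "10.20.5.10", "tcp", 443),        # office -> finance HTTPS
        ("10.10.4.7", "10.20.5.10", "tcp", 445),        # office -> finance SMB (share mapping)
        ("10.10.4.7", "10.20.5.10", "tcp", 3389),       # office -> finance RDP
        ("10.99.0.5", "10.20.5.10", "tcp", 22),         # mgmt -> finance SSH
    ]
    for a in attempts:
        verdict = "ALLOW" if is_allowed(*a) else "DENY"
        print(f"{a[0]:>15} -> {a[1]}:{a[3]}/{a[2]}  {verdict}")
    print("zones that can reach finance_servers:", sorted(reachable_from("finance_servers")))
    print(to_nftables(ALLOW))
```

The audit function is the part worth keeping in a real environment: before adding a rule, ask which zones can already reach the destination, and after a change, confirm the set is still what the business owner signed off on. Rendering the enforcement configuration from the same list is what turns the allow-list from documentation into the actual boundary.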
Benefits of Network Segmentation
- Enhanced Security – Network traffic can be isolated, and communication between network segments can be prevented.
- Improved Access Control – Users can be allowed to reach only the specific network resources they need.
- Improved Monitoring – Traffic crossing a segment boundary passes through a choke point where suspicious behavior can be detected and mitigated.
- Improved Performance – Fewer hosts per subnet means less local traffic, and a subnet confines broadcast traffic to that segment.
- Improved Containment – If a breach occurs, its direct effect is limited to the compromised segment.
The main point is that the more segmented your network is:
- the harder it can be for an attacker to breach your sensitive systems;
- the more time it takes to design/manage the internal network;
- the harder it can be to ensure that users can access all of the information they need.
In conclusion, comprehensive network segmentation is very important for organizations, especially in terms of mitigating potential attacks. A soundly segmented network divides your network into multiple zones and then rigorously controls and enforces policy on what is allowed to move from zone to zone. It is recommended that you have specific network segments for different purposes and keep inter-connectivity on a ‘need to access’ basis only. Take as an example the servers in your organization that are used for financial reporting: if they are reachable from your reception’s guest Wi-Fi, or even from the general office network, containing a data exfiltration incident becomes a complicated process, and the consequences for your business can be severe.
About the author
Ardian Berisha is a Senior Market Intelligence and Webinar Manager at PECB. He is in charge of conducting market research while developing and providing information related to ISO standards.