Securing Your Network Through Segmentation
The concept of segmenting networks to enhance security is not new, but with the increase in cyberattacks and the scope of data breaches growing with every new disclosure, making it harder for adversaries to succeed should be considered a priority by all organizations. While segmenting a network can be a major effort that often competes with other priorities, if properly planned and designed it will not only help secure the infrastructure but also simplify operations and maintenance in the long run.
What is Network Segmentation?
Segmenting a network means splitting it into smaller network segments, creating zones or enclaves and separating users, computers, applications and data based on access needs or specific security requirements.
In the past, a traditional network would be considered “flat”: all users, workstations, printers and servers would be on the same network, making it easier to “talk” to one another and access all the system resources. However, this “trust” and ability to communicate without challenge is a dangerous vulnerability, as was demonstrated several years ago in the Target breach, where the HVAC system was compromised and the adversary was able to move laterally across the Target network.
Traditional networks are designed with a strong perimeter to keep adversaries and attackers out. Using firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and other security measures allows senior management to sleep at night. However, if an attacker does manage to get through the perimeter, they would find a nice flat network and have free rein to initiate a malicious attack or, worse, begin exfiltrating sensitive data and information.
Network segmentation makes it harder for an attacker to move laterally throughout your network; it also secures sensitive data and information by limiting access to only those users who need it. In addition, if a portion of the network is compromised, the damage can be contained to that smaller area.
Advantages of Network Segmentation
- Tighter Access Control – Allow users to access only specific network resources, based on their need to know.
- Improved Security – Network traffic can be isolated, limiting the type of traffic and where it can flow.
- Improved Containment – If a system is compromised, damage can be contained to the smaller area, minimizing the “blast radius”.
- Improved Performance – Smaller zones or subnets help minimize traffic and contain any broadcast traffic.
- Improved Monitoring and Troubleshooting – Problems can be quickly isolated and troubleshot more effectively.
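To make the access-control and containment points above concrete, here is an added example (not from the original article) that models inter-zone policy as a set of explicit allow rules and computes the “blast radius” an attacker would have from a given zone, comparing a flat network with a segmented one. The zone names, ports and rules are constructed for illustration only.

```python
from collections import deque

# Constructed zones for a small retail-style network (illustrative names only).
ZONES = ["users", "hvac", "pos", "servers", "printers"]

# Segmented policy: explicit allow rules as (src_zone, dst_zone, tcp_port).
# Anything not listed is denied by default.
SEGMENTED_POLICY = {
    ("users", "servers", 443),    # users reach the application front end only
    ("users", "printers", 9100),  # users print; printers initiate nothing
    ("hvac", "servers", 443),     # HVAC controller reports to one management server
    ("servers", "pos", 8443),     # back-end talks to POS on a single application port
}

# A flat network has no enforcement between zones: any zone reaches any other on any port.
FLAT_POLICY = {(s, d, None) for s in ZONES for d in ZONES if s != d}


def is_allowed(policy, src, dst, port):
    """True if the policy permits traffic from src zone to dst zone on port (None means any port)."""
    return any(s == src and d == dst and (p is None or p == port) for s, d, p in policy)


def blast_radius(policy, start):
    """Zones reachable from 'start' by following allowed flows transitively (lateral movement reach)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for s, d, _ in policy:
            if s == cur and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen - {start}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: HVAC -> POS on 8443 allowed? {is_allowed(policy, 'hvac', 'pos', 8443)}")
        for zone in ZONES:
            print(f"  blast radius from {zone}: {sorted(blast_radius(policy, zone))}")
```

Note that the segmented policy still lets a compromised HVAC zone reach POS indirectly through the server zone, which is exactly the kind of transitive path a segmentation review should surface and tighten.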
Segmenting a network and managing it effectively introduces a different way of thinking; however, it also presents the ability to more effectively secure the critical assets, data, users and systems of an organization. If the concept of segmentation is embraced, properly designed and documented, it can be a great benefit for any organization.