Network Segmentation
A Key Layer of Your Organization’s Defense
What Is Network Segmentation?
“Network segmentation” refers to the logical, and sometimes physical, separation of IT assets and resources – such as data, applications, servers, and users. Properly isolating a flat network into segments significantly reduces the size of the attack surface by limiting the IT assets that are accessible from each segment. The resources connected to a network segment, regardless of their nature – physical, virtual, or human – are prevented from interacting with (or even being “seen” by) resources on other network segments. At its most fundamental level, network segmentation creates and maintains logically grouped subsets of resources that are isolated from all other, implicitly untrusted, groups, even when those other groups are part of the same business organization.
Why is Network Segmentation Important?
It Safeguards Your Assets and Helps Maintain Confidentiality of Data
Emerging information about recent security breaches illustrates the critical role network segmentation has in protecting an organization’s IT assets. Network segmentation allows you to isolate and apply segment-specific network access policies and restrictions to your various applications, systems, medical devices, and users. For example, this could include PCI/CDE (credit card) information, CUI/ITAR data (Department of Defense-related materials), ePHI (electronic medical health records), or even internal company finances and HR records. Network segmentation enables organizations to apply more granular controls to specific data classifications in order to limit potential exposure and reduce risk. The ultimate goal of network segmentation is to protect your most sensitive data from unauthorized access or disclosure.
The benefits of network segmentation are clear:
- By developing a network segmentation policy that limits the scope of potential attacks on the corporate network, organizations can dramatically reduce their risk exposure.
- Implementing network segmentation can also help to improve network performance and reliability by isolating resource-intensive applications and services from those that are less critical.
- Organizations can more easily manage compliance-related data-access controls by placing different types of data on isolated segments.
- Network segmentation can also help to improve security visibility and incident response times by isolating compromised systems from the rest of the network.
- Finally, properly implemented network segmentation can be a powerful tool for containing data breaches within specific areas of the network, limiting the possibility of data exposure.
The Risks of a Flat Network
In environments where network segmentation is not practiced, the organization’s entire network is the potential attack surface. In a “flat network”, an individual with malicious intent needs only to compromise a single device on the network. That device becomes a launchpad from which the entire network can be attacked. Once inside, the attacker can “see” and access all other network-attached devices. On a segmented network, only the devices, services, applications, data, or users on that particular segment are reachable, whether by an authorized user or, in the case of a breach, by an unauthorized one.
Understanding Segmentation
The use of firewalls, routers, and switches to logically separate a network into segments is the most common form of network segmentation. Each device on a network can be assigned to one or more segments, depending on its function and role in the organization. For example, servers might be grouped into one segment according to the data they host, while user workstations are placed in another according to the users’ need-to-know status.
With proper network segmentation in place, an attacker cannot move across the network in an uninhibited manner, because restrictive access control lists and other policies limit or prevent interaction between segments. Within a properly segmented and controlled network, should a malicious actor breach a DMZ (public-facing) server, they would be unable to access sensitive data and systems isolated within the most protected segments without first breaching multiple other devices in their path. Those sensitive IT assets would remain protected behind additional layers of firewalls and security controls. Ultimately, network segmentation plays a key role, if not the most important role, in ensuring that your confidential data remain confidential.
For Many IT Compliance Mandates, It Is A Requirement
If your organization is required to comply with cybersecurity mandates, proper network segmentation is likely not optional; it is almost certainly required. As breaches continue to occur, and as malicious actors continue to successfully social engineer organizations, regulatory bodies continue to increase the number and types of cybersecurity requirements.
Here are a few of the mandates and regulations that require network segmentation:
- NIST SP 800-53 Rev
- NIST SP 800-171
- NIST Cybersecurity Framework (CSF)
- Cybersecurity Maturity Model Certification (CMMC)
- International Traffic in Arms Regulations (ITAR)
- Defense Federal Acquisition Regulation Supplement (DFARS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS Compliance)
These are just a few examples, and it is important to check with your specific compliance body for its requirements, as they can change at any time. But one thing is certain: if your network is not segmented, you are missing a critical component of your network security plan.
How is Network Segmentation Achieved?
The first step in any network segmentation effort should be an inventory and classification of all IT assets and the data that they contain. This should be followed by a risk assessment of those assets (physical and virtual). The organization will also need to assess the access requirements of each individual or personnel role within the company. This is a key step to ensure that access to segments is granted on a need-to-know and need-to-access basis, thereby ensuring the integrity of each segment and further reducing the attack surface. This also helps reduce social engineering risks by ensuring that only properly trained staff have access to the most sensitive resources. In all, these steps are crucial to ensuring that the logical resource groupings, which will make up the segments, are accurate in their lines of separation and that there are no “bleed points” through which sensitive data could be lost.
The temptation to skip these early steps is often driven by a desire to “become compliant” sooner, to demonstrate faster forward progress, or to relieve the discomfort of feeling overwhelmed by the task at hand. Yet, it is impossible to properly segment a network without first understanding the network composition in its entirety. By dedicating the necessary resources to the inventory and risk assessment steps, an organization can expect a smoother transition to an effectively segmented network.
Once the inventory and classification process is complete, the organization will need to define one or more DMZs. The DMZ is a key part of network segmentation as it provides a secure area between the public Internet and the internal, protected networks. The DMZ should be used to host systems that are accessible from the public Internet but should not store any confidential or sensitive data. This could include web servers, email servers, and other systems that are used to deliver public-facing content and services.
From the DMZ, Access Control Lists (ACLs) can be created to govern connections to the other network segments, providing access only to the resources that are required by the users and roles within the organization.
For each network segment, ACLs can be based on IP addresses, network protocols, or even application layer data. The key is that the ACLs are tailored to the specific needs of the organization and the data that is being protected.
Once the ACLs are in place, continuous monitoring and enforcement are essential to ensure that access remains restricted to authorized users only. This is where a good Security Information and Event Management (SIEM) solution can be valuable, as it can help to quickly detect any unauthorized activity on the network.
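To make the segment, DMZ, ACL and monitoring steps above concrete (and the cross-segment restriction described under “Understanding Segmentation”), here is an added, self-contained Python example that is not part of the original article or any vendor product: it models four segments with constructed, hypothetical address ranges, a default-deny ACL keyed on segment, protocol and port, and a SIEM-style audit that flags flow records violating that ACL.

```python
import ipaddress
# Constructed example addressing (hypothetical): segment name -> CIDR block.
SEGMENTS = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),   # public-facing web/mail servers
    "users": ipaddress.ip_network("10.10.0.0/16"),   # workstations
    "app": ipaddress.ip_network("10.20.0.0/16"),     # internal application tier
    "pci": ipaddress.ip_network("10.30.0.0/24"),     # cardholder data environment
}

# Explicit allow list between segments as (src, dst, proto, dst_port).
# Any cross-segment flow not listed here is denied (default deny).
ACL = {
    ("dmz", "app", "tcp", 8443),   # web tier may call the app-tier API only
    ("users", "app", "tcp", 443),  # workstations reach internal apps over HTTPS
    ("app", "pci", "tcp", 5432),   # only the app tier may reach the cardholder DB
}

def segment_of(ip):
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def evaluate(src_ip, dst_ip, proto, port):
    """Return ('allow' | 'deny', src_segment, dst_segment) for a single flow."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", src, dst          # unknown address: fail closed
    if src == dst:
        return "allow", src, dst         # intra-segment traffic, left to host controls
    verdict = "allow" if (src, dst, proto, port) in ACL else "deny"
    return verdict, src, dst

def audit(flow_lines):
    """Run the ACL over flow records ('src dst proto port'), returning the denied ones."""
    alerts = []
    for line in flow_lines:
        src_ip, dst_ip, proto, port = line.split()
        verdict, src, dst = evaluate(src_ip, dst_ip, proto, int(port))
        if verdict == "deny":
            alerts.append(f"{src or '?'} -> {dst or '?'} {proto}/{port} ({src_ip} -> {dst_ip})")
    return alerts

# Constructed sample flow records, not real traffic.
FLOWS = [
    "203.0.113.10 10.20.1.5 tcp 8443",  # dmz -> app API: permitted
    "203.0.113.10 10.30.0.8 tcp 5432",  # dmz -> cardholder DB: violation
    "10.10.4.22 10.30.0.8 tcp 5432",    # workstation -> cardholder DB: violation
    "10.20.1.5 10.30.0.8 tcp 5432",     # app -> cardholder DB: permitted
    "10.10.4.22 10.10.9.3 tcp 445",     # inside the user segment: not an ACL matter
]
```

Calling `audit(FLOWS)` returns the two violating flows; in practice the same logic would run as a SIEM correlation rule over exported firewall or NetFlow records, with the ACL table generated from the firewall configuration rather than hand-written.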
Network segmentation is one of the most important steps that an organization can take to improve its network security. By properly inventorying and classifying its IT assets, an organization can add a layer of security by restricting access to those assets on a need-to-know basis. By adding a DMZ and ACLs, the organization can further reduce its risk by separating public-facing systems from the internal, protected networks. And, by using a SIEM solution, organizations can quickly detect any unauthorized activity on the network.