In this post, I’m going to show you how you can make your network more resilient to attacks like ransomware.
In fact, you can stop hackers dead in their tracks.
We’re going to discuss network segmentation.

So, what is network segmentation?
Network segmentation is an approach for dividing a computer network into smaller networks or zones to reduce the amount of communication between devices. Segmenting a network can be accomplished both physically and virtually. It is beneficial for reducing congestion, improving performance and enhancing security.

Network Segmentation Overview

Network segmentation is an effective way to limit how devices on your network can interact.
You see:
There’s really no reason why a device should be able to communicate with every other device on the network.
Your desktop computer, for example, shouldn’t be able to communicate with every other computer, printer, and smart device on your network.
There are so many ways that could go wrong.
Many small and medium-sized companies that we test fail to implement segmentation.

You may not realize it, but your local area network (LAN) is actually already separated to some extent.
An IPv4 network subnet has a range of 256 IP addresses – with one reserved for the gateway and another for broadcasting messages.
This means that only 254 devices can communicate on a standard IPv4 network.
For two network segments to communicate, they must route traffic through a router or a layer 3 switch (a switch capable of routing between subnets like a router would).
However, 254 devices is typically still way too many devices.
Take broadcast messages as an example.
If you have 254 devices sending out broadcast messages, that’s a lot of unnecessary traffic that your computers have to read and process.

But, if you segment your network so that only 15 devices are on the segment, you’ve reduced broadcast messages by 85%.

NIST & PCI network segmentation guidance

Segmentation isn’t just a best practice that security practitioners suggest.
Leading security frameworks endorse and require it.
In 2016, NIST published Special Publication 800-125B, which outlined secure network configurations as a way to protect virtual machines.
The guidance focuses on segmentation for protecting virtual machines, but it still makes an important point around segmentation.
Network segmentation is a preliminary step for a defense-in-depth network security strategy.

The PCI security standards also published guidance on segmentation.
Under PCI, organizations are required to segment the Cardholder Data Environment (the network where credit card transactions occur) from other corporate networks.

Network Segmentation Methods

The two main methods for segmenting a network are physical and virtual.
Physical segmentation does just what the name implies – network segments are separated physically.
Usually, this is done by a router.

In this example, two buildings on a campus have their networks physically separated.
Physical network segmentation can be very expensive though.
Think about your own small business.
If you were to segment your network based on departments, how many routers would you have to buy, configure, and implement?
One for HR, shipping, accounting…
That is why virtual network segmentation is the better choice for most organizations.

Virtual network segmentation uses network technology to create network segments.
This is usually done with virtual local area networks (VLAN).
In short, VLANs add a special tag to network packets that identifies which VLAN they belong to.

This allows you to have all of the benefits of segmentation without having to use physical devices.
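The tag described above is the 4-byte IEEE 802.1Q header. The following is an added example, not code from the original post: it inserts and parses that tag and shows that a switch floods a broadcast only to ports in the same VLAN. The port names, VLAN IDs and sample frame are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the destination and source MAC addresses."""
    if not 1 <= vid <= 4094:      # 0 and 4095 are reserved VLAN IDs
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must be 0-7")
    tci = (pcp << 13) | vid       # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN ID (None if untagged), priority and inner EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp = tci & 0x0FFF, tci >> 13
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "vlan": vid, "pcp": pcp, "ethertype": ethertype}

def egress_ports(frame: bytes, port_vlans: dict, ingress: str) -> list:
    """Ports a broadcast is flooded to: members of the frame's VLAN only."""
    vlan = parse_frame(frame)["vlan"]
    return sorted(p for p, v in port_vlans.items() if v == vlan and p != ingress)

# Constructed sample: untagged broadcast IPv4 frame header plus dummy payload
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"
# Hypothetical switch: port name -> VLAN ID
PORT_VLANS = {"gi1": 10, "gi2": 10, "gi3": 20, "gi4": 30}

if __name__ == "__main__":
    tagged = add_vlan_tag(UNTAGGED, vid=10)
    print(parse_frame(tagged))
    print(egress_ports(tagged, PORT_VLANS, ingress="gi1"))
```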


Designing network segments

If you are planning to implement segmentation, you need to plan the segments you want before you begin configuring them.
Here are some segments that you may want to think about:

Demilitarized Zones (DMZs)

DMZs are subnets or segments used for containing services that must communicate with the internet.
Usually servers like email, websites, FTP, or any publicly accessible devices are put in this zone.

Traffic from the DMZ to the LAN is restricted.

Guest wireless networks

Many companies have guests visit that want to use the company’s WiFi.
This is fine, but there is usually no reason for them to access anything on your company’s network.
The same is true for your employees’ personal devices – phones, tablets, watches, etc.
You should consider having a segmented guest network for these cases.

IT management network

A lot of times, administrative workstations and those used by the IT department require elevated privileges and more applications.
This puts the devices at greater risk.
Segmenting these devices is a great way to mitigate that risk.
Note: we once took down an entire organization during a penetration test because we found an IT workstation that had complete access to their network.

VoIP networks

Phone systems typically work better without the interference of other network devices.
Settings like Quality of Service (QoS) can help with that, but complete segmentation has security benefits.
A lot of VoIP phones don’t support network authentication protocols.
Attackers can use these phones’ access to the network to bypass security controls.

Industrial control systems

There’s been a lot of talk in recent years about the vulnerabilities in industrial control systems.
They weren’t designed with security at the forefront of concerns and are present in so many ways.
It’s a frightening vulnerability.
Segmentation of these systems is a must-do, especially in manufacturing or power and water facilities.
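One way to write the segments listed in this section down as a default-deny inter-zone policy and check flows against it. This is an added example, not from the original post; the address ranges, allow rules and function names are hypothetical.

```python
import ipaddress

# Zone names follow the segments above; the CIDR ranges are constructed.
ZONES = {
    "dmz":   ipaddress.ip_network("10.0.10.0/28"),
    "guest": ipaddress.ip_network("10.0.20.0/24"),
    "it":    ipaddress.ip_network("10.0.30.0/28"),
    "voip":  ipaddress.ip_network("10.0.40.0/24"),
    "ics":   ipaddress.ip_network("10.0.50.0/28"),
    "lan":   ipaddress.ip_network("10.0.60.0/24"),
}

# Hypothetical allow-list of (source zone, destination zone, TCP port).
# Anything not listed is denied at the router or layer 3 switch.
ALLOW = {
    ("lan", "dmz", 443),
    ("it", "dmz", 22),
    ("it", "lan", 3389),
    ("it", "ics", 443),
    ("lan", "voip", 5060),
}

def zone_of(ip: str):
    """Map an address to its zone name, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default deny: a cross-zone flow passes only if explicitly listed."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False              # unknown address: deny
    if s == d:
        return True               # same segment, never crosses the filter
    return (s, d, port) in ALLOW

def reachable_zones(zone: str) -> list:
    """Zones a host in `zone` can open connections into, itself included."""
    return sorted({zone} | {d for s, d, _ in ALLOW if s == zone})

if __name__ == "__main__":
    for z in ZONES:
        print(z, "->", reachable_zones(z))
```

Running it prints each zone's reach: the guest segment reaches only itself, while the IT management segment reaches several zones, which is why it deserves the tightest controls.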

Benefits of network segmentation

As we touched on previously, network segmentation is beneficial in a few ways – usability and security.
For usability, your systems don’t have to work nearly as hard when they operate within a zone.
They’ll receive fewer broadcast messages to process and you will get better performance overall.
This improved performance can sometimes be quite noticeable when you have VoIP systems.

Security benefits of segmenting your network

Creating network zones or segments has profound security benefits.
Speaking from an attacker’s perspective, when we do a test on a site with segmentation in place, it is much more difficult.
If an attacker is able to gain access to a “flat” network, they can access every system they want to.
When they are in a segmented network, on the other hand, they have to work to find a route to other systems.
This gives you more time to find them before they can do serious damage.
Additionally, you will get the ability to quickly isolate attacks (think ransomware), better access control, and better monitoring.
In fact, network segmentation is such a powerful security strategy that it is one of the pillar concepts in the Zero Trust architecture that is changing the way we think about cybersecurity.

Conclusion

Network segmentation is a must-do step in securing your network environment.
It’s one part of the defense-in-depth strategy that you must implement if you hope to withstand today’s attackers.
There are numerous benefits for both performance and security.
