In this post, I’m going to show you how you can make your network more resilient to attacks like ransomware.
In fact, you can stop hackers dead in their tracks.
We’re going to discuss network segmentation.
So, what is network segmentation?
Network segmentation is an approach for dividing a computer network into smaller networks or zones to reduce the amount of communication between devices. Segmenting a network can be accomplished both physically and virtually. It is beneficial for reducing congestion, improving performance and enhancing security.
Network Segmentation Overview
Network segmentation is an effective way to limit how devices on your network can interact.
There’s really no reason why a device should be able to communicate with every other device on the network.
Your desktop computer, for example, shouldn’t be able to communicate with every other computer, printer, and smart device on your network.
There are so many ways that could go wrong.
Many small- and medium-sized companies that we test fail to implement segmentation.
You may not realize it, but your local area network (LAN) is actually already separated to some extent.
An IPv4 network subnet has a range of 256 IP addresses – with one reserved for the gateway and another for broadcasting messages.
This means that only 254 devices can communicate on a single subnet of that size.
For two network segments to communicate, they must route traffic through a router or a layer 3 switch (switches capable of communicating between subnets like a router would).
However, 254 devices is typically still way too many devices.
Take broadcast messages as an example.
If you have 254 devices sending out broadcast messages, that’s a lot of unnecessary traffic that your computers have to read and process.
But, if you segment your network so that only 15 devices are on the segment, you’ve reduced broadcast messages by 85%.
NIST & PCI network segmentation guidance
Segmentation isn’t just a best practice that security practitioners suggest.
Leading security frameworks endorse and require it.
In 2016, NIST published special publication 800-125B that outlined secure network configurations as a way to protect virtual machines.
The guidance focuses on segmentation for protecting virtual machines, but it still makes an important point around segmentation.
Network segmentation is a preliminary step for a defense-in-depth network security strategy.
The PCI security standards also published guidance on segmentation.
Under PCI, organizations are required to segment the Cardholder Data Environment (network where credit card transactions occur) from other corporate networks.
Network Segmentation Methods
The two main methods for segmenting a network are physical and virtual.
Physical segmentation does just what the name implies – network segments are separated physically.
Usually, this is done by a router.
In this example, two buildings on a campus have their networks physically separated.
Physical network segmentation can be very expensive though.
Think about your own small business.
If you were to segment your network based on departments, how many routers would you have to buy, configure, and implement?
One for HR, shipping, accounting…
That is why virtual network segmentation is the better choice for most organizations.
Virtual network segmentation uses network technology to create network segments.
This is usually done with virtual local area networks (VLAN).
In short, VLANs add a special tag to each Ethernet frame that identifies which VLAN the frame belongs to, and switches only deliver it to ports that are members of that VLAN.
This allows you to have all of the benefits of segmentation without having to use physical devices.
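To make that tag concrete, here is an added example (not code from the original post) that builds and parses an 802.1Q-tagged Ethernet frame in Python and models the allowed-VLAN check a trunk port applies; the MAC addresses and the `trunk_port_decision` helper are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_tagged_frame(dst_mac, src_mac, vlan_id, payload, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame with an 802.1Q tag inserted after the MAC addresses."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    # Tag Control Information: 3-bit priority, 1-bit DEI (0 here), 12-bit VLAN ID
    tci = (pcp << 13) | vlan_id
    tag = struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return _mac(dst_mac) + _mac(src_mac) + tag + payload


def parse_frame(frame):
    """Return (vlan_id, ethertype, payload); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]          # plain, untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]     # low 12 bits carry the VLAN ID


def trunk_port_decision(frame, allowed_vlans, native_vlan):
    """Model a trunk port (constructed helper): untagged frames are assigned to the
    native VLAN, and a frame is forwarded only if its VLAN is on the allowed list."""
    vlan_id, _, _ = parse_frame(frame)
    if vlan_id is None:
        vlan_id = native_vlan
    verdict = "forward" if vlan_id in allowed_vlans else "drop"
    return verdict, vlan_id
```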
Designing network segments
If you are planning to implement segmentation, you need to plan the segments you want before you begin configuring them.
Here are some segments that you may want to think about:
Demilitarized Zones (DMZs)
DMZs are subnets or segments used for containing services that must communicate with the internet.
Usually servers like email, websites, FTP, or any publicly accessible devices are put in this zone.
Traffic from the DMZ to the LAN is restricted.
Guest wireless networks
Many companies have guests visit that want to use the company’s WiFi.
This is fine, but there is usually no reason for them to access anything on your company’s network.
The same is true for your employees’ personal devices – phones, tablets, watches, etc.
You should consider having a segmented guest network for these cases.
IT management network
A lot of times, administrative workstations and those used by the IT department require elevated privileges and more applications.
This puts these devices at greater risk.
Segmenting these devices is a great way to mitigate that risk.
Note: we once took down an entire organization during a penetration test because we found an IT workstation that had complete access to their network.
VoIP phone systems
Phone systems typically work better without the interference of other network devices.
Settings like quality of service (QoS) can help with that, but complete segmentation also has security benefits.
A lot of VoIP phones don’t support network authentication protocols.
Attackers can use these phones’ access to the network to bypass security controls.
Industrial control systems
There’s been a lot of talk in recent years about the vulnerabilities in industrial control systems.
They weren’t designed with security as a primary concern, and they are present in so many places.
It’s a frightening vulnerability.
Segmentation of these systems is a must do, especially in manufacturing or power and water facilities.
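As an added example (not the author's code), here are the zones described above expressed as a default-deny inter-segment policy in Python; the subnets, port lists and sample flows are constructed values, and `is_allowed` stands in for the router or firewall rules that would enforce the policy.

```python
import ipaddress

# Segments named in the post; subnets are constructed sample values, not the
# author's. INTERNET is last because 0.0.0.0/0 matches any address.
SEGMENTS = {
    "LAN": ipaddress.ip_network("10.10.0.0/24"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "GUEST": ipaddress.ip_network("10.30.0.0/24"),
    "IT_MGMT": ipaddress.ip_network("10.40.0.0/24"),
    "VOIP": ipaddress.ip_network("10.50.0.0/24"),
    "ICS": ipaddress.ip_network("10.60.0.0/24"),
    "INTERNET": ipaddress.ip_network("0.0.0.0/0"),
}
# Explicit allows between zones: (source, destination) -> permitted destination
# ports, "*" meaning any. Every pair not listed is denied, which is what blocks
# DMZ -> LAN, GUEST -> LAN and anything but IT_MGMT -> ICS by default.
ALLOW = {
    ("LAN", "INTERNET"): {"*"},
    ("LAN", "DMZ"): {25, 443, 993},      # mail and web servers in the DMZ
    ("INTERNET", "DMZ"): {25, 80, 443},  # public services only
    ("GUEST", "INTERNET"): {80, 443},    # guests get web access, nothing internal
    ("IT_MGMT", "LAN"): {22, 3389},      # admin workstations on management ports
    ("IT_MGMT", "ICS"): {22},            # the only path into the control network
    ("LAN", "VOIP"): {5060},             # SIP signalling toward the phone segment
}

def zone_of(ip):
    """Map an address to the first segment whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    raise ValueError(f"unmapped address {ip}")

def is_allowed(src_ip, dst_ip, dst_port):
    """Decide whether the inter-segment router/firewall should forward a flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "INTERNET":
        return True  # same segment: switched locally, never reaches the router
    permitted = ALLOW.get((src, dst), set())
    return "*" in permitted or dst_port in permitted

def denied_flows(flows):
    """Return the (src, dst, port) flows the policy would block."""
    return [f for f in flows if not is_allowed(*f)]

# Constructed sample flows: LAN->DMZ web, DMZ->LAN SMB, guest->LAN, phone->ICS.
SAMPLE_FLOWS = [("10.10.0.7", "10.20.0.5", 443), ("10.20.0.5", "10.10.0.7", 445),
                ("10.30.0.9", "10.10.0.7", 80), ("10.50.0.3", "10.60.0.3", 502)]
```

Running `denied_flows` over a flow export captured on the current flat network is a quick way to see which existing traffic the planned segments would cut off before you configure them.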
Benefits of network segmentation
As we touched on previously, network segmentation is beneficial in two ways: usability and security.
For usability, your systems don’t have to work nearly as hard when they operate within a zone.
They’ll receive fewer broadcast messages to process, and you will get better performance overall.
This improved performance can sometimes be quite noticeable when you have VoIP systems.
Security benefits of segmenting your network
Creating network zones or segments has profound security benefits.
Speaking from an attacker’s perspective, when we do a test on a site with segmentation in place, it is much more difficult.
If an attacker is able to gain access to a “flat” network, they can access every system they want to.
When they are in a segmented network, on the other hand, they have to work to find a route to other systems.
This gives you more time to find them before they can do serious damage.
Additionally, you will get the ability to quickly isolate attacks (think ransomware), better access control, and better monitoring.
In fact, network segmentation is such a powerful security strategy that it is one of the pillar concepts in the Zero Trust architecture that is changing the way we think about cybersecurity.
Network segmentation is a must-do step in securing your network environment.
It’s one part of the defense-in-depth strategy that you must implement if you hope to withstand today’s attackers.
There are numerous benefits for both performance and security.