Co-authors: SureCloud’s Managing Cybersecurity Consultant Chris Hembrow and Senior Cybersecurity Consultant Nick Spencer.
What is Network Segmentation?
Segmentation is the practice of dividing or separating something into different parts or sections. In the case of IT systems, this typically involves splitting a network into sub-networks, where each is a separate network segment. Segmented networks can be isolated from each other, which increases the network’s security.
Our Network Segmentation Series describes the different types of segmentation, their benefits to business and enterprise risk management, and the appropriate controls to maximise the security they provide.
The international ISO 27002 security standard says of network segmentation:
“One method of managing the security of large networks is to divide them into separate network domains. The domains can be chosen based on trust levels (e.g., public access domain, desktop domain, server domain), along with organizational units (e.g., human resources, finance, marketing) or some combination (e.g., server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g., virtual private networking).
“The perimeter of each domain should be well-defined. Access between network domains is allowed but should be controlled at the perimeter using a gateway (e.g., firewall, filtering router). The criteria for segregation of networks into domains and the access allowed through the gateways should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the access control policy, access requirements, value and classification of information processed, and also take account of the relative cost and performance impact of incorporating suitable gateway technology.
“Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls policy before granting access to internal systems.
“The authentication, encryption, and user-level network access control technologies of modern, standards-based wireless networks may be sufficient for direct connection to the organization’s internal network when properly implemented.”
The key takeaway is that network segments, or “domains”, should be chosen according to access requirements and risk levels so that they provide an adequate level of security to the network. The domains that we will cover in our Network Segmentation Series are:
- Untrusted and Public Networks
- Wide Area Networks (WAN)
- Local Area Networks (LAN)
- Wireless Networks
Segmentation of Untrusted and Public Networks
Traffic from untrusted networks, including the public Internet and third parties (such as clients), should be segregated from an organisation’s corporate network. Segregating in this way isolates the untrusted traffic in a dedicated network segment, limiting the systems it can reach and reducing the threat from these sources.
We achieve this security through a De-Militarised Zone (DMZ) – a network isolated from all other networks through firewall appliances or similar.
Traffic should only be permitted to enter the DMZ network from authorised sources to specific targets, and traffic should only be allowed to leave the DMZ network to reach authorised destinations. Reducing the number of reachable systems reduces the scope of an attack.
We can think of a network as a series of concentric rings, with the DMZ as the outer ring. Each inner layer has a higher trust level, and access between each ring is restricted by an access control policy and managed by suitable security appliances.
If more than one different untrusted network terminates inside a DMZ, these should also be isolated from each other to prevent an attack from crossing these networks.
For example, a DMZ can terminate connections from the public Internet and from several different trusted clients. An organisation must not allow an attack from the Internet or from one of these networks to propagate either to the internal corporate network or to the other networks within the DMZ. Allowing an attacker to connect from a corporate connection into a client’s network could lead to reputational and financial damage to the organisation, whether from direct costs imposed by an affected client or indirectly through loss of business.
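The concentric-ring model above (default deny, explicit allow rules at each ring boundary, and isolation between the untrusted networks that terminate in the DMZ) can be written down and checked rather than left as a diagram. The following is an added example written for this article, not SureCloud's tooling or code from the page; the zone names, trust levels and rules are constructed. It evaluates flows against an explicit allow-list, audits the rule set for two segmentation violations (two ring-0 networks reaching each other, and a rule that jumps more than one ring inward), and computes the "blast radius" of a compromised zone by following permitted flows.

```python
"""Toy model of concentric-ring segmentation with a DMZ.

Added example; not SureCloud's tooling. Zone names, trust levels and the
sample rules below are constructed for illustration.
"""
from dataclasses import dataclass

# Trust rings: lower number = less trusted (outer ring). Ring 0 holds the
# Internet and the third-party (client) connections that terminate in the DMZ.
TRUST = {
    "internet": 0,
    "client_a": 0,
    "client_b": 0,
    "dmz_web": 1,
    "dmz_client_gw": 1,   # DMZ hosts that talk to client networks
    "corp_lan": 2,
    "cardholder": 3,      # most sensitive ring (constructed name)
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Explicit allow-list; any flow not listed here is denied.
RULES = [
    Rule("internet", "dmz_web", 443),
    Rule("dmz_web", "corp_lan", 5432),     # web tier to an internal database, one port
    Rule("client_a", "dmz_client_gw", 22),
    Rule("client_b", "dmz_client_gw", 22),
    Rule("corp_lan", "dmz_web", 22),       # administration from inside to the outer ring
]


def is_allowed(src, dst, port, proto="tcp", rules=RULES):
    """Default deny: a flow is permitted only if an explicit rule matches it."""
    return any(r.src == src and r.dst == dst and r.port == port and r.proto == proto
               for r in rules)


def audit(rules=RULES, trust=TRUST):
    """Flag rules that contradict the ring model:
    - a flow between two different untrusted (ring 0) segments, which must stay isolated;
    - a flow initiated from an outer ring that skips a ring on its way inward."""
    findings = []
    for r in rules:
        s, d = trust[r.src], trust[r.dst]
        if s == 0 and d == 0 and r.src != r.dst:
            findings.append(f"{r}: untrusted segments must not reach each other")
        if d - s > 1:
            findings.append(f"{r}: skips a trust ring ({r.src} ring {s} -> {r.dst} ring {d})")
    return findings


def blast_radius(start, rules=RULES):
    """Zones an attacker could pivot into from a compromised zone by following
    permitted flows. This is the 'scope of an attack' the rule set leaves open."""
    seen, todo = set(), [start]
    while todo:
        zone = todo.pop()
        for r in rules:
            if r.src == zone and r.dst != start and r.dst not in seen:
                seen.add(r.dst)
                todo.append(r.dst)
    return seen


if __name__ == "__main__":
    print("audit findings:", audit() or "none")
    for zone in ("internet", "client_a"):
        print(f"compromise of {zone} can reach:", sorted(blast_radius(zone)))
```

With the constructed rules the audit passes, yet the blast radius of an Internet-facing compromise still includes the corporate LAN, because the web tier is allowed one port into it. That is the point of running both checks: the per-rule audit catches rules that break the ring model outright, while the reachability check shows what an attacker who takes the outer ring can still reach through the rules you did permit, which is where hardening and monitoring effort belongs.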
In 2013, the US retailer Target suffered a breach from a third-party, non-IT vendor connection that had remote access to Target’s network. The attackers were able to use this connection to gain access to the wider Target network and eventually to the credit card data processing systems.
Network Segmentation Across Internal System Trust Levels
It is common to find systems within a DMZ that operate at different security or trust levels. These should be isolated to prevent an attack or infection from spreading between them.
For example, a DMZ might host both production and development web servers. As development servers may be less securely configured than production servers, these must be isolated from each other to prevent any compromise from spreading beyond the development environment into production systems.
VLANs and Firewalls
VLANs can provide an adequate level of segmentation between the trust domains within a DMZ, provided that they are non-routable by default (except where expressly permitted) and that any routing between them is controlled by security appliances such as a firewall or a combined firewall/router device.
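"Non-routable by default, except where expressly permitted, and controlled by a firewall" is easiest to get right when the permitted inter-VLAN flows are kept as a short allow-list and the firewall configuration is generated from it. The following added example (written for this article; not from SureCloud, Cisco or the nftables project) does that for the dev/production and client-to-client isolation cases discussed above. The VLAN sub-interface names, zone names and flows are constructed; it validates the allow-list against pairs that must stay isolated, then renders an nftables forward chain whose policy is drop, so only the listed flows are routed between VLANs.

```python
"""Render an explicit inter-VLAN allow-list into an nftables forward chain.

Added example, not from the article or from any vendor guide. The VLAN
sub-interface names, zone names and permitted flows are constructed.
"""

# One VLAN sub-interface on the firewall per DMZ trust domain (constructed).
VLANS = {
    "dmz_prod": "eth1.10",
    "dmz_dev": "eth1.20",
    "dmz_client_a": "eth1.30",
    "dmz_client_b": "eth1.31",
    "dmz_mgmt": "eth1.50",
}

# (source zone, destination zone, protocol, destination port).
# Every domain may send syslog to the management segment, and management may
# SSH into each domain. Nothing else is listed, so nothing else is routed.
PERMITTED = [
    ("dmz_prod", "dmz_mgmt", "udp", 514),
    ("dmz_dev", "dmz_mgmt", "udp", 514),
    ("dmz_client_a", "dmz_mgmt", "udp", 514),
    ("dmz_client_b", "dmz_mgmt", "udp", 514),
    ("dmz_mgmt", "dmz_prod", "tcp", 22),
    ("dmz_mgmt", "dmz_dev", "tcp", 22),
]

# Pairs the policy must never connect in either direction.
MUST_BE_ISOLATED = [("dmz_dev", "dmz_prod"), ("dmz_client_a", "dmz_client_b")]


def validate(permitted=PERMITTED, vlans=VLANS, isolated=MUST_BE_ISOLATED):
    """Reject flows that name unknown zones, stay inside one VLAN, or join a
    pair that is required to remain isolated."""
    problems = []
    for src, dst, proto, port in permitted:
        if src not in vlans or dst not in vlans:
            problems.append(f"unknown zone in {src}->{dst}")
        elif src == dst:
            problems.append(f"{src}->{dst}: intra-VLAN traffic never crosses the firewall")
        if (src, dst) in isolated or (dst, src) in isolated:
            problems.append(f"{src}->{dst} {proto}/{port} breaks required isolation")
    return problems


def render(permitted=PERMITTED, vlans=VLANS):
    """Emit an nftables table whose forward chain drops everything not listed.
    Return traffic for permitted flows is allowed statefully via conntrack."""
    problems = validate(permitted, vlans)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "table inet dmz_segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for src, dst, proto, port in permitted:
        lines.append(
            f'        iifname "{vlans[src]}" oifname "{vlans[dst]}" '
            f'{proto} dport {port} accept comment "{src} -> {dst}"'
        )
    lines += [
        '        log prefix "dmz-forward-drop " counter drop',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def routes(src, dst, permitted=PERMITTED):
    """(protocol, port) tuples the firewall would forward from src to dst."""
    return [(p, port) for s, d, p, port in permitted if s == src and d == dst]


if __name__ == "__main__":
    print(render())
```

The generated chain can be loaded with `nft -f` on a Linux firewall that owns the VLAN sub-interfaces. The logging rule at the end only records what the drop policy would discard anyway, but it gives the SOC evidence of attempted cross-segment movement, which is the detection counterpart to the preventive control.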
In an ideal configuration, the firewalls that isolate untrusted networks from a DMZ should be physically different from those that separate the DMZ from an organisation’s corporate network. This double layer helps ensure that a compromise or misconfiguration at one edge of the DMZ will not affect the other. It also makes a deliberate bypass harder to achieve, since both devices would have to be configured to permit it.
The Cisco SAFE Reference Guide states:
It is recommended that two separate firewalls are used to provide remote access functionality. Although a single pair of firewalls could be leveraged for both remote access and corporate access, it is a good practice to keep them separate.
Securing Guest Access
Guest access to an organisation’s network is a specific case of untrusted access. While it is often desirable to offer guests a way to connect to the Internet to reach their own services, they should not need to connect to the corporate network. The exception may be employee-owned devices (Bring Your Own Device, BYOD).
An organisation will typically have no insight into the “cleanliness” of a guest’s device: it may already be compromised by an attacker or infected with malware that could then spread into the corporate network. Organisations should physically separate the networks provided for guests from the corporate network, so that a guest connection cannot be used to compromise it.
How can SureCloud help?
SureCloud is a provider of cloud-based cybersecurity services and Integrated Risk Management products, which reinvent the way you manage risk.
We offer a wide range of cybersecurity testing and assurance services, and we stay with you throughout the entire test life-cycle, from scoping through to vulnerability discovery and remediation.
SureCloud is certified by the National Cyber Security Centre (NCSC) and CREST, and our services are delivered through our innovative Pentest-as-a-Service model, underpinned by a highly configurable technology platform. We act as an extension of your in-house security team and ensure you have everything you need to improve your risk posture.