Choose your topics

What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Cyber Risk Management, Adversary Services

Network Segmentation: The Key to Minimising Threats from Untrusted Devices

Network Segmentation: The Key to Minimising Threats from Untrusted Devices
Written by

Ellie Owen

Published on

20 Jul 2019

Network Segmentation: The Key to Minimising Threats from Untrusted Devices


What is Network Segmentation?

Segmentation is the practice of dividing or separating something into different parts or sections. In the case of IT systems, this typically involves splitting a network into sub-networks, where each is a separate network segment. Segmented networks can be isolated from each other, which increases the network’s security. 


Our Network Segmentation Series describes the different types of segmentation, their benefits to business and enterprise risk management, and the appropriate controls to maximise the security they provide.


The international ISO 27002 security standard says of network segmentation:


“One method of managing the security of large networks is to divide them into separate network domains. The domains can be chosen based on trust levels (e.g., public access domain, desktop domain, server domain), along with Organizational units (e.g., human resources, finance, marketing) or some combination (e.g., server domain connecting to multiple Organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g., virtual private networking).


“The perimeter of each domain should be well-defined. Access between network domains is allowed but should be controlled at the perimeter using a gateway (e.g., firewall, filtering router). The criteria for segregation of networks into domains and the access allowed through the gateways should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the access control policy, access requirements, value and classification of information processed, and also take account of the relative cost and performance impact of incorporating suitable gateway technology.


“Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls policy before granting access to internal systems.


“The authentication, encryption, and user-level network access control technologies of modern, standards-based wireless networks may be sufficient for direct connection to the organization’s internal network when properly implemented.”


The key takeaway from this is the choice of network segments or “domains” based on access requirements and risk levels, which provide an adequate level of security to the network. The domains that we will cover in our Network Segmentation Series are:

  • Untrusted and Public Networks
  • Wide Area Networks (WAN)
  • Local Area Networks (LAN)
  • Wireless Networks 


Segmentation of Untrusted and Public Networks

Traffic from untrusted networks, including the public Internet and third parties (such as clients), should be segregated from an organisation’s corporate network. Segregation, in this way, isolates the untrusted traffic in a dedicated network segment, limiting the systems accessible to it and reducing the threat from these sources.


We achieve this security through a De-Militarised Zone (DMZ) – a network isolated from all other networks through firewall appliances or similar. 


Traffic should only be permitted to enter the DMZ network from authorised sources for specific targets, and traffic should only be allowed to leave the DMZ network to reach authorised destinations. Reducing the number of available systems decreases the scope of an attack. 


We can think of a network as a series of concentric rings, with the DMZ as the outer ring. Each inner layer has a higher trust level, and access between each ring is restricted by an access control policy and managed by suitable security appliances.



If more than one different untrusted network terminates inside a DMZ, these should also be isolated from each other to prevent an attack from crossing these networks. 


For example, a DMZ can terminate connections from the public Internet and different trusted clients. An organisation mustn’t allow an attack from the Internet or another network to propagate to either the internal corporate network or the other networks within the DMZ. Allowing an attacker to connect from a corporate connection into a client’s network could lead to reputational and financial damages to the Organization, whether from direct costs imposed by an affected client or indirectly through loss of business.


In 2013, the US retailer Target suffered a breach from a third-party, non-IT vendor connection that had remote access to Target’s network. The attackers were able to use this connection to gain access to the wider Target network and eventually to the credit card data processing systems.


Network Segmentation Across Internal System Trust Levels

It is common to find systems within a DMZ that operate at different security or trust levels. These should be isolated to prevent an attack or infection from spreading between them.


For example, a DMZ might host both production and development web servers. As development servers may be less securely configured than production servers, these must be isolated from each other to prevent any compromise from spreading beyond the development environment into production systems.


VLANS and Firewalls

VLANs can provide an adequate level of segmentation between the trust domains within a DMZ, providing that they are non-routable by default (except where expressly permitted) and that any routing is controlled using security appliances such as a firewall or combined firewall/router device.


In an ideal configuration, the firewalls that isolate untrusted networks from a DMZ should be physically different from those that separate a DMZ from an organisation’s corporate network. This double security layer helps guarantee a compromise or misconfiguration at one edge of a DMZ will not affect the other. It will also make intentional compromise harder to achieve, as separate devices will require configuration to permit this. 


The Cisco SAFE Reference Guide states:

It is recommended that two separate firewalls are used to provide remote access functionality. Although a single pair of firewalls could be leveraged for both remote access and corporate access, it is a good practice to keep them separate.


Securing Guest Access

Access for a guest to an organisation is a specific case of untrusted access. While it is often desirable to offer guests a method to connect to the Internet to access their own services, they should not need to connect to the corporate network. The exception may be employee-owned or Bring Your Own Device (BYOD). 


An organisation will typically have no insight into the “cleanliness” of a guest’s device, which could already be compromised by an attacker or infected with malware, which could then spread into the corporate network. Organisations should physically separate networks provided for guests to connect to from the corporate network to prevent them from being used to compromise the network. 


How can SureCloud help?

SureCloud is a provider of cloud-based, Cybersecurity services and Integrated Risk Management products, which reinvent the way you manage risk.


We offer a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle, from scoping through to vulnerability discovery and remediation. 


SureCloud is certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform). We act as an extension of your in-house security team and ensure you have everything you need to improve your risk posture.