
Network Segmentation Series Part 2: Securing Wide Area Networks Across Remote Workforces

Written by Ellie Owen

Published on 20 Jul 2019


Risk management and compliance are two of the top concerns for any business reliant on digital systems – which is just about every business in today’s tech-forward world. Network segmentation is one of the broader ways businesses can protect their systems, even when their workforce and offices are spread out.

 

Segmentation is the practice of dividing or separating something into different parts or sections. In the case of IT systems, this typically involves splitting a network into sub-networks, where each one is a separate network segment. Segmented networks can then be isolated from each other, increasing the security of the network. This series of blog posts will describe the different types of segmentation, their benefits, and applicable controls to maximize the security they provide.

 

Segmentation of Wide Area Networks (WAN)

In Network Segmentation Part 1, we discussed protecting the corporate network from external parties. This article will review the controls applicable to a geographically dispersed Wide Area Network (WAN), as used by many larger organizations to connect multiple offices.

 

What are Wide Area Networks used for?

An organization will often use a Wide Area Network (WAN) to join geographically dispersed offices and sites, connecting them to the main corporate network using an MPLS network, VPN, or similar method. In many cases, these sites are connected directly to each other with no security appliances in place to restrict traffic between them, and the organization relies on physical security controls in each location to protect the network. As a result, a compromise at one site, whether achieved through an attacker gaining physical access to the local network or through a remote compromise such as a malware infection on a connected device, could enable an attacker to target systems at other sites. This could include compromising remote systems which are affected by unpatched or “zero-day” vulnerabilities.

For example, an attacker who has gained access to the corporate network via a remote “satellite” office, potentially in a different country from the main corporate systems, may be able to identify and connect to vulnerable systems or services elsewhere on the corporate network. These could then be used to gain access to unauthorized information, to create a “back door” into the network that allows the attacker to reconnect in the future, or to “pivot” further onto other vulnerable systems elsewhere on the network.

How can Wide Area Network segregation boost security?

A lack of WAN segregation could also allow a malware infection to spread throughout the entire corporate network, rather than being isolated to a small network where it can more easily be contained. There were reports of networks still hosting the Conficker malware, due primarily to insufficient segregation, as recently as June 2016, more than seven years after its initial release. In 2017, Conficker was also found to be related to the delivery of the WannaCry ransomware. The APT1 report from Mandiant demonstrated that attackers might be able to remain inside networks without being detected for over 12 months. While segregation would not prevent this, it would reduce the extent to which an attacker could compromise the network.

“Big networks tend to become unmanageable in terms of security unless there is some form of separation between parts of the network. In a country-wide network that is internally completely open, a security incident such as a break-in in one office might require all hosts of the entire network to be reinstalled to ensure that the attacker has not left some Trojan horses somewhere. An increasing number of companies are securing their internal networks additionally by, for example, separating offices with firewalls. This is, in general, a good security practice.”

 

Firewalls, or combined router/firewall devices, provisioned at the edge of each office network should limit inbound and outbound traffic between remote sites to authorized sources and destinations only, and to the minimum number of authorized services. When this is in place, connections between sites are limited to the specific services or systems required by each site, and only from specific networks within each site.

For example, the end-user network in a remote site may be allowed to connect to the Intranet servers located at another location, and Domain Controllers would be allowed to replicate to remote Domain Controllers, but the end-user network would only be able to access the local Domain Controllers. As well as restricting the sources and destinations of traffic, the individual services should be restricted to only those necessary. For example, only web ports such as 80 (HTTP) and 443 (HTTPS) would typically be required to connect to the aforementioned Intranet server.
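The inter-site policy described above can be modelled as a default-deny allow-list and checked against flows before it is deployed. The following is an added example, not code from the original post; the addressing plan, rule names, port lists and the 256-address lint threshold are all assumptions constructed for illustration.

```python
"""Default-deny check and lint of an inter-site WAN allow-list.
All networks, hosts and rule names are constructed for illustration."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    src: str       # source network (CIDR)
    dst: str       # destination network or host (CIDR)
    proto: str     # "tcp" or "udp"
    ports: tuple   # permitted destination ports; () means any port

# Constructed plan: remote site = 10.1.0.0/16, main site = 10.2.0.0/16.
STRICT = [
    Rule("users-to-intranet", "10.1.10.0/24", "10.2.20.10/32", "tcp", (80, 443)),
    # Port list is illustrative, not a complete AD replication set.
    Rule("dc-to-dc-replication", "10.1.5.10/32", "10.2.5.10/32", "tcp", (135, 389)),
]
# The flat-WAN pattern the article warns about: whole site to whole WAN, any port.
FLAT = STRICT + [Rule("legacy-any", "10.1.0.0/16", "10.0.0.0/8", "tcp", ())]

def allowed(rules, src, dst, proto, port):
    """Name of the first rule permitting the flow, or None (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and proto == r.proto and (not r.ports or port in r.ports)):
            return r.name
    return None

def lint(rules, max_dst_addresses=256):
    """Flag rules that undo segmentation: no port limit, or an over-wide destination."""
    findings = []
    for r in rules:
        if not r.ports:
            findings.append((r.name, "no port restriction"))
        if ip_network(r.dst).num_addresses > max_dst_addresses:
            findings.append((r.name, "destination wider than one subnet"))
    return findings

if __name__ == "__main__":
    user, intranet, remote_dc = "10.1.10.25", "10.2.20.10", "10.2.5.10"
    print(allowed(STRICT, user, intranet, "tcp", 443))   # permitted by allow-list
    print(allowed(STRICT, user, remote_dc, "tcp", 389))  # denied: users use local DCs
    print(allowed(FLAT, user, remote_dc, "tcp", 3389))   # flat rule lets it through
    print(lint(FLAT))
```

Running the lint over an exported rule set before each change is a cheap way to catch a broad rule that silently reopens the WAN.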

 

“Network policy enforcement on the WAN edge can be extended to include the enforcement of different security policy domains through the integration of firewall functionality. A firewall provides additional protection from unauthorized access and stateful application and protocol inspection.”

 

 
