Co-authors: SureCloud’s Managing Cybersecurity Consultant Chris Hembrow and Senior Cybersecurity Consultant Nick Spencer.
Segmentation is the practice of dividing or separating something into different parts or sections. In the case of IT systems, this typically involves splitting a network into sub-networks, where each one is a separate network segment. Segmented networks can then be isolated from each other, increasing the security of the network. This series of blog posts will describe the different types of segmentation, the benefits of each, and applicable controls to maximize the security they provide.
With regards to network segmentation, the international ISO 27002 security standard says:
“One method of managing the security of large networks is to divide them into separate network domains. The domains can be chosen based on trust levels (e.g., public access domain, desktop domain, server domain), along with Organizational units (e.g., human resources, finance, marketing) or some combination (e.g., server domain connecting to multiple Organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g., virtual private networking).
The perimeter of each domain should be well defined. Access between network domains is allowed but should be controlled at the perimeter using a gateway (e.g., firewall, filtering router). The criteria for segregation of networks into domains and the access allowed through the gateways should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the access control policy, access requirements, value and classification of information processed and also take account of the relative cost and performance impact of incorporating suitable gateway technology.
Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls policy before granting access to internal systems.
The authentication, encryption, and user-level network access control technologies of modern, standards-based wireless networks may be sufficient for direct connection to the organization’s internal network when properly implemented.”
The key take-away from this is around the choice of network segments or “domains” which are based on access requirements and risk levels, to provide an adequate level of security to the network. The domains that will be covered in these posts are:
Traffic from untrusted networks, including the public Internet and third parties such as clients, should be segregated from an organization’s corporate network. This isolates the untrusted traffic onto a dedicated network segment, limiting the scope of systems accessible to it and so reducing the threat from these sources.
This is usually achieved through the use of a De-Militarised Zone (DMZ), a network isolated from all other networks through using firewall appliances or similar. Traffic should only be permitted to enter the DMZ network from authorized sources for specific targets, and traffic should only be allowed to leave the DMZ network to authorized destinations. This significantly reduces the scope of an attack by reducing the number of available systems. A network can be thought of as a series of concentric rings with the DMZ as the outer ring, and with each inner layer having a higher trust level, with access between each of the rings restricted to an access control policy and managed by suitable security appliances.
If more than one different untrusted network terminates inside a DMZ, these should also be isolated from each other to prevent an attack crossing these networks. For example, a DMZ might terminate connections from the public internet and also from different trusted clients. It is important that an organization does not permit an attack coming from the Internet or one of the other networks to propagate to either the internal corporate network or to the other networks within the DMZ. Allowing an attacker to connect from a corporate connection into a client’s network could lead to both reputational and financial damages to the Organization, whether from direct costs imposed by an affected client or indirectly through loss of business.
In 2013, the US retailer Target was breached in an incident that was directly attributed to a connection from a third-party, non-IT vendor which had remote access to Target’s network. The attackers were able to use this connection to gain access to the wider Target network, and eventually to the credit card data processing systems.
It is also common to find systems within a DMZ which operate at different security or trust levels, and these should be isolated from each other to prevent an attack or infection spreading between them. For example, a DMZ might host both production and development web servers, and as development servers may be less securely configured than production servers, it is important that these are isolated from each other to prevent any compromise from spreading beyond the development environment into production systems.
VLANs can provide an adequate level of segmentation between the trust domains within a DMZ, providing that they are non-routable by default (except where specifically permitted) and that any routing is controlled using security appliances such as a firewall or combined firewall/router device.
In an ideal configuration, the firewalls used to isolate untrusted networks from a DMZ should be physically different from those separating a DMZ from an Organization’s corporate network. This double security layer helps to guarantee that a compromise or misconfiguration at one edge of a DMZ will not affect the other, as well as making intentional compromise harder to achieve due to separate devices requiring configuration to permit this. The Cisco SAFE Reference Guide states:
It is recommended that two separate firewalls are used to provide remote access functionality. Although a single pair of firewalls could be leveraged for both remote access and corporate access, it is a good practice to keep them separate.
Access for guest to an Organization is a specific case of untrusted access. While it is often desirable to offer guests a method to connect to the Internet to access their own services, there should be no need for them to connect to the corporate network; the exception to this may be employee-owned or “Bring Your Own Device (BYOD)”, which will be addressed in a future article. An Organization will typically have no insight into the “cleanliness” of a guest’s device, which could already be compromised by an attacker or infected with malware which could then spread into the corporate network. Networks provided for guests to connect should be physically separated from the corporate network to prevent the possibility of them being used to compromise the network.
SureCloud is a provider of cloud-based, Cybersecurity services and Integrated Risk Management products, which reinvent the way you manage risk.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.