Locked doors behind locked doors discourage lazy threat actors and force them to look elsewhere. Therefore, there is no substitute for network segmentation when it comes to protecting your data.
Before we dive into what parts of the network to segment and how to do it, let’s level set with a definition.
What Is Network Segmentation?
Network segmentation is when different parts of a computer network, or network zones, are separated by devices like bridges, switches and routers.
Following are a few key benefits of network segmentation:
- Limiting access privileges to those who truly need it
- Protecting the network from widespread cyberattacks
- Boosting network performance by reducing the number of users in specific zones
Types of Network Zones
So how do you know what network zones your organization needs? Think about the different types of users and data you have and who needs access to what. Here are some examples of the types of network zones you may want to establish:
- Users: Users are a network in and of themselves. Make sure you have correct access privileges on your users in your active directory. Privilege levels should be based on the user’s role in switching administration. How many admins have full access rights? Make sure you have less than a handful.
- The Demilitarized Zone (DMZ): This includes the subnetworks that expose externally facing systems – where the handshakes take place on your network. For example, it may include public-facing websites or other resources accessible via the internet. You want to separate things that the public can access from your local area network (LAN) and internal data that needs to be protected.
- Guest Network: Guest Wi-Fi should be separate from the corporate Wi-Fi. This may seem like a no brainer, but I find a lot of smaller businesses never bother to set it up. Even residential routers include this feature – you can easily set up a guest Wi-Fi in your home!
- IT Workstations: This is the dev network zone for IT. It’s where your IT staff does non-administrative work, and it should be segmented for testing. I would also recommend giving IT a dedicated internet circuit for testing. This can be a best effort, cheaper connection. Don’t let anyone else in the company have access to it aside from IT.
- Servers by Department: Do department servers need to talk to one another? Create a public drive and a private drive, and then segment access on the private drives to those within each team or department. This can limit the crawl of malware.
- VoIP/Communications: Placing communications systems on their own network zone boosts performance and enhances quality. But in terms of network segmentation security, as communications move toward more APIs unique to your most used software as a service (SaaS) platforms, this network will become a more common attack plane.
- Traditional Physical Security: Cameras, ID card scanners, etc., should be in their own network zone. This is not to be taken lightly, as the risk of a physical breach can be more harmful than a digital one. There are a number of real-world examples of this, including in 2017, the closed-circuit camera network in Washington, D.C., was hacked, leaving police cameras unable to function for three days.
- Industrial Control Systems: HVAC, for example, like the non-segmented network compromised in the Target breach, should have two-factor authentication and be segmented.
I would suggest configuring your intrusion detection and intrusion prevention system (IDS/IPS) tools to monitor your internal segmented network zones, just as you would set them to monitor your public-facing networks. Make sure to review your logs or work with an IT partner that will double your vigilance and act as an extra set of eyes.
Moving to the cloud is a legitimate strategy for network segmentation, but as I wrote earlier this year, it doesn’t mean it’s easier or more secure. Learn more on why your cloud solutions deserve zero-trust networking.
Pro Tip: Planning for Network Segmentation
Unfortunately, this one has a mighty large time cost. The list above is a vast oversimplification of all the work that will need to be done to switches, the switch content addressable memory (CAM), ports, trunks, routers, virtual LANs (VLANs), etc. But I do believe that network segmentation combined with watching for phishing attempt red flags is the best way to secure your IT environment.
I would suggest creating the previously mentioned network segments and installing an IDS/IPS solution. But getting a project this large in scope completed requires a lot of planning. Here’s some suggestions to help get you moving:
- Analyze: Review the network zones list above and audit your existing network architecture. Define where the gaps are. Do you have all of the network checks and balances in place? If not, create a priority list.
- Educate: Educate stakeholders and decision makers, such as the executive team, about the importance of putting multiple forms of network segmentation into action. Create buy-in at the top level – network segmentation isn’t going to be free in terms of time or money, so you’ll need support.
- Research: Evaluate what hardware, services and partnerships you’ll have to procure and manage in order to get the job done properly.
- Propose: Create the business case and present to the powers that be at your organization.
- Communicate: Over-communicate to end users what will happen and when. This will be disruptive, so communication across the company is key. Make sure you are outlining timeframes and downtime, but even more importantly, make sure you are communicating why network segmentation is important for security and performance – this is where security awareness training comes in. At the end of the day, overcommunicating will help create an even stronger security culture of inclusion.
- Backup: Before making ANY changes – back everything up following the 3-2-1 rule:
- 3 copies of your data
- 2 backup copies stored on different types of storage media
- 1 copy stored offsite (ideally in a replicated data center, but colocation hosting will also work)
- Migrate: One last note about implementation – If you haven’t yet migrated elements of your infrastructure to Microsoft Office 365, a SaaS-based customer relationship management (CRM) tool, stateful cloud-based firewalls or a hosted file server, I would suggest making these fundamental changes before migration. Know that migration to the cloud will complicate your segmentation and your security, but it may be worth it.
Put these plans into action with our free guide, 7 Security Hacks to Use Now.
Check out the whole series on security awareness training:
- Passwords Are a Pain – But They Are Critical to IT Security
- How to Detect Phishing Attacks
- What Does a Phishing Email Look Like?
- Why You Need a Corporate Acceptable Use Policy
- Incident Response Plans and War Gaming