Locked doors behind locked doors discourage lazy threat actors and force them to look elsewhere. Therefore, there is no substitute for network segmentation when it comes to protecting your data.
Before we dive into what parts of the network to segment and how to do it, let’s level set with a definition.
What Is Network Segmentation?
Network segmentation is when different parts of a computer network, or network zones, are separated by devices like bridges, switches and routers. Network segmentation is a discipline and a framework that can be applied in the data center and on premises at your facilities.
Following are a few key benefits of network segmentation:
- Limiting access privileges to those who truly need it
- Protecting the network from widespread cyberattacks
- Boosting network performance by reducing the number of users in specific zones
Why Is Network Segmentation Important?
Firewalls are asked to do far too much these days: everything from real-time behavioral analytics down to permitting the cookies a user experience needs. Firewalls are strict and follow their configured rules, but they do not do everything needed to protect your digital assets, and a given generation of firewall can quickly become outdated. Your static IP addresses deserve protection, and they need backup beyond the front lines.
What happens when a threat actor penetrates the firewall via a phishing attempt, for example? Systems and services need to be isolated from one another to prevent a small breach from becoming a massive incident that leads to a data breach.
It’s one thing to have your smart lighting system compromised, but it’s another to have your customer data stolen. These are both virtualized functions for many businesses, but they are not nearly the same in terms of risk and liability.
If the business in the above example practices proper network segmentation and is hacked via their smart lighting system (this isn’t uncommon), the threat actor will find another obstacle. Basically, it’s like turning a corner within a hedge maze to find a dead end: the threat actor will have to work their way backward and attempt to find other access points to the systems and data they are attempting to compromise. At this point, most cybercriminals are going to get discouraged and look for an easier target.
Whether you are running a virtual local area network (LAN) in the cloud or running an SDN-powered architecture, network segmentation will protect your assets.
Types of Network Segmentation
So how do you know what network zones your organization needs? Think about the different types of users and data you have and who needs access to what.
Here are some examples of the types of network zones you may want to establish:
- Users: Users are a network zone in and of themselves. Make sure you have correct access control on your users in your Active Directory. Who needs the least privilege on your network? Privilege levels should be based on the user’s role in switching administration. How many admins have full access rights? Make sure it is fewer than a handful. Access control lists are typically already a part of your Active Directory server; the idea here is to extend that practice to more components of your network.
- Screened Subnet: This includes the subnetworks that expose externally facing systems – where the handshakes take place on your network. For example, it may include public-facing websites or other resources accessible via the internet. You want to separate the things the public can access from your local area network (LAN) and the internal data that needs to be protected.
- Guest Network: Guest Wi-Fi should be separate from the corporate Wi-Fi. This may seem like a no-brainer, but I find a lot of smaller businesses never bother to set it up. Even residential routers include this feature – you can easily set up a guest Wi-Fi in your home!
- IT Workstations: This is the dev network zone for IT. It’s where your IT staff does non-administrative work, and it should be segmented for testing. I would also recommend giving IT a dedicated internet circuit for testing. This can be a best-effort, cheaper connection. Don’t let anyone else in the company have network access to it aside from IT.
- Servers by Department: Do department servers need to talk to one another? Create a public drive and a private drive, and then segment access on the private drives to those within each team or department. This can limit the crawl of malware.
- VoIP/Communications: Placing communications systems on their own network zone boosts performance and enhances quality. But in terms of network security, as communications move toward more APIs unique to your most-used software as a service (SaaS) platforms, this network will become a more common attack surface.
- Traditional Physical Security: Cameras, ID card scanners, etc., should be in their own network zone. This is not to be taken lightly, as the risk of a physical breach can be more harmful than a digital one. There are a number of real-world examples of this, including in 2017, when the closed-circuit camera network in Washington, D.C., was hacked, leaving police cameras unable to function for three days.
- Industrial Control Systems: HVAC, for example, like the non-segmented network compromised in the Target breach, should require two-factor authentication and be placed in its own segment.
- Customer Databases: Due to compliance requirements, customer databases need to be secured more intently than, for instance, your print server. PCI DSS, HIPAA, HITRUST, FINRA, GDPR and other pieces of data legislation will determine the level of segmentation and cybersecurity that would be best practice in terms of implementation.
I would suggest configuring your intrusion detection and intrusion prevention system (IDS/IPS) tools to monitor your internal segmented network zones, just as you would set them to monitor your public-facing networks. Make sure to review your logs or work with an IT partner that will double your vigilance and act as an extra set of eyes.
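As an added example (not code from the article or from CompTIA), here is a Python zone policy checker that encodes the zones listed above as a deny-by-default allowlist and runs it over constructed east-west flow records, the kind of cross-zone check the internal IDS/IPS monitoring just described would perform; all address ranges, ports and permitted flows are assumptions made for the example.

```python
import ipaddress
# Zones from the article's list; the address ranges are constructed for this example.
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/24"),
    "screened_subnet": ipaddress.ip_network("192.0.2.0/24"),
    "guest": ipaddress.ip_network("10.90.0.0/24"),
    "it_workstations": ipaddress.ip_network("10.20.0.0/24"),
    "physical_security": ipaddress.ip_network("10.40.0.0/24"),
    "ics": ipaddress.ip_network("10.50.0.0/24"),
    "customer_db": ipaddress.ip_network("10.60.0.0/24"),
}
# Deny by default: only these (source zone, destination zone, dst port) flows may cross a boundary.
ALLOWED = {
    ("users", "customer_db", 443),             # staff use the customer-facing app
    ("screened_subnet", "customer_db", 5432),  # public web tier queries the database
    ("it_workstations", "ics", 22),            # IT maintains HVAC controllers
}

def zone_of(ip: str):
    # Map an address to its zone name, or None if it lies outside every known zone.
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address: fail closed
    if src == dst:
        return True   # same zone: no segmentation boundary is crossed
    return (src, dst, dst_port) in ALLOWED

# Constructed east-west flow records, one "src_ip dst_ip dst_port" per line.
SAMPLE_FLOWS = """\
10.90.0.23 10.60.0.5 5432
10.10.0.14 10.60.0.5 443
10.40.0.9 10.10.0.14 445
10.50.0.3 10.60.0.5 5432
192.0.2.10 10.60.0.5 5432
"""
def find_violations(flow_text: str) -> list:
    # Return (src_zone, dst_zone, port) for every flow the zone policy does not permit.
    hits = []
    for line in flow_text.splitlines():
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            hits.append((zone_of(src), zone_of(dst), int(port)))
    return hits
```

On the sample flows the checker flags the guest, physical-security and HVAC (ICS) hosts reaching zones they have no business in, while the staff and web-tier connections pass; on a flat network none of these boundaries would exist to alert on.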
Moving to the cloud is a legitimate strategy for network segmentation, but as I have written before, it doesn’t mean it’s easier or more secure. Learn more on why your cloud solutions deserve zero-trust networking.
Who Needs Network Segmentation?
Everyone who runs internal systems, whether physical or virtualized, to meet business needs requires network security. The more complicated the architecture, the more important the need for segmentation. The only organizations that won’t need network segmentation are businesses that rely 100% on software as a service (SaaS) solutions, or alternatively a business that operates offline, without IT services.
If you’re running a flat network to simplify the number of switches, you’re going to be an ideal target for a threat actor. While a flat network may save you time and money in the initial setup, you are leaving yourself open to being burned on the back end. That type of easy, lateral movement across the entire network will allow the bad guys to get wherever they want to go with little to no resistance.
Each customer will require a different level of segmentation.
There is no substitute for network segmentation. Micro-segmentation requires some time to initially set up, but the benefits highly outweigh the upfront time cost.
Benefits of Network Segmentation
While safety and security are critical benefits unto themselves, the following are also excellent advantages when it comes to network segmentation:
- Damage control and limitation in case of an incident via the smaller attack surface
- Improved access control for external and internal network security
- Reducing the attack surface and the scope of compliance-related auditing
- Improved performance with less congestion on network traffic
- Better analytics around network monitoring, network access and network devices
- Endpoint device protection, especially important as IoT devices become more common
Network segmentation can boost your overall security policy by limiting access privileges to those who need it, protecting the network from widespread cyberattacks and enabling better network performance by reducing the number of users in specific zones.
Learn More About Network Segmentation
Network segmentation is covered in the CompTIA Security+ (SY0-601) exam.
Specifically, it’s covered by the following topics within Exam Objective 3.3: Given a scenario, implement secure network designs:
- Virtual local area network (VLAN)
- East-west traffic
- Zero trust
Studying the topics covered in CompTIA Security+ will give you the foundational cybersecurity skills needed for IT jobs such as systems administrator, network administrator and security administrator. Then, take the next step to earn the CompTIA Security+ certification to prove to employers you have the skills needed for beginner cybersecurity jobs.
Get started today! Download the CompTIA Security+ (SY0-601) exam objectives for free.