In a typical home environment, you plug in all your devices, allow them to access the internet, and that is all that needs to be done. All devices are connected to the internet but more importantly all the devices are allowed to talk to one another without any restrictions. Many times, this same mentality is brought into the business side of Information Technology where all devices are functioning as intended, but are on the same network with the ability to freely communicate with one another. While having all devices such as servers and workstations on the same network will not impact functionality, it greatly increases the risk of a successful security breach in an environment.
What is Network Segmentation?
Network segmentation divides a computer network into smaller sections. Instead of all devices being on the same network you would have smaller sections such as a server network or a workstation network. This way all traffic will need to pass through the firewall and see if a device has been permitted to speak to another device on a different segmented network. On a traditional unsegmented network, traffic would be allowed to go directly from one device to another without having to pass through the firewall. For example, your workstation network is 192.168.0.0/24 while your server network is 192.168.1.0/24.
What are the Security Benefits of Network Segmentation?
Network segmentation brings great benefits to an environment. Segmentation reduces the network congestion. If an end user is browsing social media and using high amounts of bandwidth it would not impact a device on a different segmented network. More importantly, network segmentation brings many security benefits to an environment. If a malicious file infects a device it is limited to only being spread to what that device is allowed to communicate with. With proper ACL firewall rules in place the infection will be more easily contained. Segmentation prevents malicious events to directly access and infect a critical server or other business critical device. Additionally, segmentation is used to protect vulnerable devices that may not be capable of being upgraded due to business continuity constraints. This can stop harmful traffic from ever reaching those vulnerable devices and adds the ability to lock them down as tight as possible.
How can Network Segmentation be Implemented?
Implementing network segmentation can sound daunting, especially when an entire company is already in production and running. But segmentation is quite easy when done properly. The most commonly used blue prints for a secure segmented environment are broken down based on needed zones:
- Server Zone – Information functions are enabled in this zone. This is where confidential data resides.
- Trust / User Zone – This is where user IP addresses are assigned. Organizations with multiple locations may have multiple user zones.
- Phone Zone – It is common practice to segregate voice from data traffic. Organizations with multiple locations may have multiple phone zones.
- Isolated Zone – – An isolated network with minimal access; a great way to still have vulnerable devices functioning while still applying the most optimal security measures possible.
- IT Management Zone – This is where network management systems reside.
- De-Militarized Zone (DMZ) – This is a semi-protected zone which organizations use to provide functionality to business partners and customers. It is segmented from the rest of the network by the core firewall. This is the only subnet that should be reachable from the Internet.
While network segmentation can greatly increase the security of an environment while reducing risk, it is important proper rules and principle of least privilege are correctly configured. If you have network segmentation but the access rules are neglected it defeats the entire purpose of network segmentation in the first place.
In cybersecurity you routinely hear about layers of security and a properly segmented network is a key layer to protecting critical assets and information from threat actors. If you have questions about your network or segmentation, Secure Compliance Solutions has experts to answer questions and assist you with your network.