Improving Security via Proper Network Segmentation

Recent headlines around data breaches have highlighted a common security mishap – improper network segmentation.

Let’s face it, there is no such thing as being 100% secure. If an attacker really wants to get into your network, they will find a way. So you don’t want a single point of failure. Once unauthorized access is gained, network segmentation or “zoning” can provide effective controls to mitigate the next step of a network intrusion and to limit further movement across the network or propagation of a threat.

By properly segregating the network, you are essentially minimizing the level of access to sensitive information for those applications, servers, and people who don’t need it, while enabling access for those that do. Meanwhile you’re making it much more difficult for a cyber-attacker to locate and gain access to your organization’s most sensitive information.

Regulatory Guidance and Best Practices

Standards such as PCI-DSS provide guidance on creating clear separation of data within the network. In the case of PCI, cardholder data should be isolated from the rest of the network, which contains less sensitive information. An example would be to ensure that Point-of-Sale (PoS) systems and databases are completely separated from areas of the network where third parties have access. In this example a PCI zone would be created with stringent constraints, allowing connectivity for as few servers and applications as possible.

Routes to Achieve Proper Segmentation

Firewalls and VLANs provide a route to partition the network into smaller zones, assuming you have defined and are enforcing a ruleset that controls the communication paths. A sound security policy entails segmenting the network into multiple zones with varying security requirements and enforcing a rigorous policy on what is allowed to move from zone to zone. Anything designated in the PCI zone, for example, should be isolated from the rest of the network as much as possible, without impacting the overall business.

Here are a few tips to consider (not an exhaustive list):

Implement controls at multiple layers within the network architecture. The more layers you can add at each level (e.g. data, application, etc.), the harder it is for a cybercriminal to gain unauthorized access to sensitive information. Of course this has to be manageable from an operations standpoint and it can’t be to the point where business processes come to a grinding halt.

Apply the rule of least privilege. For example, a third-party vendor may need access to your network, but they most likely don’t need access to certain information. Access should only be provided to the user or system for which it is absolutely needed, and nothing else.

Segment information access based on your security requirements. Define your different zones based on where your sensitive information resides. For example, you want to make sure that sensitive information isn’t easily accessible by a third party that has no need for this access. Take a step back when looking at your network architecture and determine if there’s unnecessary access or too restrictive access in different places. You may be surprised by what you see.

Leverage a whitelist or hybrid approach. Instead of trying to block all of the bad things out there, which puts you into a never-ending game of cat and mouse, define what you know to be acceptable communication paths and block everything else.

A common challenge is that building a large matrix with many semi-segregated zones, setting a policy for allowed traffic between zones, and enforcing it is not trivial. Even if you get to this point, it most likely requires all or mostly manual processes and a great deal of effort, especially given the volume of security changes that must be processed on a regular basis.

Over time, security changes can erode a defined policy as an unintended consequence. Automating the security change process around network segmentation policies can ensure these policies are continuously enforced and validated every time a change request is made.
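The whitelist approach and the change validation described above, as an added example that is not from the article or any product it mentions: a small zone matrix (constructed addresses, zone names and ports are assumptions) that denies any inter-zone flow not explicitly listed, plus a check that flags proposed firewall changes which would open a new path into the PCI zone or abandon port-level whitelisting.

```python
import ipaddress
from typing import Optional

# Constructed example zones and policy (not from the article): each address
# range belongs to exactly one zone, and the matrix lists the only
# inter-zone paths that are permitted. Anything absent is denied.
ZONE_OF_NET = {
    "10.1.0.0/16": "corp",            # employee workstations
    "10.2.0.0/24": "app",             # application servers
    "10.3.0.0/24": "pci",             # PoS back end and cardholder database
    "192.168.50.0/24": "thirdparty",  # vendor VPN landing range
}
ZONE_POLICY = {                       # (src_zone, dst_zone) -> allowed ports
    ("corp", "app"): {443},           # staff use the web front end
    ("app", "pci"): {5432},           # only the app tier talks to the DB
    ("thirdparty", "corp"): {3389},   # vendor support reaches a jump host
}
RESTRICTED = {"pci"}                  # new paths into these zones need an exception

def zone_for(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_OF_NET.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return None                       # unknown ranges belong to no zone

def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Whitelist check: a flow passes only if its zone pair lists the port."""
    src, dst = zone_for(src_ip), zone_for(dst_ip)
    if src is None or dst is None:
        return False                  # unzoned traffic is dropped by default
    if src == dst:
        return True                   # intra-zone traffic is out of scope here
    return port in ZONE_POLICY.get((src, dst), set())

def violations(src_zone: str, dst_zone: str, ports: Optional[set]) -> list:
    """Reasons a proposed rule (ports=None means 'any') would erode the policy."""
    problems = []
    if ports is None:
        problems.append("any-port rule defeats the whitelist approach")
    if src_zone == "thirdparty" and dst_zone in RESTRICTED:
        problems.append(f"third parties may never reach {dst_zone}")
    elif dst_zone in RESTRICTED and (src_zone, dst_zone) not in ZONE_POLICY:
        problems.append(f"opens a new path into {dst_zone}; needs exception review")
    return problems
```

Running `violations` against every change request before it reaches the firewall is the automated validation step the paragraph above calls for; an empty list means the change stays within the existing zone policy.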

A Glimpse into the Future

The concept of software-defined networking (SDN) holds exciting promise when it comes to segmentation. With networking slowly but surely moving away from “hard-coded” boxes with blinking lights to software stacks, the concept of “micro-segmentation”, where traffic between any two endpoints can be analyzed and filtered based on a set policy, is becoming a reality.

Micro-segmentation opens a world of possibility for security folks, but also a potential can of worms when it comes to managing it.

Present or future, as some of the latest breaches have shown, improper network segmentation can significantly increase your exposure to data theft or system outages. Flat networks are simple and require little management overhead, but they offer protection to match.

Related Reading: Using Network Segmentation to Protect the Modern Enterprise Network
