Recent headlines around data breaches have highlighted a common security mishap – improper network segmentation.
Let’s face it, there is no such thing as being 100% secure. If an attacker really wants to get into your network, they will find a way. So you don’t want a single point of failure. Once unauthorized access is gained, network segmentation or “zoning” can provide effective controls to mitigate the next step of a network intrusion and to limit further movement across the network or propagation of a threat.
By properly segregating the network, you are essentially minimizing the level of access to sensitive information for those applications, servers, and people who don’t need it, while enabling access for those that do. Meanwhile you’re making it much more difficult for a cyber-attacker to locate and gain access to your organization’s most sensitive information.
Regulatory Guidance and Best Practices
Standards such as PCI-DSS provide guidance on creating clear separation of data within the network – in the case of PCI, cardholder data should be isolated from the rest of the network, which contains less sensitive information. An example would be to ensure that Point-of-Sale (PoS) systems and databases are completely separated from areas of the network where third parties have access. In this example a PCI Zone would be created with stringent constraints allowing connectivity for as few servers and applications as possible.
Routes to Achieve Proper Segmentation
Firewalls and VLANs provide a route to partition the network into smaller zones, assuming you have defined and are enforcing a ruleset which controls the communication paths. A sound security policy entails segmenting the network into multiple zones with varying security requirements and enforcing a rigorous policy of what is allowed to move from zone to zone. Anything designated in the PCI zone, for example, should be isolated from the rest of the network as much as possible – without impacting the overall business.
Here are a few tips to consider (not an exhaustive list):
• Implement controls at multiple layers within the network architecture. The more layers you can add at each level (e.g. data, application, etc.), the harder it is for a cybercriminal to gain unauthorized access to sensitive information. Of course this has to be manageable from an operations standpoint and it can’t be to the point where business processes come to a grinding halt.
• Apply the principle of least privilege. For example, a third party vendor may need access to your network, but they most likely don’t need access to certain information. Access should be granted only to the users or systems that absolutely need it, and nothing else.
• Segment information access based on your security requirements. Define your different zones based on where your sensitive information resides. For example, you want to make sure that sensitive information isn’t easily accessible by a third party that has no need for this access. Take a step back when looking at your network architecture and determine if there’s unnecessary access or too restrictive access in different places. You may be surprised by what you see.
• Leverage a whitelist or hybrid approach. Instead of trying to block all of the bad things out there, which puts you into a never-ending game of cat and mouse, define what you know to be acceptable communication paths and block everything else.
A common challenge is that building a large matrix with many semi-segregated zones, setting a policy for allowed traffic between zones, and enforcing it is not trivial. If you can get to this point, most likely it requires all or mostly manual processes and a ton of effort – especially with the typical amount of security changes that must be processed on a regular basis.
Security changes can, as an unintended consequence, erode a defined policy over time. Automating the security change process around network segmentation policies can ensure these policies are continuously enforced and validated every time a change request is made.
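To make the whitelist tip and the change-request validation above concrete, here is an added example (not code from the original article): a small zone-to-zone policy matrix with default deny between zones, plus a check that decides whether a proposed firewall change request stays within the segmentation policy. The zone names, CIDR ranges, ports and sample requests are all constructed for illustration.

```python
"""Zone-to-zone segmentation policy with whitelist enforcement and change-request
validation. Added example, not from the original article; zone names, address
ranges, ports and the sample change requests are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout: each zone is a list of CIDR blocks (hypothetical ranges).
ZONES = {
    "pci": [ip_network("10.10.0.0/24")],             # PoS systems and cardholder DB
    "corp": [ip_network("10.20.0.0/16")],            # general office network
    "third_party": [ip_network("192.168.50.0/24")],  # vendor VPN landing zone
    "dmz": [ip_network("10.30.0.0/24")],             # internet-facing services
}

# Whitelist matrix: (src_zone, dst_zone) -> allowed TCP destination ports.
# Any zone pair or port not listed here is denied (default deny between zones).
ALLOWED = {
    ("corp", "dmz"): {443},
    ("dmz", "pci"): {8443},         # payment gateway to the PCI front end only
    ("third_party", "dmz"): {443},  # vendors reach the portal, nothing further in
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside every zone are rejected."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    raise ValueError(f"{ip} is not in any defined zone")

@dataclass
class ChangeRequest:
    src_ip: str
    dst_ip: str
    port: int

def evaluate(req: ChangeRequest) -> tuple[bool, str]:
    """Return (approved, reason). Intra-zone traffic is left to host-level
    controls; inter-zone traffic must match the whitelist matrix exactly."""
    src, dst = zone_of(req.src_ip), zone_of(req.dst_ip)
    if src == dst:
        return True, f"intra-zone ({src})"
    allowed = ALLOWED.get((src, dst), set())
    if req.port in allowed:
        return True, f"{src}->{dst}:{req.port} is whitelisted"
    return False, f"{src}->{dst}:{req.port} not in whitelist; default deny"

def audit(requests: list[ChangeRequest]) -> list[str]:
    """Return the reasons for every request the segmentation policy rejects."""
    return [reason for ok, reason in map(evaluate, requests) if not ok]
```

Run the change queue through audit() before any rule is pushed; an empty list means every request stays within the zone policy.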
A Glimpse into the Future
The concept of software-defined networking (SDN) holds exciting promise when it comes to segmentation. With networking slowly but surely moving away from “hard-coded” boxes with blinking lights to software stacks, the concept of “micro-segmentation”, where traffic between any two endpoints can be analyzed and filtered based on a set policy, is becoming a reality.
Micro-segmentation opens a world of possibility for security folks, but also a potential can of worms when it comes to managing it.
Present or future, as some of the latest breaches have shown, improper network segmentation can significantly increase your exposure to data theft or system outages. Flat networks are simple and require little management overhead, but offer protection to match.
Related Reading: Using Network Segmentation to Protect the Modern Enterprise Network