Traditional and typical cyber security techniques usually fail to meet the security requirements of today’s corporate industries and businesses. As the digital world has revolutionized, so are cyber security threats and risks. It has become more difficult to rely on a single security solution or a single line of defence.
Multi-layered defence or defence in depth is the new norm, where multiple layers of defence mechanisms are implemented so that there is no single point of failure in case of an incident. If one security mechanism at one layer fails to act, other layers step up to limit the attack movement, reduce the impact or prevent the threat altogether (based on threats).
This multi-layered approach with intentional redundancies increases the security of a system and helps defend against many attack vectors.
The DiD (Defence-in-Depth) approach is also called the ‘Castle Approach’ as it imitates a castle’s defensive layout; before attacking a castle, you have to cross the moat and get past the drawbridge and then reach the castle itself.
In this article, we’ll discuss one of the DiD techniques, namely Network Segmentation. We’ll look at what it is, why we do it, why it is important, what security considerations to keep in mind while segmenting a network and how to segment it.
A common example would be how a submarine is compartmentalised against certain risks. In case of a breach, it is contained to individual components affected due to that problem and the entire submarine is not at risk. Thanks to the segmentation concept here.
The diagram above shows how a yellow submarine with segmentation is capable of containing a breach in comparison with the right-hand side white submarine that is without compartments (flawed design). Hopefully, at this point, you understand the basic concept and the article ahead is how network segmentation helps in different areas of IT architecture.
What is network segmentation, and why is it important?
Simply put, network segmentation is defined as physically or logically dividing a large network into several smaller networks. The devices on the two smaller networks can communicate via an external demarcation point, usually a router or a firewall.
Network segmentation is a Defence-in-Depth approach to reduce the risk of data breaches and offers protection from malware spreading across the entire network. In a properly segmented network, the end devices forming a smaller network only have the connectivity required for legitimate business reasons, limiting malware from spreading and an attacker from pivoting from one system to another.
Importance of Network Segmentation
If network segmentation is properly done and all ACLs are properly defined and implemented, network segmentation best practices can be extremely fruitful. Some key points on the importance of network segmentation are mentioned below:
While an organization’s implemented security solutions and firewalls may protect the network from initial access and compromise, they fail to limit and contain the attack within the point of compromise. Network segmentation offers a better defence by adding boundaries within the organisation’s network, allowing the blue team to promptly and effectively respond to a threat or incident.
An organisation with network segmentation has better visibility of the traffic flow within the network and the segmented sub-networks, thus giving an overall insight into the internal network traffic.
Enhanced access control
Network segmentation with proper ACLs implemented can limit the users from accessing parts of the network that they have no use for, thus protecting the critical systems or parts of the network from unnecessary access.
Enhanced network security
Once an attacker gets a foothold in the internal network, their next steps are to pivot from one system to another and move laterally in the entire network. Network segmentation helps in limiting pivoting and lateral movements and offers better chances of incident or threat detection as attackers try to access other parts of the network.
Improves network performance
Network segmentation helps in improving the network performance, as it reduces congestion of traffic in the organisation.
Protect critical systems and sensitive data
An organisation survives with the good health of its critical systems. If an attacker gets a foothold on one of these crown jewels, it is almost game over for the organisation. Network segmentation helps organisations to protect their critical enterprise systems by placing those systems in isolated and separate networks, minimising their threat exposure.
Why do we need network segmentation?
From a cyber security perspective, most networks tend to be hard to penetrate from the outside. Still, once an attacker is inside the local area networks, it is fairly easy for them to move across the network and pivot from system to system.
Many organisations have a mature firewall perimeter and Intrusion Detection (IDS) and Prevention Systems (IPS) that constantly monitor traffic coming in and send alerts or respond when they detect some malicious traffic coming in from the internet. These computer network monitoring and protection tools are mainly externally focused, leaving the internal network ‘soft’ on the inside.
When making an organisation cyber resilient, one must take upon the ‘Assumed Breach’ approach and then implement security techniques and solutions to contain and limit the attack.
Network segmentation makes it more difficult for an attacker to launch an attack against the entire network and compromise every host on the network. It also protects your crucial and sensitive data and systems from getting breached by isolating them.
What are the 3 main purposes of network segmentation?
1. Performance: Network segmentation offers to improve network performance, as lesser hosts on each sub-network mean lesser traffic and hence no network congestion.
2. Security: Network segmentation protects the segmented network from unauthorised and unintended access to different parts of the internal network. It limits lateral movement and pivoting and also contains the spreading of malware.
3. Reliability: Network segmentation makes the network more reliable as there is no single point of failure. If one part of the network fails, the other sub-networks provide backup and keep the network up and running.
How do you segment a network?
Network segmentation is a process that can be tedious, tiring, frustrating and requires a lot of effort at the same time. Therefore, we divide the entire process of network segmentation into three phases; i.e.
The planning phase
Before segmenting a network, it is imperative to know the current stage of the network, the available capabilities, and the desired stage. Network engineers can use the network map and understand the current status and the required network design while taking notes of all the available devices and tools.
The preparation phase
Once all the planning has been done, it’s time to move towards preparing for the segmentation. This phase may include setting up the project team, subject matter experts, making the resources available, keeping a backup of the resources available just in case any network resources fail. It is also important to ensure that the proposed network segmentation plan aligns with the organisation’s strategic and risk management goals.
The execution phase
In this phase, the project team established in the previous phase actually begins to segment the network.
What is network segmentation security?
Segmenting a network alone is not enough; one has to keep in mind the security aspects. For example, a network has been divided into two parts for two different departments in an organisation, and there are no rules applied to control the access of resources to and from both the departments and no firewall rules to control traffic in and out of both the parts; then the main objective of applying network segmentation fails.
Network segmentation, when implemented properly, is a very effective and efficient tool for network security analysts to prevent unauthorised users, threat actors or curious insiders from accessing critical and valuable network resources and organisational data.
The following section discusses some tips and tricks and best practices to follow when doing network segmentation.
Network segmentation – best practices to follow
Read top tips on network segmentation that are focussed on network concepts involving security concepts. Ultimately, a successful cyber security strategy includes a balance of usability and security elements.
1. Don’t under-segment or over-segment
Segmentation can be tricky. A good segmentation network plan has the documentation precisely for what part of the network needs to be segmented and which does not. Too many sub-networks may affect usability and create complications for the users; too few may leave the organisational network at risk and prone to threats.
2. Map data flows across the network
Map all the data flowing within the network segment, so you may have an idea of how to segment your network and what access control policies to define when segmenting the network.
3. Know who is connecting to your network and what data they need access to
You can not segment your network correctly if you do not know who is connecting to your network and what data they need to do their jobs. Know all the users connecting to your network segment and the data they need access to before starting segmentation.
4. Isolate access-portals for third-parties
In larger organisations where security is the top-of-the-list priority, breaches usually happen due to an insecure third party. Therefore, it is necessary to isolate all the third-party access portals and keep them at a distance.
5. Combine similar network resources and define asset groups
Combine network resources with a similar purpose or offer the same data, for example combining all the printers. This tactic allows you to enact security policies quickly and protect the extra-sensitive data more efficiently.
6. Create access control policies
Access control policies should be created and implemented keeping the Principle of Least Privileges in mind. Users should be given access to the network resources and data required to do their day-to-day jobs.
Network traffic within a segment should flow flawlessly, but the traffic between different segments should be monitored and comply with the access control policies.
7. Audit your network regularly
Perform security review of your network and segmentation configurations by auditing the network regularly. Conduct penetration testing assessments, configuration reviews etc., to make sure nothing is out of place, network segmentation is properly done, and all the ACLs are implemented correctly.
Segmentation practices are a very vital component of adding an access control layer that’s easy to achieve and provides long term benefits. In fact, it’s one of the best ROI’s in terms of technical controls within an environment. In the security assessment world, segmentation penetration testing is used in various scenarios, mainly:
With our experience of designing labs at Black Hat to performing assessments at banks and other sensitive data environments, we won’t let you down. Get in touch to discuss your security concerns.
Shahrukh, is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.