Last updated February 15th, 2023 by Dan Rheault
Organizations often undertake network segmentation to increase the efficiency of the network and ensure that network performance is optimal, but it also offers significant security benefits. In addition to increasing the speed of your networks, you can also take advantage of network segments by restricting connectivity between them using access controls. As cyberattacks become more sophisticated, network segmentation limits the impact of attacks by making it more difficult to traverse your network. A segmented network also results in improved manageability of your network connectivity, which can be utilized to control vulnerable services or logically isolate malicious IPs during incident response.
Network segments consist of IP ranges, subnets, or Security Groups, and are often referred to as zones. With effective network segmentation, zones are defined by location, business unit, or operational sensitivity, and the services permitted between zones are configured through access controls. If you want to adopt a blacklist approach, you can block specific risky or vulnerable services. In practice, however, network segmentation access controls consist of policies that both block and allow communication. These access control lists can be used to establish your network security policy.
Organizations that start with a flat network soon find network segmentation is necessary to establish boundaries and reduce the likelihood of unauthorized access to sensitive data. By analogy, consider your living space – I bet your exterior doors are much more durable than the interior doors between rooms, and I’d wager you probably have two locks on doors that open to the outside. In the same way that we focus on securing the exterior of the house to prevent intruders, in network security we often focus on the perimeter. In this case, if we leave the front door open by mistake, or perhaps we’re duped into letting a nefarious, smooth-talking person in, we have no internal barriers preventing an unauthorized individual from going room to room. It would make much more sense to limit access to specific rooms to only those who would use them, and to keep some doors locked with access made available only to those who need it. For example, we might keep the kids out of the fine china sets (that we’ll never use), and we can keep the dog out of the bedroom, but make sure he has access to the outside.
In network security, the creation and logical isolation of zones through access controls that permit the least amount of access is one method to convert a flat network into a varied and uncertain landscape for attackers. Multiple zones require more pivots across each zone before protected data is potentially compromised – in a flat network a single exploited point can offer direct access to sensitive data. Network segmentation can also enable effective security incident response by providing clear control over the policy modifications needed to block an attack or isolate a malicious IP. Consider the example of WannaCry – once the vulnerable service and ports are known (published externally, or identified internally through anomalous rule hits), access between affected zones can be blocked to confine the attack to the already compromised network zone(s). If you’re a Tufin customer, you already know how simple this is.
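The zone model described above (zones as IP ranges, a first-match list of allow and block rules between zone pairs, default deny for anything unmatched, and an incident-response override that cuts off a compromised zone) as an added illustration that is not Tufin's or the article's own code; the zone ranges, the rule set and the helper names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone map (example ranges, not from the article).
ZONES: Dict[str, List[str]] = {
    "users": ["10.10.0.0/16"],
    "app": ["10.20.0.0/16"],
    "sensitive-data": ["10.30.0.0/24"],
}

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means it is in no known zone."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in ip_network(n) for n in nets):
            return name
    return None

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    services: Set[str]  # e.g. {"tcp/443"}; "*" matches any service
    action: str         # "allow" or "block"

@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)  # checked first-match
    isolated: Set[str] = field(default_factory=set)  # zones cut off during IR

    def evaluate(self, src_ip: str, dst_ip: str, service: str) -> Tuple[str, str]:
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src is None or dst is None:
            return "block", "unknown-zone"  # traffic outside the zone map is dropped
        if src in self.isolated or dst in self.isolated:
            return "block", "isolated"      # incident-response override beats every rule
        for r in self.rules:
            if (r.src_zone, r.dst_zone) == (src, dst) and ("*" in r.services or service in r.services):
                return r.action, f"{src}->{dst}"
        return "block", "default-deny"      # no rule matched: least access wins

# Constructed policy: an explicit block for the SMB port WannaCry spread over,
# narrow allows between zones, and default deny for everything else.
POLICY = Policy(rules=[
    Rule("users", "sensitive-data", {"tcp/445"}, "block"),
    Rule("users", "app", {"tcp/443"}, "allow"),
    Rule("app", "sensitive-data", {"tcp/5432"}, "allow"),
])
```

Adding a zone name to `POLICY.isolated` is the incident-response step: every flow into or out of that zone is refused regardless of the rule list, which is the kind of single policy change that contains an outbreak to the zones already affected.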
Security teams are responsible for measuring risk and maintaining compliance with the security policy of the organization. If they do not already have a documented security policy, they can base one on the technical guidance of a regulatory framework (NIST, for example). The technical requirements can help determine which services are riskier and which should be permitted between zones. Moreover, in the event of a breach, network segmentation provides demonstrable evidence that the appropriate network security controls were in place, which helps minimize regulatory penalties.
Designating zones for sensitive data that, by default, allow access only over secured services ensures that the agility requirements of the business are met while minimizing risk. Furthermore, additional requests for access to these zones that may pose a degree of risk can be effectively reviewed by security and tracked. Establishing a zone for sensitive data will be handy for deploying future applications that require access to sensitive data. For organizations that can’t invest a lot in security, reusing zones is an ideal way to ensure security and manageability. For those that can invest more, microsegmentation is the best solution.
The above assertion to reuse a zone for secure application deployments may strike you as odd. Why not simply have a unique zone for each application and each user base – wouldn’t that be more secure? That granular degree of zone creation and access control certainly supports a realization of zero trust security through microsegmentation; however, that much detail creates complexity. The complexity affects ongoing management of the network and can even increase the overall level of risk if not managed effectively. Understanding which zone contains what, and which zones are in use, will be incredibly difficult – if not impossible – without a prior investment in network security tools to maintain microsegmentation. With security teams already overwhelmed, it’s best to take network segmentation incrementally. As with all projects in security, network segmentation is a journey and not a destination.
It’s clear then that network segmentation has many benefits around security, compliance, and even manageability of the network. So where should you start? Even a basic segmentation of your network into 3-5 zones reduces the likelihood of an attack successfully traversing your network, prevents unauthorized access to sensitive data through a higher degree of access controls, and provides new methods for isolating attacks. Once you have completed the first phase of segmentation you can further segment your network to create more logical isolations between more zones and create a network landscape even the most sophisticated hacker would be displeased to find.
If you’re ready to get started with network segmentation and want to develop a plan, check out the “Actionable Plan for Segmenting Your Network” webinar to get ready.