(Share from https://au.pcmag.com/feature/60541/beef-up-security-and-performance-with-network-segmentation; Author: )
Network segmentation is all about dividing your existing network into smaller pieces as this can have significant security and performance benefits. Here’s how to implement it in five basic steps.
By now you’ve probably seen references to network segmentation in places ranging from this column to features on network security and discussions of best practices in network monitoring. But for many IT professionals, network segmentation is one of those things you always plan to get around to, sometime soon, but something always gets in the way. Like doing your taxes in February: you know you should but you need an extra kick of motivation. That’s what I’m hoping to do with this 5-step explainer.
First, we need to be on the same page; let’s start with what it is: Network segmentation is the practice of dividing your existing network into smaller pieces or, if you’re lucky enough to starting a network build from scratch, designing it in pieces at the outset. But it doesn’t mean just randomly splitting up the network into parts. Instead, you need to have a plan so that the segmentation makes sense.
There are several reasons for network segmentation; the most important reason is security. If your network is divided into several smaller networks, each with its own router or Layer 3 switch, then you can restrict entry to certain parts of the network. This way, access is only granted to endpoints that need it. This prevents unauthorized access to parts of the network you don’t want accessed, and it also limits some hacker who might have penetrated one segment from having access to everything.
That’s what happened with the Target breach in 2013. Attackers using credentials from the Heating, Ventilation, and Air Conditioning (HVAC) contractor had access to the point-of-sale (POS) terminals, the credit card database, and everything else on the network. Clearly, there was no reason for an HVAC contractor to have access to anything but the HVAC controllers, but they did because Target didn’t have a segmented network.
But if you, unlike Target, take the time to segment your network, then those intruders will able to see your heating and air conditioning controllers but nothing else. Many breaches could wind up being a non-event. Likewise, the warehouse staff won’t have access to the accounting database nor will they have access to the HVAC controllers, but the accounting staff will have access to their database. Meanwhile, employees will have access to the email server, but devices on the network won’t.
Decide on the Functions You Want
All of this means that you have to decide on the functions that need to communicate on your network, and you need to decide what sort of segmentation you want. “Deciding functions” means you need to see who on your staff has to have access to specific computing resources and who doesn’t. This can be a pain to map out, but when it’s done, you’ll be able to assign functions by job title or work assignment, which can bring additional benefits in the future.
As to type of segmentation, you can use physical segmentation or logical segmentation. Physical segmentation means that all of the network assets in one physical area would be behind a firewall that defines what traffic can come in and what traffic can go out. So, if the 10th floor has its own router, then you can physically segment everyone there.
Logical segmentation would use virtual LANs (VLANs) or network addressing to accomplish the segmentation. Logical segmentation can be based on VLANs or specific subnets to define networking relationships or you may use both. For example, you may want your Internet of Things (IoT) devices on specific subnets so, while your main data network is one one set of subnets, your HVAC controllers and even your printers can occupy others. The chore there is that you’ll need to define access to the printers so that people who need to print will have access.
More dynamic environments can mean even more complex traffic assignment processes that might have to use scheduling or orchestration software, but those problems tend to crop up only in larger networks.
Different Functions, Explained
This part is about mapping work functions to your network segments. For example, a typical business might have accounting, human resources (HR), production, warehousing, management, and a smattering of connected devices on the network, like printers or, these days, coffee makers. Each of these functions will have their own network segment, and the endpoints on those segments will be able to reach data and other assets in their functional area. But they may also need access to other areas, such as email or the internet, and perhaps a general personnel area for things such as announcements and blank forms.
The next step is to see which functions must be prevented from reaching those areas. A good example might be your IoT devices which only need to talk to their respective servers or controllers, but they don’t need email, internet browsing, or personnel data. The warehouse staff will need inventory access, but they probably shouldn’t have access to accounting, for example. You will have to start your segmentation by first defining these relationships.
The 5 Basic Steps to Network Segmentation
- Assign each asset on your network to a specific group so that the accounting staff would be in a group, the warehouse staff in another group, and the managers in yet another group.
- Decide how you want to handle your segmentation. Physical segmentation is easy if your environment allows it, but it’s limiting. Logical segmentation probably makes more sense for most organizations, but you have to know more about networking.
- Determine which assets need to communicate with which other assets, and then set up your firewalls or your network devices to allow this and to deny access to everything else.
- Remember that access to network segments should be transparent for authorized users and that there should be no visibility into the segments for unauthorized users. You can test this by trying.
It’s worth noting that network segmentation isn’t really a Do-It-Yourself (DIY) project except for the smallest offices. But some reading will get you prepared to ask the right questions. The United States Cyber Emergency Readiness Team or US-CERT (part of the US Department of Homeland Security) is a good place to start, although their guidance is aimed at IoT and process control. Cisco has a detailed paper on segmentation for data protection that’s not vendor-specific.
There are some vendors which provide useful information; however, we haven’t tested their products so we can’t tell you whether those will be useful. This information includes how-to tips from Sage Data Security, a best practices video from AlgoSec, and a dynamic segmentation discussion from network scheduling software provider HashiCorp. Finally, if you’re the adventurous type, security consultancy Bishop Fox offers a network segmentation DIY guide.
As far as the other benefits of segmentation beyond security, a segmented network may have performance benefits because network traffic on a segment may not have to compete with other traffic. This means the engineering staff won’t find its drawings being delayed by backups and the development folks may be able to do their testing without worrying about performance impacts from other network traffic. But before you can do anything, you need to have a plan.