Sage Advice - Cybersecurity Blog

Network Segmentation: Considerations for Design

network-segmentation-design.jpgNetwork segmentation is gaining popularity as a cybersecurity defense in response to the escalation of cyber-attacks. The process of splitting your network into different subnetworks can strengthen your security defenses and even boost performance. But it’s not a task to be taken lightly. Segmenting your network is a major project and an entirely different way of managing your network.

A great deal of time and planning should go into your segmented network design. Here are some network segments that you may want to consider as part of that design.

Segmented Network Design

  1. External Network. This is a pretty clear segmentation – what is outside is in the public Internet and what is inside is on the private Local Area Network (LAN).
  2. Demilitarized Zones (DMZs). A DMZ is a subnetwork that contains and exposes an organization’s externally facing services (i.e., email and/or web servers) to the Internet. It adds a level of security because it restricts access into the internal LAN from the public Internet.
  3. Guest / Wireless Network. It’s commonplace for all types of organizations to provide access to the Internet for their guests, but there is no reason for this traffic to have access to your internal systems.
  4. IT Management Network. Isolate administrative workstations that are used to manage the network from the workstations used for non-admin work (i.e., email, Internet, Office).
  5. Server Networks. Keep distinct functions (i.e., human resources, marketing, finance, etc.) that have no reason to talk to each other from a technology or a functional role standpoint separated from each other.
  6. VoIP Networks. Phone systems can be segmented off.
  7. Security Networks. It’s important to protect management devices (i.e., IDS/IPS consoles, syslog servers, backup servers, etc.) from compromise, so this is a great segment to create. A typical attack will compromise security tools, so that they no longer function as expected. Backup servers are especially important with the prevalence of ransomware.
  8. Physical Security Systems. Segmenting off systems that are monitoring (i.e., camera systems) or allowing access (i.e., ID card scanners) is important because if a hacker can get control, they can move freely throughout your facility.
  9. Industrial control systems. The Target breach was successful in large part because the refrigeration systems compromised by a phishing attack on the vendor who serviced those systems remotely weren’t segmented from the POS system or the rest of Target’s internal corporate network. Segmenting industrial and/or physical plant control systems from the rest of the network is critical.

Methods of Network Segmentation

There are two basic methods for segmenting your network, physical and virtual. Physical is the most secure method, but it is also the most difficult. In this method each segment must have its own Internet connection, physical wiring, and firewall.

Virtual segmentation is far more popular and easier to implement. In this method, firewalls are shared and switches manage the virtual local area network (VLAN) environment. You can also isolate hosts from each other in a VLAN (private VLAN) or have virtualization software designed networks (i.e., VMware).  It’s worth noting, however, that VLANs are no longer accepted as a compliant segmentation methodology by the PCI-DSS (Payment Card Industry Data Security Standard).

Moving to the “Cloud” is also a type of segmentation because you’re moving selected infrastructure outside your internal LAN, and giving someone else management responsibility over it. There is typically no communication between your internal LAN and that cloud environment except through authentication in a web application or some other management application, or via dedicated VPN or physical circuit with firewalls on each side of the connection. Obviously, this is very popular right now.

While using a third-party has a lot of great benefits, it does introduce new risk factors that come with ceding control over your data and possibly critical aspects of infrastructure. That’s why you should spend more time and energy monitoring these vendors and doing your due diligence. And for many regulated industries, even if you are using a third-party, your organization is still ultimately responsible for keeping your data secure. You can outsource functions, but never accountability or risk. (Check out Creating a Vendor Management Program to Mitigate Cybersecurity Risk to learn more about vendor management).

A Trust Relationship

Ultimately, a good way to think about your network is that it’s a trust relationship. If you have a flat network, you’re saying that all the machines can trust (and communicate) with each other. When segmenting your network, put careful consideration into which hosts require the ability to communicate. Segmenting doesn’t mean you can’t create routes between segments, but it does mean that planning and management efforts will be increased. If hosts don’t require the ability to communicate, then consider segmentation to protect sensitive data and functions, increase the performance of critical network services, and make it harder for attackers to navigate and achieve their goals.  

If you're considering segmenting your network, you may be interested in reading our post, The Security Benefits of Network Segmentation.

Be confident you're detecting network threats with nDiscovery Managed Threat Detection. With nDiscovery, your network is under surveillance 24 / 7 and our team of cybersecurity experts hunt down threats in the vast cyber universe every day. Incidents are found and confirmed for you – and you receive remediation recommendations within minutes of an attack.

Learn more about  nDiscovery »

Topics: Cyber Defense


The Sage Cybersecurity Lifecycle

The Sage Data Security Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More