Sage Advice - Cybersecurity Blog

Network Segmentation: How-To Tips

network-segmentation-how-to.jpgAs discussed in recent posts, a great way to bolster your cybersecurity defenses is to segment your network environment. Network segmentation can really slow a hacker down – or even deter them from perpetrating an attack at all. However, as with any security control, it’s important to balance business goals with security. Make sure that if you take on this project it isn’t going to disrupt or inhibit getting business done.

Segmenting your network is no small task. In a traditional flat network there are no barriers preventing end-points and servers from communicating with each other freely on the internal network. And maintenance required at the network layer is limited. Segmenting your network requires a great deal of planning, as well as ongoing maintenance. Similar to your perimeter infrastructure, it will require firewall rule sets, routing and switching configurations, etc.

Tips for Each Phase of Segmenting your Network

#1 Network Segmentation Design

Giving your team enough time to design and do the proper planning is essential for success.

  1. Inventory systems. Classify and identify sensitive data and where it lives. This is one of the core concepts of security that matters the most. What do I have? And who has access to it?

  2. Identify and group similar systems and data classifications.

  3. Identify who needs to use the data. This type of refinement will help you take rule-based access to a whole new level because you’ll be forced into granting access to all these systems to only those who need it.

  4. Design segmented network. Now it’s time to design your segments. What are you going to put together? Why? And who needs access? Get some examples of segment design in our blog post here.

  5. Capital expenses. It could be firewalls, software, or just configuration time for VLANs. You’ll also need to consider the impact on IDS/IPS sensors, which in a flat network are able to monitor traffic across the entire LAN, but when the network is segmented, those sensors need routes and rules to monitor segments.

#2 Network Segmentation Implementation

  1. Start with the easiest segments. Examples of these are Guest, Test, and Development.

  2. Restrict both inbound and outbound traffic. Implement granular control according to the principle of least access required to complete business tasks. The concept of least privilege is finely tunable when you have a segmented network. It could be logical or physical, or a combination. In the rule sets that you develop, limit source, destination, and service traffic from each other. For example, a population of specific application servers may be restricted to communicate across only certain segments, while another population, like Domain Controllers, may be allowed to communicate across all segments.

  3. Default deny rule. This is a founding principle in firewall configuration. Deny everything that hasn’t been explicitly allowed.

#3 Network Segmentation Maintenance

Mature change control is critical during network segmentation. If you do not have a good end-to-end process for change control, where approvals of the right people and review of your changes are necessary and well codified, it’s going to lead to trouble. You could end up undoing the security benefits of segmentation, or breaking things with a single poorly planned and executed change.

  1. Follow change control procedures when making changes to the access controls in place between network segments.

  2. Ensure that changes do not violate the segmentation strategy.

# 4 Network Segmentation Monitoring

With a segmented network, you’ll know more about internal traffic than ever before. Typically, time is spent looking for threats externally, but now you’ll be able to do the same thing internally. Insider threats continue to be a major cause of breaches and a malicious intruder mimicking a trusted insider is common, so it’s worth paying attention to.

  1. Configure your IDS / IPS to monitor internal network segments, as well as your external network.

  2. Review logs every day. Among the most reliable, accurate, and proactive tools in the security arsenal are the event and audit logs created by network devices. Analyze your logs for suspicious or unusual behavior. Download our Log Analysis Guide for more information.

If you're considering segmenting your network, you may be interested in reading our post, The Security Benefits of Network Segmentation.

Be confident you're detecting network threats with Tyler DetectWith Tyler Detect, your network is under surveillance 24 / 7 and our team of cybersecurity experts hunt down threats in the vast cyber universe every day. Incidents are found and confirmed for you – and you receive remediation recommendations within minutes of an attack.

Learn More

Topics: Cyber Defense


The Sage Cybersecurity Lifecycle

The Sage Data Security Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More