Network Segmentation: Security Best Practice Series – Part 2


It is time to get some more valuable information into your hands. In Part 2 of our Security Best Practice series, we are discussing steps that you can take as a Network Administrator to help secure your network. Let's dive into network segmentation.

Taking the proper steps to segment your business network(s) is one of the easier and less expensive steps that you as a Network Administrator can take to increase the security of your network. These days most people are asking you to spend, spend, spend to attain a valuable security benefit, but not with this one. Depending on the size of your network, you most likely already have everything you need: a firewall that can route between VLAN sub-interfaces and a managed switch that supports 802.1Q VLAN tagging. By using just those two pieces of network hardware (which you probably already have) you can increase the security of your network; what is not to like about that? Tell your boss that you are going to increase network security, then tell them you don't need to spend any money to do it, and see what their reaction is. WINNER!

What is the idea behind segmenting the network? To limit what an attacker can reach once they have a foothold on any one device. We design networks and assign devices to them based on items such as user role, sensitivity of the information handled, access requirements, risk, etc. Gone are the days when a network could be completely flat and every end-user PC, printer, server, coffee maker, etc. all lived on the 192.168.1.0/24 network. What we want to do is place these devices into their proper security zones (networks) and then create access controls that ONLY allow the needed traffic to pass to and from each network. By doing this you reduce the attack surface exposed to any single compromised host, or at least make it much more difficult for an intruder on the network to pivot around the network and access other devices.

In the image below, you will see a generic business network that has been segmented using a firewall and a managed switch (Layer 2). This network has been segmented into four networks:

  • End-Users
  • Printers
  • Server
  • Wireless

The small firewall icons ONLY indicate that traffic between the networks is routed back to the firewall for inspection and for the proper access controls to be applied; traffic within a network stays on the switch. This is a very general depiction of how to begin to segment a business network, but it is a very good starting point and reference for administrators who want to segment and secure their network for the first time.

Net Seg Graphic

By taking the time to properly segment your network you can obtain some key advantages:

  • Access control is greatly improved, because every connection that crosses a zone boundary must pass a firewall rule
  • Network performance can improve, because each VLAN is its own broadcast domain
  • Monitoring of the network will be more detailed, because inter-zone traffic is visible in the firewall logs instead of being silently switched
  • And last, but certainly not least... IMPROVED SECURITY!

Please keep a couple of things in mind. The simple act of segmenting the network itself does NOT make your network more secure. Once you have defined the segments and configured those networks, you need to implement the proper security/access controls between them; a firewall that routes between VLANs with an "allow any to any" rule has gained you nothing. Also, just because you segment the network and put in access controls does not mean that your network will never be compromised. There is always a chance that a breach will occur, but proper network segmentation and access controls, implemented properly, should greatly reduce the damage.
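To make the "access controls between the segments" concrete, here is an added example (not code from the original post or from Cerdant) that models the four-zone network above as a default-deny policy and evaluates sample connections against it. The subnets, the allowed flows and the sample traffic are all assumptions constructed for illustration; the point it shows is that the rules are direction-specific, so an end user can open a print job to a printer while a compromised printer cannot open connections back into the end-user or server zones.

```python
"""Zone-based access-control model for a four-zone business network.

Added example, not from the original post. The subnets, zone names,
allowed flows and sample traffic below are assumptions chosen for
illustration; substitute your own addressing and business needs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone layout: one subnet (VLAN) per security zone (assumption).
ZONES = {
    "END_USERS": ip_network("10.10.10.0/24"),
    "PRINTERS":  ip_network("10.10.20.0/24"),
    "SERVERS":   ip_network("10.10.30.0/24"),
    "WIRELESS":  ip_network("10.10.40.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One permitted flow: connections initiated from src_zone to dst_zone."""
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dst_port: int   # port the client connects to


# Allow-list of the flows the business actually needs (assumption).
# Anything not listed is denied. Rules describe who may INITIATE a
# connection; a stateful firewall lets the replies through, so the
# printer can answer a print job without any PRINTERS -> END_USERS rule.
POLICY = [
    Rule("END_USERS", "PRINTERS", "tcp", 9100),  # raw/JetDirect printing
    Rule("END_USERS", "PRINTERS", "tcp", 631),   # IPP printing
    Rule("END_USERS", "SERVERS",  "tcp", 445),   # file shares
    Rule("END_USERS", "SERVERS",  "tcp", 443),   # internal web apps
    Rule("END_USERS", "SERVERS",  "udp", 53),    # DNS
    Rule("WIRELESS",  "SERVERS",  "udp", 53),    # wireless gets DNS only
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone an address belongs to, or None if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dst_port: int,
               policy=POLICY) -> bool:
    """Default-deny decision for a NEW connection from src_ip to dst_ip.

    Traffic inside one zone never reaches the firewall (the managed switch
    forwards it at Layer 2), so it is reported as allowed: segmentation
    only controls traffic that crosses a zone boundary.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False        # address outside every defined zone: deny
    if src == dst:
        return True         # same VLAN: switched, never routed
    return any(r.src_zone == src and r.dst_zone == dst
               and r.proto == proto and r.dst_port == dst_port
               for r in policy)


# Constructed sample flows (assumption): a user printing, then a compromised
# printer and a wireless client trying to reach other zones over SMB.
SAMPLE_FLOWS = [
    ("10.10.10.25", "10.10.20.5",  "tcp", 9100),  # user -> printer
    ("10.10.20.5",  "10.10.10.25", "tcp", 445),   # printer -> user PC
    ("10.10.20.5",  "10.10.30.10", "tcp", 445),   # printer -> file server
    ("10.10.40.77", "10.10.30.10", "tcp", 445),   # wireless -> file server
    ("10.10.40.77", "10.10.30.10", "udp", 53),    # wireless -> DNS
]


def evaluate(flows=SAMPLE_FLOWS):
    """Map each (src, dst, proto, port) flow to its ALLOW/DENY decision."""
    return {flow: is_allowed(*flow) for flow in flows}


if __name__ == "__main__":
    for (src, dst, proto, port), ok in evaluate().items():
        print(f"{src:>12} -> {dst:<12} {proto}/{port:<5} "
              f"{'ALLOW' if ok else 'DENY'}")
```

Running it prints one ALLOW (the print job) and one ALLOW (wireless DNS), and DENY for each of the pivot attempts; on a real firewall the same allow-list becomes the inter-zone rule set, with the implicit deny at the bottom doing the work.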

Get started planning your network segmentation this week. Carve out 30 minutes to an hour and draw out the current state of your network. If all your PCs, wireless devices, servers, printers, etc. are on the same network or divided between two networks, it's not enough. Just last week it was announced that Brother printers currently have an HTTP POST vulnerability that lets an attacker carry out a denial-of-service attack against the device if its HTTP interface is reachable. Printers are notoriously left unsecured and on the same network as employee devices. If not secured properly, these printers can be used as pivot points into other areas of the network; isolate your printers. This is just one example of why it is so important to isolate and segment your devices into proper networks and then create secure access controls.

Let’s take another step towards increasing the security of our networks. As always, we at Cerdant are here to help!

HAPPY THANKSGIVING FROM THE CERDANT TEAM!
