As businesses and organizations scale and grow, their network infrastructure can also grow increasingly large and complex. Using a flat network structure (all devices connected on one server) makes it easier for cybercriminals to roam freely and unimpeded in the system in the event of a successful cyber attack. Implementing network segmentation best practices can limit the scope of an attack, prevent malware from spreading, and disrupt lateral movements across your IT ecosystem.
However, a network segmentation strategy can be expensive and hard to implement if the proper steps aren’t taken, and there isn’t clear communication from the management team. This article discusses the best cybersecurity practices to transition to a fully segmented network so your organization can improve its security posture.
What is Network Segmentation?
Network segmentation is a network security practice and defense-in-depth strategy of dividing the main network into multiple, smaller subnetworks to better protect sensitive data and limit lateral movement to the rest of the network. Each individual subnetwork or “zone” represents an additional layer of security that has its own access point, login credentials, and firewall protection. Although flat networks have faster connectivity and fewer restrictions, they are far less secure than segmented networks.
There are three main ways to segment a network, although most segmentation policies typically use a combination of all three: VLAN segmentation, firewall segmentation, and SDN segmentation.
1. VLAN (Virtual Local Area Networks) Segmentation
Most segmented networks use VLANs to create smaller groups of subnetworks or subnets that are connected virtually in the same broadcast domain. LANs share the same physical network in the same location, but VLANs allow multiple networks to operate together under one group. Only users within the same VLAN can communicate with each other.
Every subnet uses a different IP address than other subnets, which are connected by network devices. In order for users on different VLANs to communicate, they must route their data through a layer-3 device (usually a router or a switch).
2. Firewall Segmentation
Organizations can set up firewalls between each application layer to protect each internal zone of a network. In order to move from one functional area of a network to another, all parties must pass through a firewall first. Firewalls can block certain types of traffic based on the access controls set by the organization.
However, using only a firewall segmentation policy can have many drawbacks due to the complexity of the rules needed to segment internal networks properly. Any misconfiguration can break an application entirely, which could potentially cripple a business. It’s also costly to implement as the sole segmentation process.
3. SDN (Software-Defined Networking) Segmentation
SDN segmentation is a form of micro-segmentation that uses software such as an API (application programming interface) to manage a network instead of traditional hardware devices. SDNs allow network administrators to configure the network in one centralized controller location, which they can ultimately automate to monitor traffic flow.
Because administrators can develop new APIs to manage data traffic, they can create policies to funnel the data through a set of firewalls. Theoretically, this can be an extremely secure method to segment a network. However, SDN segmentation and automation is often seen as the most challenging method to implement, as many applications usually do not fit within its set of rules.
Benefits of Network Segmentation
By implementing a network segmentation policy, an organization can:
- Control the spread of a cyber attack and limit the damage caused
- Better access control for both internal and external network security
- Improve the flow of traffic between networks
- Easier network traffic monitoring and threat detection
- Better protect sensitive data and endpoint devices
- Secure cloud-based servers
Network Segmentation vs. Micro-Segmentation
Both network segmentation and micro-segmentation policies should be implemented when it comes to network security. While network segmentation focuses on limiting north-south traffic between different networks or VLANs, micro-segmentation provides east-west protection within a network. This means restricting access to all devices, servers, and applications that communicate with each other.
Network segmentation can be seen as an over-arching security policy for the entire infrastructure, while micro-segmentation is a more detailed, granular approach for intra-network traffic. Even if a threat actor can hack into a network, a micro-segmented computer network will prevent them from moving freely within that system.
Top 8 Best Network Segmentation Practices
Implementing network segmentation can be a costly and time-consuming practice. If done incorrectly, it can require a significant investment to fix and rebuild the entire network architecture, which can cause entire organizations to collapse or lead to more security risks. Here are the best practices for network segmentation so you can protect your organization against any malware attack:
1. Continually Monitor & Audit Networks
All segmentation processes should involve constant monitoring of network traffic and network performance to ensure that there are no gaps or vulnerabilities in the network infrastructure. Regular network risk assessments and penetration tests are essential to identify security issues that require immediate attention.
Annual network audits are also important because it allows organizations to reevaluate the effectiveness of their current security policies. New users, processes, or business needs may have evolved during the year, which requires updates to the network segmentation plan.
Learn more about attack surface monitoring.
2. Avoid Over or Under-Segmentation
When organizations implement network segmentation, a common mistake is over-segmenting into too many networks or under-segmenting into too few networks. Large enterprise networks often assume that segmenting as much as possible creates the highest level of security. There must be a balance between having enough resources to control and monitor multiple networks without impacting employee productivity.
Over-segmentation can cause employees to jump through multiple access points to gain access to data, creating workflow inefficiencies and restricting traffic flow. It can also create more vulnerabilities if each network system is not properly managed. Any security updates would take much longer to implement through each individual network, which can also increase the risk of making mistakes.
Under-segmenting a network can also prove ineffective if there is not enough separation between each system. Dividing one network into just two or three would not provide the level of security needed for proper network segmentation. Ideally, there are enough networks to limit the attack surface as much as possible.
3. Limit Third-Party Access Points
In addition to securing its own access points, every organization needs to restrict and manage its third-party risk. Not all third-party vendors or providers need full access to the company servers to continue operating at full capacity. Organizations should only allow the minimum level of access for vendors to fulfill their functions to prevent the impact of a potential data breach.
Even a secure network can be infiltrated by a compromised third party. One way to isolate third-party access is to create unique portals with customized access controls for each vendor. In addition, regular checkups for third-party risk can also help prevent future data leaks.
Learn more about vendor risk management.
4. Identify & Label Asset Values
Before beginning any network segmentation processes, organizations should take stock of their assets and assign values to them. Each asset, which can include everything from IoT (internet of things) devices to databases, should be organized by their importance level and data sensitivity.
Separating items of lower and higher value while maintaining a comprehensive list of company assets allows for an easier transition and implementation of a network segmentation strategy.
5. Combine Similar Network Resources
Once the inventory of assets has been documented, the next step is to start grouping together similar network resources. Items of lower security should be put in the same network, while other assets of higher security should be put into another. Organizations can place increased security protocols on networks with more critical data to protect as the network architecture begins to form.
This practice can make it easier to create and update security policies for each network and identify which networks have prioritization over others. It also makes network monitoring and filtering much more accessible.
6. Implement Endpoint Security & Protection
Cyber attacks often target endpoint devices because they are often unsecured and lack proper protection. A single hacked device can create an entry point for hackers to enter the entire main network. Implementing technology like endpoint detection and response (EDR) allows organizations to provide an extra layer of security by proactively monitoring IOAs (indicators of attacks) and IOCs (indicators of compromise).
7. Follow the Principle of Least Privilege
Once network segmentation has been implemented, each network should follow the zero-trust model and principle of least privilege. These practices involve denying network access at every level, which requires all parties within the network perimeter, both internal and external, to provide authentication and verification before gaining access to other parts of the network.
With zero-trust architecture (ZTA), network administrators can quickly identify any bad actors or unauthorized parties attempting to infiltrate the systems. Only authorized users with the correct permissions can access the data within that particular network.
Learn more about the principle of least privilege.
8. Create Easier Legitimate Data Paths
When segmenting a network, it’s important to consider the data path of an authorized user compared to the firewalls protecting the data. A legitimate user or third party shouldn’t have to pass through more access points than it takes firewalls for bad actors to break through. Make sure that your network architecture has more protections against cyber threats than firewalls between your vendors and the data they need to access.