Delivering the Open Network Advantage

Network Segmentation »

Network Segmentation for Enterprise Network Security

Cyber-criminal access to your company’s sensitive data is a significant CEO concern. Security breaches like those at Target, Home Depot and Community Health Systems are in the headlines daily and demonstrate that traditional methods of preventing unauthorized access are insufficient in today’s environment. Requirements for cloud applications and services, workforce mobility and dynamic user access through personal devices is driving the need for network segmentation or “zoning.” As the perimeter of a corporate network becomes more difficult to define and protect, threat mitigation and intruder isolation must be a critical component of a comprehensive network security strategy.

Why Segment Your Network?

Network segmentation improves security by making it far more difficult for a network intruder to reach high value data assets such as credit card information or health records. When implemented properly, intruders are identified during propagation or lateral movement through the network, alerts are triggered, an audit trail identifies the compromised access point and path, and the segment is isolated from the rest of the network. Segmentation helps to prevent unauthorized access to sensitive information and minimizes breach impact. Zero trust boundaries can protect critical data, resources or intellectual property. Segmentation can even improve performance by reducing local traffic and is becoming more powerful with the evolution of Software Defined Networking (SDN).

How to Get Started

Topology-aware network segmentation requires an initial and ongoing effort to understand the instances of communication between network devices and users that are necessary to support efficient business operations. Segments are defined by business need, either by department or function. Communication between devices is managed through a strict ruleset. Before implementing, study the paths of revenue and information throughout your network, including all access points and back-end management, users, applications and devices. Segmentation can create demilitarized zones (DMZ) and gateways between subnetworks based on security domains using multiple methods that include network and host firewalls, separate physical links and systems, traffic flow and content filters, Network Access Control, and user or service authentication and authorization.

Segmentation Design Basics

Network Segmentation design should be thoroughly based on the principles of need-to-know and least privilege. Access should be defined by whitelisting instead of blacklisting. Segmentation should be considered every network layer, from application to data link layer. Segmentation design should separate information and infrastructure. Security requirements need to be defined for each user and device for all type of business-justified communications. Issue separate security credentials for users or services, and use multi-factor authentication for sensitive users and services. Filtering should include logical access restrictions (network layer, state-based, and port or protocol), authentication and application layer communications. Implicit trust relationships should be minimized and each side of trust should authenticate the other. Logging, auditing and alerts should be automated when possible to immediately isolate intrusions and prevent future breaches.

Typical Segment Scenarios

Many segmentation efforts begin by segregating departments such as Finance, Human Resources, Network Administration and Executive Management as separate sub-networks. Related devices such as routers and switches can be segregated, as well as VPNs and VoIP. Government networks may require physically separate segments while enterprises utilizing virtualization define multiple zones on a single device. Third party access should require different administration passwords to reduce threats via compromised partner networks. Sensitive data may require policy-compliant protection such as PCI-DSS for credit card data or HIPAA for patient data. Critical resources suggest separate zones with separate security access rules. In all cases, the guiding principle of “never trust and always verify” requires that traffic between segments should be blocked if there is no business need.

Network Segmentation into the Future

The ability to prevent the PR damage and customer goodwill lost from a single massive data breach more than justifies the effort required to understand your network design and business needs. Technology providers including Juniper, Fortinet, Microsoft, VMWare, Pluribus, and Palo Alto Networks are paving the way. Even virtualized data centers with cloud infrastructure can even benefit from micro-segmentation, the ability to control and filter traffic between any two endpoints. But once implemented, network segmentation must be maintained on an ongoing basis, not just revisited at times of audit or breach. The protective effects of network segmentation on enterprise reputation is a strategic corporate asset that will be increasingly be recognized by security-aware executive management, shareholders and customers.