How to Implement Network Segmentation for Better Security
Network segmentation is the practice of dividing a network into functional domains and limiting communications between those domains.
For example, a company might create separate segments for accounting, human resources, product development, manufacturing, customer service, marketing, sales, and building automation. No part of the network is exempt. Segmentation works for cloud computing, as well as SaaS applications.
Communication between segments is controlled at specific locations where security practices can ensure network security. Network security teams can use tools such as deep packet inspection with intrusion detection, intrusion protection, and firewalls.
What is microsegmentation?
Microsegmentation takes network segmentation to the next level by applying policies on a more granular basis, such as per application or per device. Microsegmentation can incorporate role-based access control based on a device’s role and access policies. An IoT device could not communicate with anything other than its application server, not even with another IoT device. An accounting data entry person would not be able to perform other accounting functions or access non-accounting systems.
In these examples, an endpoint can be an application server, a user with a computing resource, or a digital automaton that performs an action. An RFID reader that updates an inventory database at a loading dock is such a device. A chatbot is a digital entity that accesses customer order databases to respond to a customer’s query. No sample endpoint should be able to access systems other than those for which it was designed.
The Benefits of Network Segmentation
The main benefit of network segmentation is that it limits the damage caused by a cybersecurity attack. On the monitoring front, security systems can provide alerts when an unauthorized endpoint attempts to gain access to the system, identifying bad actors trying to spread laterally.
Segmentation can also reduce the scope of regulatory compliance, such as the Payment Card Industry Data Security Standard. Audits should only involve the part of the network that processes and stores payment card information. Of course, these audits must validate good segmentation practices.
Network segmentation best practices
So, what strategies can network teams follow when segmenting their networks?
Create security policies and identify resources
To implement network segmentation, network teams must begin by creating security policies for each type of data and assets they need to protect. Policies should identify each resource, the users and systems that access it, and the type of access that must be provided.
Use Allow Lists
Next, teams should implement permission list access controls. This practice greatly improves network security. Teams must identify application data streams for each application for this to work. Although this process can be labor intensive, it is well worth the time and effort compared to the cost of a cybersecurity event.
Technologies to implement network segmentation
Network segmentation can be based on physical separation, logical separation, or both, depending on the specific instance. Firewalls, Access Control Lists (ACLs), and Virtual Local Area Networks (VLANs) provide basic segmentation functionality.
The next step adds virtual routing and forwarding (VRF) to segment routing information. An advanced implementation would implement a complete multi-tenant system based on software-defined technologies that combine firewalls, ACLs, VLANs, and VRFs.
Software-defined access (SD access) identifies endpoints and assigns them to the appropriate network segments, regardless of where they physically connect to the network. SD-access tags packets to identify the segment they belong to. Tagging allows the network to effectively apply the appropriate policy to network streams.
Network teams should use physical separation, such as separate firewalls, when they need to reduce the complexity of firewall rules. Mixing firewall rules for a large number of applications into one firewall can become unmaintainable. Complex rulesets rarely have suppressed rules because the resulting action is difficult to determine. Using separate firewalls based on VM implementations can greatly simplify each set of rules, making it easier for teams to audit and remove old rules when requirements change.
Finally, teams can use automation to maintain network security. Many security audit steps can and should be automated to ensure they are applied consistently. Tools based on software-defined technology can help with automation.