Network Segmentation and Segregation

The Recipe is simple. Setup a network. Add a bit of internet to the mix. To improve the taste, add firewalls, IDS, IPS, and some monitoring programs. It's time to divide the network so that it can be served as per the requirements of the guests. Segment one part while segregating the other. Viola… The dish is ready to be served.

Well, the dish cannot be served unless and until we learn the differences between network segmentation and segregation. I find them confusing and maybe you would do it. If you do, let’s finish this confusion once and for all through this blog post.

I would like to approach this through layman terms rather than confusing myself with all sorts of fancy terms and technologies. If you look at a hotel on a whole, it’s a big building. Now no one person would like to book the entire building completely. So in order to maximize the revenue, the hotel person segments or in a way divides this complete hotel into various smaller portions called rooms. These rooms are complete in themselves with amenities such a bed, almirah, etc. available for your disposal. Having said that, if you look at the rooms, they are kept separate from each other through walls, doors and also locks on those doors. Before we move further, it's time for the introduction of the terms - network segmentation and segregation.

Network segmentation involves partitioning a network into smaller networks; while network segregation involves developing and enforcing a ruleset for controlling the communications between specific hosts and services. Continuing with our example, when the hotel ( network) is divided into different rooms, it’s a way of segmenting the complete network into smaller networks. When the rooms are locked with door locks or access controlled to enforce a rule for walking into each other’s rooms, it will be segregation.

When implementing segmentation, the idea is to reduce complexity and congestion along with improving security. When a large complex network is broken down smaller networks, it will reduce complexity and congestion as the smaller network will have fewer devices and less amount of traffic flowing through them. Since the broadcast is limited within the segment, the traffic flow will be restricted while access privileges will work only within the segment, thereby resulting in increased security. It’s similar to the privileges you enjoy in your own room as compared to the hotel lobby.

“When implementing network segmentation and segregation, the aim is to restrict the level of access to sensitive information, hosts, and services while ensuring an organization can continue to operate effectively”

Importance of Segregation and Segmentation

Continuing with our example of a hotel, if one of the rooms catches fire, it can be controlled within through the walls built around that room. You can immediately segregate the room and implement measures to contain the damage within. Once an attacker compromises a network, its main aim to spread and engulf the complete network. In order to prevent this, the attacker should find it extremely difficult to send packets of compromised information from one workstation to another.

Implementing segmentation and segregation can help you keep tabs on the movement of the attacker. Through explicitly disallowing remote desktop connections or the use of common network administration tools from user workstations (as most users do not require such functionality), configuring servers to limit the sharing of files, and restricting servers’ ability to communicate via remote connections can go a long way in limiting the attack surface.

When a cyber-criminal gains unauthorized access to a network, segmentation or “zoning” can provide effective controls to limit further movement across the network. PCI-DSS (Payment Card Industry Data Security Standard), and similar standards provide guidance on creating a clear separation of data within the network, for example separating the network for Payment Card authorizations from those for Point-of-Service (till) or customer wi-fi traffic. A sound security policy entails segmenting the network into multiple zones, with varying security requirements, and rigorously enforcing the policy on what is allowed to move from zone to zone.

The Big Question - How?

As illustrated in the article by the Australian cybersecurity center, Implementing network segmentation and segregation can be achieved using a number of techniques and technologies, including:

Implementing demilitarised zones and gateways between networks with different security requirements (security domains) utilizing technologies at various layers such as:

  • routers or layer 3 switches to divide a large network into separate smaller networks to restrict traffic flow using measures such as access control lists
  • virtualized networking and routing protocols, including Virtual Local Area Networks and Virtual Routing and Forwarding to segment the network
  • virtual machines, containers, and virtual functions to isolate activities of different trust or threat levels (such as accessing the Internet or email or performing privileged administrative tasks)
  • virtual hosts, virtual switching, cloud tenancies and managed security groups to segregate and segment applications, data and other services
  • host-based security and firewall software to filter network traffic at the host level
  • network firewalls and security appliances between networks to filter network traffic
  • network access controls to control the devices which can access networks
  • application and service firewalls and proxies (or service brokers) to permit only authorized communications between applications and services in different networks
  • user and service authentication and authorization, including multi-factor authentication and policy-based access, controls to enforce least privilege
  • data diodes and one-way transfer devices to enforce the directionality of data flows between networks
  • content filtering techniques including recursive decomposition, validation, verification and sanitization to comprehensively assure network and application traffic flows.

Implementing server and domain isolation using Internet Protocol Security (IPsec).

Implementing storage based segmentation and filtering using technologies such as disk and volume encryption and Logical Unit Number masking.

For extremely sensitive network connections, implementing Cross Domain Solutions based on evaluated High Assurance products; or technologies otherwise recommended by the Australian Cyber Security Centre (ACSC).

To be successful, the implementation of these techniques and technologies must be driven by a network architecture based on achieving organizational business and security requirements. It is vital that network, system and security architects work together with business analysts and customers to ensure that an accurate and considered strategy is adopted.

Best Practices for implementation 

Apply technologies at more than just the network layer. Each host and network should be segmented and segregated, where possible, at the lowest level that can be practically managed. In most cases, this applies from the data link layer up to and including the application layer; however, in particularly sensitive environments, physical isolation may be appropriate. Host-based and network-wide measures should be deployed in a complementary manner and be centrally monitored. It is not sufficient to simply implement a firewall or security appliance as the only security measure.

Use the principle of least privilege and need-to-know. If a host, service or network doesn’t need to communicate with another host, service or network, it should not be allowed to. If a host, service or network only needs to talk to another host, service or network on a specific port or protocol, and nothing else, it should be restricted to this. Adopting these principles across a network will complement the minimization of user privileges and significantly increase the overall security posture of the environment.

Separate hosts and networks based on their sensitivity or criticality to business operations. This may include using different hardware or platforms depending on different security classifications, security domains or availability/integrity requirements for certain hosts or networks. In particular, separate management networks and consider physically isolating out-of-band management networks for sensitive environments.

Identify, authenticate and authorise access by all entities to all other entities. All users, hosts and services should have their access to all other users, hosts and services restricted to only those required to perform their designated duties or functions. All legacy or local services which bypass or downgrade the strength of identification, authentication and authorisation services should be disabled wherever possible and have their use closely monitored.

Implement whitelisting of network traffic instead of blacklisting. Only permit access for known good network traffic (i.e. that which is identified, authenticated and authorized), rather than denying access to known bad network traffic (e.g. blocking a specific address or service). Not only will whitelisting result in superior security policy to blacklisting, but it will also significantly improve an organisation’s capacity to detect and assess potential network intrusions.

Let me know your thoughts on this...

In the next blog post, we will apply these learnings to 2 real-world examples. Till then, be happy, plant more trees and say no to plastic!!!


You may also like to read...

Identification, Authentication, Authorization, and Accountability

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

How to Pass SSCP Exam in the First Attempt

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

Cloud Computing - The Logical Model