Network Segmentation is the act of dividing one network into several smaller pieces, or sub-networks, with controlled boundaries between them. In just the last few months, several worldwide attacks on networks and corporations have crippled many systems. These are just the latest in a series of events that highlight weaknesses in our so-called secure networks.
Network Segmentation is a tactic that provides one more layer of security – and as we well know, security is best achieved by implementing it in layers. We at 24By7Security are very familiar with it as part of our Defense in Depth 2.0 model.
Benefits of network segmentation
- Security: If a network has been segmented, an attacker who compromises one host does not automatically reach everything else. Each sub-network boundary has to be crossed separately, and every crossing is another point at which the intrusion can be blocked or detected. Network Segmentation therefore limits the damage of a breach and reduces the possibility of the entire network going down.
- Performance: Another benefit of network segmentation is an improvement in performance. Since each sub-network is much smaller than the whole network, it contains fewer hosts and carries less broadcast and local traffic, which reduces congestion and improves performance.
- Access control: Network segmentation also permits stronger access control, because access to a given sub-network can be limited to the people and systems that actually need it. Sub-networks can be created for specific types of systems handling data of different sensitivity levels, for example keeping payment systems apart from general office workstations.
Network Segmentation could have reduced or even prevented major hacks. One example is the 2013 Target breach. Attackers gained access using credentials stolen from a third-party HVAC vendor. Because the network the vendor connected to was not adequately separated from the systems that processed card transactions, the attackers were able to move from that foothold to sensitive data, including payment card data along with customer names, addresses and more.
Network Segmentation could also have greatly minimized the damage of the worldwide ransomware attack WannaCry. WannaCry is ransomware that exploits a flaw in the SMBv1 (Server Message Block version 1) file-sharing protocol in Windows, a flaw for which Microsoft had already released a patch (MS17-010) about two months before the outbreak. The attack hit organizations in many countries and many different kinds of systems: banks, hospitals, universities, transit systems and parts of government were knocked out of operation. It spread so widely for many reasons, but one of the biggest is that it was also a worm. While it encrypted files on one computer, it scanned for other vulnerable machines reachable over SMB (TCP port 445) and kept spreading to them. Blocking SMB between segments that have no business sharing files would have contained much of that damage.
The last example this blog will mention is Petya. Petya is the most recent attack; it has affected systems and networks all over Europe but has mostly been centered on Ukraine. Some of the affected systems include the central bank, the airport, the metro, an electrical supplier and the state telecom. Just like WannaCry, Petya has had no trouble spreading to other computers on the same network, using the same SMB flaw and, in addition, administrator credentials harvested from infected machines to reach hosts that were already patched. Again, network segmentation, combined with not reusing administrative credentials across segments, could have limited the extent of the damage.
Creating a network segmentation strategy
Segmenting a network is not typically an easy task and requires a significant investment of time, resources and money. An organization needs a comprehensive network segmentation strategy before it starts moving hosts and rewriting firewall rules.
Some important steps in creating this strategy and performing network segmentation include:
- A detailed risk analysis and assessment of the network.
- Review of different types of data and access control requirements.
- A firewall assessment.
- Define network zones based on access control and segregation of assets.
- Consider physical and logical separation of network segments (separate hardware, or VLANs and VRFs with firewall-enforced boundaries between them).
- Review and assess requirements for integration between internal systems and with external systems or partners.
- Review the organization’s change management process and how it would be impacted with a segmented network.
- Rule management is critical as the number of firewalls, switches, routers and other hardware devices will increase, and each will have its own rules to be defined and maintained.
- Policy and procedures for monitoring and maintaining the network and its sub-networks.
- Continued and routine assessments and improvements to the infrastructure to keep it secure.
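The steps above (defining zones, writing the rules between them, and monitoring that the rules hold) and the worm examples earlier in this post both come down to the same check: does the traffic actually observed on the network cross a zone boundary that the policy does not allow? The script below is an added example, written for this post and not code from 24By7Security or from the original article. The zone CIDRs, the allow-list, and the flow records it reads are all constructed for illustration (the record format is a made-up "src dst proto dport" line, not any real flow exporter's output); substitute your own zone definitions and feed it flow logs from your firewalls or switches.

```python
"""Check observed network flows against a zone-based segmentation policy.

Added example: zones, allow-list and sample flows are constructed, not real.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical zones for this example. The "internet" catch-all matches anything
# that is not in a more specific zone.
ZONES = {
    "corp_workstations": ipaddress.ip_network("10.10.0.0/16"),
    "pos_terminals": ipaddress.ip_network("10.20.0.0/16"),
    "vendor_hvac": ipaddress.ip_network("10.30.0.0/24"),
    "cardholder_db": ipaddress.ip_network("10.40.0.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Allow-list of (src_zone, dst_zone, protocol, dst_port). Anything between two
# different zones that is not listed here is a violation (default deny).
ALLOWED = {
    ("corp_workstations", "internet", "tcp", 443),
    ("pos_terminals", "cardholder_db", "tcp", 5432),
    ("vendor_hvac", "internet", "tcp", 443),
}


def zone_of(ip: str) -> Optional[str]:
    """Return the most specific zone containing ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto dport' record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def evaluate(flow: Flow) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (src_zone, dst_zone, permitted). Intra-zone traffic is permitted."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    permitted = s == d or (s, d, flow.proto, flow.dport) in ALLOWED
    return s, d, permitted


def find_violations(lines: Iterable[str]) -> List[Tuple[Flow, Optional[str], Optional[str]]]:
    """Return every flow that crosses a zone boundary without an allow-list entry."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        s, d, ok = evaluate(flow)
        if not ok:
            violations.append((flow, s, d))
    return violations


# Constructed sample flow records. 203.0.113.10 is a documentation address.
SAMPLE_FLOWS = """
# src dst proto dport
10.10.5.23 203.0.113.10 tcp 443
10.30.0.12 10.20.7.4 tcp 445
10.10.5.23 10.10.9.1 tcp 445
10.20.7.4 10.40.0.5 tcp 5432
10.20.7.4 10.40.0.5 tcp 445
10.30.0.12 203.0.113.10 tcp 443
""".strip().splitlines()


if __name__ == "__main__":
    for flow, s, d in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {s} -> {d}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run against the sample records, the script flags two flows: the HVAC vendor segment reaching a POS terminal over SMB, which is the Target-style path, and a POS terminal talking SMB to the cardholder database, where only the database port is allowed. The third record, SMB between two workstations in the same zone, passes, which is the caveat to keep in mind: segmentation contains a worm at zone boundaries, it does not stop it from spreading inside a zone, so zones still need patching and host-level controls.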
Following the age-old policy of "Divide and Conquer" may now be taking a new twist, with corporations implementing network segmentation to divide and conquer ransomworms and other types of cyber attacks.