With more and more compromises occurring, cyber security is front of mind for many CIOs and IT Managers. Leading the charge in best practice for securing an organisation's assets is a clear strategy around the organisation's network architecture and how to incorporate network segmentation and segregation, which in turn lead to tighter controls.

In IT security from the 1990s to the mid-2000s, the objective was to secure the perimeter. To be fair, the edge of most networks was quite porous, and patching and vulnerability management were practically non-existent. There were many ways into networks, such as buffer overflows in daemons like WuFTPD or Apache.
Things, however, have now changed. Many networks now have a very hardened exterior and a "soft centre" interior, which relegates most compromises to web application attacks and spear phishing. But because the "early years" of corporate network design focused on hardening the perimeter, little attention was paid to the internal network, making it a virtual playground for any attacker to do what they wanted on any server, both because of a lack of vulnerability management and because networks were generally "flat".
A flat network, once compromised, allowed a plethora of attacks on multiple systems; removing flat networks led to the architectural approach of network segmentation. The following definition from the Australian Cyber Security Centre (ACSC) clearly defines the purpose of both network segmentation and, more importantly, network "segregation":
“Network segmentation involves partitioning a network into smaller networks; while network segregation involves developing and enforcing a ruleset for controlling communication between specific hosts and services”.
A key tenet in Information Security is "prevention is ideal, but detection is a must" (Dr Eric Cole). You cannot protect what you cannot see, and to increase visibility in those areas of the network that are critical to the business, the first step is to segment the network into security zones. Network segmentation is a fundamental component of an information security strategy: it reduces the likelihood of a compromise spreading, increases visibility into network traffic, and is the foundation for building a secure network. All this leads to an information-centric approach to the classic "defense-in-depth" security model, where an organisation understands which of its data is most valuable and then builds layers of security around it to protect its confidentiality, integrity and availability. Without network segmentation, an attacker, once inside the network, can access everything. Once a network is adequately segmented, security controls can be distributed across the security zones to reduce the risk of compromise, closing monitoring gaps and increasing the visibility of network activity.
The important thing to understand about network segmentation is that its purpose is to provide points where security controls can be implemented. The more critical the system, the more segmentation should be deployed across its key components, which in turn provides greater visibility of its traffic flows. Segmentation at the network layer provides a more granular form of network segregation; there are other approaches, which I will discuss in another blog, that aid in providing greater network segregation and can be developed to form part of your "defense-in-depth" policy.
Security zones are made up of network segments containing systems with a similar security classification. It is important not to have too many security zones: you want to secure your environment without making it much more complex. Examples of well-known zone names include DMZ, Protected Zone, Secured Zone, Restricted Zone and Management Zone. What differs for each zone is the set of defined rules for what controls need to be implemented within that zone to allow communication between its systems, the other zones, and the greater corporate network.
Some of the technology tools we can use to implement network segmentation include:
• Private VLANs
One or more of the above technologies can be used to create network segmentation and segregation.
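To make the ACSC distinction concrete, the following added example (not code from the original post) models segmentation as partitioning hosts into zones by subnet, and segregation as a default-deny allow-list of which zone may talk to which zone on which port. The zone names, subnets, rules and sample flows are all constructed for illustration. The same flows are evaluated twice, once as if the network were flat and once against the zone ruleset, which shows why a compromised DMZ host can reach the payroll database in the first case but not the second.

```python
"""Security zones, a zone-to-zone ruleset, and a comparison against a flat network.
Added example; zone names, subnets, hosts and ports below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Segmentation: each security zone is a set of network segments (constructed).
ZONES: Dict[str, List] = {
    "DMZ":        [ip_network("203.0.113.0/24")],   # internet-facing web tier
    "Protected":  [ip_network("10.10.0.0/16")],     # general corporate servers
    "Restricted": [ip_network("10.20.0.0/24")],     # payroll, HR, CRM data
    "Management": [ip_network("10.99.0.0/24")],     # admin jump hosts
}

# Segregation: explicit allow-list of (source zone, destination zone, ports).
# Anything not listed is denied (default deny between zones).
RULES: List[Tuple[str, str, Set[int]]] = [
    ("DMZ",        "Protected",  {443}),    # web tier -> app tier
    ("Protected",  "Restricted", {5432}),   # app tier -> payroll database
    ("Management", "DMZ",        {22}),     # jump host -> SSH into each zone
    ("Management", "Protected",  {22}),
    ("Management", "Restricted", {22}),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Return the zone whose segment contains ip, or None if unsegmented."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def is_allowed(flow: Flow, rules=RULES) -> bool:
    """Segregated network: deny unless a rule (or same-zone locality) permits."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False                      # hosts outside any defined segment
    if src_zone == dst_zone:
        return True                       # intra-zone traffic is not filtered here
    return any(src_zone == rs and dst_zone == rd and flow.dport in ports
               for rs, rd, ports in rules)


def flat_network_allows(flow: Flow) -> bool:
    """Flat network: one broadcast domain, any internal host reaches any other."""
    return zone_of(flow.src) is not None and zone_of(flow.dst) is not None


def reachable_zones(src_zone: str, rules=RULES) -> Set[str]:
    """Blast radius: zones a compromised host in src_zone can reach directly."""
    return {src_zone} | {rd for rs, rd, _ in rules if rs == src_zone}


def evaluate(flows: List[Flow], rules=RULES) -> Dict[Flow, Tuple[bool, bool]]:
    """Map each flow to (allowed on a flat network, allowed under the ruleset)."""
    return {f: (flat_network_allows(f), is_allowed(f, rules)) for f in flows}


# Constructed sample flows, including an attacker pivoting from the DMZ.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "10.10.5.20", 443),   # web server -> app server (legit)
    Flow("203.0.113.10", "10.20.0.5", 5432),   # compromised web server -> payroll DB
    Flow("203.0.113.10", "10.10.5.20", 22),    # SSH from the DMZ into the app tier
    Flow("10.10.5.20", "10.20.0.5", 5432),     # app server -> payroll DB (legit)
    Flow("10.99.0.7", "10.20.0.5", 22),        # admin jump host -> payroll DB
    Flow("192.168.1.1", "10.20.0.5", 5432),    # host in no defined segment
]

if __name__ == "__main__":
    for flow, (flat, segmented) in evaluate(SAMPLE_FLOWS).items():
        print(f"{flow.src:>14} -> {flow.dst:<11} :{flow.dport:<5} "
              f"flat={'ALLOW' if flat else 'DENY '}  segmented={'ALLOW' if segmented else 'DENY'}")
    print("DMZ blast radius:", sorted(reachable_zones("DMZ")))
```

Running the script prints the six flows side by side: the flat network allows all five internal flows, whereas the ruleset allows only the three that match an explicit rule. The `reachable_zones` helper is the quick check a reviewer would run on a proposed ruleset: if a low-trust zone such as the DMZ can reach the Restricted zone directly, the segregation is not doing its job.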
I suppose the biggest challenge we find when undertaking security reviews and recommending how customers can harden their environments is taking critical, legacy systems that have been placed in flat networks in data centres and working out how these can be separated from a network topology point of view and placed into the security zones we have agreed on. The first challenge is finding out whether the customer has any classification system in place to define whether a system is "critical" or not. This can be quite difficult, as "critical" needs to be defined in the context of the data a system hosts and what the implications are if that data were breached. Systems such as CRM, payroll, HR, etc. are obviously critical, but others may not be so obvious. With the advent of GDPR and Australia's own Notifiable Data Breaches (NDB) scheme, critical information extends from data that could cripple an organisation if stolen to data that contains customer personal information. This sensitive information needs to be protected, or an organisation can face heavy fines.
The lesson here, from a fundamental security point of view, is to know your assets, know the sensitivity of their data, and apply appropriate classifications. With this housekeeping in place, your organisation should be in a good position to implement network segmentation (if it hasn't already). Without the appropriate classifications in place, network segmentation will be next to impossible to implement successfully. Network segmentation is now a mandatory architectural requirement for any modern network deployment.