Corporate networks used to have a single perimeter, and everything inside the perimeter was trusted. Security professionals relied on this perimeter to block cyberattacks and malware from entering the corporate network. Network architects designed flat corporate networks in which devices connected with each other directly or through a router or a switch.
Before COVID-19, most corporate employees worked in offices, using computers connected to the internal network. Once users were on these internal networks, they typically had access to all the data and applications without many restrictions. Security and user-access policies were created only to separate the internal network from the external network. Most saw little need for granular policies and rules to limit user access to only parts of the internal network and to specific applications.
Due to the rapid evolution of the way we work, corporations now must contend with:
- Multiple network perimeters at headquarters, remote offices and in the cloud
- Applications and data scattered across different cloud platforms and data centers
- Users who expect the same level of access to internal networks while working remotely
While this is a complex set of issues, there is a solution. Network segmentation, when implemented properly, can unflatten the network, allowing security admins to protect multiple segments, compartmentalize internal networks and provide granular user access.
What is network segmentation?
The National Institute of Standards and Technology (NIST) offers the following definition for network segmentation: “Splitting a network into sub-networks, for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.”
Both internal and external networks should be granularly segmented, with security and access-control policies applied between each segment. Without this very granular segmentation, cybercriminals who have acquired user credentials or compromised a system can roam freely across the entire network infrastructure.
Network segmentation can be used not to just compartmentalize corporate networks into micro-networks, but also to create security and access policies for individual digital assets, such as applications, servers, endpoints and cloud workloads.
The main principle of segmentation:
Making sure each segment is protected from the others, so that if a breach does occur, it is limited to only a portion of the network. Segmentation should be applied to all entities in the IT environment, including users, workloads, physical servers, virtual machines, containers, network devices and endpoints. Connections between these entities should be allowed only after user identities have been verified and proper access rights have been established. The approach of segmenting with granular and dynamic access is known as Zero Trust Network Access (ZTNA).
Three basic tenets of successful network segmentation include:
- Granular segmentation of all networks on-premises, in the cloud and at remote offices
- Inspection of traffic between segments using security controls, such as firewalls and intrusion prevention systems
- Limiting access to segmented zones, so that only trusted and authorized users are permitted
Achieving Network Segmentation
Now that we understand that segmenting large network zones into smaller zones improves security, let’s see how this can be achieved. It may seem complex to start implementing segmentation, but by following these steps, it can be achieved rather painlessly:
Understand and Visualize Network
Admins need to map all the subnets and virtual local area networks (VLANs) on the corporate networks. These should include networks on-premises, in the cloud and at remote offices, as well as the number of devices and IP addresses being used. Observing network traffic and mapping connections between the entities can largely be performed with network security and management tools such as firewalls. Visualizing the current environment provides a lot of value right away in understanding both how to and what to segment.
At this step, network and security teams also need to work together to see where security devices such as firewalls, IPS and network access controls are deployed in the corporate network. An accurate map of the network and a complete inventory of security systems will help tremendously in creating efficient segments. In case of large enterprise networks, it is also a best practice to start mapping and building inventory one zone or segment at a time.
Segment and Create Policies
The next step in the process is to create the segments themselves: large subnets or zones should be segmented, monitored, and protected with granular access policies. Segments can be configured based on a variety of categories, including geo-location, corporate departments, server farms, data centers and cloud platforms.
It is best for network and security administrators to ensure that segments are aligned with business processes. Don’t try to segment the entire IT environment at once — start with one network zone with a few internal users so the process can be learned and proven to stakeholders.
After defining segments, create security policies and access-control rules between those segments. These policies can be created and managed using firewalls, VLANs or secure mobile access devices. In most cases, security admins can simply use existing firewalls or secure mobile access solutions to segment and create granular policies. For cloud environments, enterprises can use virtual firewalls and zero trust network access solutions to make sure the private and public clouds are properly segmented with the right security and access policies.
Monitor and Enforce Policies
After creating segments and policies, take some time to monitor the traffic pattern between those segments. The first time the security policies are enforced, it may cause disruption to regular business functions. So it’s best to apply policies in non-blocking or alert mode and monitor for false positives or other business interruptions.
After an appropriate trial period, security admins can make necessary adjustments and move these policies from alert mode into blocking mode. This will allow for a smooth transition into strict policy enforcement without disrupting important business processes.
Now it is time to enforce policies. Once the individual policies are pushed, each segment is protected from cyber attackers’ lateral movement and from internal users trying to reach resources they are not authorized to use. It is best practice to continuously monitor and apply new policies whenever there are changes to networks, applications or user roles.
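The three steps above, as an added illustration that is not part of the original article or any vendor product: segments are modeled as CIDR ranges, inter-segment access rules default to deny, and the same policy is first run in alert mode over a set of constructed flow records (to surface would-be denies for review) and then in block mode. All CIDRs, ports and flows are constructed sample values.

```python
import ipaddress
from collections import Counter

# Constructed example segments (sample CIDRs, not from any real network).
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "cde":     ipaddress.ip_network("10.30.0.0/24"),  # cardholder data environment
}

# Inter-segment allow rules as (src_segment, dst_segment, dst_port); anything
# not listed is denied. Intra-segment traffic is not policed by this table.
ALLOW = {
    ("users", "servers", 443),   # users reach web tier
    ("servers", "cde", 5432),    # only the server tier reaches the CDE database
}

def segment_of(ip):
    """Map an IP address to the segment whose CIDR contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow, mode):
    """Verdict for one flow: 'allow', or 'alert' / 'deny' depending on mode."""
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    if src == dst or (src, dst, flow["dport"]) in ALLOW:
        return "allow"
    return "alert" if mode == "alert" else "deny"

def run(flows, mode):
    """Evaluate flows; return verdict counts and the (src, dst, port) tuples
    that matched no allow rule, i.e. the list an admin reviews for false positives."""
    counts, review = Counter(), []
    for f in flows:
        verdict = evaluate(f, mode)
        counts[verdict] += 1
        if verdict != "allow":
            review.append((segment_of(f["src"]), segment_of(f["dst"]), f["dport"]))
    return counts, review

FLOWS = [  # constructed sample flow records
    {"src": "10.10.5.7",  "dst": "10.20.1.10", "dport": 443},   # allowed by rule
    {"src": "10.10.5.7",  "dst": "10.30.0.5",  "dport": 5432},  # user straight to CDE
    {"src": "10.20.1.10", "dst": "10.30.0.5",  "dport": 5432},  # allowed by rule
    {"src": "10.10.5.7",  "dst": "10.10.9.9",  "dport": 445},   # intra-segment
    {"src": "10.10.5.8",  "dst": "10.20.1.10", "dport": 22},    # unlisted: review it
]
```

Running `run(FLOWS, "alert")` flags the user-to-CDE and SSH flows without blocking them; once the review confirms the rules, `run(FLOWS, "block")` denies the same two flows.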
Granular visibility
By creating segmentation through security and access policies, enterprises will gain more granular visibility into their networks. Security management solutions provide dashboards that show segmented zones and help in synchronizing and enforcing consistent security policies across IT environments. These dashboards reveal connections between different segments, including user access information with detailed analytics and reports.
Secure remote access
Zero Trust Network Access (ZTNA) is the new paradigm for secure remote access — and one of the ways to achieve ZTNA is through network segmentation. By using virtual private network (VPN) technology in firewalls or secure mobile access solutions, you ensure remote and mobile users can access corporate resources only in their authorized segments.
Compliance
Many government, industry and corporate regulations require the ability to demonstrate that sensitive data is isolated and only authorized personnel have access. It is easier to achieve compliance by segmenting sensitive assets such as cardholder data environments (CDEs), personally identifiable information (PII), healthcare applications and customer databases. Segmentation also helps in achieving company policy compliance by pushing acceptable-use policies (AUP) to different segments based on their function.
Secure cloud migration
Most enterprises see significant benefits in migrating to cloud platforms. However, securing cloud workloads with the same degree of protection as on-premises, while at the same time providing granular secure access, can be challenging. Again, this can be achieved by segmenting cloud workloads into different buckets and securing them through technologies such as virtual firewalls and cloud access security brokers.
Isolate third-party workers
Enterprises want to make sure contractors, partners and other third-party businesses can’t move from one or two zones into the rest of the network. Using segmentation, security admins can isolate third party accessible zones from the rest of the network and cloud infrastructure and block unauthorized connections between zones using firewall policies.
Conclusion:
We live in an era in which the defensive capabilities found in a traditional network architecture have been eclipsed by the skills and resources of modern attackers. What today’s enterprises require is a way to deliver granular policy enforcement to multiple segments within the network. Through segmentation, companies can protect critical digital assets against lateral attacks and provide secure access to the remote workforce.
Enterprises can rely on technologies that augment next-generation firewalls (NGFWs), such as secure mobile access and ZTNA solutions, to protect devices and clouds while providing controlled access. By doing so, they’ll reduce cyber risk and achieve greater segmentation more effectively.