Today, we’re going to take a closer look at how network segmentation can be used to improve your organization’s security posture. Network segmentation is, very simply, creating subdivisions of your corporate network and then intelligently restricting traffic flows between them. This can take the form of VLANing, ACLs on routers or firewalls, host-based firewalls, physical separation/air-gapping, or just about any other technology that allows you to manage traffic flows. The purpose of network segmentation is to restrict what hosts/ports a particular host can communicate with to ensure it follows the principle of least privilege (you can only talk to systems you have a business need for). This makes it more difficult for an attacker that gains an initial foothold to move within your environment, controls the spread of malware/ransomware, and helps restrict the movement of malicious insiders.
What are the Challenges of Network Segmentation?
Let’s start by addressing some of the perceived challenges of network segmentation though, as this may seem like a really daunting task for most organizations. One of the most common things we here when we discuss segmentation is “I don’t know who needs access to what so I don’t want to break something.” This can be overcome by taking small, incremental steps like those we layout below. Additionally, segmentation can be rolled out in “monitor-mode” before ACLs are enforced to make sure nothing breaks. This process will probably help you to learn a lot about your network and business processes, too.
Another common one is “We don’t have the resources, people or time, to do a project like this.” Fair enough, everyone’s got different IT and security priorities. But I’d argue that taking some of these simple network segmentation steps will not take a large time investment, can be done with your existing network devices in most cases, and can save you a ton of headaches later, further preserving your future resources.
While full segmentation is not trivial and does take planning/maintenance, that shouldn’t deter you from making some straight-forward, quick-win changes related to network segmentation that have big security ROI.
Let’s hit some of the most important initial network segmentation tasks:
A DMZ for all external facing servers that can be accessed from the Internet is a fairly common practice and most organizations we encounter adhere to this principle. But this is just some simple network segmentation when it’s done right. Restricting that traffic flow from systems in the DMZ to the rest of the internal network is what makes a DMZ effective. If one of those servers is compromised, an attacker shouldn’t have free and open access back into the rest of the internal network or it would defeat the point.
Besides the external servers in the DMZ, placing all your other servers into a dedicated subnet/VLAN is another high impact move you can make. Then, typical ACLs associated with this server segment would include only permitting traffic to administrative ports (e.g. RDP, SMB, WMI) from IT administrator workstations, not permitting traffic from servers to workstation subnets, and restricting lateral movement between servers. Your file share system probably doesn’t need to connect to your SCCM server via Remote Desktop, so any easy wins you can identify like this will help restrict nefarious movement.
IT Administrators Segment
When it comes to workstations, subdividing every user by department/role might be your ultimate goal, but this can take time. A more bite-sized task with a huge return on investment would be separating your IT administrators to a dedicated VLAN, and then restricting traffic into that portion of the network from server VLANs and other workstation VLANs. While IT admins will certainly need remote access into other parts of the network, nothing should really be able to remote into their systems. This helps protect your highest value/highest risk systems from compromise.
Workstation -> Workstation Segmentation
Creating different workstation VLANs based on department, role, and/or physical location can help keep things organized. But the real value is in taking that one-step further and ensure that a workstation in one VLAN can’t communicate with a workstation in another VLAN. A user that isn’t an IT admin doesn’t ever need to remotely log into another users workstation (in all but extraordinary scenarios). This can help prevent lateral movement if one user get’s popped by a social engineering attack, limiting an attacker’s movement or the propagation of ransomware.
Don’t Stop Network Segmentation There!
These 3 areas of focus should just be starters to help make this a more approachable task. If you can start with these initial network segments, create a plan for additional restrictions moving forward. While this isn’t a silver bullet, this can make an attacker’s life much more difficult and all but the most dedicated threat actors are probably going to move on when they’re required to pivot multiple times.
Incrementally raising the bar and increasing your security maturity will pay dividends over time. While it may seem overwhelming to talk about network segmentation, it can be done and a lot of organizations out there, large and small, are doing it effectively. Eat the elephant bite-by-bite and don’t get discouraged! If you want to discuss your approach and the security considerations, feel free to reach out!