It is Cybersecurity Awareness Month!
For that reason, we want to help you create a more secure network with defense-in-depth techniques. Defense-in-depth is an acknowledgement that firewalls, while critical and very effective, cannot stop all attacks.
Instead, we need to create layers of defense that slow down and limit the impact of an attack wherever possible. For today’s blog, we’ll focus on a set of techniques within network design: Network subnetting, network segmentation, and network micro-segmentation.
Network subnetting segregates network devices using a logical network.
This logical network, or subnet, will have a separate router IP address and separate subnet mask to isolate that subnet’s traffic from other subnets.
NetworkComputing.com detailed 5 Subnetting Benefits for a network:
- improved network performance and speed;
- reduced network congestion;
- boosted network security;
- controlled network growth;
- and easier administration.
While each of these benefits is worth exploring, since this is Cybersecurity Awareness Month we’ll focus only on the security aspects.
Subnetting is often used in combination with access control lists (ACLs) to control traffic and to limit which networks and hosts can directly reach each other on the network. This is superior to relying only upon an ACL because it reduces the complexity of the ACL for administration.
When correctly implemented, devices on one subnet should not communicate with devices on other subnets without passing through a device (router, switch, internal firewall, etc.) that can control traffic. In this manner, each subnet is isolated from the others, which also helps to isolate attackers.
However, subnetting alone does not equal improved security.
Oftentimes, a quick port scan using Nmap or a similar tool will reveal open ports, even between subnetted networks. Unless ports in the network are controlled, the network remains vulnerable to a host of attacks that will take advantage of the open ports.
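To make the point concrete, here is an added example (not from the original post) that models one router sitting between a user subnet and a server subnet. The subnets, hosts, open ports and ACL are constructed for the lab; it shows that with no ACL every open port on the other subnet is reachable, and that a deny-by-default ACL on the router narrows that to the flows you explicitly permit.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed lab topology: two subnets joined by a single router.
SUBNETS = {
    "users": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed listening services on the server subnet (host -> open TCP ports).
OPEN_PORTS: Dict[str, Set[int]] = {
    "10.20.0.5": {22, 443, 3389},
    "10.20.0.9": {445, 1433},
}

# One ACL entry: (source network, destination network, permitted TCP port).
AclRule = Tuple[str, str, int]

def subnet_of(host: str) -> Optional[str]:
    """Name of the subnet a host belongs to, or None if it is in neither."""
    addr = ipaddress.ip_address(host)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None

def flow_allowed(acl: Optional[Iterable[AclRule]], src: str, dst: str, port: int) -> bool:
    """Decide whether a packet from src reaches dst on the given port.

    Hosts on the same subnet never cross the router, so no ACL applies to them.
    With acl=None the router forwards everything (subnetting alone); with an
    ACL the default is deny and only the listed flows pass.
    """
    if subnet_of(src) == subnet_of(dst):
        return True
    if acl is None:
        return True
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) and port == p
               for a, b, p in acl)

def reachable_ports(acl: Optional[Iterable[AclRule]], src: str) -> Dict[str, Set[int]]:
    """What a scan from src would find on the server hosts under this ACL."""
    return {h: {p for p in ports if flow_allowed(acl, src, h, p)} for h, ports in OPEN_PORTS.items()}

# Only HTTPS from the user subnet to the server subnet is permitted; all else is denied.
DENY_BY_DEFAULT_ACL = [("10.10.0.0/24", "10.20.0.0/24", 443)]

if __name__ == "__main__":
    print("subnetting only:", reachable_ports(None, "10.10.0.7"))
    print("with router ACL:", reachable_ports(DENY_BY_DEFAULT_ACL, "10.10.0.7"))
```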
Therefore, it can be more effective to fully segregate the network using network segmentation to create a secure network.
Network segmentation is the idea of creating sub-networks within a corporate or enterprise network or some other type of overall computer network. It allows for the containment of malware and other threats, and can add efficiency in terms of network performance.
It’s also important to know that subnets and segments are neither interchangeable nor mutually exclusive.
A subnet can be created to contain multiple network segments, and a network segment can be created to contain multiple subnets. This is a long way of saying: Make sure to consult an expert on your network design.
As with subnetting, there are performance benefits to creating network segments, but today we will focus on the security benefits. By using a virtual local area network (VLAN), a network administrator can create a security zone containing a group of machines or systems with common security profiles.
Two examples of that would be a high security network containing PCI data, and a lower security profile for a guest wifi network. As with subnets, traffic between these segments should be monitored and controlled.
If traffic between segments is denied by default, and only allowed under specific rules, an organization can enjoy these security benefits outlined by TechFunnel:
- Improved Security – isolation and data filtering between segments.
- Better Access Control – users and applications can be assigned to specific segments by job function or by security level.
- Better Containment – limited communication between network segments controls automated outbreaks.
- Improved Monitoring – log events specific to a segment provide investigators with information more rapidly and with less noise (investigating an issue on 5 computers is faster than on 500).
- Stronger Data Security – just as employees can be assigned to a segment, so can data. This allows tighter monitoring and more stringent security levels for the most valuable data.
Generally, network segmentation has been implemented with nested zones of increasing security, sometimes called a north-south configuration.
For example, in a more externally-facing zone such as a DMZ, a firewall and lower security standard will protect the machines in that zone and a second device (firewall, etc.) will segregate that zone from the higher security zones deeper in the company’s network.
However, inside a specific security zone, there typically is less protection between users and machines. This data flow is often called east-west traffic, and micro-segmentation is now recommended to increase security for this category of traffic.
Edgewise.net offers a comparison between segmentation and micro-segmentation:
- Policies: Segmentation offers coarse policies broadly applied. Micro-segmentation offers granular policies that can be applied to a specific device, application or user.
- Identity: Segmentation uses IP addresses at a network level to identify members of the segment and control the data flow. Micro-segmentation uses identity and specific resources to identify members of the segment and to control the data flow.
Micro-segmentation applies a zero-trust security model to data flow within the network. As detailed in NetworkWorld, the goal is to decrease the attack surface by applying segmentation rules in more detail between machines and applications.
Many ransomware attacks take advantage of easy east-west communication to propagate unchecked through a network. Micro-segmentation can dramatically limit the spread of automated viruses and make active hackers work much harder.
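The policy and identity differences listed above, and the east-west point just made, as an added example (not from the original post or any named vendor): the same request is evaluated under a coarse, IP-range-based segment policy and under an identity-based micro-segmentation policy. The segments, workloads, labels and ports are constructed; the only thing the two policies share is deny-by-default.

```python
import ipaddress
from typing import Callable, List

# Constructed coarse segments, identified purely by IP range (as segmentation does).
SEGMENTS = {
    "pos": ipaddress.ip_network("10.30.0.0/16"),
    "guest": ipaddress.ip_network("10.40.0.0/16"),
}

# Constructed workloads: an IP plus identity labels that only micro-segmentation sees.
WORKLOADS = {
    "pos-01": {"ip": "10.30.1.11", "role": "terminal", "app": "pos-client"},
    "pos-02": {"ip": "10.30.1.12", "role": "terminal", "app": "pos-client"},
    "pay-gw": {"ip": "10.30.2.5", "role": "gateway", "app": "payment-api"},
    "guest-1": {"ip": "10.40.0.23", "role": "visitor", "app": "browser"},
}

# Coarse policy: permitted (source segment, destination segment) pairs, deny by default.
SEGMENT_RULES = {("pos", "pos")}

# Granular policy: who may call which application, and on which port only.
MICRO_RULES = [{"src_role": "terminal", "dst_app": "payment-api", "port": 443}]

def segment_of(ip: str) -> str:
    """Map an address to its segment using nothing but the IP."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "unknown")

def segment_allows(src: str, dst: str, port: int) -> bool:
    """Coarse rule: any host in a permitted segment pair may talk on any port."""
    pair = (segment_of(WORKLOADS[src]["ip"]), segment_of(WORKLOADS[dst]["ip"]))
    return pair in SEGMENT_RULES

def micro_allows(src: str, dst: str, port: int) -> bool:
    """Granular rule: caller identity, target application and port must all match."""
    s, d = WORKLOADS[src], WORKLOADS[dst]
    return any(r["src_role"] == s["role"] and r["dst_app"] == d["app"] and r["port"] == port
               for r in MICRO_RULES)

def lateral_reach(policy: Callable[[str, str, int], bool], src: str, port: int) -> List[str]:
    """Peers that east-west traffic from src on the given port would be allowed to reach."""
    return sorted(d for d in WORKLOADS if d != src and policy(src, d, port))

if __name__ == "__main__":
    # A compromised terminal tries SMB (445) towards everything else on the network.
    print("segmentation:      ", lateral_reach(segment_allows, "pos-01", 445))
    print("micro-segmentation:", lateral_reach(micro_allows, "pos-01", 445))
    # Its legitimate payment traffic is still permitted.
    print("micro, HTTPS:      ", lateral_reach(micro_allows, "pos-01", 443))
```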
While micro-segmentation offers the most security, it also consumes the most resources.
In order to apply it effectively, an enterprise must develop “visibility into an (its) vastly complex network, workflows, users, locations, identity and access configurations,” which in turn “needs to be translated into access policies and … configuration for firewalls, switches, routers, VPN boxes, load balancers, end user clients and applications.”
This is an incredibly time-consuming and complex requirement.
Putting Defense-in-Depth to Use
When do you need to use these defenses?
In short: Whenever you have something worth defending that exceeds the costs and resources to implement cyber security.
Segmentation and subnetting are not easy to set up and maintain.
For a small legal office with three computers and a printer, there’s little need to implement network segregation. However, for a restaurant chain, segmentation is not only good policy, it is required for PCI compliance.
In QSR Magazine, Dave Klein illustrates a series of attacks on national restaurant chains, such as Checkers and Rally’s, that had been in progress for several years. Point-of-sale devices have been the predominant target for attackers, and a segmentation defense is generally recommended by the PCI-DSS Security Standards Council.
Klein pointed out that, in some instances, micro-segmentation reduces workload by providing one set of rules that can be pushed out for a specific device or micro-network nationwide.
Building a Solid, Secure Network
Whether required by regulation or simply good policy, consider applying network subnetting, network segmentation, and network micro-segmentation to your organization to help add layers of defense against hacking.
At Ideal Integrations, our team of network experts will help you make the most of your resources, aid you in selecting an option suitable for your organization, and secure your most valuable assets.
Because no two organizations are alike, we’re here to help you create a secure network that’s unique to your business’s needs.
Complete the form below to set up a consultation, or give us a call at (412) 349-6680!