Understanding Network Segmentation and Segregation




Make no mistake: most organizations today are preoccupied with handling dozens of changes a week to support new business infrastructure, while users demand technologies that suit their individual needs, such as cloud and virtualization. Each of these is a force multiplier on an already complex system and can affect the integrity of the network segments. Network segmentation and segregation is a central enabler of workforce mobility and of a secure BYOD (Bring Your Own Device) platform, because it allows a compromised or likely compromised device to be better isolated from the important data on the network.

Figure 1: East-west micro-segmentation. | Source: https://www.sciencedirect.com

In today's world of technological advances, there is no such thing as being 100% protected. If attackers really want to break into a network, they can always find a way, so an organization must avoid having a single point of failure. A network segmentation and segregation platform provides effective security controls that mitigate an intrusion once unauthorized access has penetrated the security infrastructure, and can limit the further movement or spread of the threat inside the network. By properly deploying network segmentation and segregation, organizations curtail the level of access to sensitive data, servers, and applications for people who do not need it, while enabling access for those who do. They also make it much more difficult for cybercriminals to pinpoint and gain access to the organization's sensitive data.

But what is Network Segmentation and Segregation?

1. Generally, network segmentation and segregation are deployed at the network gateway. But with cybercriminals' ever-evolving intrusion methods targeting the internal network directly using various techniques, and with the increasing use of endpoint platforms, it is becoming more and more important to segment and segregate all data from the resources through which users access email, the web, and other endpoint devices.

2. The aim of implementing network segmentation and segregation is primarily to curtail the methods and level of access to data for systems, applications, and people that have no need for it, while ensuring that the network continues to function effectively. This is achieved using several procedures and technologies, depending on the network's configuration and infrastructure.

Figure 2: Multi-factor Authentication | Source: https://www.oit.uci.edu/mfa/about-mfa/

3. Together with multi-factor authentication, network segmentation and segregation is by far one of the most logical and effective controls an organization can put into practice to alleviate the second stage of a network breach: propagation and lateral movement. If correctly implemented, it makes it significantly more difficult for cybercriminals to pinpoint and gain access to the organization's most sensitive data, without compromising the organization's effective operation.

4. Achieving number 3 above requires the use of various technologies and techniques, but primarily it depends on the infrastructure and configuration of the organization's network. Some of the frequently used technologies and techniques include:

a. Implementation of server-domain isolation using IPsec (Internet Protocol Security);

b. Implementation of evaluated DSD cross-domain solutions (CDS) where necessary;

c. Implementation of DMZs (Demilitarized Zones) and gateways between systems or networks with divergent security requirements, using technologies at multiple layers, such as virtual local area networks, unconnected physical links and systems, web traffic flow filters, host-based and network firewalls, data diodes, network access control, application firewalls, content-based filtering, service proxies, and user and service authentication and authorization; and

d. Implementation of storage-based segmentation and filtering using LUNs (logical unit numbers) and encryption.

5. Network segmentation means splitting the network up into smaller, manageable networks. Network segregation means developing and enforcing a ruleset that controls which computing devices are authorized to communicate with which other computing devices.

The importance of network segmentation and segregation to an organization

Network segmentation and segregation is important not only in protecting networks of the same category that have different security needs, but also in securing networks or systems of contrasting security categories. The most fitting example is segmentation between the systems on which users browse the web and access email, and the organization's most sensitive data. Organizations may allow unauthenticated code from the web (Flash content, JavaScript, and Java applets) to run on a user's computer, but should not allow that same unauthenticated code to access or execute on the database server holding the organization's most sensitive data.

Once cybercriminals compromise the network (usually through a compromised system under the control of a legitimate user), they will immediately attempt to move around the network to pinpoint and access the data they are targeting. They may try to create connections directly from the compromised systems toward more sensitive systems, using the tools and methods at their immediate disposal and concealing their actions behind their own modified versions of legitimate network management tools. For example, once cybercriminals have compromised a computer, they may attempt a remote connection to a sensitive server, map that network asset, use installed legitimate system management tools to access data on that server, or even execute the server's software remotely. This is a common way for cybercriminals to target an organization's authentication server. To minimize the expected impact of such a compromise, it must be as difficult as possible for cybercriminals to discover and access the data they seek, to move around the network or system undetected, and to take the data away once it has been located.

Network segmentation and segregation can also assist an organization in detecting and responding to an intrusion. The technologies implemented to enforce it will: a) contain auditing and alerting capabilities that can prove crucial in identifying an intrusion; b) enable the organization to focus its alerting and auditing on a limited subset of attacks, based on the accepted and authorized access methods; and c) provide a prepared method for isolating a compromised device from the rest of the network in the event of an intrusion.
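As an added example (not code from the original article), the following Python script models the segmentation and segregation of item 5 together with the focused auditing described above: a few constructed segments (example CIDRs), a default-deny ruleset of authorized cross-segment paths, and an audit over constructed flow records that flags any inter-segment connection the ruleset does not authorize, such as a user workstation connecting directly to the sensitive database server. Segment names, addresses, ports and flow records are all assumptions chosen for illustration.

```python
import ipaddress
# Constructed segments for illustration; CIDRs are example values, not from the article.
SEGMENTS = {
    "user-workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web-dmz": ipaddress.ip_network("10.20.0.0/24"),
    "sensitive-db": ipaddress.ip_network("10.30.0.0/24"),
    "auth-servers": ipaddress.ip_network("10.40.0.0/24"),
}
# Segregation ruleset: explicitly authorized (source segment, destination segment,
# destination port) tuples. Any other cross-segment traffic is denied by default.
ALLOWED = {
    ("user-workstations", "web-dmz", 443),       # users reach only the web tier
    ("web-dmz", "sensitive-db", 5432),           # only the web tier reaches the database
    ("user-workstations", "auth-servers", 636),  # LDAPS to the authentication servers
}

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def is_allowed(src_ip, dst_ip, dst_port):
    """Apply the cross-segment ruleset; traffic inside one known segment is not governed here."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst and src != "unknown":
        return True
    return (src, dst, dst_port) in ALLOWED

def audit_flows(flow_lines):
    """Return one alert per flow the ruleset does not authorize; with few explicit
    paths, alerting can focus on the small set of inter-segment flows that violate them."""
    alerts = []
    for line in flow_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            alerts.append(f"DENY {segment_of(src)}->{segment_of(dst)}:{port} ({src}->{dst})")
    return alerts

# Constructed flow records in the form "src_ip dst_ip dst_port".
FLOWS = [
    "10.10.5.23 10.20.0.10 443",   # workstation -> web tier: authorized
    "10.20.0.10 10.30.0.5 5432",   # web tier -> database: authorized
    "10.10.5.23 10.10.7.9 445",    # workstation -> workstation: same segment, not governed
    "10.10.5.23 10.30.0.5 5432",   # workstation -> database directly: violation
    "10.10.5.23 10.40.0.2 3389",   # workstation -> auth server on RDP: violation
]
```

Running `audit_flows(FLOWS)` yields exactly the two violating flows; the same check, applied to real flow logs, is the narrowed alerting that point b) describes.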


While adding more security layers can hamper access by cybercriminals, it can also have a negative impact on business operations if the configuration is not user-friendly and properly implemented.