Introduction
Make no mistake: most organizations today are preoccupied with handling dozens of changes a week to support new business infrastructure, while users demand technologies to suit their individual needs, such as cloud and virtualization. Each of these is a force multiplier on an already complex system and can affect the integrity of network segments. Network segmentation and segregation is a central enabler of workforce mobility and of secure BYOD (Bring Your Own Device) platforms, because it isolates a compromised, or likely compromised, device from the important data on the network.
Figure 1: East-west micro-segmentation. | Source: https://www.sciencedirect.com
In today's world of rapid technological change there is no such thing as being 100% protected. If attackers really want to get into a network, they will eventually find a way in. An organization therefore does not want a single point of failure. A network segmentation and segregation platform provides effective controls for containing an intrusion: if unauthorized access does penetrate the perimeter, segmentation limits how far the threat can move or spread inside the network. By deploying segmentation and segregation properly, organizations restrict access to sensitive data, servers and applications to the people who need it, while keeping that access available to them. At the same time, they make it much harder for cybercriminals to locate and reach the organization's sensitive data.
But what are Network Segmentation and Segregation?
1. Traditionally, network segmentation and segregation have been deployed at the network gateway. But with cybercriminals' ever-evolving intrusion methods, which target the internal network directly using a variety of techniques, and the increasing number of endpoint platforms, it is becoming more and more important to segment and segregate sensitive data from the resources through which users access email, the web and other endpoint devices.
2. The aim of implementing network segmentation and segregation is primarily to limit the methods and level of access to data for systems, applications and people who have no need for it, while ensuring that the network continues to function effectively. This is achieved using several procedures and technologies, depending on the network's configuration and infrastructure.
Figure 2: Multi-factor Authentication | Source: https://www.oit.uci.edu/mfa/about-mfa/
3. Together with multi-factor authentication, network segmentation and segregation is one of the most logical and effective controls an organization can put into practice to mitigate the second stage of a network breach: propagation and lateral movement. Correctly implemented, it makes it significantly harder for cybercriminals to locate and access the organization's most sensitive data, without compromising the organization's effective operation.
4. Achieving point 3 above requires the use of various technologies and techniques, but it depends primarily on the infrastructure and configuration of the organization's network. Some of the frequently used technologies and techniques include:
a. Implementation of server and domain isolation using IPsec (Internet Protocol Security)
c. Implementation of DMZs (Demilitarized Zones) and gateways between systems or networks with divergent security requirements, using technologies at multiple layers, such as virtual local area networks, unconnected physical links and systems, web traffic flow filters, host-based and network firewalls, data diodes, network access control, application firewalls, content-based filtering, service proxies, and user and service authentication and authorization, and
d. Implementation of storage-based segmentation and filtering using LUN (logical unit number) masking and encryption.
5. Network segmentation means splitting the network into smaller, manageable networks. Network segregation means developing and enforcing a ruleset that controls which computing devices are authorized to communicate with which other computing devices.
The importance of network segmentation and segregation to an organization
Network segmentation and segregation is important not only for protecting networks of the same category but with different security needs, but also for securing networks or systems of contrasting security categories. The most fitting example is segmentation between the systems on which users browse the web and read email and the systems that hold the organization's most sensitive data. An organization may allow unauthenticated code from the web (Flash content, JavaScript and Java applets) to run on a user's computer, but it should never allow that same unauthenticated code to reach, or execute on, the database server holding the organization's most sensitive data.
Once cybercriminals compromise a network (usually through a system under the control of a legitimate user), they will immediately try to move around it to locate and access the data they are targeting. They may attempt to connect directly from the compromised system to more sensitive systems using whatever tools and methods they have at hand, disguising their activity with their own modified versions of legitimate network administration tools. For example, once attackers have compromised a workstation, they may try to open a remote connection to a sensitive server, map that network asset, use the legitimate administration tools already installed to access data on the server, or even execute the server's software remotely. A common target of this kind is the organization's authentication server. To minimize the impact of such a compromise, it must be as hard as possible for attackers to discover and access the data they seek, to move around the network or system undetected, and to exfiltrate the data once they have found it.
Network segmentation and segregation can also help an organization detect and respond to an intrusion. The technologies implemented to enforce it: a) provide audit and alerting capabilities that may prove crucial in identifying an intrusion, b) let the organization focus its alerting and auditing on the limited set of attacks possible through the accepted and authorized access methods, and c) provide a ready means of isolating a compromised device from the rest of the network in the event of an intrusion.
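The following Python sketch is an added worked example, not code from the original article. It ties point 5 above (segmentation into zones plus a segregation ruleset) to the detection point just made: once inter-segment traffic is policy-controlled, any flow the ruleset denies is a small, well-defined set of events worth alerting on. The zone names, address ranges, rules and flow-log lines are all constructed for the example; a real deployment would take the ruleset from the firewall or micro-segmentation controller and the flows from NetFlow, a host firewall log or similar.

```python
"""Zone-based segregation policy evaluated over constructed flow records."""
import ipaddress
import re
from dataclasses import dataclass

# Segmentation: each zone is a set of address ranges (constructed for this example).
ZONES = {
    "workstations": [ipaddress.ip_network("10.1.0.0/16")],
    "dmz-web":      [ipaddress.ip_network("10.2.0.0/24")],
    "db":           [ipaddress.ip_network("10.3.0.0/24")],
    "auth":         [ipaddress.ip_network("10.4.0.0/24")],
}


@dataclass(frozen=True)
class Rule:
    src: str    # source zone name
    dst: str    # destination zone name
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


# Segregation: an explicit allow list. Anything not listed, including traffic
# between hosts in the same zone (east-west, as in Figure 1), is denied.
ALLOW = [
    Rule("workstations", "dmz-web", "tcp", 443),   # users reach the web tier
    Rule("dmz-web", "db", "tcp", 5432),            # only the web tier talks to the DB
    Rule("workstations", "auth", "tcp", 88),       # Kerberos for user logon
    Rule("dmz-web", "auth", "tcp", 636),           # LDAPS from the web tier
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside every zone are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Default deny: a flow is permitted only if an ALLOW rule matches it."""
    return Rule(zone_of(src_ip), zone_of(dst_ip), proto, dport) in ALLOW


# Minimal flow-log format, constructed for this example.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def audit(log_lines):
    """Return (src_zone, dst_zone, line) for every flow the policy denies."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a flow record; skip rather than guess
        src_ip, dst_ip, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if not is_allowed(src_ip, dst_ip, proto, dport):
            alerts.append((zone_of(src_ip), zone_of(dst_ip), line))
    return alerts


# Constructed sample flows: two legitimate, three that look like lateral movement.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z src=10.1.5.23 dst=10.2.0.10 proto=tcp dport=443",   # user -> web tier
    "2024-03-01T09:00:02Z src=10.2.0.10 dst=10.3.0.10 proto=tcp dport=5432",  # web tier -> DB
    "2024-03-01T09:00:03Z src=10.1.5.23 dst=10.3.0.10 proto=tcp dport=5432",  # workstation -> DB
    "2024-03-01T09:00:04Z src=10.1.5.23 dst=10.1.7.40 proto=tcp dport=445",   # workstation -> workstation SMB
    "2024-03-01T09:00:05Z src=10.2.0.10 dst=10.4.0.5 proto=tcp dport=389",    # cleartext LDAP to auth
]

if __name__ == "__main__":
    for src_zone, dst_zone, line in audit(SAMPLE_LOG):
        print(f"DENIED {src_zone} -> {dst_zone}: {line}")
```

Because the policy is default deny, the alert list is exactly the set of flows that could only come from a misconfiguration or from an attacker trying to cross a segment boundary, which is why point b) above holds: the analyst reviews a handful of policy violations instead of every connection on the network.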
Conclusion
While adding more security layers can hinder access by cybercriminals, it can also harm the business if the configuration is not user-friendly or is poorly implemented.