Segmentation, Segmentation, Segmentation!
When designing a network from a security perspective, segmentation is the name of the game. Segmentation is the process of dividing a network into sub networks, or just smaller portions of the network. The function, the risk appetite, data classification or security requirements, and any number of additional properties or combination of properties can define these segments. Function and data classification are among the more common segmentation strategies.
A segmented network provides a higher level of security compared to a flat network, as the assets on the network are separated from each other. An easy way to visualize segmentation is the Titanic, where the ship was divided into sixteen watertight compartments. Ideally, a compartment could be flooded without affecting the ship’s key ability to float on the water. Similarly, one of the first items on the attacker’s checklist after successfully compromising a network is to move across the network to find the most valuable assets. In a segmented network, it is more difficult to move laterally, which provides the key security ability for network data: maintaining confidentiality, integrity and availability.
A segmented network helps reduce the scope of certain audits, for instance PCI and HIPAA audits. If there is no payment card or cardholder data on a segment, that segment is not in scope for the audit, thus reducing both the cost and the time it takes to complete the audit.
Most enterprises today have some sort of segmentation in place already; however, it might not be aligned with the overall security strategy of the organization or optimized for security purposes. Very few organizations have too many segments, a concept which is debatable, if “too many” is even possible.
The most basic segmentation, which may or may not fulfill regulatory requirements, is to just have separate VLANs for users and servers. The next level is to separate users based on function or department, and servers based on applications they host. Between the different segments, basic routing takes place. Although this improves security and performance, and provides a scalable network design, it is still not an optimal design.
The Titanic, considered almost unsinkable, was designed to have no more than four of its compartments breached and flooded. The compartments, while isolated from each other, were not sealed at the top. When that iceberg opened up five compartments, the ship was doomed. Similar to the Titanic, basic VLAN segmentation with routing between segments, while a good start, is not the optimal design. In Titanic’s case, the compartments needed to be sealed; in the case of a network, controls allowing only authorized traffic are required. This will be a topic for a future blog.