
Segmentation, Segmentation, Segmentation!

September 03, 2014

When designing a network from a security perspective, segmentation is the name of the game. Segmentation is the process of dividing a network into sub-networks, or simply smaller portions of the network. Segments can be defined by function, risk appetite, data classification, security requirements, or any combination of such properties. Function and data classification are among the more common segmentation strategies.

A segmented network provides a higher level of security than a flat network, because the assets on the network are separated from each other. An easy way to visualize segmentation is the Titanic, which was divided into sixteen watertight compartments. Ideally, a compartment could be flooded without affecting the ship's ability to float. Similarly, one of the first items on an attacker's checklist after compromising an initial foothold is to move across the network to find the most valuable assets. In a segmented network, lateral movement is harder, and that is what ultimately protects the confidentiality, integrity and availability of the data on the network.

A segmented network also helps reduce the scope of certain audits, for instance PCI DSS and HIPAA assessments. If a segment does not store, process or transmit cardholder data (or, for HIPAA, protected health information) and is isolated from the segments that do, it can be excluded from the assessment, reducing both the cost and the time it takes to complete. The isolation is the important part: a segment that holds no cardholder data but can still reach the cardholder data environment remains in scope, and PCI DSS expects the segmentation controls to be tested to confirm that they actually isolate it.

Most enterprises today already have some sort of segmentation in place; however, it is often not aligned with the organization's overall security strategy or optimized for security. Very few organizations have too many segments, if "too many" is even possible.

The most basic segmentation, which may or may not satisfy regulatory requirements, is simply to have separate VLANs for users and servers. The next level is to separate users by function or department, and servers by the applications they host. Between the different segments, basic routing takes place, with nothing filtering the traffic: a host in one VLAN can still initiate a connection to any host in another. Although this is a good start that improves performance, provides a scalable network design and creates the boundaries on which real controls can later be enforced, it is still not an optimal design from a security perspective.

The Titanic, considered practically unsinkable, was designed to stay afloat with no more than four of its compartments breached and flooded. The compartments, while isolated from each other, were not sealed at the top. When the iceberg opened up five compartments, water spilled over the bulkheads from one compartment into the next and the ship was doomed. Basic VLAN segmentation with unrestricted routing between segments has the same weakness: it is a good start, but not the optimal design. In the Titanic's case the compartments needed to be sealed; in the case of a network, controls that allow only authorized traffic between segments are required. That will be the topic of a future blog.
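As an added illustration that is not part of the original post, the following Python model puts numbers on the two points above, the lateral movement an attacker gains on a compromised network and the audit scope a cardholder data environment drags in. It compares VLANs with plain inter-VLAN routing against the same VLANs with an allow-list enforced between them. The segment names and the flow allow-list are constructed assumptions, and the scoping function is a deliberate simplification of how a PCI DSS assessor actually scopes an environment.

```python
"""Segment reachability model: lateral movement and audit scope.

Added example for this post, not code from the original. Segment names
and the flow allow-list below are constructed for illustration.
"""
from collections import deque

# Segments along the lines the post describes: users split by department,
# servers split by the application they host, plus a cardholder data
# environment (CDE). Names are constructed.
SEGMENTS = ["corp-users", "finance-users", "web-servers", "db-servers", "cde"]


def routed_policy(src: str, dst: str) -> bool:
    """Separate VLANs with plain inter-VLAN routing and no filtering:
    any segment can initiate traffic to any other segment."""
    return True


# Constructed allow-list for the filtered design: (source, destination)
# pairs permitted to initiate traffic. Anything not listed is dropped
# (default deny), which is the network equivalent of sealing the bulkheads.
ALLOWED_FLOWS = {
    ("corp-users", "web-servers"),
    ("finance-users", "web-servers"),
    ("finance-users", "cde"),
    ("web-servers", "db-servers"),
}


def filtered_policy(src: str, dst: str) -> bool:
    """Same VLANs, but with the allow-list enforced between them."""
    return src == dst or (src, dst) in ALLOWED_FLOWS


def reachable_from(start: str, policy, segments=SEGMENTS) -> set:
    """Segments an attacker who controls a host in `start` can reach.

    Breadth-first search over the segment graph: every segment the attacker
    compromises becomes a new pivot point, so the result is the transitive
    closure of the policy, not just the directly permitted destinations.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in segments:
            if nxt not in seen and policy(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen


def in_scope_for(target: str, policy, segments=SEGMENTS) -> set:
    """Segments an assessor would pull into scope for `target` (e.g. the CDE):
    the target plus every segment that can initiate traffic into it, directly
    or by pivoting. Simplification: real PCI DSS scoping also brings in
    systems that connect to, or can affect the security of, the CDE.
    """
    return {s for s in segments if target in reachable_from(s, policy, segments)}


def blast_radius(start: str, policy, segments=SEGMENTS) -> float:
    """Fraction of the network an attacker starting in `start` can reach."""
    return len(reachable_from(start, policy, segments)) / len(segments)


if __name__ == "__main__":
    for name, policy in (("routed only", routed_policy), ("filtered", filtered_policy)):
        print(f"== {name} ==")
        print("  attacker in corp-users reaches:",
              sorted(reachable_from("corp-users", policy)))
        print("  in scope for cde:", sorted(in_scope_for("cde", policy)))
        print(f"  blast radius from corp-users: {blast_radius('corp-users', policy):.0%}")
```

With routing alone, a foothold in corp-users reaches every segment and every segment is in scope for the CDE, exactly the flooded-over-the-top failure. With the allow-list, the same foothold is confined to the three segments along its permitted path and only finance-users joins the CDE in scope. Note that pivoting is still possible along allowed flows (corp-users to web-servers to db-servers), which is why each allowed flow should be as narrow as the application permits.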

 
