Relying on a DMZ to protect your network and data is like putting money in a bank that depends on one guard and a single gate to secure its deposits. Imagine how tempting all those piles of money would be to those who had access — and how keen everyone else would be to obtain access.
But banks do not keep cash out on tables in the lobby: they stash it in security boxes inside vaults, behind locked doors, inside a building patrolled by a guard and secured by a gate. Network segmentation offers that same kind of layered protection for an organization’s assets.
The need for network segmentation has been widely discussed for years, but it remains one of the less commonly implemented security steps, and is seldom employed as a strategic defense. When a recent poll asked IT professionals to describe their network segmentation, a mere 30% of respondents said they strategically set segmentation around business drivers for the latest threats. Another third of respondents said they “set and forget” their segmentation, and an equal number reported they occasionally revisit it — typically around audit time. A brutally honest 6% said, “My network what?”
The string of recent security breaches should drive home the importance of having carefully implemented and well-maintained network segmentation. If properly set and maintained, network segmentation would have made the long road from procurement portal to cardholder data environment far more difficult to travel in the Target breach, which exposed 40 million credit card numbers, and could have significantly limited the damage in the recent Home Depot breach, which compromised 56 million credit cards. Proper segmentation could also have limited the impact of the Community Health Systems breach, in which 4.5 million patients’ personal health information and personal identifier information (PHI/PII) were stolen.
Effective network segmentation is a big undertaking, but it boils down to just five basic steps.
* Understand the business and organizational drivers. To know what to protect, you need to understand how revenue enters the business stream and which front-end components (such as point-of-sale terminals) and back-end components support the core functions of the enterprise. Then, identify which assets, data and personnel are critical to ensure continuity of the business.
* Create the plan. You want to classify, isolate and protect the most important components. Group related items together, for example all your Windows servers, into one virtual LAN (VLAN). Other asset groups might include infrastructure (routers, switches, VPNs and VoIP) in one VLAN and security assets (IDS, firewalls, web filters and scanners) in another.
Financial or human resource servers typically need their own VLAN because of the confidential nature of the information they process and store. You want separate VLANs for groups of personnel as well, so Windows server administrators might be in one, while security administrators are in another and executive management in a third. Data requiring special protection, such as credit card numbers that must comply with PCI-DSS or patient information that is subject to HIPAA, should be isolated from other data and put in its own VLANs.
* Determine who can access what data. This boils down to business need: who needs to administer the routers or switches? Who needs access to the human resources or financial systems? How many folks should be able to remotely control the security cameras? Be ruthless. If there is no business need, there should be no access.
Organizations that operate entirely on a local or regional domestic level may even want to implement wholesale blocking of remote geographic regions at the IP layer. In general, adopt a default deny access posture for each VLAN. Your goal is to limit access to sensitive information to those who need it within the organization and to create roadblocks to stop or slow intruders, who may have broken through one layer of security, from doing further damage.
* Implement segmentation. In a large organization, network segmentation is a significant, long-term project, but each step along the way increases security. Start somewhere, perhaps with the network administrators or Windows servers. In that instance, you could set up VLANs called network-admins (for their workstations) and network-devices (for routers and switches).
Log all traffic between segments to determine what is normal and needed for effective functioning. Once you know what’s necessary, start blocking access to the VLANs from everywhere else, with the ultimate goal of default deny. Make sure you have the controls to enforce segmentation and to monitor whether later requested changes to access may compromise the segmentation. Continue the process through each group of assets, personnel and data.
* Maintain. Network segmentation is not a “set and forget” undertaking. The network access policy, defined in firewalls, routers and related devices, changes constantly to cater to new business requirements. Ensuring that new changes do not violate your segmentation strategy requires a good degree of visibility and automation (this visibility is also useful to avoid outages or business disruption resulting from misconfiguration). The potential management overhead needed to maintain good segmentation is one of the reasons organizations shy away from it. But, proper segmentation is critical. A topology-aware network security solution that can automate the network segmentation process is vital.
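The following Python script is an added example, not code from the article or from AlgoSec or Shorebreak Security. It ties the steps above together: a VLAN plan with an explicit allow list and a default-deny posture for everything else (steps 2 and 3), an audit of constructed inter-segment flow records against that policy to see what the logging in step 4 would surface, and a pre-change check that a proposed firewall rule does not open a VLAN pair the policy forbids (step 5). The VLAN names other than network-admins and network-devices, the address ranges, the allow list, and the flow-record format are all assumptions made for the example.

```python
"""Default-deny inter-VLAN policy: flow-log audit and rule-change check (added example)."""
import ipaddress
import re

# Constructed VLAN plan loosely following the groupings in the article.
# The address ranges are invented for this example.
VLANS = {
    "network-admins":  ipaddress.ip_network("10.10.0.0/24"),
    "network-devices": ipaddress.ip_network("10.20.0.0/24"),
    "windows-servers": ipaddress.ip_network("10.30.0.0/24"),
    "hr-finance":      ipaddress.ip_network("10.40.0.0/24"),
    "cardholder-data": ipaddress.ip_network("10.50.0.0/24"),
    "general-users":   ipaddress.ip_network("10.100.0.0/22"),
}

# Explicit allow list of inter-VLAN flows: (src_vlan, dst_vlan, proto, dst_port).
# Anything not listed here is denied; that is the default-deny posture.
ALLOWED_FLOWS = {
    ("network-admins",  "network-devices", "tcp", 22),
    ("network-admins",  "windows-servers", "tcp", 3389),
    ("general-users",   "windows-servers", "tcp", 445),
    ("windows-servers", "cardholder-data", "tcp", 1433),
}


def vlan_of(ip):
    """Return the name of the VLAN containing ip, or None if it is unclassified."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src_ip, dst_ip, proto, dst_port):
    """Decide whether one flow is permitted. Returns (allowed, reason)."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False, "unclassified address"      # not in the plan: deny it
    if src == dst:
        return True, f"intra-VLAN {src}"           # segmentation governs inter-VLAN traffic
    if (src, dst, proto.lower(), int(dst_port)) in ALLOWED_FLOWS:
        return True, f"allowed {src}->{dst}"
    return False, f"default deny {src}->{dst}"


# Assumed flow-record format, e.g. "... src=10.1.2.3 dst=10.4.5.6 proto=tcp dport=443"
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def audit_flow_log(lines):
    """Run observed traffic against the policy; return the (line, reason) pairs it would deny.
    Before enforcement this shows which current flows need a business justification."""
    violations = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow record
        ok, reason = evaluate_flow(m["src"], m["dst"], m["proto"], m["dport"])
        if not ok:
            violations.append((line.strip(), reason))
    return violations


def check_rule_change(src_cidr, dst_cidr, proto, dst_port):
    """Before a new firewall rule is accepted, list every VLAN pair it would open that the
    policy does not allow. An empty list means the change keeps the segmentation intact."""
    src_net = ipaddress.ip_network(src_cidr, strict=False)
    dst_net = ipaddress.ip_network(dst_cidr, strict=False)
    src_vlans = [n for n, net in VLANS.items() if net.overlaps(src_net)]
    dst_vlans = [n for n, net in VLANS.items() if net.overlaps(dst_net)]
    problems = []
    for s in src_vlans:
        for d in dst_vlans:
            if s != d and (s, d, proto.lower(), int(dst_port)) not in ALLOWED_FLOWS:
                problems.append((s, d))
    return problems


# Constructed sample flow records; these are not real logs.
SAMPLE_LOG = [
    "2023-05-01T09:00:01Z src=10.10.0.5 dst=10.20.0.1 proto=tcp dport=22",
    "2023-05-01T09:00:02Z src=10.100.1.7 dst=10.30.0.12 proto=tcp dport=445",
    "2023-05-01T09:00:03Z src=10.100.1.7 dst=10.50.0.5 proto=tcp dport=1433",
    "2023-05-01T09:00:04Z src=10.30.0.12 dst=10.40.0.3 proto=tcp dport=3389",
    "2023-05-01T09:00:05Z src=10.50.0.5 dst=10.50.0.6 proto=tcp dport=1433",
    "2023-05-01T09:00:06Z src=192.0.2.9 dst=10.50.0.5 proto=tcp dport=443",
]

if __name__ == "__main__":
    for line, reason in audit_flow_log(SAMPLE_LOG):
        print("DENY", reason, "|", line)
    # A broad rule from all of 10/8 into the cardholder VLAN would bypass the plan.
    print("rule problems:", check_rule_change("10.0.0.0/8", "10.50.0.0/24", "tcp", 1433))
```

Run as-is, the audit flags the general-users workstation reaching the cardholder database, a Windows server opening RDP into the HR/finance VLAN, and an unclassified external address; the broad 10.0.0.0/8 rule is rejected for four of the five other VLANs while the narrower windows-servers rule passes, which is the kind of pre-change check step 5 calls for.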
Network segmentation is unquestionably an effective component in a defense in depth strategy. Organizations that implement it must be prepared to manage scores of firewalls, switches and routers, each with hundreds of rules, all of which will be affected by the network segmentation process and potentially by updates and changes, even after it is in place. A rigorous approach is essential, and a significant investment of time and staff is also required. But regardless, it’s much easier to equip your organization with a secure defense through proper network segmentation than to explain to shareholders and the media how hackers were able to access millions of records on your system.
Reichenberg is the vice president of Marketing and Strategy for AlgoSec, a leading provider of Network Security Policy Management solutions. Wolfgang is the president of Shorebreak Security, a leading Information Security consulting organization that specializes in penetration testing for NOAA and several other government and commercial entities.