What Is Network Segmentation?
Network segmentation is the process of separating a network into smaller, segregated subnets, with each acting as its own network. Among the many reasons to do this is to enable the application of specific security protocols to each subnetwork to manage security and compliance.
Network segmentation is also used to improve performance by providing administrators with increased control over the traffic that flows into each area. Policies can be created and maintained for different segments of the network, giving administrators better control over network traffic.
Among the benefits related to network segmentation is reducing the attack surface by preventing lateral movement across a network by potential attackers. Because each network segment acts as its own network, security teams have increased control over the traffic that flows into their systems.
Challenges with Network Segmentation
Network segmentation requires an understanding of all of the assets communicating on each network as well as defining appropriate subnets based on business and compliance needs. Administrators also need to be able to implement Virtual Local Area Networks (VLANs) and avoid misconfigurations, particularly in multi-cloud environments.
Because network segmentation lacks fine-grained controls, it is difficult to segment access for various levels (e.g., remote workers, contingent workers, business partners).
Increased Insider Risk
The security of network segmentation is based on the assumption that everyone within the network is trustworthy. Network segmentation is designed to prevent external attacks, not to protect against insider threats.
Dynamic networking environments, where addresses change continually, users connect with multiple devices using a variety of networks, and new applications are continuously introduced, are difficult to manage. They require ongoing manual policy definition, reviews, changes, and exception handling.
In addition, every change in policy requires an upgrade to all of your firewall rules. It also adds complexity to all aspects of security, including basic components such as vulnerability scanning.
Despite some performance gains achieved by segregating high-volume networks, adding resources, including multiple firewalls, can negatively impact performance.
With increased network complexity, scalability becomes more difficult. In addition, when multiple smaller networks are created, more effort is required for updates, upgrades, and other maintenance.
The Trust Assumption
For the most part, a trust assumption is made by a requirements engineer. Based on explicit or implicit choices to trust certain characteristics of domains, the trust assumption depends on judgment calls that can significantly impact the security of a system. Trust assumptions are frequently made during requirements analysis of a system and the trustworthiness of its various components—both technical and human.
The Zero Trust Strategy
Traditionally, security strategies have been based on a trusted network perimeter. This is a relic from a bygone era, when people worked within the “four trusted walls” of an organization that was protected by a firewall. The erosion of this perimeter with mobile devices and remote workforces has broken this model, making it ineffective as a defense strategy.
In 2009, John Kindervag, a cybersecurity expert, created a new approach to security that assumed a porous perimeter and threats that are not confined to the outside of the network—the Zero Trust architecture. This approach reimagines security architectures around a “never trust, always verify” model that is designed to ensure only authorized users who have the right level of access can access resources.
With Zero Trust architectures, users are required to identify themselves repeatedly, in real-time, through continuous authentication procedures. It means users must submit repeated access requests with multi-factor authentication, even though they are already logged in and have gone through regular access controls (e.g., username/password).
This approach provides significantly higher levels of security by preventing lateral movement across networks. With a Zero Trust architecture, even if access is gained, it does not mean that the user can access other resources if they are not authorized to do so.
Four Principles of Zero Trust
1. Never trust, always verify
Do not believe that users are who they say they are. Instead, always verify their identity and access privileges.
2. Threats come from outside and inside
Treat anyone trying to access a resource the same way—validate their identity and access levels. This protects against external threats and malicious or careless insiders.
3. Use micro-segmentation
Create network segments around sensitive information using micro-segmentation to enable granular policy controls and restrict lateral movement.
4. Principle of least privilege (PoLP)
Grant only the access privileges required for each user to do their job.
Network Segmentation Use Cases
- Block internet traffic
Restrict traffic from and to all local networks, only allowing access to ports required by specific services.
- Compartmentalize attacks
Prevents attacks from spreading across a network and gaining access to unprotected devices.
Reduce regulatory compliance costs by limiting the number of systems that might fall within the scope of a compliance audit.
- Implement granular security policies
Use micro-segmentation that’s implemented through software-defined networking to target specific protections.
- Isolate IoT devices
Reduce the risk exposure if IoT devices are compromised, by only allowing trusted connections.
- Monitoring and response
Detect suspicious activity and traffic, log events, and record connections that have been approved or denied on subnets rather than on the entire network.
Confine network traffic to subnets.
- Quarantine new devices
Use preset rules on dedicated networks to block specified devices from accessing the internet or certain sites.
- Simplify firewall security policies
Use a consolidated policy for subnet access control.
- Consider user-specific networks
Create networks with their own rules and policies (e.g., limit access to the internet, filter activities), such as for remote workers, guests, or specific groups that work on highly-sensitive projects.
Use a dedicated IP subnet range for a voice network that’s optimized for high-quality voice-over IP (VoIP) networks.
Physical vs. Logical Network Segmentation
Network segmentation enables an organization to break systems into smaller section,s either physically or logically.
Physical segmentation breaks networks down into multiple sections or subnets. With physical segmentation, a firewall acts as the gateway and controls traffic that comes in and out of the network, along with hardware like access points, routers, and switches. It usually involves investing in additional hardware.
At a glance, physical network segmentation appears to be an easy approach to segmenting a network. However, it is often expensive and fraught with unintended issues. For example, consider the user implications of having two Wi-Fi access points next to each other, each broadcasting with different SSIDs. Hence, many companies utilize logical segmentation.
Logical segmentation is the most popular approach because it leverages concepts that are already built into network infrastructure. An example of this would be creating separate virtual local area networks (VLANs) that share a physical switch, or dividing different asset types into different Layer 3 subnets and using a router to pass data between the subnets.
Network Segmentation Provides Multiple Benefits
With network segmentation, organizations gain operational and security enhancements. By breaking large networks into smaller ones, network segmentation creates subnetworks that can be more effectively and efficiently managed. This allows for performance optimization and streamlined management. It also limits exposure to cyberattacks, facilitates monitoring, and increases visibility into traffic.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 9th March, 2022