Network Segmentation (Part 1)

What are the benefits of network segmentation?
- Network segmentation, in a general sense, means clustering systems that work in a similar capacity and isolating them from other clusters. Dividing systems gives enterprises the ability to prioritize the security of networks containing highly sensitive data over those with low or even moderately sensitive data. Thus, having a segmented network makes it difficult for attackers and/or unauthorized people to navigate through networks carrying sensitive data. Traditionally, network segmentation was difficult to achieve, since maintaining and updating networks in large corporate environments is time-consuming and tedious. However, the availability of software-defined segmentation today has made network segmentation much easier to implement and maintain.
Because enterprises handle different types of data across varying network environments, network segmentation can be done in several ways. Below we overview some of the most common models and how they help protect data:
Security
- Designating zones allows organizations to consistently track the location of sensitive data and assess the relevance of an access request based on the nature of that data. Designating where sensitive data reside permits network and security operations to assign resources for more aggressive patch management and proactive system hardening.
Network Segmentation with virtual local area networks (VLANs)
[Diagram: network segmentation with VLANs]
- This model creates a collection of isolated networks within a data center, with each network as a separate broadcast domain. This model provides protection for networks and data centers and even cloud storage facilities.
Micro-Segmentation
- This strategy protects the network by breaking it down into smaller chunks through the use of firewalls, host firewalls, VLANs, virtual private networks (VPNs), and network access controls. Adding such complexity to the network slows down the progress of attacks and increases the visibility of unauthorized use of, or entry into, a network.
What’s common across the aforementioned examples is the creation of multiple levels or layers within the enterprise network. Besides creating separate, small networks, specific privileges are also applied to these networks to limit access. This procedure effectively keeps unauthorized persons from accessing highly sensitive files. Aside from limiting access, networks containing sensitive information may also require whitelisting to specifically define acceptable communication paths and block everything else not included in the whitelist.
This particular way of protecting data isn’t focused on highly sensitive data alone, as it was originally designed to protect all kinds of data and to mitigate the damage of known threats like data breaches and ransomware.
Essential rules for Network Segmentation
In practice, network segmentation starts like this:
Divide the network into logical segments. Segments can be physical or virtual; each is assigned a predetermined network mask.
Distribute the network resources to each segment (subnet). In turn, each segment redistributes resources to its network stations or devices.
Connect network segments using switches (Layer 2), bridges (Layers 2-3) or routers (Layer 3).
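The first two steps above (dividing the network into segments with predetermined masks and handing each segment its address space) can be worked through with Python's standard ipaddress module. The script below is an added example, not code from the article: the segment names, host counts and the 10.10.0.0/16 supernet are constructed assumptions. It sizes each subnet from its host count, carves the supernet largest-first so allocations stay aligned, and then answers the operational question a segmented network raises constantly, namely which zone a given address belongs to.

```python
import ipaddress

# Constructed sample input (an assumption for illustration, not from the article):
# the zones an enterprise wants and how many hosts each must hold.
SEGMENTS = [
    ("corporate-users", 400),
    ("servers-sensitive", 50),
    ("guest-wifi", 120),
    ("management", 10),
]


def hosts_to_prefix(hosts):
    """Smallest IPv4 prefix length whose subnet holds `hosts` usable addresses.
    Two addresses per subnet (network and broadcast) are reserved."""
    needed = hosts + 2
    prefix = 32
    while (1 << (32 - prefix)) < needed:
        prefix -= 1
    return prefix


def plan_subnets(supernet, segments):
    """Carve `supernet` into one subnet per segment, largest segment first so
    every allocation stays aligned on its own boundary. Free space is tracked
    as a sorted pool of unallocated blocks; the lowest fitting block is used.
    Returns a dict mapping segment name -> IPv4Network."""
    pool = [ipaddress.ip_network(supernet)]
    plan = {}
    for name, hosts in sorted(segments, key=lambda s: s[1], reverse=True):
        prefix = hosts_to_prefix(hosts)
        for i, block in enumerate(pool):
            if block.prefixlen <= prefix:          # block is big enough
                subnet = next(block.subnets(new_prefix=prefix))
                # keep whatever is left of the block as free space
                pool[i:i + 1] = list(block.address_exclude(subnet))
                pool.sort()
                plan[name] = subnet
                break
        else:
            raise ValueError(f"no room left in {supernet} for {name} (/{prefix})")
    return plan


def segment_of(plan, ip):
    """Return the segment whose subnet contains `ip`, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, subnet in plan.items():
        if addr in subnet:
            return name
    return None


def overlapping(plan):
    """Sanity check: pairs of segments whose subnets overlap (should be empty)."""
    items = list(plan.items())
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    plan = plan_subnets("10.10.0.0/16", SEGMENTS)
    for name, subnet in plan.items():
        print(f"{name:20s} {subnet}  (usable hosts: {subnet.num_addresses - 2})")
    print("overlaps:", overlapping(plan))
```

Allocating largest-first matters: placing the /28 management segment first would leave fragmented gaps that a later /23 could not fit into, and the overlap check is the kind of test worth keeping in a repository that holds the address plan, because overlapping subnets silently defeat Layer 3 segregation.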
Network Segmentation Tools for a Multi-Layered Security Approach
- Physical layer segmentation: Refers to the separation of two networks at the physical layer, meaning that there is a change or disruption in the physical transmission medium that prevents data from traversing from one network to another.
Data link layer segmentation, Layer 2 (VLAN)
- It is typically performed using virtual local area networks (VLANs). Network switches are used to separate systems, and VLANs are used to limit their broadcast domains. VLANs, therefore, cannot communicate with other VLANs without traversing at least one Layer 3 hop, or by physically connecting VLAN access ports. The use of VLANs provides easy and efficient segmentation. If inter-VLAN communication is only allowed via a Layer 3 device, VLANs can also enforce some security by implementing segregation via access control lists (ACLs) on the intermediary router.
Newer Layer 2 switches provide the capability to apply an ACL at the port level as traffic enters the switch, which helps improve VLAN security since this ACL is applied to all VLANs on a given port.
Network layer segmentation, Layer 3 (FIREWALL)
- It is performed by a network router, a network switch with Layer 3 capabilities, or a firewall. For any protocol utilizing the Internet Protocol (IP), including industrial protocols that are encapsulated over TCP/IP or UDP/IP, routing provides good network layer segmentation as well as strong security through the use of router ACLs. However, IP routing requires careful IP addressing: the network must be appropriately separated into address subnets, with each device and gateway interface appropriately configured. Network firewalls can also filter traffic at the network layer to enforce network segregation, and most Layer 3 switches and routers support access control lists (ACLs) that can further strengthen access controls between networks.
Layer 3 network segmentation helps to minimize the attack surface for network-layer attacks.
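Both the Layer 2 and Layer 3 sections above rest on the same mechanism: an ordered ACL on the device that sits between VLAN subnets, evaluated first-match with an implicit deny at the end. The following is an added example, not the article's code and not any vendor's ACL syntax; the three VLAN subnets, the rules and the sample flows are constructed assumptions. It models that evaluation and adds a check practitioners want when auditing such ACLs, detection of shadowed rules that can never match because an earlier rule already covers them.

```python
import ipaddress

# Constructed sample (assumptions for illustration, not from the article):
# three VLAN subnets and the ordered ACL applied on the router between them.
# Rule fields: (action, source network, destination network, protocol, destination port)
# protocol "any" matches every protocol; port None matches every port.
VLANS = {
    "users": "10.10.10.0/24",
    "servers": "10.10.20.0/24",
    "mgmt": "10.10.30.0/24",
}

ACL = [
    ("permit", VLANS["users"], VLANS["servers"], "tcp", 443),
    ("permit", VLANS["mgmt"], VLANS["servers"], "tcp", 22),
    ("deny", VLANS["users"], VLANS["mgmt"], "any", None),
    # never hit: rule 0 already permits this, so it is a shadowed rule
    ("permit", VLANS["users"], "10.10.20.10/32", "tcp", 443),
]


def _net(n):
    return ipaddress.ip_network(n)


def rule_matches(rule, src_ip, dst_ip, proto, dst_port):
    """True if a single ACL entry matches the packet."""
    _, src_net, dst_net, r_proto, r_port = rule
    return (
        ipaddress.ip_address(src_ip) in _net(src_net)
        and ipaddress.ip_address(dst_ip) in _net(dst_net)
        and r_proto in ("any", proto)
        and r_port in (None, dst_port)
    )


def evaluate(acl, src_ip, dst_ip, proto, dst_port=None):
    """First-match evaluation with an implicit deny at the end, as on a typical
    router ACL. Returns (action, index of the matching rule or None)."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, src_ip, dst_ip, proto, dst_port):
            return rule[0], idx
    return "deny", None


def shadowed_rules(acl):
    """Indices of rules that can never match because an earlier rule is at
    least as broad in every field. Shadowed rules are a common sign that an
    ACL has drifted from the intended segmentation policy."""
    shadowed = []
    for j, (_, s_j, d_j, p_j, port_j) in enumerate(acl):
        for i in range(j):
            _, s_i, d_i, p_i, port_i = acl[i]
            if (_net(s_j).subnet_of(_net(s_i))
                    and _net(d_j).subnet_of(_net(d_i))
                    and p_i in ("any", p_j)
                    and port_i in (None, port_j)):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, dst_port)
    flows = [
        ("10.10.10.5", "10.10.20.10", "tcp", 443),   # users -> servers https
        ("10.10.10.5", "10.10.20.10", "tcp", 22),    # users -> servers ssh
        ("10.10.30.2", "10.10.20.10", "tcp", 22),    # mgmt -> servers ssh
        ("10.10.10.5", "10.10.30.1", "icmp", None),  # users -> mgmt ping
    ]
    for f in flows:
        print(f, "->", evaluate(ACL, *f))
    print("shadowed rule indices:", shadowed_rules(ACL))
```

The model is stateless on purpose, which is what a plain router ACL gives you: return traffic for a permitted session is not automatically allowed, so a real deployment either adds the reverse rules or uses a stateful firewall for the inter-VLAN hop, as the Layer 3 section notes.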
Layer 4-7 segmentation
- It includes means of controlling network traffic carried over IP. This is important because most industrial protocols have evolved for use over IP but are often still largely self-contained, meaning that functions such as device identity and session validation occur within the IP packet payload.
This is a powerful method of segmentation because it offers granular control over network traffic.
In the context of industrial network security, application layer “content filtering” is able to enforce segregation based upon specific industrial protocol use cases.
Application layer segregation is typically performed by a “next-generation firewall” or “application-aware IPS,” both of which are terms for a device that performs deep packet inspection (DPI) to examine and filter upon the full contents of a packet’s application payload.
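To make the Layer 4-7 point concrete, the script below is an added example (not from the article, and not the code of any DPI product) of application-layer content filtering for one industrial protocol, Modbus/TCP. The function codes and the MBAP header layout are the public Modbus/TCP definitions; the zone names, the policy and the sample frames are constructed assumptions. Note that the unit id (device identity) and the function code both live inside the TCP payload, exactly the situation the text describes, so a Layer 3 ACL cannot distinguish a read from a write and only payload inspection can.

```python
import struct

# Public Modbus function codes used by the filter.
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}          # read coils/inputs/registers
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}         # write coils/registers

# Constructed policy (assumption for illustration, not from the article):
# which zone may issue which function codes to which unit (slave) ids.
POLICY = {
    "hmi": {"functions": READ_FUNCTIONS, "units": {1, 2}},
    "engineering": {"functions": READ_FUNCTIONS | WRITE_FUNCTIONS, "units": {1, 2, 3}},
}


def parse_modbus_tcp(frame):
    """Parse the 7-byte MBAP header and the PDU function code of a Modbus/TCP
    frame. Raises ValueError on anything that is not well-formed, so the
    caller fails closed instead of guessing."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # the length field counts everything after itself: unit id + PDU
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return {"transaction": transaction, "unit": unit,
            "function": frame[7], "data": frame[8:]}


def filter_frame(src_zone, frame):
    """Application-layer verdict for one request frame from `src_zone`.
    Returns (action, reason) with action "allow" or "drop"."""
    rules = POLICY.get(src_zone)
    if rules is None:
        return "drop", "unknown-zone"
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError:
        return "drop", "malformed"
    if msg["unit"] not in rules["units"]:
        return "drop", "unit-not-allowed"
    if msg["function"] not in rules["functions"]:
        return "drop", "function-not-allowed"
    return "allow", "ok"


# Constructed sample frames (hex), not captured traffic:
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # read 10 holding regs, unit 1
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")   # write register 0x10, unit 1
TRUNCATED = bytes.fromhex("0003 0000 0006 01 03")                # length says 6, only 2 present
WRONG_UNIT = bytes.fromhex("0004 0000 0006 09 03 0000 0001")     # read from unit 9

if __name__ == "__main__":
    for zone, frame in [("hmi", READ_HOLDING), ("hmi", WRITE_SINGLE),
                        ("engineering", WRITE_SINGLE), ("hmi", TRUNCATED),
                        ("hmi", WRONG_UNIT), ("guest", READ_HOLDING)]:
        print(zone, frame.hex(), "->", filter_frame(zone, frame))
```

Two design choices carry over to real deployments: the parser rejects frames whose length field disagrees with the bytes actually present rather than inspecting what it can, and the policy is an allowlist keyed by zone, so a zone that has no entry gets nothing, matching the whitelisting approach described earlier on the page.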