Part of:Intro to network segmentation and microsegmentation
How to implement network segmentation for better security
For a network segmentation strategy to be effective and improve security, network teams need to create detailed security policies, identify each resource and use allowlists.
Network segmentation is the practice of subdividing a network into functional domains and limiting the communications between those domains.
For example, an enterprise might create separate segments for accounting, HR, product development, manufacturing, customer service, marketing, sales and building automation. No part of the network is exempt. Segmentation works for cloud computing, as well as SaaS applications.
Communication between the segments is controlled at specific locations where security practices can keep the network safe. Network security teams can use tools like deep packet inspection with intrusion detection, intrusion protection and firewalling.
What is microsegmentation?
Microsegmentation takes network segmentation to the next level by enforcing policies on a more granular basis, such as by application or device. Microsegmentation can incorporate role-based access control based on an endpoint's role and access policies. An IoT device wouldn't be able to communicate with anything but its application server, not even another IoT device. A data entry person in accounting wouldn't be able to perform other accounting functions or access nonaccounting systems.
In these examples, an endpoint can be an application server, a user with a computing resource or a digital automaton that performs some action. An RFID reader that updates an inventory database at a loading dock represents such a device. A chatbot is a digital entity that accesses customer order databases to satisfy a customer's query. Neither example endpoint should be able to access systems other than those it was designed to use.
Microsegmentation divides workloads into individual segments, enabling network security teams to enforce more granular policies.
The benefits of network segmentation
The primary benefit of network segmentation is it limits the damage from a cybersecurity attack. On the monitoring front, security systems can provide alerts when an unauthorized endpoint tries to access the system, identifying bad actors who are attempting lateral spread.
The primary benefit of network segmentation is it limits the damage from a cybersecurity attack.
Segmentation can also reduce the scope of regulatory compliance, like the Payment Card Industry Data Security Standard. Audits only need to involve the part of the network that processes and stores payment card information. Of course, such audits should validate proper segmentation practices.
Network segmentation best practices
So, what are some strategies network teams can follow when segmenting their networks?
Create security policies and identify resources
To implement network segmentation, network teams should start by creating security policies for each type of data and asset they need to protect. The policies should identify each resource, the users and systems that access it, and the type of access that should be provided.
Use allowlists
Next, teams should implement allowlist access controls. This practice significantly improves network security. Teams need to identify the application data flows for each application to make this work. While this process can take a significant amount of work, it is well worth the time and effort when compared with the cost of a cybersecurity event.
Technologies to implement network segmentation
Network segmentation can be based on physical separation, logical separation or both, depending on the specific instance. Firewalls, access control lists (ACLs) and virtual LANs (VLANs) provide the basic segmentation functionality.
The next step adds virtual routing and forwarding (VRF) to segment routing information. An advanced implementation would implement a full multi-tenant system based on software-defined technologies that combine firewalls, ACLs, VLANs and VRF.
Software-defined access
Software-defined access (SD-access) identifies endpoints and assigns them to the proper network segments, regardless of where they physically connect into the network. SD-access tags packets to identify the segment to which they belong. Tagging makes it efficient for the network to apply the proper policy to network flows.
Physical separation
Network teams should use physical separation, such as separate firewalls, when they need to reduce the complexity of firewall rules. Mixing the firewall rules for a large number of applications in one firewall can become impossible to maintain. Complex rule sets rarely have rules removed because the resulting action is difficult to determine. Using separate firewalls based on VM implementations can greatly simplify each rule set, making it easier for teams to audit and remove old rules when requirements change.
Automation
Finally, teams can use automation to help maintain network security. Many of the security audit steps can and should be automated to ensure they are consistently applied. Tools based on software-defined technology can aid in automation.
