We are constantly barraged with new technologies and techniques for securing the enterprise. Every new thing we are told is crucially important, and if you don’t master all of it now, you are the next breach headline. It is intimidating to say the least.
It is easy to look past the basics of securing the network. Basic network segmentation can be crucial to preventing attackers from bypassing all the other defenses. It can also be used to greatly reduce scope for compliance audits—and we all want to spend less time in audit.
Network segmentation is so classic, it is often assumed to be in place. Simple observation informs us that, at many companies, it is not. This is true even for sizable enterprises with extremely valuable information and secrets. Many of us have more robust home network protections than do some enterprises! If you are an IT professional or even a network engineer who is unsure about the basics of network segmentation, you are very far from alone.
How to get started?
Here are the six most crucial steps to implementing network segmentation.
1. Wireless First
The wireless network extending around corporate offices and even into public spaces outside the office walls must be isolated from critical networks. There are few ways that are better for bypassing security controls than simply hacking the Wi-Fi from a public space right into a flat network.
If administrators of systems, data, applications, and network devices are to continue remoting into systems through wireless means, route them first through VPN. In this way, you can enforce other controls, like multi-factor authentication (MFA).
2. Use DENY ALL as the Standard
Yes, this needs to be said. Deny all traffic that is not expressly permitted. While some enterprise networking appliances default to DENY ALL, any modification might remove this default, possibly without you noticing. Be sure that no firewall ruleset contains an allow-all rule, and that every ruleset ends with an explicit DENY ALL. Do not allow any traffic to bypass controls, or this effort will be fruitless over time.
3. Set Up VLANs to Serve Various Scenarios
Next, define virtual LANs (VLANs) by grouping systems in a consistent manner to reduce exposure to critical functions and data. One common grouping method is for business-critical systems. Less critical systems not requiring 100% uptime or real-time processing could be grouped elsewhere.
For human groups that interact with sensitive data (e.g., accounting, marketing, and customer support), VLANs for each help reduce exposure from groups that should not interact with sensitive data.
Customer support groups sometimes share sensitive data over Voice over Internet Protocol (VoIP). If VoIP is not encrypted, a VoIP-VLAN may be helpful.
One grouping consideration is the need for interaction with the public Internet. Systems that need no public interaction for an application, for patching, or for time syncing may be grouped together. Patch servers and NTP servers, for example, would be grouped separately from that group, as they do need public resources.
For any systems that must interact with the public Internet, a DMZ-VLAN can be your most critical network. With the high number of controls needed here, this group allows you to confine many controls to just the DMZ and reduce the overall effort needed to secure internal flows in a non-disruptive manner.
A word of caution about the DMZ: Any system also storing sensitive data should not be in the DMZ. Separation of the web server and data storage may be needed. The issue, however, is not created by the DMZ. The existing exposure of that system to the Internet is the problem, and more than a few companies have this very issue today.
You do not need 100 VLANs or even one for each and every cloud system to get the benefits of segmentation. Many companies have effectively segmented their networks with only five or so VLANs. The overall number of planned VLANs should take into consideration how well you can support the ongoing creation, maintenance, and review of rulesets controlling traffic between each one.
Deep network segmentation could even involve VLANs just for administering the network, for administering servers, for non-console administration of servers through jump boxes, and so on. If you support such VLANs, you probably aren’t reading this basic article.
4. Restrict Ports and Protocols
If you have systems or devices that do not use TCP, or that never make requests to the public Internet, these could be grouped and have very restrictive rules applied. Because only the outward-facing systems are placed in a DMZ VLAN, the allowed ports and protocols can differ greatly from one group to the next, depending on each group's requirements. A VLAN supporting internal-only printers could have far different rules than a VLAN supporting a public-facing modem.
Once this is defined for the DMZ and incoming traffic, define it for outgoing traffic and then internal-only VLANs.
If you are using a stateful firewall, the security groups might also be stateful. In many cases, this means that an inbound rule allowing a request also allows the corresponding response, without an additional explicit rule in the outbound rule set.
5. Eliminate Insecure Ports/Protocols
After defining all your VLANs, repeat what you did for wireless by starting with prohibiting all inbound and outbound traffic, except where expressly allowed. Allow only the protocols and ports that are actually required. Wherever possible, do not allow insecure protocol/port combinations such as FTP (TCP 20, 21) or unencrypted HTTP (TCP 80, 8080).
6. Restrict Source
Advanced segmentation would entail rules that are restricted by source hostname, static IP, or even MAC address. The VLAN rules would block all sources except for the hosts or static IPs that are allowed. For example, accepting only secure TCP/443 and only from a DMZ web server (and not insecure TCP/8080 from a compromised workstation) would be better.
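To make steps 2 through 6 concrete, here is a small policy evaluator that models the rules described above. It is an added example written for this article, not code from TrustedSec or from any firewall product: the VLAN names and address ranges, the host addresses, the sample packets, and the rule semantics (first match wins, replies to accepted connections are allowed statefully, and an implicit DENY ALL sits at the end of every ruleset) are all assumptions made for illustration. The ruleset mirrors the article's ordering: DMZ inbound first, then outbound, then internal flows, with source restricted to a single DMZ host where the article calls for it.

```python
"""Toy segmentation policy evaluator (added example, not from the original article).

Models: VLAN groups (step 3), implicit DENY ALL (step 2), per-group port and
protocol restrictions (step 4), rejection of cleartext ports in allow rules
(step 5), and rules restricted to a single source host (step 6). All VLAN
names, address ranges, hosts and packets below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN groupings. INTERNET is the catch-all for anything not internal.
VLANS = {
    "DMZ": ip_network("10.10.0.0/24"),
    "INTERNAL": ip_network("10.20.0.0/24"),
    "WORKSTATION": ip_network("10.30.0.0/24"),
    "WIRELESS": ip_network("10.40.0.0/24"),
    "INTERNET": ip_network("0.0.0.0/0"),
}


def vlan_of(addr: str) -> str:
    """Return the most specific VLAN containing addr; anything else is INTERNET."""
    ip = ip_address(addr)
    best, best_len = "INTERNET", -1
    for name, net in VLANS.items():
        if ip in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


@dataclass(frozen=True)
class Rule:
    src: str            # VLAN name, or an exact host address (step 6: restrict source)
    dst: str            # VLAN name, or an exact host address
    proto: str          # "tcp" or "udp"
    port: int           # destination port
    action: str = "allow"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = True    # True = new connection attempt, False = part of an existing flow


# Step 5: cleartext combinations the article names; allow rules for these are rejected.
INSECURE_PORTS = {("tcp", 20), ("tcp", 21), ("tcp", 80), ("tcp", 8080)}


def validate_ruleset(rules):
    """Return the allow rules that would permit an insecure protocol/port."""
    return [r for r in rules if r.action == "allow" and (r.proto, r.port) in INSECURE_PORTS]


class Firewall:
    def __init__(self, rules):
        bad = validate_ruleset(rules)
        if bad:
            raise ValueError(f"insecure allow rules: {bad}")
        self.rules = list(rules)
        self.state = set()  # (src, sport, dst, dport, proto) of accepted connections

    def _matches(self, rule, pkt):
        src_ok = rule.src == pkt.src or rule.src == vlan_of(pkt.src)
        dst_ok = rule.dst == pkt.dst or rule.dst == vlan_of(pkt.dst)
        return src_ok and dst_ok and rule.proto == pkt.proto and rule.port == pkt.dport

    def evaluate(self, pkt):
        # Stateful shortcut (step 4): a reply to an accepted connection needs no rule.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if not pkt.syn and reverse in self.state:
            return "allow:established"
        for rule in self.rules:                     # first match wins
            if self._matches(rule, pkt):
                if rule.action == "allow":
                    self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return f"{rule.action}:{rule.src}->{rule.dst}/{rule.proto}/{rule.port}"
        return "deny:default"                       # step 2: DENY ALL ends every ruleset


# Constructed hosts (assumptions): one DMZ web server, one internal app server, one patch server.
WEB_SERVER = "10.10.0.5"
APP_SERVER = "10.20.0.10"
PATCH_SERVER = "10.20.0.20"

RULES = [
    Rule("INTERNET", WEB_SERVER, "tcp", 443),      # DMZ inbound first: HTTPS only
    Rule(WEB_SERVER, APP_SERVER, "tcp", 443),      # internal flow, source restricted to one host
    Rule(PATCH_SERVER, "INTERNET", "tcp", 443),    # outbound: only the patch server, only HTTPS
]


def demo():
    """Evaluate constructed sample packets; returns a name -> verdict mapping."""
    fw = Firewall(RULES)
    cases = {
        "internet->web https": Packet("203.0.113.7", WEB_SERVER, "tcp", 51000, 443),
        "web reply": Packet(WEB_SERVER, "203.0.113.7", "tcp", 443, 51000, syn=False),
        "web->app https": Packet(WEB_SERVER, APP_SERVER, "tcp", 40000, 443),
        "workstation->app 8080": Packet("10.30.0.15", APP_SERVER, "tcp", 40001, 8080),
        "workstation->internet https": Packet("10.30.0.15", "198.51.100.9", "tcp", 40002, 443),
        "wireless->app https": Packet("10.40.0.8", APP_SERVER, "tcp", 40003, 443),
        "unsolicited inbound to app": Packet("203.0.113.7", APP_SERVER, "tcp", 51001, 443, syn=False),
    }
    return {name: fw.evaluate(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```

Running the script shows the effect of each step: the HTTPS request to the DMZ web server and its reply are allowed (the reply through connection state, not a rule), the web server's TLS call to the app server is allowed because the source is that one host, and everything else, including the TCP/8080 attempt from a workstation and the unsolicited packet aimed at the internal app server, falls through to the default deny. Swapping a rule's port to 8080 makes `Firewall(...)` raise before any traffic is evaluated, which is the ruleset review from step 5 done mechanically.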
Too Long; Didn’t Read
For the TL;DR crowd, this is summarized as:
- Don’t allow bypassing of security controls within the firewalls, be it wireless or any other traffic.
- Define groups that minimize exposure to critical systems and data.
- DENY ALL first. Accept only expected traffic.
- Start with rules for the DMZ incoming traffic. Then outgoing traffic. Then interactions with internal groups.
Don’t assume your network is designed to be secure. Engage with IT now to ensure that basic network protections are in place. Securing the network will make all your other controls much harder to bypass.
Author: Steve Maxwell
Steve has over 18 years of experience, ranging from software development, software quality, performance engineering, information security, and internal audit. Before TrustedSec, Steve performed a number of functions supporting security initiatives within the retail and healthcare industries. He has presented to and trained hundreds on automation, performance engineering, and attack mitigation techniques.