While it should be understood that it isn't possible to create a perfectly defended IT network infrastructure, reducing the attack surface and eliminating unwanted access to network segments significantly reduces the risk of a system breach.[2] Using the defence-in-depth security practice of network segmentation, an organisation's network address space is subdivided into smaller subnets. The network can be physically segmented with routers and firewalls or, more commonly, logically separated by virtual LANs (VLANs) on network switches. These VLAN zones are carried between switches over trunk links and routed between one another via Switched Virtual Interfaces. There are numerous advantages to implementing this segmented network architecture.
This type of segmentation directly decreases the number of systems on each network segment and shrinks the broadcast domain, reducing both device network processing overhead and the scope for malicious reconnaissance. By confining routed traffic to its segment, overall bandwidth usage in the LAN is also reduced.
On a flat network, the propagation of network worms such as WannaCry and NotPetya over a shared protocol such as SMB is not contained as it would be on a segmented network.
Segmentation aids compliance by grouping systems holding data with similar requirements into separate zones, ensuring that systems holding sensitive data are kept isolated.
Network segmentation enables segregation of systems by end-user category groups, with access control policy enforced at the ingress/egress points. This granular security policy can be implemented over time with ACLs at the zone gateway, or with firewalls that control the flow between large segments.
Further division of server systems, for example, protects against threat actors easily pivoting from one compromised server to another, such as lateral movement using mimikatz pass-the-hash attacks (collecting hashed credential data for reuse on other machines; further explained in the references)[5].
Often network segmentation projects can be run with current network equipment.
Segmentation also facilitates the addition of an untrusted VLAN for NAC (Network Access Control) policy enforcement. NAC solutions allow network operators to define policies for enforcement, such as the types of computers or roles of users allowed to access areas of the network, which are then enforced using switches, routers and firewalls. Implementing an untrusted VLAN segment protects the network from non-compliant and/or unknown systems.
While it is common practice to move traffic off the default VLAN, good network segmentation divides end devices into VLANs by role. Often a site will create a VLAN segment for servers, a VLAN segment for physical client workstations, and a VLAN segment for Wi-Fi access. As the following illustration shows, network segmentation that separates users' computers and servers into functional groups offers defence-in-depth. VLAN1 is an isolated server network; each further VLAN represents a department, with VLAN5 containing its own departmental server.
Diagram: An example layout of network segmentation with VLANs
While virtual segmentation platform solutions exist that provide zoning automatically by mapping new network segments onto existing networks[3], it is likely that little additional network equipment is needed to implement network segmentation.
The following are further considerations when undertaking a network segmentation redesign:
Where multi-switch topologies exist, trunk interfaces are required to carry VLAN traffic between switches; this is common in Access, Distribution and Core layer designs. Stacked switches, however, tend to meet this requirement using virtual/backplane interfaces, decreasing the number of trunk interfaces required and lowering the risk of network loops.
Inter-VLAN routing is implemented either via the router acting as default gateway or, where multilayer L2/L3 switches are in use, via Switched Virtual Interfaces or routed VLAN interfaces between VLANs inside the switch.
DHCP use within VLANs requires DHCP relay to be implemented for those subnets, since the DHCP server will usually sit in a different subnet from the clients it serves.
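The considerations above (role VLANs, a pruned trunk, SVIs for inter-VLAN routing, DHCP relay and an ACL at the zone gateway) brought together in one constructed switch configuration. This is an added example in Cisco IOS syntax, not configuration from the article; the VLAN IDs, names and addresses are assumptions chosen for illustration.

```cisco
! Added example, not from the article: Cisco IOS syntax on a multilayer switch.
! VLAN IDs, names and addresses are constructed assumptions for illustration.
vlan 10
 name SERVERS
vlan 20
 name FINANCE
vlan 30
 name ENGINEERING
vlan 999
 name NATIVE-UNUSED
!
! Trunk to the core: carry only the VLANs this switch needs, native VLAN off VLAN 1
interface GigabitEthernet1/0/48
 description Trunk to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! SVIs give each VLAN a gateway and do the inter-VLAN routing inside the switch
ip routing
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
!
! Departmental SVIs: DHCP relay to the server zone, zone policy applied inbound
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.10.0.5
 ip access-group FINANCE-IN in
!
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 ip helper-address 10.10.0.5
 ip access-group ENGINEERING-IN in
!
! Finance's own departmental server (10.20.0.10) is in VLAN 20, so that traffic is
! switched locally and never reaches this gateway policy. Across the gateway,
! Finance may reach the shared server zone but no other department subnet.
ip access-list extended FINANCE-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.20.0.0 0.0.0.255 any
!
ip access-list extended ENGINEERING-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.30.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 deny   ip 10.30.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.30.0.0 0.0.0.255 any
```

The logged deny lines are what a worm attempting SMB spread from Finance into Engineering would hit, so they double as a cheap detection source when exported to syslog.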
One approach, particularly useful for wireless or remote devices, is dynamic VLAN assignment. It is based on the authenticating user's group membership as managed by a service, usually consisting of a RADIUS server and a user directory. RADIUS attributes returned on authentication decide the VLAN ID that should be assigned to the wireless client[4]. Once the user is authenticated, packets from their device are assigned to the appropriate VLAN based on rules set up by the administrator.
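The untrusted NAC VLAN described earlier and the dynamic VLAN assignment described here, shown together on a wired 802.1X access port. This is an added example in Cisco IOS syntax, not configuration from the article; the VLAN IDs, RADIUS server address and key placeholder are assumptions, and the same RFC 3580 attributes in the RADIUS reply are what a wireless controller would act on.

```cisco
! Added example, not from the article: Cisco IOS syntax for an 802.1X client port.
! VLAN IDs, the RADIUS server address and the key placeholder are constructed.
aaa new-model
aaa authentication dot1x default group radius
! Network authorization lets the switch accept the VLAN returned by RADIUS
aaa authorization network default group radius
radius server NPS1
 address ipv4 10.10.0.20 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
dot1x system-auth-control
vlan 99
 name QUARANTINE
!
interface GigabitEthernet1/0/5
 description Client access port
 switchport mode access
 switchport access vlan 99
 authentication port-control auto
! Unknown (no supplicant) or failed devices stay in the untrusted VLAN 99
 authentication event no-response action authorize vlan 99
 authentication event fail action authorize vlan 99
 dot1x pae authenticator
 spanning-tree portfast
!
! On success the RADIUS server's Access-Accept carries the VLAN for the user's
! directory group as the RFC 3580 tunnel attributes, e.g. for a Finance member:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = "20"
! The switch then moves this port from VLAN 99 into VLAN 20 for the session.
```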
Flat networks are a security weak point when network security design is taken into consideration. Network segmentation can be achieved through a network redesign that may not require further infrastructure investment, while offering many protection enhancements off the bat. Today it is considered network design best practice: it reduces an organisation's attack surface, assists with data compliance, and promotes role-based security.
Over the last year, organisations have started advocating a more modern security model referred to as Zero Trust or the 'BeyondCorp' model. This devises a perimeter-less network model of user and device validation through public proxy connections for securely accessing an organisation's resources regardless of user and asset location. This model will be blogged about in the future for interested readers.