Network Segmentation






Recent headlines around data breaches have highlighted a common security mistake – improper network segmentation.

If an attacker wants to get into your network, they will find a way. So you don’t want a single point of failure or an open network. Once unauthorised access is gained, network segmentation or “zoning” can provide effective controls to mitigate the next step of a network intrusion and to limit further movement across the network or propagation of a threat.

By properly segregating the network, you are essentially minimising the level of access to other systems and sensitive information for those applications, servers, and people who don’t need it, while enabling access for those that do. Meanwhile you’re making it much more difficult for a cyber-attacker to locate and gain access to your organisation’s most sensitive information.



Regulatory Guidance and Best Practices


Standards such as PCI-DSS provide guidance on creating clear separation of data within the network – in the case of PCI, cardholder data should be isolated from the rest of the network, which contains less sensitive information. An example would be to ensure that Point-of-Sale (PoS) systems and databases are completely separated from areas of the network where third parties have access. In this example a PCI Zone would be created with stringent constraints allowing connectivity for as few servers and applications as possible.

Some organisations use virtual local area networks (VLANs) to segment their network, but VLANs simply isolate network traffic – they cannot enforce access control over privileged information. In addition, a VLAN by itself cannot inspect your traffic for threats.



Routes to Achieve Proper Segmentation

Traditionally, firewalls and VLAN switches provide a route to partition the network into smaller zones, assuming you have defined, and regularly review, maintain and enforce, a ruleset that controls the communication paths.

A sound security policy entails segmenting the network into multiple zones with varying security requirements and enforcing a rigorous policy of what is allowed to move from zone to zone. Anything designated in the PCI zone, for example, should be isolated from the rest of the network as much as possible – without impacting the overall business. 



Here are a few tips to consider (not an exhaustive list):
  • Implement controls at multiple layers within the network architecture. The more layers you can add at each level (e.g. data, application, etc.), the harder it is for an attacker or unauthorised user to gain access to sensitive information. Of course this has to be manageable from an operations standpoint and it can’t reach the point where business processes come to a grinding halt.
  • Apply the rule of least privilege. For example, a third-party vendor may need access to your network, but they most likely don’t need access to certain information. Access should only be provided to the user or system that absolutely needs it, and nothing else.
  • Segment information access based on your security requirements. Define your different zones based on where your sensitive information resides. For example, you want to make sure that sensitive information isn’t easily accessible by a third party that has no need for this access. Take a step back when looking at your network architecture and determine whether there is unnecessary access, or overly restrictive access, in different places. You may be surprised by what you see.
  • Leverage a whitelist or hybrid approach. Instead of trying to block all of the bad things out there, which puts you into a never-ending game of cat and mouse, define what you know to be acceptable communication paths and block everything else.


A common challenge is that building a large matrix of many semi-segregated zones, setting a policy for the traffic allowed between zones, and enforcing it is not trivial. Getting to this point typically requires largely manual processes and a great deal of effort – especially given the volume of security changes that must be processed on a regular basis.

Security changes can, as an unintended consequence, alter a defined policy over time. Automating the security change process around network segmentation policies ensures these policies are continuously enforced and validated every time a change request is made.
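The tips above (a default-deny allowlist of zone-to-zone paths, least privilege for third parties) and the point about validating every change request against the segmentation policy can be shown together in a small policy engine. The following is an added example written for this page; it is not Securenet Consulting's code and does not describe any product. The zone names, the CIDR ranges, the allowlist, the PCI-zone invariant and the flow records are all constructed for illustration; a real deployment would load the zone matrix from the firewall or gateway configuration and the flows from its logs.

```python
"""Zone-based segmentation policy: allowlisted paths, default deny,
flow-log checking and change-request validation.

Added example, not the page's or any vendor's code. Zones, prefixes,
rules and flow records below are constructed for illustration.
"""
import ipaddress

# Constructed zones mapped to illustrative RFC 1918 prefixes.
ZONES = {
    "PCI": ipaddress.ip_network("10.10.0.0/24"),          # PoS servers, cardholder DB
    "CORP": ipaddress.ip_network("10.20.0.0/16"),         # general user workstations
    "THIRD_PARTY": ipaddress.ip_network("10.30.0.0/24"),  # vendor access segment
    "MGMT": ipaddress.ip_network("10.40.0.0/24"),         # jump hosts / admin tooling
}

# Allowlist of (src_zone, dst_zone, protocol, dst_port). Everything else is denied.
ALLOW = {
    ("CORP", "PCI", "tcp", 443),          # web front end to PoS application
    ("MGMT", "PCI", "tcp", 22),           # admin SSH from jump hosts only
    ("THIRD_PARTY", "CORP", "tcp", 443),  # vendor-facing portal
}

# Invariant a change request must never break: no direct path between the
# third-party segment and the PCI zone, in either direction (constructed rule).
FORBIDDEN_PAIRS = {("THIRD_PARTY", "PCI"), ("PCI", "THIRD_PARTY")}


def zone_of(ip):
    """Return the zone name whose prefix contains ip, or UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def is_allowed(src_ip, dst_ip, proto, dst_port):
    """Default-deny evaluation of one flow against the zone matrix."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    # Assumption for this example: traffic that stays inside one known zone is
    # left to host-level controls; only cross-zone paths are matrixed here.
    if src == dst and src != "UNKNOWN":
        return True
    return (src, dst, proto, dst_port) in ALLOW


def find_violations(flow_lines):
    """Parse constructed 'src dst proto dst_port' records; return denied flows as zone tuples."""
    violations = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guess
        src, dst, proto, port = parts[0], parts[1], parts[2], int(parts[3])
        if not is_allowed(src, dst, proto, port):
            violations.append((zone_of(src), zone_of(dst), proto, port))
    return violations


def validate_change(src_zone, dst_zone, proto, dst_port):
    """Check a proposed allow rule against the invariants before it is applied."""
    if src_zone not in ZONES or dst_zone not in ZONES:
        return False, "unknown zone in request"
    if (src_zone, dst_zone) in FORBIDDEN_PAIRS:
        return False, f"{src_zone}->{dst_zone} would bypass PCI zone isolation"
    if (src_zone, dst_zone, proto, dst_port) in ALLOW:
        return False, "rule already exists"
    return True, "ok"


# Constructed flow records: "src dst proto dst_port".
SAMPLE_FLOWS = [
    "10.20.5.7 10.10.0.12 tcp 443",    # CORP -> PCI web: allowed
    "10.30.0.9 10.10.0.12 tcp 3306",   # THIRD_PARTY -> PCI database: denied
    "10.40.0.2 10.10.0.12 tcp 22",     # MGMT -> PCI SSH: allowed
    "10.20.5.7 10.10.0.12 tcp 22",     # CORP -> PCI SSH (not from jump host): denied
    "10.10.0.12 10.10.0.13 tcp 5432",  # intra-PCI: allowed by the assumption above
    "garbage line",                    # malformed, skipped
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("DENIED cross-zone flow:", v)
    print(validate_change("THIRD_PARTY", "PCI", "tcp", 443))
    print(validate_change("CORP", "PCI", "tcp", 8443))
```

Running the module prints the two denied flows (the vendor segment reaching the cardholder database, and SSH into the PCI zone from a workstation instead of the jump-host segment) and rejects the change request that would open the third-party segment to the PCI zone while accepting one that stays within the matrix's constraints. The same `validate_change` check is what an automated change pipeline would run before each rule is pushed, so the invariant is re-verified on every request rather than only at the next manual review.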




> Network Segmentation v Software Defined Networking (SDN)

Securenet Consulting network security solutions incorporate coverage of both the physical layer (network interface cards and ports) and the logical layer (the data packet / software path for network, server, application and data access).

SDN only addresses the logical management of access. 




> Reduce Network Complexity

Network segmentation is becoming increasingly necessary as the threats of data theft and attacks on critical systems continue to grow.

Our access control gateway solutions are, in their purest form, a true firewall: by default they block everything and allow nothing to pass between their interfaces. Access is only granted when a user meets all the pre-determined, context-based policy criteria.

This reduces complexity: there is no need to purchase any more VLAN switches or internal network firewalls, or to spend time administering limited policies and rules on numerous disparate devices across your network. Secure separation for all critical systems – on any platform, whether Windows, Linux, UNIX or virtualised – can be set up and managed centrally, while essential connectivity and secure access for authorised users is still enabled, all from one centralised platform.




> Simplify Networks & Protect Core Systems


Internal security domains or segments can be created, removing the need to change the network architecture to protect critical assets such as development data or PCI at-risk servers from unauthorised access.

Encryption, authentication and access control engines deliver a high level of secure separation and protection whilst also providing the flexibility to modify internal segment (switch) configuration and connectivity options quickly and easily.

Network traffic is encrypted as standard giving each user a private, secure connection and preventing other users sniffing data. Unauthorised, unencrypted traffic is blocked automatically.




> Say goodbye to VLANs

Traditionally, VLANs are used to segregate critical systems and users from each other. However, creating and managing VLANs in switches makes segregation very complicated – and until now IT has had no other way to segregate users and networks.

With our network gateway system you can remove all VLANs from cumbersome and expensive switch infrastructure – reducing risk, cost, complexity and administration overheads.




> High Performance Network Segmentation

The simplified single-system platform architecture can support and process millions of firewall and network segmentation rules, running in a cluster.




Compliant Segmentation

PCI, SAP, SCADA

Internal security domains can be created to protect critical assets. Segment your critical and compliance controlled servers and data from the rest of the network and users. For example, PCI at-risk servers, SAP or SCADA networks.

Another benefit is that it firewalls any device connecting to the network, preventing the potential spread of any viruses or an attacker who may have compromised that device to stage an attack.




Reduce Audit Costs & Time


By segmenting your critical servers and data, you reduce the scope of audit compliance – thus reducing the auditor consultancy time and costs. 




Reduce Infrastructure Costs

Remove the need to change or add additional hardware solutions (VLAN switches or firewalls) to the network architecture in order to isolate critical systems.

Allows for both virtual and physical segmentation of networks.

The firewall /access gateway server can support multiple secure domains on the network, including virtual servers. All traffic from users to application servers on these networks will be checked and controlled.

Removing the VLAN configurations from the network switches enables the business to carry out switch upgrades much more easily and quickly. Having to re-configure VLANs on switches can take months – time the business and audit might not be able to afford. Some companies have thousands of VLANs within a network; removing them lets the business run one flat network at both the back and front end, making jobs like switch upgrades much easier.




Segmentation using Encryption

End-to-end encryption provides compliance level segmentation automatically.



Multi Tenancy Environments


A variety of means are available for supporting multi-tenancy in cloud environments, including Layer 3 approaches and an innovative native Layer 2 solution.

Public and private cloud providers need to deploy and support componentised, virtualised workloads quickly, securely, and scalably, on a per-tenant basis. Traditional Virtual Local Area Networks (VLANs) can be used for this purpose up to a point, but limitations on VLAN scale, the complexity of configuring large numbers of VLANs, and overlapping VLANs restrict their usefulness in larger data centres.




Segmenting Virtual Networks


For the past 20 years, network architects have used segmentation strategies to make their networks more manageable and secure. Deploying firewalls between servers with different purposes or trust levels has long been a “must have” for any production network - especially those intended to rise to the level of Payment Card Industry (PCI) compliance.

The rise of virtualisation has caused some network designers to rethink the need for network segmentation. Virtual environments seem to naturally lend themselves to the use of large, flat networks. vSwitch, the basic virtual switch provided by VMware, does not even support Layer 3 (L3) functionality, so that - absent other technology - Virtual Machines (VMs) within a hypervisor are not isolated or segmented. Some engineers are even calling for an end to the use of 3-tiered networks altogether.







Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk