Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network. This allows network administrators to control the flow of network traffic between subnets based on granular policies. Organizations use segmentation to improve monitoring, boost performance, localize technical issues and – most importantly – enhance security.
With network segmentation, network security personnel have a powerful tool with which to prevent unauthorized users and protect static IP addresses, whether curious insiders or malicious attackers, from gaining access to valuable assets, such as customers’ personal information, corporate financial records and highly confidential intellectual property, the so-called “crown jewels” of the enterprise. As a result of the rise of software-defined networking (SDN), these assets are frequently found spread across hybrid and multicloud environments – public clouds, private clouds and software-defined networks (SDNs) – all of which need to be secured against attacks and data breaches. To understand the security usage of network segmentation, it’s first necessary to consider the concept of trust in network security.
In the past, network architects targeted their security strategies at the internal network perimeter, the invisible line that separates the outside world from the data vital to an enterprise’s business. Individuals within the perimeter were assumed to be trustworthy and therefore not a threat. Thus, they were subject to few restrictions on their ability to access information.
However, legacy security infrastructures are generally flat network architectures that rely on a perimeter firewall as their only point of traffic inspection and control. Since network boundaries don’t exist as they used to, and most data center traffic is east-west, traditional port-based firewalls provide limited value in a cloud and mobile world.
Recent high-profile breaches have called the trust assumption into question. For one thing, insiders can indeed be the source of breaches, often inadvertently but sometimes deliberately. In addition, when threats penetrate the perimeter, they are free to move laterally in the network to access virtually any data, application, asset or services (DAAS). With virtually unhindered access, attackers can easily exfiltrate a full range of valuable assets, often before the breach has even been detected (see figure 1).
Figure 1: Lateral movement inside the perimeter under the trust assumption
Because of the inherent weaknesses of assumed trust, many organizations have begun to adopt the Zero Trust strategy. Zero Trust assumes nobody is trustworthy by default, even those already inside the network perimeter. Zero Trust works on the principle of a “protect surface” built around the organization’s most critical and valuable DAAS. Because it contains only what’s most critical to business operations, the protect surface is orders of magnitude smaller than the attack surface of the full network perimeter.
This is where network segmentation comes in. Using segmentation, network architects can construct a microperimeter around the protect surface, essentially forming a second line of defense. In some instances, virtual firewalls can automate security provisioning to simplify segmenting tasks. However it is accomplished, authorized users can access assets within the protect surface while all others are barred by default.
Segmentation is bad news for attackers because, unlike in the days of assumed trust, simply penetrating the perimeter isn’t enough to gain access to sensitive information. Microperimeters, whether physical or virtual, prevent threats from moving laterally within the network, essentially negating much of the work that went into creating the initial breach (see figure 2).
Figure 2: Limited movement inside the perimeter with Zero Trust and network segmentation
Organizations can use network segmentation for a variety of applications, including:
Network segmentation can be implemented as either physical or logical segmentation.
As the name implies, physical segmentation involves breaking down a larger computer network into a collection of smaller subnets. A physical or virtual firewall acts as the subnet gateway, controlling which traffic comes in and goes out. Physical segmentation is relatively straightforward to administer because the topology is fixed in the architecture.
Logical segmentation creates subnets using one of two primary methods: virtual local area networks (VLANs) or network addressing schemes. VLAN-based approaches are fairly straightforward to implement because the VLAN tags automatically route traffic to the appropriate subnet. Network addressing schemes are equally effective but require more detailed understanding of networking theory. Logical segmentation is more flexible than physical segmentation because it requires no wiring or physical movement of components to accomplish. Automated provisioning can greatly simplify the configuration of subnets.
Moving to a segmentation architecture provides an opportunity to simplify the management of firewall policies. An emerging best practice is to use a single consolidated policy for subnet access control as well as threat detection and mitigation, rather than performing these functions in different parts of the network. This approach reduces the attack surface and strengthens the organization’s security posture.