Simply put, network segmentation is the act of dividing a computer network into smaller physical or logical components.
Two devices on the same network segment can talk to each other directly. For communication to happen with devices on a different segment, traffic must flow through an external demarcation point (typically a router or firewall). This provides an opportunity for traffic to be inspected or security policies to be applied, increasing overall security.
Network segmentation is one of the best mitigations against data breaches, ransomware infections, and other types of cybersecurity threats. In a properly segmented network, groups of end devices like servers and workstations have only the connectivity required for legitimate business use. This limits the ability of ransomware to spread or an attacker to pivot from system to system.
Yet far too many organizations operate an unsegmented or “flat” network. Which is why we’re now going to explore:
- How Network Segmentation Is Implemented
- Benefits of Network Segmentation
- Who Needs Network Segmentation
- Network Segmentation Challenges and New Approaches
How Is Network Segmentation Implemented?
There are many ways to effectively segment a network, but Virtual LANs (VLANs) and subnets have traditionally been the most popular.
- A VLAN is a logical construct that separates traffic at the switch level.
- Subnets, on the other hand, operate at the IP address and router level.
The two are frequently used together in a one-to-one fashion.
There are many different approaches to network segmentation design. It’s common for companies to section off portions of a network by business department, assigning different VLANs to finance, engineering, and so forth. Traffic between departments can then be inspected or restricted based on business requirements. Access to an internal HR database, for example, could be limited to only those devices on the HR subnet or VLAN.
Another common approach involves deploying different zones with varying security requirements. Servers and databases, for example, are commonly placed into a “demilitarized zone” (DMZ) with much stronger security measures than other parts of the network. This can prevent a malware infection on a company workstation from spreading to servers hosting critical data.
Want more insight into data security trends? Download our in-depth data breach statistics report.
Segmentation can also be based on device type. IoT devices are commonly placed on their own network partition to increase security. In a healthcare setting, for example, X-Ray machines and other connected medical devices might be kept separate from the rest of the network. Different approaches to segmentation can be mixed and matched, depending on technical and business requirements.
What Are The Benefits of Network Segmentation?
The design of a network plays a key role in how effectively an organization can defend against, identify, and recover from security incidents. Statistics on data breaches show that threat actors have become adept at breaching the “perimeter” of a network where defenses are traditionally located. A well-compartmentalized network comprising isolated network segments can limit the ability of an attacker to move laterally and “pivot” from system to system.
To understand the risks of an unsegmented or flat network, we can look at the real-world example of Target’s 2013 data breach.
According to news reports (KrebsOnSecurity), the breach began when an employee at a refrigeration contractor used by Target fell for a phishing email. After compromising the contractor’s systems, the attackers went after a vendor management portal Target used to handle third-party invoicing.
From here, they were able to move laterally through Target’s internal network, eventually managing to install malware on point-of-sale (POS) terminals throughout the company’s stores. In the wake of the attack, Target implemented enhanced segmentation to prevent the kinds of lateral movement that attackers took advantage of.
Effective network segmentation can also make it easier to spot signs of an attack. It’s not uncommon for a company’s Intrusion Detection System (IDS) to generate so many alerts that many go uninvestigated.
By concentrating resources in more sensitive portions of the network, security teams can prioritize incidents likely to have the biggest impact to the organization. Traffic flows between different network segments can also be monitored for patterns, with unusual activity potentially indicating an attack.
Who Needs Network Segmentation?
Organizations of all types and sizes can benefit from a well-designed network, but good segmentation is especially important in certain industries.
- Healthcare providers: Healthcare organizations must take care to safeguard sensitive patient data, and so may choose to carve out high-security slices of their network to store medical records.
- Retailers: PCI network segmentation is important for retailers and involves strictly controlling access to parts of the network where cardholder data is processed.
Another common use case for network segmentation is to provide access to guests or visitors. The traffic from the guest VLAN or subnet is kept separate from the rest of the corporate network, ensuring visitors can’t access company data.
Network Segmentation Challenges and New Approaches
The traditional approach to network segmentation – dividing the network into VLANs and subnets – requires a great deal of manual effort and doesn’t scale well.
Network architects must carefully decide which resources belong on the same network segment, and come up with appropriate security policies to govern communication between segments. Engineers must then program all of the impacted switches, routers, and firewalls, a painstaking and often error-prone process. In complex environments that have existed for years, implementing network segmentation best practices may be impossible without disrupting business operations.
To address these issues, IT leaders are turning to new approaches like microsegmentation and software-defined networking (SDN). These approaches decouple the enforcement of segmentation policies from the physical network infrastructure, allowing more granular control and easier administration.
- Microsegmentation allows control of network traffic down to the application or workload level.
- SDN can enable multi-tenancy by presenting different virtual networks to different customers while utilizing the same underlying physical infrastructure.
Both microsegmentation and SDN are increasingly being used to implement something called a Zero Trust Model. In this model, users and devices are considered untrustworthy by default, even if they are already inside the corporate network. To become “trusted” and gain access to network resources, the device or user must meet certain conditions, such as undergoing a virus scan or completing Two-Factor Authentication (2FA).
Whether you’re trying to achieve PCI compliance or simply enhance security in your organization, network segmentation is an important part of a broader information security program. The Varonis Data Protection platform can help you identify the parts of your network where important data is being stored so you can build an effective segmentation strategy. Want to learn more? Schedule a 1:1 demo today!
We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.How it works
Robert is an IT and cyber security consultant based in Southern California. He enjoys learning about the latest threats to computer security.