Network segmentation is an architectural approach that divides a network into smaller, distinct sub-networks – or subnets. This allows a company to compartmentalise different areas in its network for increased security and improved performance.
Let’s take a look at network segmentation and how you can use it to make your IT infrastructure more secure.
How does network segmentation work?
Network segmentation works through the process of separating, or segmenting, a network into smaller subnets. A company’s network security team will first group, or segment, its data, applications, assets, and services (DAAS) according to their security requirements, before applying flexible, finely-tuned security policies and controls to each compartmentalised subnet.
Network segmentation cyber security can be implemented:
- Physically: through the use of hardware like switches, routers, and firewalls.
- Logically: i.e., virtually, via virtual local area networks (VLANs).
With network segmentation security controls in place, security teams have much more influence over how traffic flows within their network. They can choose to prevent all traffic from one subnet from reaching another, or restrict it according to its type, source, destination, etc. How security teams decide to divide a network into subnets is called a segmentation policy. By limiting, or restricting, unnecessary communication subnets, a segmentation policy makes a network more secure and efficient by ensuring traffic is only directed to appropriate parts of the network and can’t access critical parts of a company’s infrastructure.
Traditionally, in contrast, network segmentation cyber security strategies mainly focused on the network perimeter: the boundary separating the company’s data and infrastructure from the outside world. This created internal and external segments based on trust, where everything within the network was trusted while anything outside of it was not. Consequently, there are few restrictions on internal resources and if a threat actor were to breach the network perimeter, they were free to move laterally within it and access any of the company’s data and assets.
However, today with the proliferation of mobile devices, the rapid adoption of cloud computing, and the explosion in the use of IoT devices, network perimeters are increasingly blurred. More importantly, the increase in the number, variety, severity, and sophistication of cyberthreats means that entities within a network can’t be automatically assumed trust and given free rein over data and resources.
Network segmentation offers a powerful solution to this problem by enabling security teams to isolate critical data and assets from the rest of the network and establishing granular policies and controls for how they can be accessed and by whom. Subnets also allow companies to implement zero trust security policies, whereby entities within their network are never implicitly trusted and protect their most important DAAS with additional micro-perimeters in light of this.
An example of how network segmentation can be used is for implementing a company’s guest WIFI network. The company’s IT team can create a subnet for guests to log into that provides them with internet access while isolating them from the network’s critical data and applications. This keeps the guest’s devices away from finance and HR servers, for example, which contain sensitive data and needn’t communicate with external traffic.
What is microsegmentation?
Microsegmentation is a type of network segmentation that allows a network to be divided into individual workloads, and where granular security controls are applied to each unique subnet. A workload refers to all the resources and processes required to run an application or service, whether a physical server, operating system, virtual machine (VM) or container.
Now, while network segmentation restricts access between subnets, it lacks the ability to limit traffic between DAAS within a subnet. Subsequently, if a malicious actor managed to breach a particular subnet, the threat would still be contained within that segment of the network – but the actor could still compromise all the data and resources within that subnet.
By placing protective perimeters around each workload, microsegmentation prevents lateral movement between individual network resources, i.e., DAAS. While general network segmentation restricts unwanted “north-south” traffic, from outside to inside the network, microsegmentation also accounts for “east-west”, i.e., workload to workload traffic.
The additional security between workloads that microsegmentation provides is increasingly important as more companies run distributed workloads across cloud environments – and there’s more scope for lateral movement. Similarly, microsegmentation is ideal for dynamic environments, like the cloud, in which workloads like VMs and containers can be deployed in seconds. Microsegmentation allows teams to apply granular security controls to each workload, as soon as its launched onto the network, so applications and services remain secure even as they scale.
How network segmentation can benefit your business
Now you have a better idea of how network segmentation works, let’s delve into the advantages it offers your company.
Protects your IT infrastructure
Firstly, by restricting the flow of traffic, network segmentation makes your IT infrastructure more secure. Network segmentation allows security teams to place more exposed, internet-facing assets, such as web servers, in “demilitarised zones”, or DMZs, isolated from critical internal apps and services. As there’s limited external traffic directed towards sensitive areas of the network, there’s far less chance of them being breached or compromised by cybercriminals.
Limits the spread of a cyberattack
Just as importantly, network segmentation security restricts the damage caused by a cyberattack if one were to take place.
While, a large, flat network presents malicious actors with a bigger attack surface, a series of smaller subnets compartmentalises the attack surface. So, if a cybercriminal breaches your cyber security defences, they’ll only have access to the subnet they managed to infiltrate and their lateral movement within the network traffic will be impeded. Better still, with the implementation of microsegmentation, a cyberthreat can be contained within a particular workload.
Additionally, network segmentation allows security teams to better locate, and subsequently isolate, active cyber attacks before they spread. With their network divided into subnets, it’s easier for security personnel to pinpoint the source of a threat than within a single, flat network topology.
Improves network performance
As well as boosting your network’s cyber security posture, segmentation improves its performance by removing unnecessary traffic from particular subnets and redirecting the remaining traffic more efficiently. Subnets that no longer have to process external traffic will have fewer resources competing for bandwidth and will be more performant as a result. Similarly, segmentation reduces the size of each broadcast domain within the network so the DAAS within each subnet can communicate faster and more effectively.
Additionally, network segmentation results in superior monitoring capabilities, as it enables security teams to introduce more points where traffic can be monitored. At the very least, cyber security personnel will have increased visibility between subnets – while implementing microsegmentation allows for monitoring traffic between workloads.
Types of network segmentation
Now we have a better idea of how network segmentation works, let’s move on to the different ways to segment a network, namely physical and virtual segmentation.
Physical network segmentation involves rearchitecting a network into subnets through devices such as firewalls, switches and routers. This physically changes the network topology with traffic rerouted to different segments of the network through the additional devices.
Physical segmentation is relatively straightforward to implement because the updated network is determined by the architecture. However, the downside of this approach is the cost of the extra hardware, and the larger a company’s network, the higher the cost of implementation.
Logical segmentation creates subnets virtually on the existing network infrastructure through the creation of virtual local area networks (VLANs). Traffic is then routed to the appropriate subnet via VLAN tags stored within data packets that indicate their destination. Alternatively, logical segmentation can be achieved through network addressing schemes, which separate different network resources into layer 3 subnets and use a router to pass data between them.
While logical segmentation is more complicated to implement than physical segmentation, it’s more flexible and cost-effective as it doesn’t require any physical changes to the network’s topology.
The first steps to help your business implement network segmentation
Although the concept of network segmentation and making significant changes to your company’s IT infrastructure can, understandably, appear complex – and even daunting. Fortunately, the process can be made smoother and more cost-effective with the right professional cyber security services partner.
If you’d like to learn more about how network segmentation strengthens your company’s cyber security posture or to discuss best practices for network segmentation, contact RiskXchange.