Network Segmentation: You Shall Not Pass!
- CyberSecurity Simplified
- Sep 25, 2022

Written by Jean-Camille LOISEAU | Published 25 September 2022
With multinational companies relying more than ever on their computer networks to conduct business operations, the importance of network security cannot be overstated. For example, the threat of ransomware spreading through unsecured networks has been demonstrated several times over.
According to a report by IBM, data breach costs rose 15% over 3 years, reaching $4.45 million USD in 2023*. These rising costs, and the expansion of remote work, mean that the network too must beef up its security to achieve three core goals:
1. Secure the network perimeter to reduce exposure.
2. Avoid contamination between internal perimeters.
3. Improve detection and response capabilities.
Network security segmentation divides the corporate network into smaller, isolated and controlled segments or “zones”. Each segment is designed to have limited communication with other segments on a need-to basis, controlled by specific security policies. In addition, each zone’s access points can be shut off at a moment’s notice to either protect that zone or quarantine it from the rest of the network: that’s your “red button” strategy.
This approach provides a defense-in-depth strategy to mitigate the risks associated with malware and intrusions.
Ideally, network security segmentation and zoning must be implemented in a manner that enables isolated segments to continue to work independently. For example, you may want to implement a red button approach for a territory or country where the firm operates, so that the staff there can continue working while fully segregated from the wider network.
The zoning strategy you establish should enable isolation of the following perimeters:
- Internet-exposed assets supporting internet-facing services (with a DMZ)
- Production servers
- Non-production servers
- Users, end-user assets and their LAN (workstations, offices)
- Other office assets such as printers, scanners and phones
- Assets under regulatory constraints
- Technical LANs for technical equipment (CCTV, air conditioning, lights)
- Country networks (so the company can segregate one geography’s network from others)
- Business networks (so the company can segregate one business’s network from others)
Within the broader network, various security perimeters can be defined. At a minimum, companies should isolate the critical servers and the assets exposed to the internet and untrusted networks, and all network flows from outside the company should be terminated in a DMZ. Implementing network intrusion detection systems (IDS) and intrusion prevention systems (IPS) along with stateful firewalls goes a long way toward keeping threats at bay, together with regular security posture controls.
You should also establish dedicated and fully segregated production and non-production zones, each with its own level of security. The production zone is where critical business applications and data reside. It must have the highest level of security and be fully isolated from the less critical non-production zones, including the “prod-like” validation environments. This isolation ensures that no connectivity exists between an application’s production and non-production servers, so that even if a breach occurs in a less critical zone, the organization’s core assets retain a degree of safety.
Next in line to be isolated are the users themselves and the assets they use. It is no secret that users are one of the primary causes of security incidents. For example, if a bad actor gains access to your network by compromising a user account, they will attempt to move around the network to access and exploit sensitive data. By zoning off the users, you make it difficult for unauthorized users to compromise the entire network.
Obviously, network segmentation is not a one-size-fits-all approach. You must tailor your segmentation strategy to the specific needs, users and resources in your network. Access control and segmentation policies should be defined based on user roles, privileges, and the sensitivity of the resources they need to access. This model ensures that the right people have access to the right resources, and that unauthorized access is minimized.
Effective network security segmentation also relies on robust network detection capabilities. As mentioned earlier, IDS/IPS play a vital role in identifying and responding to suspicious network activity. These systems can identify anomalies, malicious traffic, and unauthorized access attempts. When suspicious activity is detected, the IDS and IPS act as behavioral gates and can trigger automated responses or alert security personnel for further investigation and action by Computer Security Incident Response Teams (CSIRTs).
You should complement these detection abilities with the capability to isolate or disconnect a segment from the rest of the network in the event of a security breach or suspected compromise. This isolation can prevent lateral movement of attackers within the network and limit the scope of potential damage. The “red button” concept is essentially an emergency shutdown or quarantine feature that can be activated when a security incident is detected, allowing your network administrators to contain the threat swiftly and protect critical assets.
This red button strategy should be implemented carefully and should ideally enable the various user, technical and application zones, or even a country or business network, to continue to operate with a degree of autonomy.
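As an added example (not code from the article), here is a small Python model of the zoning and red-button logic described above: a constructed address plan maps IP addresses to zones, an explicit allow list defines the only permitted inter-zone flows (everything else is denied by default), and pressing the red button for a zone cuts its cross-zone traffic while intra-zone traffic keeps flowing, so the segment can continue working on its own. The zone names, address ranges and allowed ports are assumptions made for illustration only.

```python
import ipaddress
from typing import Dict, FrozenSet, Set, Tuple

# Constructed address plan (assumption): one CIDR block per zone from the
# article's perimeter list. Anything outside the plan is treated as internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "prod": ipaddress.ip_network("10.10.0.0/16"),
    "nonprod": ipaddress.ip_network("10.20.0.0/16"),
    "users": ipaddress.ip_network("10.30.0.0/16"),
    "office": ipaddress.ip_network("10.40.0.0/16"),
    "technical": ipaddress.ip_network("10.50.0.0/16"),
}

# Inter-zone allow list (assumption): (src_zone, dst_zone) -> permitted TCP
# destination ports. A pair that is absent here is denied, which is the
# default-deny, need-to-communicate stance the article describes.
ALLOWED: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("internet", "dmz"): frozenset({443}),   # only the DMZ faces the internet
    ("dmz", "prod"): frozenset({8443}),      # DMZ front-ends reach prod APIs
    ("users", "prod"): frozenset({443}),     # users reach business apps
    ("users", "nonprod"): frozenset({443, 22}),
    ("users", "office"): frozenset({631}),   # printing
}


def zone_of(ip: str) -> str:
    """Return the zone an address belongs to, or 'internet' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


class SegmentationPolicy:
    """Evaluates flows against the allow list and a set of quarantined zones."""

    def __init__(self) -> None:
        self.quarantined: Set[str] = set()

    def press_red_button(self, zone: str) -> None:
        """Quarantine a zone: all cross-zone traffic to or from it is dropped."""
        self.quarantined.add(zone)

    def release(self, zone: str) -> None:
        """Lift the quarantine once the incident is contained."""
        self.quarantined.discard(zone)

    def evaluate(self, src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
        """Return ('allow' | 'deny', reason) for a TCP flow."""
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        # Intra-zone traffic keeps working even under quarantine, so the
        # isolated segment can continue to operate on its own.
        if src == dst:
            return "allow", f"intra-zone traffic within {src}"
        if src in self.quarantined or dst in self.quarantined:
            hit = src if src in self.quarantined else dst
            return "deny", f"red button active for zone {hit}"
        ports = ALLOWED.get((src, dst))
        if ports is None:
            return "deny", f"no policy permits {src} -> {dst}"
        if dst_port not in ports:
            return "deny", f"{src} -> {dst} permits only tcp/{sorted(ports)}"
        return "allow", f"{src} -> {dst} tcp/{dst_port} is explicitly permitted"


if __name__ == "__main__":
    policy = SegmentationPolicy()
    print(policy.evaluate("198.51.100.7", "192.0.2.10", 443))   # internet -> dmz: allow
    print(policy.evaluate("10.20.3.4", "10.10.1.5", 22))        # nonprod -> prod: deny
    policy.press_red_button("users")
    print(policy.evaluate("10.30.1.1", "10.10.1.5", 443))       # users quarantined: deny
    print(policy.evaluate("10.30.1.1", "10.30.2.2", 445))       # still works inside the zone
```

In practice the allow list is what your firewall rule base encodes; a model like this is useful for reviewing the policy matrix before rules are pushed, and the quarantine set corresponds to a pre-staged deny rule group that the red button enables.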
Last but not least, it is important to establish a list of potentially risky or unnecessary ports and protocols your organization should enforce strict controls around. The objective here is to further reduce your attack surface and limit potential vulnerabilities.
Allowing unauthorized or unmonitored protocols can introduce security risks even if Network security segmentation is otherwise implemented. They may be exploited by malicious actors to gain access or move laterally within a network. By proactively monitoring and preventing the use of these forbidden protocols, you can enhance your organization’s security posture, and further safeguard sensitive data.
Here are some examples of protocols to look out for:
- EXEC (+R/K): TCP512
- FTP: TCP21
- IMAP4/IMAP: TCP143 + TCP220
- LOGIN (+R/K): TCP-513 + TCP-UDP541 + TCP-UDP543
- MySQL: TCP3306 + TCP33060
- NetBIOS: TCP137-139
- NFSv1: TCP-UDP2049
- NTLM: UDP137-138
- Oracle-Listener: TCP1521
- POP: TCP110
- PostgreSQL: TCP-UDP5432
- SMBv1 (CIFS): TCP445
- SMTP: TCP25
- Telnet: TCP23
- VNC: TCP5500 + TCP5800 + TCP5900-5901
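Added example (not from the article): a Python scan that turns the watch list above into matching rules and checks flow-log lines for destination ports on that list, which is the kind of monitoring the text calls for. The watch list is written in the article's own `TCP-UDP2049 + TCP5900-5901` notation and expanded by a small parser. The log line format (`src= dst= proto= dport=`) and the sample lines are constructed for illustration; real exporters differ, so the line regex would need adapting. Matching is on destination port only, because an ephemeral source port that happens to equal a listed number would otherwise produce false positives.

```python
import re
from typing import Dict, List, Optional, Tuple

# The article's watch list, keyed by protocol name, in the article's notation.
WATCH_LIST: Dict[str, str] = {
    "EXEC (+R/K)": "TCP512",
    "FTP": "TCP21",
    "IMAP4/IMAP": "TCP143 + TCP220",
    "LOGIN (+R/K)": "TCP-513 + TCP-UDP541 + TCP-UDP543",
    "MySQL": "TCP3306 + TCP33060",
    "NetBIOS": "TCP137-139",
    "NFSv1": "TCP-UDP2049",
    "NTLM": "UDP137-138",
    "Oracle-Listener": "TCP1521",
    "POP": "TCP110",
    "PostgreSQL": "TCP-UDP5432",
    "SMBv1 (CIFS)": "TCP445",
    "SMTP": "TCP25",
    "Telnet": "TCP23",
    "VNC": "TCP5500 + TCP5800 + TCP5900-5901",
}

# "TCP-UDP541", "TCP-513", "TCP137-139" and "UDP137-138" all match this;
# the longest alternative is listed first so "TCP-UDP" is not read as "TCP".
SPEC_RE = re.compile(r"(TCP-UDP|TCP|UDP)-?(\d+)(?:-(\d+))?")


def parse_spec(spec: str) -> List[Tuple[str, int, int]]:
    """Expand one watch-list entry into (proto, low_port, high_port) triples."""
    rules = []
    for m in SPEC_RE.finditer(spec):
        protos = ("tcp", "udp") if m.group(1) == "TCP-UDP" else (m.group(1).lower(),)
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        for proto in protos:
            rules.append((proto, low, high))
    return rules


# Flattened rule table: (proto, low, high, protocol name).
RULES: List[Tuple[str, int, int, str]] = [
    (proto, low, high, name)
    for name, spec in WATCH_LIST.items()
    for proto, low, high in parse_spec(spec)
]


def classify(proto: str, dport: int) -> Optional[str]:
    """Return the watch-list protocol name for a destination port, or None."""
    for rule_proto, low, high, name in RULES:
        if rule_proto == proto.lower() and low <= dport <= high:
            return name
    return None


# Assumed flow-log line layout (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def find_risky_flows(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed flow whose destination port is on the watch list."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a layout this parser does not understand
        name = classify(m.group("proto"), int(m.group("dport")))
        if name:
            findings.append({**m.groupdict(), "protocol": name})
    return findings


# Constructed sample log: four of the six flows hit the watch list.
SAMPLE_LOG = """\
2022-09-25T10:00:01Z src=10.30.1.1 dst=10.10.1.5 proto=tcp dport=443 bytes=5120
2022-09-25T10:00:02Z src=10.30.1.1 dst=10.10.1.5 proto=tcp dport=445 bytes=900
2022-09-25T10:00:03Z src=10.30.2.2 dst=10.40.0.9 proto=tcp dport=23 bytes=300
2022-09-25T10:00:04Z src=10.50.0.3 dst=10.50.0.4 proto=udp dport=137 bytes=120
2022-09-25T10:00:05Z src=10.20.3.4 dst=10.20.3.5 proto=tcp dport=5901 bytes=4000
2022-09-25T10:00:06Z src=10.30.1.1 dst=10.10.1.5 proto=tcp dport=8443 bytes=200
"""

if __name__ == "__main__":
    for hit in find_risky_flows(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} {hit['proto']}/{hit['dport']}: {hit['protocol']}")
```

Each finding carries the source zone's address, so the output can be joined with the zoning policy to tell an expected use (for example, a legacy printer on its own technical LAN) from a cross-zone use that the policy should have blocked.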
Network segmentation is a critical strategy to adopt in the face of constant and evolving cyber threats. It helps mitigate the risks of malware and intrusion propagation and minimize their impact. By employing network detection and efficient network isolation capabilities, and by defining user and resource perimeters and isolating critical zones, organizations can create a robust defense-in-depth security architecture.
This is the key to safeguarding servers and data. Network security segmentation should be a fundamental component of any comprehensive cybersecurity strategy, and its importance cannot be overstated in protecting the modern enterprise.
Sources:
* https://www.ibm.com/reports/data-breach