In a previous article, The Perimeter is Dead, Long Live the Perimeter, we outlined the importance of keeping bad actors outside of your network, but also touched upon the fact that not all bad actors reside outside of your organization’s walls. In another fantastic article, Insider Threats: The Threat Down the Hall, we discussed internal threats, which are a concern to all organizations. Often overlooked is the security of the backbone to your organization: The Network.
You likely have one or more of these technical solutions in place to help notify you, or act against, common threats from the outside:
- Web Content Filtering
- Spam and Malicious Email Filtering
- Data Loss Prevention (DLP)
- Intrusion Detection System (IDS)
- Intrusion Prevention System (IPS)
For many small to medium businesses these features are incorporated into appliances or other platforms: Microsoft Office 365 can be leveraged to provide your organization with both email filtering and DLP, and your Unified Threat Management (UTM) firewall can also provide IDS, IPS, and content filtering. While these technologies help prevent perimeter threats, they rarely have any impact on the inside of your network. So what tools can small to medium businesses use to protect their sensitive data within the confines of their local network? Can any of the equipment or systems already in place be leveraged to provide this functionality?
Often “The Network” is seen as an abstract, ethereal being (after all, it’s often represented as a cloud on network diagrams); however, “The Network” is no more abstract than “The Office”. You likely already track visitors, have secure areas that not all employees are permitted to enter, and may even use RFID badges for access. If so, you are effectively segmenting your office.
At a high level, your network can be segmented by data classification (restricting access based on a need to know) or by role/function (restricting access based on the device, person, or organizational unit). For many small to medium businesses, it can be burdensome to classify all data residing on the network because, frankly, it can be difficult to simply identify all of your data (for example: do you know what kind of data is stored on each employee’s workstation?). Because of this, I’ll focus on segmenting a typical small to medium business network based on role; the challenges and intricacies of data classification warrant another series of articles, and classification is a prerequisite to segmenting your network by it.
At a minimum, the average small to medium business should have a breakdown similar to this:
- Guest Wireless
- Corporate Wireless
- Voice and/or Internet of Things (IoT) Devices
- Device Management
Likely, you are already segmenting your Guest Wireless network from your servers; after all, third parties should never be able to communicate with your servers without supervision. However, corporate wireless devices are often treated the same as wired devices. While this can make it easy for you to use your laptop wirelessly in a conference room, it also makes it easy for an employee to connect their smartphone (which likely isn’t fully patched and may contain malicious applications) to the network they know. Similarly, your servers and workstations have different network access requirements; your employees
Voice and IoT Devices
Often overlooked when planning for network segmentation are Voice and IoT devices. In today’s information age we often fail to recognize that the phone on your desk, your security cameras, and even that smart speaker are fundamentally no different from the device you’re using to read this article. Each of these devices runs its own operating system, complete with its own applications and security vulnerabilities. Because these devices are often neglected when applying updates (and manufacturers tend to take much longer to address security vulnerabilities in them), it is crucial to ensure that they are not permitted to communicate with sensitive systems that are not required for their functionality.
Servers and Network Equipment
Lastly, your servers and network equipment likely have dedicated connections that allow IT administrators to securely configure and manage these devices. While these devices may suffer from the same risks associated with Voice and IoT devices, it’s also important to make every effort to allow only authorized parties to access these management services. This can be as simple as instructing the firewall to allow administrative connections only from dedicated computers, but it is often more effective to create a dedicated network used only for the management of systems.
How to Segment Your Network
But how do we separate these networks? Operating six unique networks must surely require six times the equipment and significantly multiply the complexity of the server rack, right? Most small to medium businesses likely already have the necessary equipment to facilitate network segmentation and are already leveraging a similar technology elsewhere: virtualization.
Virtual Local Area Networks (VLANs) are logically separate networks that operate on the same physical hardware, in much the same way that server virtualization using VMware ESXi or Microsoft Hyper-V can be used to logically separate operating systems and servers on the same physical hardware. This is what allows guests to use your existing wireless infrastructure securely, as previously mentioned. Using VLANs you can provide additional barriers between resources within the organization, crucially restrict access between these networks, and provide additional data for any security monitoring solution. At a high level, you assign VLANs to physical connections, and a connection can carry multiple VLANs; the connection corresponds to the network port on the wall and thus to the device plugged into it.
For network segmentation, you may opt to restrict access in the following manner:
- Permit your Workstations to communicate with the Server VLAN but not with other Workstations or the Wireless VLANs
- Deny your Voice/IoT VLANs communication with your Workstations, Wireless devices, and possibly even Servers
- Only permit specific Workstations or Servers the ability to communicate with the Management network
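To make the restriction list above concrete, and to show the per-host management allow list described under Servers and Network Equipment, here is an added example (not code from the original article) that models a role-based VLAN plan as a default-deny policy and checks exported flow records against it, so that traffic crossing a segment boundary the policy forbids is surfaced. The VLAN ids, subnets, the two hosts permitted into the management VLAN, and the flow records are all constructed assumptions for illustration.

```python
import ipaddress

# Hypothetical VLAN plan for a small business, constructed for this example.
# VLAN id -> (role, subnet). Ids and subnets are assumptions, not from the article.
VLANS = {
    10: ("Workstations", "10.0.10.0/24"),
    20: ("Servers", "10.0.20.0/24"),
    30: ("Corporate Wireless", "10.0.30.0/24"),
    40: ("Guest Wireless", "10.0.40.0/24"),
    50: ("Voice/IoT", "10.0.50.0/24"),
    99: ("Management", "10.0.99.0/24"),
}
WORKSTATIONS, SERVERS, MANAGEMENT = 10, 20, 99

# Inter-VLAN flows that are explicitly permitted; everything else is denied.
ALLOWED_PAIRS = {
    (WORKSTATIONS, SERVERS),  # workstations may reach the server VLAN
}

# The only hosts permitted into the management VLAN (assumed: one admin
# workstation and one jump server). This is a per-host list, not a per-VLAN rule.
MANAGEMENT_ALLOWED = {"10.0.10.5", "10.0.20.10"}

# VLANs whose members may not talk to each other (private-VLAN style isolation).
ISOLATED_VLANS = {WORKSTATIONS}


def vlan_of(ip: str):
    """Return the VLAN id whose subnet contains ip, or None if the address is unknown."""
    addr = ipaddress.ip_address(ip)
    for vid, (_role, cidr) in VLANS.items():
        if addr in ipaddress.ip_network(cidr):
            return vid
    return None


def role(ip: str) -> str:
    """Human-readable role of the VLAN an address belongs to."""
    vid = vlan_of(ip)
    return VLANS[vid][0] if vid is not None else "unknown"


def is_permitted(src_ip: str, dst_ip: str) -> bool:
    """Decide whether a flow from src_ip to dst_ip is allowed by the segmentation policy."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False  # address outside the plan: deny and investigate
    if dst == MANAGEMENT:
        return src_ip in MANAGEMENT_ALLOWED  # only named hosts reach management
    if src == dst:
        return src not in ISOLATED_VLANS  # intra-VLAN traffic, unless isolated
    return (src, dst) in ALLOWED_PAIRS  # default deny between VLANs


# Constructed flow records ("src dst dport"), as a firewall might export them.
SAMPLE_FLOWS = """\
10.0.10.23 10.0.20.10 445
10.0.10.23 10.0.10.24 445
10.0.50.7  10.0.20.10 443
10.0.40.12 10.0.20.10 80
10.0.10.5  10.0.99.1  22
10.0.30.8  10.0.99.1  22
10.0.50.7  10.0.50.9  5060
"""


def find_violations(flow_text: str):
    """Return (src, dst, port) for every flow the segmentation policy denies."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        if not is_permitted(src, dst):
            violations.append((src, dst, int(port)))
    return violations


if __name__ == "__main__":
    for src, dst, port in find_violations(SAMPLE_FLOWS):
        print(f"DENIED {role(src)} {src} -> {role(dst)} {dst}:{port}")
```

Running the block reports the workstation-to-workstation, Voice/IoT-to-server, guest-to-server and wireless-to-management flows from the sample records, while workstation-to-server, the admin workstation into management, and phone-to-phone traffic pass. The same table of allowed pairs is what you would translate into inter-VLAN firewall rules; keeping the policy in one place and checking observed flows against it is a cheap way to find both misconfigured rules and devices plugged into the wrong port.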
Your specific implementation will need to be carefully crafted to your needs to ensure your organization is still able to function, and this process may require updates to your hardware. But what if you’d like to implement less drastic controls, or further enhance your overall network security after you’ve segmented your network? Learn more in our article to follow: Implementing Network Security: Part II