Network Segmentation: Definition and Benefits

Network segmentation splits a computer network into smaller networks, or segments. The goals of this approach to network architecture include enhanced performance and improved security.

This does not necessarily mean that each segment is completely isolated. A segmented network can allow certain types of data to move from one segment to another, and it can be set up to permit the transfer of information only between specified source and destination segments. The decisions made in this regard are known as the network segmentation policy.

As simple examples, an educational organisation segments student devices and administrative systems, or a healthcare organisation isolates sensitive patient data through network segmentation. 

Types of Network Segmentation

Physical Segmentation

Physical segmentation is achieved by separating networks at the hardware level. For example, if a network is based in a single location, this can be achieved using physically separate switches, an approach that differs from virtual local area networks (VLANs). 

This type of segmentation is often used to separate IT environments (connected, non-autonomous systems run using mainstream operating systems) and OT environments that are autonomous and operate using proprietary software. Certain segments may access the internet, while a particularly sensitive segment may be “dark,” i.e., it does not have regular internet connectivity.

Virtual Segmentation

Virtual segmentation (logical segmentation) approaches include the use of software features within switches, or a stack of switches, to manage virtual networks. Access control lists (ACLs) and routing policies control the movement of traffic and implement access control. However, firewalls must still distinguish between trusted traffic from inside and untrusted traffic from outside networks. VLANs alone are therefore not sufficient as an internet boundary security measure between trusted and untrusted zones. 

Benefits of Network Segmentation

Enhanced Threat Management

Hackers generally begin by compromising a device or devices. They then initiate lateral movement through networks in an attempt to compromise more devices and perform wider reconnaissance. By controlling the policies between network segments, this movement can be limited.  

Stricter Access Control

Because a network segmentation policy adds rules that go beyond role-based access to network segments, access control can be made even more effective. For example, if a device has outdated anti-virus software or its firewall is not enabled, its user will be unable to access the network. Instead, the device may be placed on a guest network from which the user can apply updates or enable the firewall.
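As an added illustration (not code from the article or from Advantex), the following Python models the posture check described above together with a default-deny segmentation policy; the segment names, the seven-day signature threshold and the allow-list are assumptions.

```python
from dataclasses import dataclass

# Assumed posture threshold and segment names; none of these come from the article.
MAX_AV_SIGNATURE_AGE_DAYS = 7

# The segmentation policy as an explicit allow-list of (source, destination, TCP port).
# Any cross-segment flow not listed is denied; that default deny is what limits lateral movement.
ALLOWED_FLOWS = {
    ("corporate", "finance", 443),   # staff reach the finance application over HTTPS only
    ("corporate", "internet", 443),
    ("guest", "internet", 443),      # remediation segment: updates only, no internal reach
    ("guest", "internet", 80),
}   # "ot" appears nowhere, so the OT segment stays "dark" with no path in or out

@dataclass
class Device:
    name: str
    av_signature_age_days: int
    firewall_enabled: bool

def assign_segment(device: Device) -> str:
    """Posture check: a device failing either test is placed on the guest segment."""
    if device.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS or not device.firewall_enabled:
        return "guest"
    return "corporate"

def is_allowed(src: str, dst: str, port: int) -> bool:
    """Evaluate the policy for one flow; traffic within a segment is not filtered here."""
    return src == dst or (src, dst, port) in ALLOWED_FLOWS

def flow_decision(device: Device, dst: str, port: int) -> tuple:
    """Segment assigned by posture, and whether the requested flow is permitted from it."""
    segment = assign_segment(device)
    return segment, is_allowed(segment, dst, port)

if __name__ == "__main__":
    healthy = Device("lt-01", av_signature_age_days=2, firewall_enabled=True)
    stale = Device("lt-02", av_signature_age_days=30, firewall_enabled=True)
    print(flow_decision(healthy, "finance", 443))   # ('corporate', True)
    print(flow_decision(stale, "finance", 443))     # ('guest', False)
    print(flow_decision(stale, "internet", 443))    # ('guest', True)
```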

Improved Network Performance

Quality of Service (QoS) standards prioritise and manage traffic so that critical applications have access to sufficient bandwidth. Since network segmentation isolates traffic, it reduces the amount of competition for network resources, reduces latency, and improves performance. 

Regulatory Compliance

Data protection laws specify that sensitive data should be accessible only to a limited number of authorised users. Network segmentation forms part of your data protection system and facilitates compliance.

Network Segmentation Best Practices

Good principles and intentions can fail because of poor implementation. To avoid this, follow these network segmentation best practices:

  • Have clear objectives for what segmentation should achieve. The overall aim is to protect networks without introducing too much complexity; the specifics depend on the organisation, what it does, and the data it handles.
  • Build on zero-trust principles, which are the foundation of network segmentation best practice. Users and devices should be continuously authenticated to verify that they are allowed access to networks, and they must have only the permissions they need to perform their tasks.
  • Enforce isolation of network segments through role-based access control (RBAC). Once a user or device is authenticated under a zero-trust architecture (ZTA), routing rules control its network permissions and allow it to reach only the appropriate segments.
  • Avoid both under-segmentation and over-segmentation. Under-segmentation limits security isolation and can affect functionality and performance. Over-segmentation can result in a larger attack footprint, because the added complexity makes misconfiguration more likely, and a hacker may then find lateral movement easier and affect more devices.
  • Monitor networks and log all network activity. Visibility gaps provide an attack surface that can be easily exploited, while automated monitoring and retained activity logs enable rapid threat detection and response.
  • Regularly review and audit networks to ensure compliance and appropriate network configuration.
  • Prepare an effective cyber security incident response plan so that your team can react promptly if a breach occurs despite your best efforts to create secure networks. Review and adjust the plan to prepare for emerging threats and to prevent the recurrence of any incidents that occur.
  • Provide employee training so that everybody understands their role in cyber security. Network segmentation can help to counter attacks and limit damage, but your employees should not be the weakest link in your network security.
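An added example of the monitoring point above, not code from the article or from Advantex: it audits constructed flow-log lines against an assumed segmentation policy and flags cross-segment flows the policy does not permit, which is how the lateral movement described under Enhanced Threat Management shows up in logs. The subnets, the log format and the allow-list are assumptions.

```python
import ipaddress
import re

# Constructed address plan: one subnet per segment (assumption, not from the article).
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "finance": ipaddress.ip_network("10.30.0.0/16"),
    "ot": ipaddress.ip_network("10.50.0.0/16"),
}

# Permitted cross-segment flows (source, destination, TCP port); everything else that
# crosses a boundary is a policy violation and a candidate lateral-movement event.
ALLOWED = {("corporate", "finance", 443)}

# Assumed log format: key=value fields as a firewall or flow exporter might emit them.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the plan is treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def audit(lines):
    """Return (violations, unparsed): policy-violating flows and the count of lines that
    could not be parsed, which is itself a visibility gap worth alerting on."""
    violations, unparsed = [], 0
    for line in lines:
        match = FLOW_RE.search(line)
        if not match:
            unparsed += 1
            continue
        src, dst = segment_of(match.group(1)), segment_of(match.group(2))
        port = int(match.group(3))
        if src != dst and (src, dst, port) not in ALLOWED:
            violations.append((src, dst, port, line))
    return violations, unparsed

# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.10.1.5 dst=10.30.2.8 dport=443 proto=tcp",    # permitted
    "2024-05-01T10:00:02Z src=10.10.1.5 dst=10.10.1.9 dport=445 proto=tcp",    # same segment
    "2024-05-01T10:00:03Z src=10.10.1.5 dst=10.30.2.8 dport=445 proto=tcp",    # SMB into finance
    "2024-05-01T10:00:04Z src=10.10.1.5 dst=10.50.0.20 dport=502 proto=tcp",   # IT host into OT
    "2024-05-01T10:00:05Z src=203.0.113.7 dst=10.30.2.8 dport=443 proto=tcp",  # external into finance
    "2024-05-01T10:00:06Z collector heartbeat",                                 # unparseable
]

if __name__ == "__main__":
    found, gaps = audit(SAMPLE_LOG)
    for src, dst, port, line in found:
        print(f"VIOLATION {src}->{dst}:{port}  {line}")
    print(f"{gaps} line(s) could not be parsed")
```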

How Advantex Can Help

Your aim is a robust IT system, and Advantex achieves it with its access to cutting-edge technologies from best-in-class global partners. We offer tailored solutions that take your organisation’s unique needs into account. Our partners include Cisco, Cisco Meraki and HPE, and our commitment to reliable and secure connectivity has made us a preferred provider for organisations across industries.

Our team acts as your outsourced IT specialist, offering you 24-hour access to highly-skilled technical and cyber security personnel. Thanks to round-the-clock monitoring, we can identify anomalies, often before they become real problems, and in the event of a cyber attack, flood, or fire, our data backup and recovery capabilities get your systems back up and running quickly. 

Helping you to achieve effective network segmentation is only part of what Advantex can do for you. Contact us today to find out more about our network and infrastructure solutions and our comprehensive suite of IT services.

Address

Advantex Network Solutions Limited
16B Follingsby Close
Gateshead
Tyne and Wear
NE10 8YG

Phone

0345 222 0 666