Network Segmentation - Best Practices

Best practices for splitting up networks and network segmentation

Network segmentation refers to the process of breaking up a computer network (LAN) into smaller sub-networks. There are several reasons for doing this, and several ways of implementing network segmentation, which we will discuss below.

Security, Data and Privacy Protection

Security concerns remain the single most important reason for segmenting a LAN. When an attacker or malicious software gains access to a company’s LAN, the security exposure is severe. With a “flat” or non-segmented network, the “blast radius” of a breach (the set of systems a single compromise can reach) extends throughout the entire network. A single compromised device can flood the network with broadcast traffic, and a group of compromised devices can easily cripple it. Jumping from host to host or server to server (lateral movement) is much more easily accomplished when all these devices communicate on the same LAN. Segmenting the LAN into smaller sub-networks, each defining its own broadcast domain and each controlled by its own security policies, greatly reduces the breach blast radius and ideally limits the damage to the compromised sub-network. Note that splitting the broadcast domain alone does not achieve this: the reduction in blast radius comes from the layer-3 filtering enforced between the segments, so a segment whose policy toward its neighbors is “allow any” is still effectively flat.

LAN Performance

Another major motivation behind segmenting your LAN is performance. When a LAN is allowed to bloat (in terms of hosts, servers, users, and applications), performance naturally suffers as more and more traffic and resources are demanded of the network. For any organization of decent size this can escalate quickly as the organization builds out. A flat LAN forces the traffic of every function and role onto the same broadcast domain, and business-critical, latency-sensitive, and bandwidth-consuming traffic and application flows start congesting the network until bottom-line performance suffers.

Separating corporate functional areas into individual sub-networks is how an enterprise should manage its LAN. As a general statement, finance, human resources, engineering, manufacturing, marketing, etc., do not need access to each other’s data or applications, and logical network segmentation helps ensure that compartmentalized data and records are not available to groups of users that do not require them. A properly segmented LAN then carries only the traffic it needs to, keeping congestion to a minimum and overall performance optimized.

Compliance Considerations

Many industries and businesses must guarantee compliance with various government rules, regulations, and standards. Any company involved in health care, or that deals with patient health records, must satisfy HIPAA (Health Insurance Portability and Accountability Act) requirements to ensure the data is protected. Any company involved in financial services, or even a company that stores credit card information for its customers, must similarly satisfy PCI DSS (Payment Card Industry Data Security Standard) requirements to ensure that this information is well protected. There are many other regulated industries where demonstrating compliance with mandated rules and standards is essential for the business to operate.

Network segmentation greatly facilitates these compliance checks. When done properly, the segmented networks contain only the data records and workflows absolutely required for the specific, sensitive data being protected. Without segmentation, corporate LANs are much too large, and contain so much extraneous traffic and data, that it becomes very difficult (if not impossible) to ensure that the network is in compliance with the appropriate regulations. With proper segmentation, ensuring that a particular sub-network is in compliance, while still a difficult task, becomes a much more tractable endeavor. Bear in mind that a segment is only removed from scope when the controls separating it are shown to work, so the segmentation itself has to be tested and documented, not merely configured.

Protecting Vulnerable Hardware

One other subset of the general security considerations is using network segmentation to protect critical devices on enterprise networks. Compromise of devices such as hospital patient-monitoring equipment or infusion pumps can have extremely dire consequences. Similarly, as IoT (Internet of Things) continues to expand its reach and becomes more ubiquitous, many networked devices will monitor and control everything from a building’s environmental controls to a city’s traffic lights and security cameras. Such devices often run embedded software that cannot be patched quickly, if at all, so it is critical that they reside on the smallest possible sub-network, with no access from unauthorized users or applications. Again, this is no small task, but it becomes more manageable if the network is segmented properly.

Methods for Segmenting a Network

Let’s discuss five methods of segmenting your LAN: physical segmentation; virtual or software-defined segmentation via VLANs and via SD-WAN; cloud-based segmentation; and microsegmentation, the latest and most sophisticated of the methods.

Physical Segmentation

Physically breaking up a LAN into separate networks requires that each segment have its own physical infrastructure, including cabling, switches, and firewalls. This is clearly highly secure, as there is no physical or electrical path between the segments (provided no dual-homed device or stray cable bridges them). It is also quite difficult to implement and maintain, as fresh hardware, associated configuration, and new cabling are required for any significant change in the network. In general this simply isn’t feasible in today’s networking reality, due to the cost and time required to implement physically separated networks, but there are cases when physical segmentation is warranted.

Virtual Segmentation via VLANs

Segmenting networks into smaller sub-networks via VLANs has been a common approach for decades, and is still widely used. A VLAN (IEEE 802.1Q) partitions a switched LAN at layer 2: each VLAN is its own broadcast domain, and frames are tagged so that a switch port only delivers traffic for the VLANs it is assigned to. Each VLAN is then given its own IP subnet, so hosts within a VLAN can communicate directly with each other, while communicating with another VLAN requires crossing a layer-3 device, where permissions are enforced, typically via ACLs (access control lists) and firewall rules on routers, layer-3 switches, and firewalls.

When VLANs are used in coordination with well-placed and well-configured firewalls, the network becomes much more difficult to compromise. Separate VLANs have no layer-2 path between them, and firewalling each (or at least the most sensitive) VLAN can restrict what enters the sub-network from other segments or from outside. The separation is only as good as the switch configuration, however: a user port that is allowed to negotiate itself into a trunk, a trunk that carries its native VLAN untagged, or an unused VLAN still permitted on an uplink can give an attacker a path between VLANs that never touches the firewall.

VLANs together with firewalls remain a very powerful and convenient way to segment a LAN. But there is a lot of work involved in setting up and maintaining ACLs and firewalls, and as network requirements change and evolve, the VLAN infrastructure must be updated accordingly.

Virtual Segmentation via SD-WAN

The explosion of software-defined networking (SDN) and software-defined WAN (SD-WAN) over the last decade or so has greatly facilitated network segmentation. Many organizations now leverage multiple WAN transports in order to achieve optimal application performance, particularly for VoIP, teleconferencing, live video streaming, high-bandwidth mobile internet, UCaaS, and other mission-critical applications. With this method, the SD-WAN device builds a virtual overlay on top of the physical network, and the orchestrator (high-level, user-friendly software) allows for traffic marking and filtering to control where traffic is allowed to flow.

Depending on your network requirements, you should be able to easily configure your SD-WAN appliance to create multiple LAN networks/subnets by creating bridge aliases. Adding a bridge alias through the GUI creates an additional LAN network, or VLAN, with the desired subnet. Once multiple subnets, or VLANs, are defined, advanced firewall rules allow layer-3 filtering between them: traffic between subnets can be allowed or blocked based on incoming/outgoing interface, source/destination IP addresses and ports, and protocol (TCP, UDP, ICMP, and many others). As with any layer-3 ACL, the rule set should end in an explicit deny-all, so that a newly created subnet is isolated by default until a rule permits its traffic.
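To make the VLAN-plus-ACL design concrete, here is an added example (not code from the original article or from any SD-WAN product) that models inter-VLAN layer-3 filtering with first-match, implicit-deny semantics and then compares the blast radius of a compromised workstation on a flat network against the same workstation on a segmented one. The VLANs, hosts, listening services, and rules are all constructed for illustration; the one behaviour worth noticing is that traffic inside a VLAN is switched at layer 2 and never reaches the ACL, which is the gap microsegmentation later closes.

```python
"""Inter-VLAN layer-3 filtering and blast-radius comparison.

Added example, not from the original article: a small model of the
VLAN-plus-ACL design described above. Hosts, VLANs, and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str                  # source IP
    dst: str                  # destination IP
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in self.src
                and ip_address(flow.dst) in self.dst
                and self.proto in ("any", flow.proto)
                and (self.dport is None or self.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match means deny (implicit deny-all)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


@dataclass(frozen=True)
class Host:
    ip: str
    services: Tuple[Tuple[str, int], ...]   # listening (proto, port) pairs


def same_vlan(a: str, b: str, vlans: List[IPv4Network]) -> bool:
    ia, ib = ip_address(a), ip_address(b)
    return any(ia in v and ib in v for v in vlans)


def reachable_hosts(src_name: str, hosts: dict, vlans: List[IPv4Network],
                    rules: List[Rule]) -> List[str]:
    """Names of hosts with at least one service reachable from src_name.

    Intra-VLAN traffic is switched at layer 2 and never passes the ACL, so it
    is always reachable; inter-VLAN traffic must be allowed by a rule.
    """
    src = hosts[src_name]
    reached = []
    for name, host in hosts.items():
        if name == src_name:
            continue
        for proto, port in host.services:
            if same_vlan(src.ip, host.ip, vlans):
                allowed = True
            else:
                allowed = evaluate(rules, Flow(src.ip, host.ip, proto, port)) == "allow"
            if allowed:
                reached.append(name)
                break
    return sorted(reached)


# Constructed inventory: one VLAN per functional area.
USERS, FINANCE = ip_network("10.10.0.0/24"), ip_network("10.20.0.0/24")
SERVERS, MEDICAL = ip_network("10.30.0.0/24"), ip_network("10.40.0.0/24")
SEGMENTED_VLANS = [USERS, FINANCE, SERVERS, MEDICAL]
FLAT_VLANS = [ip_network("10.0.0.0/8")]       # everything in one broadcast domain

HOSTS = {
    "ws-hr-01":  Host("10.10.0.11", (("tcp", 445),)),
    "ws-hr-02":  Host("10.10.0.12", (("tcp", 445),)),
    "ws-fin-01": Host("10.20.0.21", (("tcp", 445),)),
    "monitor":   Host("10.30.0.5",  (("tcp", 22),)),
    "fin-db":    Host("10.30.0.10", (("tcp", 5432),)),
    "web":       Host("10.30.0.20", (("tcp", 443),)),
    "pump-01":   Host("10.40.0.31", (("udp", 161), ("tcp", 80))),
}

# Inter-VLAN ACL, evaluated top down, implicit deny at the end.
RULES = [
    Rule("allow", USERS, SERVERS, "tcp", 443),
    Rule("allow", FINANCE, SERVERS, "tcp", 443),
    Rule("allow", FINANCE, SERVERS, "tcp", 5432),
    Rule("allow", ip_network("10.30.0.5/32"), MEDICAL, "udp", 161),  # SNMP polling only
]

if __name__ == "__main__":
    for name in ("ws-hr-01", "ws-fin-01"):
        print(name, "flat:     ", reachable_hosts(name, HOSTS, FLAT_VLANS, []))
        print(name, "segmented:", reachable_hosts(name, HOSTS, SEGMENTED_VLANS, RULES))
```

On the flat network a compromised HR workstation can reach every host, including the infusion pump's web interface; on the segmented network it reaches its VLAN neighbour and the web server's port 443 and nothing else. Swapping the order of an allow and a broader deny, or appending a permissive catch-all, changes the result immediately, which is why ACL changes deserve the same review as code changes.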

Virtual Segmentation via the Cloud

Although not necessarily associated with network segmentation per se, the recent explosion in cloud-based computing, storage, and infrastructure can certainly be considered a form of network segmentation, in that it offloads traffic and workflows from the corporate LAN into a cloud-based network. Traffic between your LAN and the cloud can be securely managed through robust authentication and/or encrypted SD-WAN IP tunnels or VPNs over SD-WAN. This type of hybrid network (part physical LAN in your datacenter, part cloud-based resources) has become extremely popular over the last few years, and the trend certainly figures to continue. While it may be very convenient for an organization to simply offload processing and/or services to a cloud provider, the organization gives up control of the underlying infrastructure and must rely on the provider to protect it; what it does not give up is responsibility for segmentation within its own cloud footprint, which it must still implement with the provider’s constructs (virtual networks, subnets, security groups, network ACLs) just as it would with VLANs and firewalls on premises. SD-WAN technologies are fundamental in connecting office resources to cloud resources in a secure and performance-optimized manner.

Virtual Segmentation via Microsegmentation

And to bring all these techniques and concepts together we arrive at microsegmentation: a means of segmenting a network that targets “east-west” movement, that is, an attacker spreading from one compromised host to others within the same network segment, sub-network, or VLAN. Perimeter firewall appliances are concerned with “north-south” incursions, outside entities breaking into the network, rather than with what happens once attackers have gained access. Microsegmentation attempts to complete this final piece of the security puzzle.

By using SDN with a virtualized overlay of the underlying physical network, microsegmentation goes beyond simply allowing or denying network access based on IP addresses, ports, and protocols, which is how network security has historically operated. Today’s mobile workforce and cloud-integrated networking environment have required a rethinking of that paradigm. An IP address is a weak proxy for identity: addresses can be spoofed or reused, users legitimately access their work networks from different addresses and locations, and cloud workloads are created and destroyed with new addresses so often that isolating a specific traffic flow by address, in order to decide whether to trust it, becomes extremely difficult.

Microsegmentation increasingly relies on the “zero-trust” model for network security. Historically, once an entity was allowed through a network firewall it was assumed to be trusted and was given broad privileges within a given sub-network. Microsegmentation assumes that no entity (user, host, server, web app, or traffic type) is inherently trustworthy: every flow is denied unless a policy explicitly allows it, and the allow decision is tied to the verified identity of the workloads involved rather than to their location on the network. Security policies are implemented at the workflow or application level rather than the network level, and hence microsegmentation is sometimes also referred to as application segmentation or host-based segmentation.

Microsegmentation requires sophisticated analysis of all the traffic, users, hosts, servers, and web apps that interact across the on-premises datacenter, corporate networks, workstations, laptops, mobile phones, and public/private/hybrid clouds in order to establish the trust relationships. State-of-the-art tools attempt to automate this process by analyzing all the telemetry involved in a given workflow. Once this mapping is accomplished (and verified), security policies can be developed such that only allowed resources can interact with the workflow environment. These resources are identified not simply by IP address, but also by their interconnectivity and dependence on other resources. The verification step matters: a policy learned from telemetry will faithfully allow whatever was already talking when the baseline was taken, including an attacker who was present at the time, so each learned dependency should be confirmed by the application owner before it becomes an allow rule. Once the resources in a workflow have been verified and the resulting default-deny policy is enforced, traffic from outside that set is dropped and logged rather than allowed to reach the application or host.
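The mapping-then-policy process described in the last two paragraphs, as an added example that is not code from the original article or from any microsegmentation product: observed flows are aggregated by workload identity (a label from an inventory, not the address), frequently seen dependencies become allow rules, rarely seen ones are queued for human review instead of being enshrined in the baseline, and everything else is denied by default. The inventory, labels, telemetry, and the min_count threshold are constructed for illustration.

```python
"""Deriving a microsegmentation policy from flow telemetry.

Added example, not from the original article or any vendor product. It shows
the dependency-mapping step feeding a default-deny allowlist keyed by workload
identity rather than IP address. Inventory and telemetry are constructed.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple

PolicyKey = Tuple[str, str, str, int]     # (src_label, dst_label, proto, dport)

# Workload inventory: identity comes from a label, not from the address.
INVENTORY: Dict[str, str] = {
    "10.30.0.20": "web",
    "10.30.0.21": "web",
    "10.30.0.10": "db",
    "10.30.0.5":  "monitor",
    "10.20.0.21": "finance-ws",
}

# Baseline telemetry as (src_ip, dst_ip, proto, dport, flow_count), constructed.
TELEMETRY = [
    ("10.30.0.20", "10.30.0.10",   "tcp", 5432, 1820),   # web -> db
    ("10.30.0.21", "10.30.0.10",   "tcp", 5432, 1790),   # web -> db
    ("10.20.0.21", "10.30.0.20",   "tcp",  443,  640),   # finance-ws -> web
    ("10.30.0.5",  "10.30.0.20",   "tcp",   22,   96),   # monitor -> web
    ("10.30.0.5",  "10.30.0.10",   "tcp",   22,   95),   # monitor -> db
    ("10.30.0.20", "10.30.0.10",   "tcp",   22,    2),   # web -> db over SSH: rare, suspicious
    ("10.30.0.21", "198.51.100.7", "tcp", 4444,    1),   # destination unknown to the inventory
]


def map_dependencies(telemetry, inventory):
    """Aggregate flow counts by workload identity. Returns (counts, unlabeled)."""
    counts: Dict[PolicyKey, int] = defaultdict(int)
    unlabeled = []
    for src_ip, dst_ip, proto, dport, n in telemetry:
        src, dst = inventory.get(src_ip), inventory.get(dst_ip)
        if src is None or dst is None:
            unlabeled.append((src_ip, dst_ip, proto, dport, n))   # cannot be trusted: no identity
            continue
        counts[(src, dst, proto, dport)] += n
    return dict(counts), unlabeled


def propose_policy(telemetry, inventory, min_count: int = 10):
    """Turn the dependency map into an allowlist plus a review queue.

    Dependencies seen fewer than min_count times are not auto-allowed but
    queued for review, so a rarely used path (or an attacker's) does not get
    baked into the baseline without a human confirming it.
    """
    counts, unlabeled = map_dependencies(telemetry, inventory)
    allow = {k for k, n in counts.items() if n >= min_count}
    review = {k: n for k, n in counts.items() if n < min_count}
    return allow, review, unlabeled


def decide(allow: Set[PolicyKey], inventory, src_ip, dst_ip, proto, dport) -> str:
    """Default deny: allowed only if both endpoints are known workloads and
    their labelled dependency is in the allowlist."""
    src, dst = inventory.get(src_ip), inventory.get(dst_ip)
    if src is None or dst is None:
        return "deny"
    return "allow" if (src, dst, proto, dport) in allow else "deny"


if __name__ == "__main__":
    allow, review, unlabeled = propose_policy(TELEMETRY, INVENTORY)
    print("allow:", sorted(allow))
    print("review:", review)
    print("unlabeled:", unlabeled)
    # A rescheduled web instance gets a new address but keeps its identity,
    # so the policy does not need to change for it.
    inv = {**INVENTORY, "10.30.0.22": "web"}
    print(decide(allow, inv, "10.30.0.22", "10.30.0.10", "tcp", 5432))
    print(decide(allow, inv, "10.30.0.22", "10.30.0.10", "tcp", 22))
```

The two rejected baseline entries are the interesting ones: the twice-seen web-to-db SSH dependency lands in the review queue rather than the allowlist, and the flow to an address with no identity is reported rather than silently permitted. A real deployment would feed the review queue to the application owners and re-run the mapping after they respond, rather than lowering min_count until everything passes.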

For scalable microsegmentation, some of the inspection and detection technologies can be deployed in a centralized location, such as the private cloud or data center. All or specific classes of IP traffic can then be funneled through that centralized service point via SD-WAN overlay tunnels. Since modern SD-WAN solutions support cloud based service chaining, this creates a clean and scalable zero-trust architecture.

In Summary

While a non-segmented (or flat) network is much easier to manage from a system administrator’s point of view, a flat LAN is only acceptable for the smallest of businesses. The vast majority of enterprise networks already use network segmentation for the critical advantages it provides, including:

  • Improved Security
    • Network traffic can be isolated and/or filtered to limit and/or prevent access between network segments.
    • Better access control to only allow authorized users to access specific network resources.
    • Better threat containment, since a compromised host can only reach what the policy for its segment allows.
  • Improved Performance
    • With fewer hosts per subnet, local traffic is minimized. Broadcast traffic can be isolated to the local subnet and only necessary and required traffic is present.
  • Improved Monitoring
    • A smaller subnet with a well-defined scope makes it much easier to log events, users, traffic flows, and detect suspicious behavior.
  • Reduced Compliance Scope
    • Segmentation reduces the number of in-scope systems, thereby limiting costs associated with regulatory compliance.

So the benefits of a properly segmented network are critical for most enterprises, both to conduct day-to-day business and to plan and implement future network expansion. However, network segmentation also requires a lot of work, both upfront and ongoing, and imposes significant burdens on the enterprise. All types of network segmentation demand time, money, and effort, as well as investment in new tools and new ways of thinking about network security and performance. With hundreds or thousands of routers, firewalls, switches, and other networking devices each requiring configuration, the potential for misconfiguration is very high, and a single permissive rule or mis-assigned port can silently reconnect segments that were meant to be isolated. Software-defined overlay networks help manage and simplify much of the configuration. Microsegmentation (application segmentation or host-based segmentation) relies on zero-trust models to ensure that only authorized entities (users, hosts, devices, apps, traffic) have access to a particular sub-network, but it requires state-of-the-art tools and training to map out and make sense of all the telemetry involved in a given workflow spanning corporate LANs, WANs, and public/private/hybrid clouds.

Rob Stone, Mushroom Networks, Inc. 

Mushroom Networks is the provider of Broadband Bonding appliances that put your networks on auto-pilot. Application flows are intelligently routed around network problems such as latency, jitter and packet loss. Network problems are solved even before you can notice.



© 2004 – 2024 Mushroom Networks Inc. All rights reserved.
