Segregation of networks

When managing large networks, it can help to divide them into segments. Each segment can have its own ruleset. For example, you might want to separate your workstations from your servers. Segmenting your network does not only help the network administrators, it also boosts your resilience in case of a cyber attack, because the boundaries prevent an attacker from reaching other parts of the network.

Segments are created by placing a set of systems in a virtual local area network (VLAN). The VLAN is normally configured at a firewall, which determines which data is allowed to travel from one segment to another.

You can segment a network in many ways. In general, the following segments are set up:

  • Front-End or Demilitarized Zone (DMZ)
    This segment contains all systems that require an external connection. Normally these are servers that provide websites, file sharing services (like SFTP) or API functionality.
  • Middleware
    In this segment you find the applications and services.
  • Back-End
    This segment contains the data, like file storage and databases.
  • Workstations
    All workstations, like laptops, PCs or mobile devices, reside in this segment.


How

There are a couple of solutions for segmenting a network. Normally the segmentation is done through a combination of the following options:

VLAN
You can segment a network using VLANs and subnets. VLANs are smaller network segments used by virtual machines. A subnet is a range of IP addresses assigned to a group of network devices.

Firewall
Firewalls are a way to segment larger parts of a network. Firewalls are also used to separate your network from the network of your Internet Service Provider.

Software Defined Networking
SDN is a relatively new way to segment a network. It provides dynamic network configuration and improves performance and monitoring.


Risks

  • Minimize access within and across your network. Not everyone needs access to every part of your network. This includes your employees, but also third parties.
  • When you have segmented your network, do not forget to audit and monitor your network.
  • Access requests to the network segments should be handled fast and simply. Make sure that following the correct procedures is helpful and going around the procedures is not.
  • Don't overdo it. Having too many different segments can make your infrastructure too complex and harder to manage.
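As an added illustration (not part of the original page) of the firewall ruleset between the segments described above and of the audit step in the risks list, this Python script encodes a deny-by-default inter-segment policy and checks constructed flow records against it. The subnets, ports and flow lines are assumptions chosen for the example, not values from any real deployment.

```python
import ipaddress

# Constructed example subnets, one per segment named on the page.
SEGMENTS = {
    "dmz":          ipaddress.ip_network("10.1.0.0/24"),
    "middleware":   ipaddress.ip_network("10.2.0.0/24"),
    "backend":      ipaddress.ip_network("10.3.0.0/24"),
    "workstations": ipaddress.ip_network("10.4.0.0/22"),
}

# Inter-segment policy: (source segment, destination segment) -> allowed
# destination ports. Anything not listed is denied, so traffic must flow
# front-end -> middleware -> back-end and workstations never reach the
# back-end directly. Ports are assumed values for the example.
ALLOWED = {
    ("workstations", "dmz"):   {443},
    ("dmz", "middleware"):     {8443},
    ("middleware", "backend"): {5432},
}

def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside all segments is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def is_allowed(src: str, dst: str, port: int) -> bool:
    """Decide whether a flow may cross the segment boundary."""
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return True           # intra-segment traffic is not subject to the boundary ruleset
    if s == "external":
        return d == "dmz" and port == 443   # only the DMZ accepts inbound connections
    return port in ALLOWED.get((s, d), set())

def audit(flows):
    """Return (src segment, dst segment, port) for every flow the policy does not permit."""
    violations = []
    for line in flows:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            violations.append((segment_of(src), segment_of(dst), int(port)))
    return violations

# Constructed flow records in the form "src dst dport".
FLOWS = [
    "10.4.1.15 10.1.0.10 443",      # workstation -> DMZ web: allowed
    "10.1.0.10 10.2.0.20 8443",     # DMZ -> middleware: allowed
    "10.2.0.20 10.3.0.30 5432",     # middleware -> back-end: allowed
    "10.4.1.15 10.3.0.30 5432",     # workstation straight to back-end: violation
    "10.1.0.10 10.3.0.30 5432",     # DMZ skipping middleware: violation
    "203.0.113.7 10.1.0.10 443",    # Internet -> DMZ web: allowed
    "203.0.113.7 10.2.0.20 8443",   # Internet -> middleware: violation
    "10.3.0.30 10.3.0.31 5432",     # inside the back-end segment: allowed
]

if __name__ == "__main__":
    for v in audit(FLOWS):
        print("boundary violation:", v)
```

Running the script lists the three flows that bypass the intended front-to-back path, which is the kind of finding the audit and monitoring step should surface.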


Example Control Ruleset

When the following controls are in place, you should be compliant for this topic:

  • Network segmentation is set up between production, acceptance, test and development environments
  • Network segmentation is set up between the user network and the server network
  • Network segmentation is set up between front-end, middleware and back-end systems
  • Web Application Firewalls are deployed within Cloud IaaS solutions
  • External connections must use a firewall


Related links

Implement network segmentation on Azure
Implement network segmentation on AWS