We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment in which to conduct your online activities. Our primary function is to monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

The advantages of network segmentation

Monday, July 9, 2018 - 09:24

Running a traditional flat network is now an ageing model, and the assumption that everything inside an organisation's network can be trusted is outdated.[1] By segmenting a network and applying appropriate controls at the boundaries between segments, we turn the network into a multi-layer structure that hinders threat actors from reaching hardened systems and restricts their lateral movement across the network.

While it should be understood that no IT network defence can be perfect, reducing the attack surface and eliminating unwanted access to network segments significantly reduces the risk of a system breach.[2] Network segmentation is a defence-in-depth practice in which an organisation's network address space is subdivided into smaller subnets. Segments can be physically separated by routers or firewalls or, more commonly, logically separated as virtual LANs (VLANs) on network switches. VLANs are carried between switches over trunk links, and traffic between VLANs is routed either by a router or by Switched Virtual Interfaces (SVIs) on a layer 3 switch; that routing point is where filtering between segments is applied. There are numerous advantages to implementing this segmented network architecture.

Advantages

  • Segmentation directly decreases the number of systems on each network segment and shrinks the broadcast domain, reducing both the broadcast traffic every device has to process and the number of hosts an attacker can discover by reconnaissance from a single foothold. Confining traffic to its own segment also reduces overall bandwidth usage in the LAN.

  • On a flat network, worms such as WannaCry and NotPetya that spread over a shared protocol such as SMB (TCP 445) can reach every host on the network from a single infection. On a segmented network, filtering at the zone boundary limits propagation to the segment where the infection occurred and to whichever hosts the policy still permits on that port.

  • Segmentation aids compliance by grouping data with similar requirements into the same zone, while keeping systems that hold sensitive data isolated from the rest of the network.

  • Network segmentation enables segregation of systems by end-user category groups, with access control policy enforced at the ingress/egress points of each segment. This granular security policy can be built up over time, using ACLs at the zone gateway or firewalls that control the flow between large segments.

  • Further subdividing server systems, for example, protects against threat actors easily pivoting from one compromised server to another, such as by lateral movement with mimikatz pass-the-hash attacks (harvesting hashed credentials from one machine and replaying them to authenticate to others, as further explained in the references)[5]. Where the zone policy does not permit SMB or RPC between server segments, a harvested hash cannot be replayed across that boundary.

  • Network segmentation projects can often be carried out with the organisation's current network equipment.

  • Segmentation facilitates the addition of an untrusted VLAN for Network Access Control (NAC) policy enforcement. NAC solutions allow network operators to define policies, such as which types of computer or which user roles may access which areas of the network, and enforce them on switches, routers and firewalls. Placing non-compliant and/or unknown systems in an untrusted VLAN segment protects the rest of the network from them.
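The worm-propagation and pass-the-hash points above come down to one question: from a single compromised host, how many other hosts can the attacker reach on the port the malware or tool needs? The following is an added example, not code from the original post, that models this as a reachability search over a zone policy and compares a flat network with a segmented one. The host inventory, zone names and policy rules are constructed for illustration; the model assumes a first-match ACL at the zone gateway with an implicit deny, and that traffic within one segment is never filtered.

```python
"""Blast-radius model for a worm spreading over one service (SMB here):
flat network versus segmented network with a zone-gateway ACL.
Added example; the inventory and rules below are constructed."""
from collections import deque
from dataclasses import dataclass

SMB = ("tcp", 445)


@dataclass(frozen=True)
class Rule:
    src: str      # zone name, or "*" for any
    dst: str      # zone name, or "*" for any
    proto: str    # "tcp", "udp" or "*"
    port: int     # destination port, 0 = any
    action: str   # "permit" or "deny"


def matches(rule, src, dst, proto, port):
    return ((rule.src in ("*", src)) and (rule.dst in ("*", dst))
            and (rule.proto in ("*", proto)) and (rule.port in (0, port)))


def allowed(policy, src, dst, proto, port):
    """First-match evaluation at the zone gateway.  Traffic that stays
    inside one zone never crosses the gateway, so it is always allowed;
    the ACL only ever helps *between* segments."""
    if src == dst:
        return True
    for rule in policy:
        if matches(rule, src, dst, proto, port):
            return rule.action == "permit"
    return False  # implicit deny at the end of the ACL


def blast_radius(hosts, policy, seed, service=SMB):
    """Breadth-first spread: every host reachable over `service` from an
    infected host becomes infected.  Returns the set of infected hosts."""
    infected = {seed}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for host, zone in hosts.items():
            if host not in infected and allowed(policy, hosts[current], zone, *service):
                infected.add(host)
                queue.append(host)
    return infected


def worst_case(hosts, policy, service=SMB):
    """Largest blast radius over every possible initial infection point."""
    return max(len(blast_radius(hosts, policy, h, service)) for h in hosts)


# Constructed inventory: two departmental client VLANs, a Wi-Fi VLAN, and
# servers split into a file-server zone and a core zone (DC, application),
# i.e. the "further division of server systems" the text recommends.
SEGMENTED = {
    "fs01": "fileserver",
    "dc01": "core", "app01": "core",
    "fin-pc1": "finance", "fin-pc2": "finance",
    "hr-pc1": "hr", "hr-pc2": "hr",
    "lap-01": "wifi", "lap-02": "wifi",
}
# The same hosts with no segmentation at all.
FLAT = {host: "lan" for host in SEGMENTED}

# Constructed zone policy: wired clients need their file shares, so SMB to
# the file-server zone is permitted; nothing else crosses a boundary.
POLICY = [
    Rule("finance", "fileserver", "tcp", 445, "permit"),
    Rule("hr", "fileserver", "tcp", 445, "permit"),
    Rule("*", "*", "*", 0, "deny"),
]

if __name__ == "__main__":
    for name, hosts in (("flat", FLAT), ("segmented", SEGMENTED)):
        hit = blast_radius(hosts, POLICY, "hr-pc1")
        print(f"{name:9s} seed=hr-pc1 infected={len(hit)}/{len(hosts)} "
              f"worst-case={worst_case(hosts, POLICY)}")
```

With the constructed data an SMB worm starting on hr-pc1 reaches all nine hosts on the flat network but only hr-pc1, hr-pc2 and fs01 on the segmented one; the file server cannot pass it on to the core zone because no rule permits fileserver-to-core traffic. The same function can be pointed at a real zone matrix to find the rule that gives a worm, or a pass-the-hash pivot, its largest reach.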

Strategy and considerations

While it is common practice to move traffic off the default VLAN, good network segmentation divides end devices into VLANs by role. Often a site will create a VLAN for servers, a VLAN for physical client workstations and a VLAN for Wi-Fi access. As the following illustration shows, separating users' computers and servers into functional groups offers defence in depth. In the diagram VLAN1 is an isolated server network and each further VLAN represents a department, with VLAN5 containing its own departmental server. The VLAN numbers are illustrative only; in practice VLAN 1 is the switch default and is best left unused for production traffic.

Diagram: An example layout of network segmentation with VLANs

Virtual segmentation platforms exist that provide zoning automatically, mapping new network segments onto existing networks[3]; with or without such a platform, it is likely that little additional network equipment is needed to implement network segmentation.

The following would be further considerations when entering into a network segmentation re-design:

  • Where multi-switch topologies exist, 802.1Q trunk interfaces are required to carry the VLAN traffic between switches. This is common in Access, Distribution and Core layer designs. Stacked switches meet this requirement through virtual/backplane interfaces, decreasing the number of trunk interfaces required and lowering the risk of network loops.

  • Inter-VLAN routing is implemented either on a router acting as the default gateway for each VLAN or, where multi-layer (L2/L3) switches are in use, through Switched Virtual Interfaces inside the switch. Whichever device routes between VLANs is also the enforcement point for the inter-segment ACLs; without those ACLs, inter-VLAN routing simply recreates the flat network at layer 3.

  • Where clients in a VLAN obtain addresses from a DHCP server on a different subnet, a DHCP relay (for example ip helper-address on Cisco) must be configured on that VLAN's gateway interface so that broadcast DHCP requests are forwarded to the server, and the zone ACL must permit the relayed traffic (UDP 67/68) to it.

One approach, particularly useful for wireless or remote devices, is dynamic VLAN assignment. It is based on the authenticating user's group membership as held by a service that usually consists of a RADIUS server and a user directory. RADIUS attributes in the Access-Accept (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID carrying the VLAN ID, as specified in RFC 3580) tell the switch or wireless controller which VLAN to assign to the client[4]. Once the user is authenticated, packets from their device are placed in the appropriate VLAN based on rules set up by the administrator.
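To make the RADIUS side of dynamic VLAN assignment concrete, here is an added example, not code from the original post or from any vendor, that does both halves of the exchange: the server picks a VLAN from the user's directory groups and encodes the three RFC 3580 attributes, and the switch/controller side parses them back out. The group-to-VLAN mapping and the quarantine VLAN number are constructed assumptions; the attribute numbers and values (64, 65, 81; VLAN = 13; IEEE-802 = 6) and the tag rule for Tunnel-Private-Group-ID are from RFC 2868 and RFC 3580.

```python
"""RFC 3580 dynamic VLAN assignment over RADIUS: encode the reply
attributes a server returns, and parse them the way a NAS would.
Added example; the group/VLAN mapping below is constructed."""
import struct

TUNNEL_TYPE = 64                # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13           # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6           # Tunnel-Medium-Type value for IEEE-802

# Constructed mapping of directory group -> VLAN ID.  Users matching no
# group land in a quarantine VLAN (the "untrusted VLAN" discussed above).
GROUP_VLAN = {"servers-admins": 10, "finance": 20, "hr": 30}
QUARANTINE_VLAN = 999


def vlan_for(groups):
    """Choose the VLAN for a user's group memberships.  A user in several
    groups gets the lowest VLAN ID; that precedence is a policy choice and
    is stated here so it can be audited rather than discovered."""
    vlans = [GROUP_VLAN[g] for g in groups if g in GROUP_VLAN]
    return min(vlans) if vlans else QUARANTINE_VLAN


def _avp(attr_type, value):
    """One RADIUS attribute: Type, Length (covers header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, tag, value):
    """Tunnel-* integer attribute: 1-byte tag then a 3-byte integer."""
    return _avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def vlan_reply_attributes(vlan_id, tag=1):
    """The attribute triple an Access-Accept carries to assign a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_avps(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting
    truncated or self-inconsistent lengths rather than guessing."""
    avps = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("bad attribute length")
        avps.append((attr_type, data[2:length]))
        data = data[length:]
    return avps


def _split_tag(value):
    """RFC 2868: a leading byte above 0x1F is not a tag but the first byte
    of the string, so an untagged "20" must not lose its first digit."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(data):
    """NAS side: the VLAN ID from an Access-Accept's attributes, or None if
    the triple is incomplete (the port then keeps its configured VLAN)."""
    types, media, groups = {}, {}, {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            target = types if attr_type == TUNNEL_TYPE else media
            target[value[0]] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, body = _split_tag(value)
            groups[tag] = body.decode("ascii", "strict")
    for tag, group_id in groups.items():
        # An untagged group ID pairs with whatever tag the other two carry.
        for candidate in ([tag] if tag else list(types)):
            if (types.get(candidate) == TUNNEL_TYPE_VLAN
                    and media.get(candidate) == TUNNEL_MEDIUM_802):
                return int(group_id) if group_id.isdigit() else None
    return None


if __name__ == "__main__":
    reply = vlan_reply_attributes(vlan_for(["hr"]))
    print(reply.hex(), "->", assigned_vlan(reply))
```

The parser deliberately refuses to assign a VLAN when Tunnel-Medium-Type is missing or the group ID is not numeric, which is the safe failure: the port stays in its statically configured (ideally untrusted) VLAN instead of being moved somewhere the attributes did not fully specify.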

Conclusion

Flat networks are a weak point in network security design. Network segmentation can be achieved through a redesign that may not require further infrastructure investment, while offering many protection enhancements from the outset. Today it is considered network design best practice: it reduces an organisation's attack surface, assists with data compliance and promotes role-based security.

Over the last year, organisations have started advocating a more modern security model referred to as Zero Trust or the 'BeyondCorp' model. This describes a perimeter-less network in which every user and device is authenticated and authorised through an Internet-facing access proxy before reaching an organisation's resources, regardless of where the user or asset is located. This model will be blogged about in the future for interested readers.

References

[1] https://www.paloaltonetworks.com/solutions/initiatives/network-segmentation

[2] https://resources.infosecinstitute.com/vlan-network-chapter-5/

[3] https://www.forescout.com/company/blog/network-segmentation/

[4] https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113591-aaa-override-acs52-00.html

[5] Pass the Hash attacks using mimikatz: https://www.ultimatewindowssecurity.com/blog/default.aspx?p=88b2dad0-3a10-4a25-bfc0-52c96186f4d6