Enhance Security and Control Access to Critical Assets with Network Segmentation

Before COVID-19, most corporate employees worked in offices, using computers connected to the internal network. Once users connected to these internal networks, they typically had access to all the data and applications without many restrictions. Network architects designed flat internal networks where the devices in the network connected with each other directly or through a router or a switch.

But while flat networks are fast to implement and have fewer bottlenecks, they’re extremely vulnerable — once compromised, attackers are free to move laterally across the internal network.

Designing flat networks at a time when all the trusted users were on the internal networks might have been simpler and more efficient. But times have changed: Today, 55% of those surveyed say they work more hours remotely than at the physical office. Due to the rapid evolution of the way we work, corporations must now contend with:

  • Multiple network perimeters at headquarters, in remote offices and in the cloud
  • Applications and data scattered across different cloud platforms and data centers
  • Users who expect the same level of access to internal networks while working remotely

While this is a complex set of issues, there is a solution. Network segmentation, when implemented properly, can unflatten the network, allowing security admins to compartmentalize internal networks and provide granular user access.

What is network segmentation?

The National Institute of Standards and Technology (NIST) offers the following definition for network segmentation: “Splitting a network into sub-networks; for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.”

The main principle of segmentation is making sure that each segment is protected from the other, so that if a breach does occur, it is limited to only a portion of the network. Segmentation should be applied to all entities in the IT environment, including users, workloads, physical servers, virtual machines, containers, network devices and endpoints.

Connections between these entities should be allowed only after their identities have been verified and proper access rights have been established. The approach of segmenting with granular and dynamic access is also known as Zero Trust Network Access (ZTNA).

As shown in Figure 1, instead of a network with a single perimeter, inside which entities across the network are freely accessible, a segmented network environment features smaller network zones with firewalls separating them.

Achieving network segmentation

Implementing segmentation may seem complex, and figuring out the right place to start might seem intimidating. But by following these steps, it can be achieved rather painlessly.

1. Understand and Visualize

Network admins need to map all the subnets and virtual local area networks (VLANs) on the corporate networks. Visualizing the current environment provides a lot of value right away in understanding both how to and what to segment.

At this step, network and security teams also need to work together to see where security devices such as firewalls, IPS and network access controls are deployed in the corporate network. An accurate map of the network and a complete inventory of security systems will help tremendously in creating efficient segments.

2. Segment and Create Policies

The next step in the process is to create the segments themselves: Large subnets or zones should be segmented, monitored and protected with granular access policies. Segments can be configured based on a variety of categories, including geo-location, corporate departments, server farms, data centers and cloud platforms.

After defining segments, create security policies and access-control rules between those segments. These polices can be created and managed using firewalls, VLANs or secure mobile access devices. In most cases, security admins can simply use existing firewalls or secure mobile access solutions to segment and create granular policies. It’s best for administrators to ensure that segments and policies are aligned with business processes.

3. Monitor and Enforce Policies

After creating segments and policies, take some time to monitor the traffic patterns between those segments. The first time the security policies are enforced, it may cause disruption to regular business functions. So it’s best to apply policies in non-blocking or alert mode and monitor for false positives or other network errors.

Next, it’s the time to enforce policies. Once the individual policies are pushed, each segment is protected from cyber attackers’ lateral movements and from internal users trying to reach resources they are not authorized to use. It’s a good idea to continuously monitor and apply new policies as needed whenever there are changes to networks, applications or user roles.

Policy-based segmentation: A way forward for distributed networks

What today’s enterprises require is a way to deliver granular policy enforcement to multiple segments within the network. Through segmentation, companies can protect critical digital assets against any lateral attacks and provide secure access to remote workforces.

The good news is that, with the power and flexibility of a next-generation firewall (NGFW) and with other technologies such as secure mobile access and ZTNA solutions, enterprises can safeguard today’s distributed networks by enforcing policy-based segmentation.

SonicWall’s award-winning hardware and advanced technologies include NGFWs, Secure Mobile Access and Cloud Edge Secure Access. These solutions are designed to allow any network— from small businesses to large enterprises, from the datacenter to the cloud — to segment and achieve greater protection with SonicWall.

Unpacking the U.S. Cybersecurity Executive Order

Amid the 2021 wave of frequent, high-profile ransomware attacks on U.S. organizations, the White House issued its “Executive Order on Improving the Nation’s Cybersecurity.” Section 3 of the order states:

The federal government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”

There are several important implications in this section that will have lasting impact on the cybersecurity industry as a whole.

Zero Trust Architecture

The Zero Trust cybersecurity model implements the elusive concept of “never trust, always verify.” While the concept has been around for longer than most practitioners realize, the recent uptick in cybercrime and the responding push by various security analysts and vendors has put the idea back in the spotlight.

The executive order directs government agencies to move towards a Zero Trust model, but the effects will be much further reaching. As government agencies rush to implement Zero Trust, enterprises working with these agencies are expected to follow suit to protect both the government and their own infrastructure. This will accelerate the already-in-progress shift to Zero Trust security.

Unfortunately, malicious actors don’t discriminate between federal agencies and the private sector. Whether your organization is a small business trying to get off the ground or an established one with millions of dollars’ worth of federal government contracts, it’s essential for it to follow the best practices and implement Zero Trust Network Access (ZTNA).

A Move Towards the Cloud

I remember when as-a-service cloud solutions were first introduced. Most vendors had two sets of offerings — one in the cloud and another in the form of an appliance for government agencies that were cloud averse. Those days are long gone: Today many cloud providers have their own government-sanctioned, FedRamp-compliant cloud solutions.

This executive order is asking the federal government to embrace and implement cloud XaaS solutions, be it SaaS, IaaS or PaaS. Due to federal regulations, government agencies were the last holdouts to cloud transformation, and this order is removing that hurdle.

Whether your organization is using cloud services like AWS, Azure or Google Cloud, or is running its own private cloud, it is important to plan and implement security guard rails in your architecture from the beginning.

Centralized Management

Note that the order is asking for a centralized and streamlined access to analytics. While this is not directly mandated in the order, this screams cloud delivered management services. After all, what better way to centralize and streamline access to a resource than by putting it on the cloud? However, there are many pitfalls associated with this approach.

IT Supply Chain: A Word of Caution

The recent pandemic has shown how interconnected the global supply chain really is. We are seeing delays and increased costs in everything from electronic chips to bicycle parts. Security admins should also consider the interdependencies of security in their IT supply chain.

Recent high-profile attacks like that on SolarWinds reiterated the old adage that any system is only as strong as its weakest link. Many multinational enterprises were impacted because they were using SolarWinds’ technology. Malicious actors infiltrated the supply chain of SolarWinds and inserted a backdoor into their product. When customers downloaded the Trojan Horse installation packages from SolarWinds, it gave hackers access to the partners’ environment. This was a sophisticated attack: the cybercriminals even randomized their code in order to bypass the traditional scanners looking for known indicators of compromise (IOC).

Unfortunately, one of the downsides of moving to the cloud is the dependency on other vendors’ infrastructure and security practices. This issue becomes even more relevant as the cloud infrastructure becomes more complex and interconnected.

Security admins would be wise to audit their partner infrastructure, especially XaaS ones, to ensure that they are not inadvertently integrating with a vulnerable environment.