Network segmentation is the practice of separating networks with systems containing sensitive information from those that do not. The idea is that if an attacker gains access to the network, say via stolen user credentials, access (and damage) is limited to a subset of systems.
Everyone knows about Target, and more recently, P.F. Chang's confirmed a long-term breach, in which an estimated 800,000 cards per month may have been stolen, from September 2013 to June 2014. While details of how attackers accessed the restaurant's network have not yet been divulged, it wouldn't be surprising to learn that attackers gained access to POS systems through another system.
Network Segmentation Challenges
It is easy to shame these companies for poor security practices. But we must remember: While the principle behind network segmentation is quite simple, putting it into practice is another story. The typical enterprise network consists of hundreds of firewalls, routers and switches. Each of those devices can have hundreds of rules enforcing complicated security policies. As a result, tens of thousands of rules must be taken into account when segmenting the network in order to ensure security and policy compliance.
To further complicate matters, the enterprise network is a dynamic entity. IT organizations make dozens of network changes a week to support new business applications. And the addition of new technologies like virtualization and cloud further change the face of the network. These changes render network segmentation efforts almost immediately out of date. This is particularly problematic if the IT organization makes the mistake of approaching network segmentation as a “set it and forget it” effort. In order to be successful, network segmentation must be properly managed, and security policies must also be continuously enforced.
How to Approach Network Segmentation
As you map out zones in order to segment your network, consider business drivers such as regulatory compliance requirements, industry- or company-specific risks, third-party contractual requirements and company-specific business processes. The resulting map will provide visibility that can help you determine how best to segment the network. For example, you will gain insights on what services can be allowed between different network zones, zone sensitivity, etc.
You can take this effort a step further and use a tool that enables you to visualize zoning. Thus, you will be able to quickly understand zone-to-zone policies that are required, each zone’s level of sensitivity and traffic-flow restrictions between zones. A visual map can also help ensure proper network segmentation when new applications that require interaction with several other network resources are rolled out. The map can show how the application interacts with other resources to help ensure that only communications required by the business are permitted and all others are blocked.
For example, you might segment the network into 40 zones based on risk assessments, and business and regulatory compliance requirements. You might separate the development network from the Internet and the general enterprise network to minimize the risk of data loss or malware infection.
These efforts help ensure proper network segmentation at a point in time, but organizations also require a means of becoming aware of policy changes. Security administrators must be alerted to gaps between desired and actual segmentation, and changes made “out of band” must be remediated immediately. Furthermore, every network change across multi-vendor firewalls must be analyzed against your security and segmentation policies for continuous governance and compliance. A tool that provides the ability to visually validate that the current segmentation is the same as the desired segmentation can help.
Finally, consider enabling automation of segmentation rules and policies as much as possible. This will help reduce the risk of policy violations going unnoticed or simply unaddressed due to resource constraints.
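The zone map, the zone-to-zone policy matrix and the check for gaps between desired and actual segmentation described above can be expressed as a small script. The following is an added example written for this article; it is not code from Tufin or from SecureTrack. The zone prefixes, the desired policy and the firewall rules are all constructed for illustration, and the checker simplifies two things: rules are normalized to (source, destination, port, action) tuples, and rule ordering is ignored, so it reports every allow rule that permits a zone pair and port the policy does not list, even if an earlier rule on the real device would shadow it. Address space not assigned to an internal zone is treated as the internet zone, which is conservative: a "from any" rule expands to every zone it touches.

```python
"""Segmentation drift check: compare a desired zone-to-zone policy against
the traffic that deployed firewall rules actually permit.

Everything below (zones, policy, rules) is constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone map: zone name -> list of CIDR prefixes.
# "internet" is implicit: any address space not covered by an internal zone.
INTERNAL_ZONES = {
    "corp": ["10.1.0.0/16"],
    "dev":  ["10.2.0.0/16"],
    "pos":  ["10.9.0.0/16"],        # card-handling systems
    "mgmt": ["10.250.0.0/24"],
}

# Desired segmentation: (src_zone, dst_zone) -> set of allowed TCP ports.
# Any zone pair or port not listed here is denied by policy.
DESIRED = {
    ("corp", "internet"): {80, 443},
    ("dev", "internet"):  {443},
    ("pos", "corp"):      {443},      # POS reports to a corp service
    ("mgmt", "pos"):      {22},
    ("mgmt", "corp"):     {22},
}


@dataclass(frozen=True)
class Rule:
    device: str
    src: str      # CIDR as written on the firewall
    dst: str      # CIDR as written on the firewall
    port: int
    action: str   # "allow" or "deny"


def zones_touched(cidr: str) -> set[str]:
    """Return every zone the prefix overlaps.

    If the prefix is not fully inside one internal zone, the remainder is
    treated as internet address space, so 0.0.0.0/0 expands to all zones.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    touched: set[str] = set()
    covered = False
    for name, prefixes in INTERNAL_ZONES.items():
        for p in prefixes:
            zone_net = ipaddress.ip_network(p)
            if net.overlaps(zone_net):
                touched.add(name)
            if net.subnet_of(zone_net):
                covered = True
    if not covered:
        touched.add("internet")
    return touched


def violations(rules: list[Rule]) -> list[tuple[Rule, str, str]]:
    """Return (rule, src_zone, dst_zone) for every allow rule that permits a
    zone pair and port the desired policy does not list."""
    found = []
    for rule in rules:
        if rule.action != "allow":
            continue                    # deny rules cannot widen access
        for src_zone in sorted(zones_touched(rule.src)):
            for dst_zone in sorted(zones_touched(rule.dst)):
                if src_zone == dst_zone:
                    continue            # intra-zone traffic is outside the matrix
                allowed = DESIRED.get((src_zone, dst_zone), set())
                if rule.port not in allowed:
                    found.append((rule, src_zone, dst_zone))
    return found


# Constructed rule base pulled from two hypothetical devices.
RULES = [
    Rule("fw-edge", "10.1.0.0/16",   "203.0.113.0/24", 443, "allow"),  # corp -> internet: ok
    Rule("fw-core", "10.9.0.0/16",   "10.1.0.0/16",    443, "allow"),  # pos -> corp: ok
    Rule("fw-core", "10.250.0.0/24", "10.9.0.0/16",     22, "allow"),  # mgmt -> pos: ok
    Rule("fw-core", "10.1.0.0/16",   "10.9.0.0/16",    445, "allow"),  # corp -> pos: not in policy
    Rule("fw-edge", "0.0.0.0/0",     "10.9.0.0/16",    443, "allow"),  # any -> pos: out-of-band change
    Rule("fw-core", "10.2.0.0/16",   "10.9.0.0/16",    445, "deny"),   # deny: never a violation
]


def report(rules: list[Rule]) -> list[str]:
    """Human-readable drift report, one line per violation."""
    return [
        f"{r.device}: {src}->{dst} tcp/{r.port} allowed by rule "
        f"{r.src} -> {r.dst} but not in desired policy"
        for r, src, dst in violations(rules)
    ]


if __name__ == "__main__":
    for line in report(RULES):
        print(line)
```

The "any to pos" rule is the interesting one: a single out-of-band change expands into four zone-pair violations (corp, dev, mgmt and internet to pos), which is exactly the kind of gap between desired and actual segmentation that needs an alert rather than a quarterly audit to catch. Running this on every rule-base change, or on a schedule, is the automation the text recommends.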
The likelihood of security breaches can be reduced with proper network segmentation. But as we all know, that’s easier said than done. Today’s IT organizations must re-evaluate how they approach network segmentation, and adopt the tools and methods required for proper network segmentation management.
Reuven Harrison co-founded Tufin Technologies in 2003, serving a vital role as CTO during the company’s fast-paced growth as a leading worldwide provider of solutions that enable IT administrators to effectively audit, monitor and optimize ever-growing firewall policies. Responsible for the unmatched innovation within Tufin’s flagship product, SecureTrack, Reuven leads Tufin’s development staff, managing all product architecture while ensuring seamless integration with all leading firewall vendors.
Reuven brings more than 17 years of software development experience, holding two key senior developer positions at Check Point Software, as well as other key positions at Capsule Technologies and ECS. He received a Bachelor's degree in Mathematics and Philosophy from Tel Aviv University.