What is Network Segmentation?
A beginner's guide to a segmented network
Network segmentation is the practice of breaking larger networks or environments into smaller pieces or networks, sometimes down to the host itself.
How to do network segmentation? There are multiple ways to segment a network. One common approach is relying on the network itself. Another way is to deploy hardware firewall appliances while newer approaches enforce network segmentation on the host workload itself, so segmentation is carried out without touching the network.
Why we need network segmentation
To answer this, we often refer to a common example: how a submarine uses compartments to remain seaworthy in the face of a breach in one compart. The breach is contained to that single compartment and the submarine does not sink – thanks to the compartmentalization (or segmentation) of the vessel.
In the context of our IT environments, network segmentation prevents attackers or threats from spreading or moving laterally, or “east-west,” in data centers, clouds, or campus networks. A threat will be contained to the network segment or host segment that has been put in place, so attackers cannot move to other parts of an environment. Small security incidents are contained. This better protects organizations from breaches.
Types of network segmentation
Network segmentation: Segmentation has long been carried out by creating segments in networks with VLANs or subnets. Virtual local area networks (VLANs) create smaller network segments with all hosts connected virtually to each other as if they were in the same LAN. Subnets use IP addresses to partition a network into smaller subnets, connected by networking devices. These approaches not only allow for more efficient network performance, but also serve to contain threats from spreading beyond a particular VLAN or subnet.
There are two key challenges to these approaches. The first is the fact that networks must often be re-architected to accommodate segmentation needs. The second is the complexity of programming and managing the thousands of access control list (ACL) rules that live on network devices needed to create subnets.
Firewall segmentation: Instead of using the network to enforce segmentation, firewalls are another option. Firewalls are deployed inside a network or data center to create internal zones to segment functional areas from each other in order to limit attack surfaces, thereby preventing threats from spreading beyond a zone. An example could be separating engineering applications from finance. Another common example is protecting sensitive areas where PCI data resides for example.
Network and security administrators are familiar with firewalls deployed at the perimeter. However, they tend to introduce considerable complexity when the same firewalls are used for internal segmentation.
This is due to the thousands of firewall rules that are needed to segment internal networks. Another consideration is the risk of firewall misconfiguration that can break an application and harm the business. Another drawback of using firewalls for segmentation is the considerable cost they impose since they are bought in pairs for multiple sites, often costing in the millions of dollars.
Segmentation with SDN: Software-defined networking (SDN) is relied on for greater network automation and programmability through centralized controllers that are abstracted from the physical hardware of the network. Some network operators seek to coax segmentation from their SDN network overlay implementation by using it to create policies to funnel packets through a distributed set of firewalls.
A drawback here is the vast level of complexity that it requires for successful micro-segmentation, particularly when applications do not fit into network boundaries. SDN is focused on network policy rather than security visibility into workloads and application flows that other approaches address.
Micro-segmentation: An alternative way to get to a segmented network is enforcement using the host workload, instead of subnets or firewalls. Each workload operating system in the data center or cloud contains a native stateful firewall, such as iptables in Linux or Windows Filtering Platform in Windows. This approach tends to use whitelist models that block all traffic except for what is permitted. Micro-segmentation is also sometimes referred to as host-based segmentation or security segmentation.
Host-based segmentation uses workload telemetry to create a map of cloud and on-premise compute environments and applications. This map is used to visualize what must be protected and to put automated segmentation policy in place. This approach uses human-readable labels versus IP addresses or firewall rules to create policy. An advantage is the ability to enforce segmentation down to the process level, more granular than just specific ports.
Those introduced to host-based segmentation require a period of adaptation. Most new users are familiar with firewalls and networking concepts, but find it necessary to get trained on a new way to create policy and enforce segmentation at the host.
Who needs to segment networks or environments?
Organizations that are security- and compliance-minded need to put segmentation in place to protect their environments from breaches by restricting attacker lateral movement.
Two prime examples of the need for segmented networks are organizations that must comply with healthcare cybersecurity compliance or PCI mandates:
- Healthcare organizations must protect PHI data, complying with healthcare cybersecurity compliance frameworks. Common security frameworks exist to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. Key security controls that must be implemented include segmentation or segregation in networks, isolation of sensitive systems, accurate mapping, and network connection control.
- PCI compliance standards require merchants and other businesses to handle credit card information in a secure manner that helps reduce the likelihood data breaches of sensitive cardholder financial account information. Payment Card Industry Data Security Standard (PCI DSS) compliance efforts include network segmentation to isolate the system components within a Cardholder Data Environment (CDE).
For example, this might mean keeping in-scope systems separated from out-of-scope systems or managing access between in-scope systems or networks. The right network segmentation can also reduce the number of systems in scope for PCI DSS to begin with.
What is an example of segmentation?
There are many good examples of how network segmentation can help reduce attacks surfaces and the prospect of a high-profile breach. Organizations may implement application segmentation to segment an application from the rest of the environments. As mentioned, segmentation may be used to separate PCI, SWIFT, or healthcare systems from the rest of the environment. Environmental separation is also common where organizations segment their production environment from the development environment.
Benefits of network segmentation
Better network performance: A segmented network can improve network performance by containing specific traffic only to the parts of the network that need to see it.
Reduced attack surface: Attacker lateral movement is limited with network segmentation by preventing an attack from spreading. For example, segmentation ensures malware in one section does not affect systems in another.
Reduced compliance scope: Segmentation reduces the number of in-scope systems, thereby limiting costs associated with regulatory compliance.