Divide and conquer: Manage network traffic with network segmentation

For a business that's barely two decades old, we network security people are firmly prisoners of our past. Our firewalls don't look all that different today from 1995, and we often use them in the same way, building a strange thing called a DMZ based on thinking that predates the Internet.

If the standard way of thinking about network security is perimeter-focused, then start thinking in a new way: Divide and control with network segmentation. It's a simple two-step process:

  1. Break your network up into different segments based on the security profile of the systems on these segments.
  2. Once you've divided the network up, install controls to restrict and manage network traffic between the segments. These controls can be as sophisticated as stateful firewalls, or as simple as an access control list (ACL) on a layer-3 switch or router that provides coarse controls.

Why do you manage network traffic this way? Because the threats are now everywhere: on the outside, as well as on the inside. You can't shield every single device from every other, no matter what some vendors will say. Instead, you can group devices and segment your network to reduce risk in a cost-effective manner.

Look at it this way: Not everything "inside the firewall" has the same level of trust, nor needs the same types of protections. Your servers, which definitely should be segmented away from your users, have the crown jewels that keep your company running. They need to be protected from intentional and accidental attack, both inside and outside your company.

Users, on the other hand, have a different need: They are constantly under attack from the email messages they read, the websites they visit, and the files they download. They need a very different set of protections.

The larger your network is, the more segments are appropriate. If you're a midmarket organization with a smaller network, you may be able to get by with only two or three segments: servers, users and a guest network for untrusted people visiting your company, like your CEO's 12-year-old daughter. What's the lower limit for network segmentation? If you have more than three servers, or if you have a guest network, you should be thinking about adding security by segmenting internally.

How do you figure out how many you need? Easy: Think in terms of security profiles. Look at groups of users and ask yourself: "From a security point of view, which people (or what systems) should be treated the same?" Any time you can easily define network segmentation between groups, that's an opportunity to manage network traffic with a segment -- and a control, such as a UTM firewall or layer-3 device with an ACL.

This is a very practical approach even for smaller networks, because firewalls have jumped in speed to easily handle the 100 to 1000 Mbps sweet spot of network connectivity that most of us use in midsized networks. The firewalls are inexpensive, easy to use, and we're not talking about hundreds of access control rules here. For example, when you set up an Exchange server, it's easy to say that end users should only talk to that server using their Outlook or email clients. Allow those services; block everything else; and you'll have locked that server up against a slew of potential attacks from malicious users or infected systems.
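Here is what that Exchange rule looks like as an ACL on a layer-3 switch. It is an added example in Cisco IOS syntax, not a configuration from the article or from Opus One; it assumes a constructed user VLAN of 10.10.0.0/16, a server segment of 10.20.0.0/24 with the Exchange server at 10.20.0.25, and that mail clients reach Exchange over HTTPS (Outlook Anywhere and OWA), IMAPS and SMTP submission.

```text
! Added example (Cisco IOS syntax), not from the article. Addresses are constructed:
! users VLAN 10 = 10.10.0.0/16, server segment = 10.20.0.0/24, Exchange = 10.20.0.25
ip access-list extended USERS-TO-SERVERS
 remark Mail clients to Exchange only: HTTPS (443), IMAPS (993), SMTP submission (587)
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.25 eq 443
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.25 eq 993
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.25 eq 587
 remark Anything else from users into the server segment is dropped and logged
 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 log
 remark Traffic to other destinations (Internet, guest, etc.) is handled elsewhere
 permit ip any any
!
interface Vlan10
 description Users segment; ACL is applied inbound, so it filters what users initiate
 ip address 10.10.0.1 255.255.0.0
 ip access-group USERS-TO-SERVERS in
```

On a real network the users also need DNS and domain controller access, so similar permit lines go in front of the deny; the logged deny is the check that tells you what you forgot before anyone files a ticket.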

The key to internal network segmentation is to think differently than you do about perimeter firewalls. At the edge, it's a guaranteed attack surface with constant probes and eternal vigilance. Inside, you can take a more relaxed view -- after all, your network may never have had internal segmentation in the past. You should be focused on performance issues and long-term maintenance, ensuring what you do is well documented and won't get in the way of people doing their work.

About the author:
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.

This was first published in September 2010
