For a business that's barely two decades old, we network security people are firmly prisoners of our past. Our
firewalls don't look all that different today from 1995, and we often use them in the same way, building a strange thing called a DMZ based on thinking that predates the Internet.
If the standard way of thinking about network security is perimeter-focused, then start thinking in a new way: Divide and control with network segmentation. It's a simple two-step process:
- Break your network up into different segments based on the security profile of the systems on these segments.
- Once you've divided the network up, install controls to restrict and manage network traffic between the segments. These controls can be as sophisticated as stateful firewalls, or as simple as an access control list (ACL) on a layer-3 switch or router that provides coarse controls.
Why do you manage network traffic this way? Because the threats are now everywhere: on the outside, as well as on the inside. You can't shield every single device from every other, no matter what some vendors will say. Instead, you can group devices and segment your network to reduce risk in a cost-effective manner.
Look at it this way: Not everything "inside the firewall" has the same level of trust, nor needs the same types of protections. Your servers, which definitely should be segmented away from your users, have the crown jewels that keep your company running. They need to be protected from intentional and accidental attack, both inside and outside your company.
Users, on the other hand, have a different need: They are constantly under attack from the email messages they read, the websites they visit, and the files they download. They need a very different set of protections.
The larger your network is, the more segments are appropriate. If you're a midmarket organization with a smaller network, you may be able to get by with only two or three segments: servers, users and a guest network for untrusted people visiting your company, like your CEO's 12-year-old daughter. What's the lower limit for network segmentation? If you have more than three servers, or if you have a guest network, you should be thinking about adding security by segmenting internally.
How do you figure out how many you need? Easy: Think in terms of security profiles. Look at groups of users and ask yourself: "From a security point of view, which people (or what systems) should be treated the same?" Any time you can easily define network segmentation between groups, that's an opportunity to manage network traffic with a segment -- and a control, such as a UTM firewall or layer-3 device with an ACL.
This is a very practical approach even for smaller networks, because firewalls have jumped in speed to easily handle the 100 to 1000 Mbps sweet spot of network connectivity that most of us use in midsized networks. The firewalls are inexpensive, easy to use, and we're not talking about hundreds of access control rules here. For example, when you set up an Exchange server, it's easy to say that end users should only talk to that server using their Outlook or email clients. Allow those services; block everything else; and you'll have locked that server up against a slew of potential attacks from malicious users or infected systems.
The key to internal network segmentation is to think differently than you do about perimeter firewalls. At the edge, it's a guaranteed attack surface with constant probes and eternal vigilance. Inside, you can take a more relaxed view-- after all, your network may never have had internal segmentation in the past. You should be focused on performance issues and long-term maintenance, ensuring what you do is well documented and won't get in the way of people doing their work.
About the author:
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.