Network segmentation
Most of us focus on front-door security and threats coming from the outside world by putting some sort of firewall on the perimeter. In reality, relying on perimeter security alone does not protect your network or the data on it. Doing this is like putting money into a bank that depends on a single armed guard.
The concept of segmentation goes back to ancient history, when the Roman Empire formed and fought with units based on the ethnic and geographic identity of captured warriors. The idea was very simple: groups of warriors were formed on the basis of their similar backgrounds so that they could bond with each other and ultimately become better fighting units.
Resource consolidation, virtualization and network consolidation can be beneficial when focusing on infrastructure security. Consolidating network infrastructure while improving its security has been a crucial part of the segmentation strategy. Legacy models of complex, distributed applications and services are now migrating to shared physical infrastructure or cloud networks, which require separation to maintain strong isolation. Similarly, networks have gone through abrupt changes over the past few years with the introduction of virtualization, Software Defined Networking (SDN), containers, wireless connectivity, hosting services, data center infrastructure and the Internet of Things (IoT). Network separation can be achieved by implementing Layer-2 technologies such as VLANs, Layer-3 technologies such as virtual routing and forwarding (VRF) for routing separation, and zone-based firewalls for segment separation.
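The following added example (not part of the original text) models the zone-based separation described above: each VLAN is a zone, a default-deny zone-pair policy says which flows may cross between zones, and a `flat=True` mode represents the unsegmented network in which every host reaches every other. The zone names, subnets and port numbers are constructed for illustration.

```python
import ipaddress

# Constructed topology: each VLAN is one zone with its own subnet.
ZONES = {
    "users":   ipaddress.ip_network("10.10.0.0/24"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
    "iot":     ipaddress.ip_network("10.40.0.0/24"),
}

# Zone-pair policy: (source zone, destination zone) -> permitted TCP ports.
# Any pair or port not listed is dropped (default deny between zones).
SEGMENTED_POLICY = {
    ("users", "servers"):   {443},
    ("finance", "servers"): {443, 1433},
}

def zone_of(ip):
    """Return the zone name whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def is_allowed(policy, src_ip, dst_ip, dst_port, flat=False):
    """Decide whether a flow is permitted by the zone firewall.
    flat=True models a network with no inter-zone control, where every
    host can reach every other host on any port."""
    if flat:
        return True
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False            # address outside every known zone: drop
    if src == dst:
        return True             # intra-zone traffic is not filtered here
    return dst_port in policy.get((src, dst), set())

def reachable_pairs(policy, flat=False, port=445):
    """Count ordered zone pairs that can reach a given port: a rough
    measure of how far a compromise in one zone could spread."""
    count = 0
    for s in ZONES:
        for d in ZONES:
            if s == d:
                continue
            src, dst = str(ZONES[s][10]), str(ZONES[d][10])
            if is_allowed(policy, src, dst, port, flat):
                count += 1
    return count
```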
In today's cyber security environment, you have to assume that you are not 100% immune to these threats and that something malicious might already be on your network. As part of a multi-layer approach, network segmentation makes it more difficult for an attacker to spread an attack across your entire network. It also adds a further deterrent against insiders, because you can isolate valuable data and resources from insider attacks.
From a network design point of view, networks with limited segmentation, a high number of users and many different applications typically experience access control issues. Every user group has access to almost every application in the enterprise network, and all departments can connect to all other resources on the network, as shown in the following diagram: