Network Segmentation Tips From the Experts
The smartest and most profitable investment portfolios continually invest in multiple sectors. With our money invested in different areas, we minimize the risks of potential failure but remain flexible.
The same goes for networks. Segmenting your network allows you to mitigate the risks in case of a cyber attack. Network segmentation gives you the edge over attackers as now you can isolate the attack and limit the damage of an attack to one particular segment.
What Is Network Segmentation?
Network segmentation, as defined in the National Institute of Standards and Technology (NIST) Glossary, is “Splitting a network into sub-networks, for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.”
Network Segmentation is one of the most effective methods of cybersecurity. On the surface, a flat network (a single network for all) looks good and is easy to manage. But when you dive deep, the risks are very high. A single breach of something as simple as an IoT device like a cafeteria coffee machine can give someone the keys to your kingdom.
Segmenting Networks for a Zero-Trust Network Architecture
Zero-Trust Security can be summarized as the philosophy of “never trust, always verify.” In a zero-trust network architecture, security is not limited to just the authentication of users and devices connecting to your network. Zero trust requires that all points connected to your network are constantly monitored to identify unusual behavior or activity and revoke access dynamically within seconds. This stops and limits any unauthorized access or suspicious activity to one particular user or machine only, thus reducing the risk to your network by a substantial degree.
Network segmentation is one of the vital components of zero trust. At its core, zero trust applies “microperimeters” as an instrument of control around high-risk data and assets to minimize risk and prevent cyberattacks. The idea is that in the event of a network breach, the intrusion is confined to the segment it landed in and cannot move laterally. Implementing segmentation for improved access control raises the cost for an attacker and restricts the breach to a limited area.
Microsoft puts it best: “In a Zero Trust approach, networks are instead segmented into smaller islands where specific workloads are contained. Each segment has its own ingress and egress controls to minimize the “blast radius” of unauthorized access to data.”
To create a zero-trust network architecture, you will have to segment your network to grant access to users and machines as per their functions, thus creating an environment where only relevant information is shared.
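The microperimeter and “blast radius” ideas above can be made concrete with a small model of per-segment ingress/egress controls. The following is an added example, not code from the article or from SecureW2: a default-deny allow-list between constructed segments, a flow check against it, and a lateral-movement walk that reports which segments an intruder in one segment could reach using only the flows the policy permits (on a flat network the answer would be every segment). Segment names, ports and the allow-list are all constructed for illustration.

```python
"""Added example (not from the original article): a minimal model of per-segment
ingress/egress controls and the "blast radius" they bound. Segment names, the
allow-list and the port numbers are constructed for illustration."""
from collections import deque

# Constructed allow-list of (source segment, destination segment, destination port).
# Any flow not listed is denied: default deny between segments.
ALLOW_RULES = {
    ("users-managed", "app-servers", 443),
    ("users-byod", "dmz", 443),
    ("dmz", "app-servers", 8443),
    ("app-servers", "db", 5432),
    ("iot", "iot-collector", 8883),
    ("it-workstations", "app-servers", 22),
}


def is_allowed(src, dst, port, rules=ALLOW_RULES):
    """Evaluate one flow against the allow-list (default deny)."""
    return (src, dst, port) in rules


def blast_radius(start, rules=ALLOW_RULES):
    """Segments reachable by lateral movement from a compromised `start` segment
    when only policy-permitted flows can be used. Breadth-first search over the
    allow graph; the result includes `start` itself."""
    adjacency = {}
    for src, dst, _port in rules:
        adjacency.setdefault(src, set()).add(dst)
    reached = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in adjacency.get(current, ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def egress_audit(segment, rules=ALLOW_RULES):
    """Sorted (destination, port) pairs a segment may open. This is what to review
    for low-trust segments (IoT, guest, BYOD) that should never reach data stores."""
    return sorted((dst, port) for src, dst, port in rules if src == segment)


def over_exposed(rules=ALLOW_RULES, crown_jewels=("db",)):
    """Segments from which a crown-jewel segment is reachable transitively, i.e.
    the places where an extra ingress control on the path would shrink the radius."""
    sources = {src for src, _dst, _port in rules}
    return sorted(
        s for s in sources
        if s not in crown_jewels
        and any(c in blast_radius(s, rules) for c in crown_jewels)
    )


if __name__ == "__main__":
    for seg in ("iot", "users-byod"):
        print(seg, "->", sorted(blast_radius(seg)))
    print("segments that can reach db:", over_exposed())
```

Note what the walk exposes: the IoT segment is contained to its collector, but the BYOD segment reaches the database transitively through the DMZ and app tier even though no rule names BYOD and the database together. That transitive path is exactly what a per-segment review of ingress and egress rules is meant to catch, and it is also the trade-off behind “do not over-segment”: every extra segment is another set of rules to audit this way.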
17 Actionable Network Segmentation Tips
Network experts always advise segmenting your network as the first step for cybersecurity. Let’s look at some of the tips our team of experts has for you:
- Users are a network on their own. Ensure you have the correct access level based on user roles defined in your AD. Follow Least Privilege.
- Segment your network based on the type of devices. Assign separate VLANs for BYOD and managed devices.
- Segment BYOD networks further by roles and managed device networks by the MDM.
- The DMZ Network should have its own separate VLAN. In computer networks, a DMZ, or demilitarized zone, is a physical or logical subnet that separates a local area network (LAN) from other untrusted networks — usually, the public internet. DMZs are also known as perimeter networks or screened subnetworks.
- Externally facing systems should be exposed only on their own segment. This is where handshakes with outside parties take place on your network. It may also be called a test network and should always be segmented.
- Guest Network Wi-Fi should be separate from the corporate networks. Many smaller businesses never bother to set it up although it should be treated as a separate network.
- IT workstations or dev networks should be segmented too. This is where IT staff does non-admin work and should be segmented for testing. It is also recommended that the IT department have its own internet circuit for testing, completely blocked from company access.
- The network should be segmented based on teams or groups (marketing vs. dev, students vs. staff).
- Create separate public and private drives by department. Restrict access to private drives to those within specific teams. This limits how far malware can crawl across shares.
- VoIP/communications systems should have their own network to ensure call quality. As communications move toward API and software-as-a-service platforms, this network will become a more common attack surface.
- Traditional Physical Security, like cameras and ID card scanners, should have a separate network. The risk of a physical breach can sometimes be more harmful than a digital one.
- Industrial control systems like HVAC should have 2-factor authentication and be segmented as well.
- Configure Intrusion Detection and Prevention systems to monitor your internal segments of networks just as you would your public-facing networks.
- Review your logs or work alongside an IT partner to double your vigilance and act as an extra set of eyes. This is especially important as your business evolves and grows. There may be a need for more than the current network architecture to meet your needs. Regular audits can help you assess and adjust your network segmentation design for optimal performance and security.
- Keep an open (and customized) SSID for onboarding. This will help you segment the network based on managed vs. BYOD.
- Different regions or offices have their own intermediate CA, so different VLANs should be assigned when employees from other offices and regions visit each other.
- Visualize your network. Create a network diagram for better visibility of all parts and identify who needs access to what data to map your network successfully. Do not over-segment. More segments equal more policies to manage.
How to Organize Users and Devices for Access Control
SecureW2’s industry-leading team of support shares some tips from their decades of experience in the field to help make your network segmentation more effective.
- First, you must decide how you want accounts to be created. You can create them for devices, for users, or, in some cases, for both user and device. These accounts or identities are created and stored in an Identity Provider (IdP). Certificates can be issued as user-based or device-based. This is a crucial decision, as the network can be segmented based on how the certificate is issued.
- For MDM, accounts can be created for devices using a device identifier (MAC address, serial number, or device name). These three attributes together uniquely identify a device, which is why certificates can be issued to users and devices using this information. Certificates issued for MDM can be user-based or device-based.
- A user-based certificate is issued against the user’s email ID. Most systems have a default template that generates the email ID from the first and last name. The user’s role is determined by the organizational unit they fall under. Roles carry through from identity management and policy management to certificate enrollment, and they are also pivotal in creating network segmentation. For BYOD onboarding, certificates are recommended to be user-based, since issuing certificates to users makes it easy to segment the network based on roles.
- Segmentation should be done based on the type of devices. There should be separate networks for MDM and BYOD. Over 90% of our customers ask for their network to be segmented for BYOD and managed devices.
- For managed devices, the network should be segmented based on the type of device. For example, Jamf- and Intune-managed devices should have separate networks.
- With BYOD, the network should be further segmented based on roles as defined in the IdP. For example, the level of access for a BYOD device of a teacher (more access) is different from that of a student (limited access), so there should be separate networks assigned to them.
How to Implement Network Segmentation
Implementing network segmentation can sound daunting. However, there might be some segmentation capabilities already existing in your enterprise that can be deployed or configured seamlessly.
For example, you might already be using an Identity and Access Management solution like Active Directory. What is essential is to determine what is feasible and applicable in developing a comprehensive plan for the network segmentation architecture that best suits your business needs. We can roughly divide these strategies into three categories.
Planning a Segmented Zero-Trust Network
To start, you will first need to understand the following about your network.
- The network’s current state.
  - Assess the current state and the network map; develop one if none is available.
  - List the assets that support mission-critical systems.
  - Review existing security assessment reports to determine whether findings are isolated incidents or indicate broader enterprise issues.
- Currently available capabilities.
  - Identify all the tools and infrastructure components in your network that control network traffic or flows (e.g., switches, routers, security devices).
  - Once all existing resources are identified, determine which ones can be configured or modified for effective network segmentation.
- Requirements to achieve the desired state.
  - Divide your requirements into short-, mid-, and long-term objectives.
  - Review your cybersecurity governance and policies in depth to identify any derived, implied, or hidden requirements for network segmentation.
Preparing Your Network (and Users) for a Network Overhaul
This is where you will assemble a project team. The team should include key subject-matter experts and other resource people who may be critical in planning and execution. The team should focus on short-term deliverables as well as on developing a long-term strategy, and should be able to anticipate all possible impacts.
You will have to divide your plan into short-term, mid-term, and long-term and keep making adjustments as you go to meet your enterprise’s strategic and risk management goals.
Deploying Network Segmentation
In the execution or implementation stage, you will start taking action according to the strategy developed in the prior stages. You may have to adjust schedules during execution to fit the needs of the live environment or to close any gaps between what was planned and what is actually in place. This stage, too, will have to be divided into three phases: short-term (ideally less than a year), mid-term (about 1-2 years), and long-term (more than 2 years).
Configuring Network Segmentation With SecureW2 RADIUS
You will have to decide during deployment if you want a certificate assigned to users or devices, or both. You issue a certificate using SecureW2 RADIUS or any on-prem services that you want to use to deploy the certificate.
Once you get the certificate, you have to configure the settings for Wi-Fi for network segmentation. It is crucial to define these attributes with precision. Network segmentation can be done easily by creating policies in our RADIUS server.
The following steps show how RADIUS and the Wi-Fi access points exchange the data needed to place a client on the right VLAN.
- A user or a machine requests to connect to a Wi-Fi network.
- RADIUS then authenticates the user or machine and confirms that it is authorized to access your network.
- Once RADIUS confirms the certificate is valid, the Wi-Fi access point asks RADIUS for specific attributes. These attributes tell the access point which VLAN the client is authorized to connect to.
- Based on how you have defined the attributes, RADIUS transmits them back to the access point.
- Once the access point receives the data, it connects the client to the appropriate VLAN.
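The attribute exchange above, together with the identity-to-role mapping described under “How to Organize Users and Devices for Access Control”, can be shown end to end in a small policy step. The following is an added example and not SecureW2’s code or the JoinNow RADIUS implementation: it takes the subject of a certificate that has already been validated, decides whether it is a user-based (email in CN) or device-based (serial number in CN) certificate, looks up the role or MDM from the OU, and emits the three RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, per RFC 2868 as applied to VLANs in RFC 3580) that an access point uses to place the client on a VLAN. The subject DN convention, the role table and the VLAN numbers are constructed assumptions for this example.

```python
"""Added example (not SecureW2's code): the policy step of a RADIUS server that
maps an authenticated certificate identity to a VLAN and returns the tunnel
attributes an access point uses for dynamic VLAN assignment (RFC 3580, using
the Tunnel-* attributes of RFC 2868). Certificate subjects, roles and VLAN
numbers are constructed for illustration."""
from dataclasses import dataclass

# RADIUS attribute types (RFC 2868) and the values meaning "VLAN over IEEE 802".
TUNNEL_TYPE = 64                # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65         # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81    # the VLAN ID, carried as a string
VLAN, IEEE_802 = 13, 6

# Constructed policy: (certificate kind, role) -> VLAN. User-based certificates
# (BYOD) are segmented by role; device-based certificates (managed) by MDM.
VLAN_POLICY = {
    ("user", "staff"): 20,
    ("user", "student"): 30,
    ("device", "jamf"): 40,
    ("device", "intune"): 41,
}


@dataclass(frozen=True)
class Identity:
    kind: str   # "user" (email ID in CN) or "device" (serial/MAC in CN)
    role: str   # organizational unit the IdP placed the identity in


def parse_subject(subject):
    """Derive identity kind and role from a certificate subject DN string.
    Assumes the comma-separated 'CN=...,OU=...,O=...' form, with user certificates
    carrying the email ID in CN and device certificates carrying a serial number
    or MAC address (a constructed convention for this example)."""
    fields = {}
    for part in subject.split(","):
        key, _, value = part.partition("=")
        fields[key.strip().upper()] = value.strip()
    kind = "user" if "@" in fields.get("CN", "") else "device"
    return Identity(kind=kind, role=fields.get("OU", "").lower())


def build_access_response(subject):
    """Policy decision taken after the certificate itself has been validated.
    Unknown (kind, role) pairs are rejected instead of landing on a default VLAN."""
    identity = parse_subject(subject)
    vlan = VLAN_POLICY.get((identity.kind, identity.role))
    if vlan is None:
        return {"code": "Access-Reject", "attributes": {}}
    return {
        "code": "Access-Accept",
        "attributes": {
            TUNNEL_TYPE: VLAN,
            TUNNEL_MEDIUM_TYPE: IEEE_802,
            TUNNEL_PRIVATE_GROUP_ID: str(vlan),
        },
    }


def encode_tunnel_attrs(vlan, tag=0):
    """Wire encoding of the three attributes as RADIUS AVPs (type, length, tag, value).
    Tunnel-Type and Tunnel-Medium-Type carry a 3-byte integer after the tag byte;
    Tunnel-Private-Group-ID carries the VLAN ID as text. Tag 0 means 'unused'."""
    group_id = str(vlan).encode("ascii")
    return (
        bytes([TUNNEL_TYPE, 6, tag]) + VLAN.to_bytes(3, "big")
        + bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + IEEE_802.to_bytes(3, "big")
        + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group_id), tag]) + group_id
    )


if __name__ == "__main__":
    for dn in ("CN=alice@example.edu, OU=staff, O=Example University",
               "CN=SN-ABC123, OU=intune, O=Example University",
               "CN=mallory@example.edu, OU=contractor, O=Example University"):
        print(dn, "->", build_access_response(dn))
```

Two design points worth noting. A valid certificate with a role the policy does not know about gets an Access-Reject rather than a fallback VLAN, because a silent default VLAN is how an unexpected identity ends up on a network it was never meant to see. And the VLAN decision is driven by the role in the certificate, not by which SSID the client chose, so the same policy table serves the open onboarding SSID and the managed SSID alike.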
Complete Network Access Control Solutions
Network segmentation as a concept is vast. Segmenting a network to best fit your organization needs a team of experts who can do everything from planning to implementation and monitoring performance in a live environment. Every stage needs to be carefully planned and executed.
It is also important to perform real-time assessments to ensure the segmentation is still relevant to your company’s growing needs. This may be challenging, especially if you do not have an IT team of experts that is dedicated to network management. And if you use passwords instead of certificates for authentication, it further reduces the strength of your network.
SecureW2 has a great team of experts who bring to the table their rich experiences and an in-depth understanding of network architecture to design network security infrastructure solutions that are industry-leading. Our support team is the industry’s best and they are always available to help you keep your network secure. They kindly took time from their packed schedules to share some helpful tips on network segmentation.
Our onboarding solutions, JoinNow Cloud RADIUS and JoinNow MultiOS onboarding can help you streamline your network from the get-go. Our JoinNow Connector PKI can help you segment your network based on dynamic role assignments. Click here to find out about our pricing.