Network segmentation and separation

When paired together, segmentation and separation can add an additional level of access control and security to your network, systems, and data.

A network can be physically and virtually sliced-and-diced into separate bits in order to add more granular levels of security controls. Segmentation means breaking down your organisation’s network into smaller networks. Separation means using different types of access controls to allow connections across those smaller networks.

Without network segmentation and separation, an attacker could move to other devices on your network without being stopped by access controls or security policies. An accidental malicious download by a user could result in a widespread network incident. The most impactful ransomware attacks that CERT NZ sees are caused by inadequate or missing network segmentation.

Purpose

The intent of this control is for organisations to segment their network into smaller, manageable networks based on security risk. Access controls are used to separate access between those smaller networks, and are restricted to only the access required.

Measuring success

There are multiple different ways to configure your network. Regardless of your design, the goals of this control are:

  • All sensitive devices are separated from other devices and are kept in segmented networks.
  • All sensitive networks are separated from untrusted or low-trust networks.
  • All network devices deny traffic by default.
  • All networks have rules to only allow ports and protocols that are required for the devices in that network to operate.
  • All network devices are hardened and maintained.
  • All user access to the organisation’s network requires authentication.
  • Logs are recorded and stored in a central location to capture:
    1. security and authentication configuration changes in the network devices or their rules, and
    2. suspicious network traffic or authentication attempts.

Key network segmentation takeaways

  • It can take a lot of time to re-design and segment your current network. Start small with high risk areas, like devices that have sensitive data or devices that control critical administrative functions. This will help reduce the impact of a successful attack on your network.
  • Network segmentation relies on the implementation of other critical controls, like the principle of least privilege and disabling unused ports and services. The other critical controls should be considered alongside this one when you are looking to design a segmented and separated network.
  • Network separation only works if network traffic is blocked by default and only allowed to pass if it is explicitly allowed. This means you should only add network rules and open ports for connections that are necessary.

Advice for implementation

Architecting network segmentation