An important part of improving your cybersecurity is working with network segmentation. Network segmentation in computer networks involves dividing a network into smaller networks (also called zones or domains) and then imposing strict controls on network traffic between the zones. The advantages of such division are primarily to improve security but also performance. In this blog post, we go through a few different ways to use network segmentation!
Why is network segmentation needed?
Network segmentation in data networks means dividing a data network into subnetworks, where each is a network segment. The benefits of such splitting are mainly to improve security and performance. Without segmentation, there is a risk that sensitive information can be leaked or manipulated, and that malware and ransomware can spread unchecked and quickly. Attackers do not need to go directly towards the target, for example the electricity distribution. Instead, they nestle in via weak points far out in the architecture, via email or customer service, as a way to reach the goal. State-supported attackers are also patient, prepared to work long-term, do everything in small steps and, unfortunately, are often one step ahead. The stark reality is that the company’s management and control systems can be already be attacked without being noticed, yet.
Different kinds of network segmentation
1. Physical separation (independent computers)
A stand-alone computer is a computer that is not connected to any network or equivalent. The stand-alone computer must never be connected to any communication with networks or the like. The stand-alone computer’s ability to communicate with other active or passive equipment must always be switched off (for example wifi, bluetooth and airdrop). Exceptions apply to locally connected devices such as printers via USB cable.
The stand-alone computer can basically consist of any computer with both standard operating systems and software, but which has been configured (hardened) based on the requirements and needs identified to achieve the security protection that the information requires.
Where is physical separation important?
The absolute most protection-worthy information requires physical separation. In simple terms, it is about creating an isolated island with no connection to the outside world. This minimises the risk surface – the attacker must sit at the very computer that contains the information worth protecting. Physical separation is extremely effective, but for it to work practically in today’s world, a controlled exchange of information must be enabled without sacrificing isolation. With certified solutions that meet military standards, you can achieve both functionality and security.
2. Airgap (isolated networks)
Some very strict environments require the zones to be completely separated with air gap, which means there is no physical connection between the zones.
Airgap, airwall, airgapping, or isolated network is a network security measure used on one or more computers to ensure that a secure computer network is physically isolated from other networks, such as the public Internet or an insecure local area network. This means that a network has no network interfaces connected to other networks. It is thus isolated from other systems connected to unsecured networks.
The only way to transfer data to and from an airgapped system is via portable media – sometimes called a “walknet”. Practically, this is done by people, which means you become dependent on well-trained staff who would probably rather be working on other more qualified and stimulating tasks. But even well-trained personnel with a high security awareness can unfortunately also make mistakes or take shortcuts, which despite all security measures exposes the systems to risks, e.g. that you get malware into your system.
Data diodes as an alternative to physical separation and airgap
A data diode is a cybersecurity solution that ensures a one-way flow of information. This hardware product, with its high assurance, maintains both the integrity of the network by preventing intrusion and the confidentiality of the network by protecting the most sensitive information. Thanks to its high level of assurance, a data diode protects the assets of actors operating, e.g. in critical infrastructure, ICS/SCADA and the defence industry. Digitalisation and the increase in sophisticated cyberattacks means that every organisation that works with sensitive information needs a data diode to be able to protect its valuable information and to be able to exchange data in a secure way.
A data diode is placed between two networks and acts as a check valve whose function only allows data to be sent in one direction while blocking all data in the opposite direction. Since the security is not based on software, there are no vulnerabilities in the form of software bugs, nor can it be attacked by malicious code. Hardware-based security means that you can be sure that correctly designed data diodes meet their security requirements with a high degree of assurance.
A hardware-based data diode is to be equated with airgap in the reverse direction, which means that if you have requirements for airgap separation, it can actually be fulfilled (in the reverse direction) by a data diode, but at the same time enable a network connection in the forward direction.
3. Logical separation
Logical separation is a way of dividing your network into different zones, but allowing different zones to be co-allocated on the same hardware or network. The separation consists of software logic that determines when, where and how machines and applications are allowed to communicate with each other – less obvious and with lower assurance of the strength of the separation mechanism than physical separation or air gap.
Where is logical separation appropriate?
Logical separation complements physical or air gap separation well. In the end, it is about balancing communication needs, administration and security.
Another important area where logical separation (or even physical separation) is commonly used is to separate administrative tasks and functions from common user-related tasks and functions, that is, building somehow isolated administration networks. Logical separation acts like the inner walls of a fort, making it difficult for attackers to continue within the systems and access the entire IT environment. Securing logical units is achieved with products that reduce the exposed risk surface and thereby limit the impact of cyberattacks.
Advantages of using logical separation
Logical separation allows you to reuse the same hardware infrastructure (i.e. cables, switches, routers, etc.) for different zones. Information stored in the various zones is still only available in that zone, meaning that only the people who need the information can access it. Provided that the logic is without vulnerabilities and correctly configured.
However, when high assurance is required, you should not mix traffic from different security zones with the same hardware or cables. To achieve really high security, you need to use different hardware for the different zones. However, you can usually connect these zones with dedicated cross domain security products, such as data diodes and guards. In this way, information exchange can take place with a high degree of control over the zone boundaries. There are several different solutions you can use for either one-way communication or two-way communication – or both.
How do I implement network segmentation?
Segmenting an IT environment can be a very complex task that encompasses many different skills and can have a major impact on ongoing operations. The complexity depends on things like how big the environment is, what the current situation looks like, budget, which personnel are available and the will of the management.
Below are five steps that you can take as a starting point when you start planning your segmentation project:
- Create a zone model
- Define what to segment
- Make a security analysis of the system involved
- Partition the systems according to the zone model
- Implement, test and deploy
Keep in mind that it is easiest to make this type of change when building a new or supplementing an existing network!
Read more in our guide – 5 steps to network segmentation!
If you need more help with your work with network segmentation, please contact us!
