What is network security?
Network security can be adopted in a number of ways to protect your network, in different parts of the network. As every organisation needs to use the internet and digital services, it is important to set boundaries and to make sure that no malicious content can enter your network – especially if you have sensitive or classified information. It can be physical security, where the physical components of the network can only be accessed by those who need to access them. There is also technical network security, where the data and systems on the network are protected. Lastly, there is administrative security, which means that there are policies and processes for, for example, accessing the network.
When and why do you need network security?
If you work with sensitive information, network security is highly necessary. Network segmentation reduces the risk and limits the damage of a cyberattack. Without it, there is a risk that sensitive information can leak or be manipulated, and that malware and ransomware can spread uncontrollably and quickly. Attackers do not normally take the direct path to the target asset, for example company intellectual property or the SCADA system of an electricity-producing company. Instead, they worm their way in via weak points far out in the architecture, such as email or customer service, to reach their goal. State-funded attackers are also patient, prepared to work long-term and do everything in small steps, and are unfortunately often one step ahead. The harsh reality is that industrial control systems may have been attacked without anyone noticing.
However, it is neither practical nor economically justifiable to protect all information in the same way. To safeguard critical information, strict network segmentation must be applied with a combination of physical and logical separation.
Logical and physical separation
Where do you need physical separation? Critical information requires physical separation. Simply put, an isolated island is created without connection to the outside world. This minimises the risk area – the attacker has to sit at the computer containing the critical information. Physical separation is extremely effective, but to be practical in today’s world, controlled information exchange has to be possible without compromising isolation.
So, where is logical separation appropriate? Everywhere except where critical information is being protected. Office networks should use logical separation. Different parts of the business form their own zones – finance, marketing, sales, customer service, operational technology, etc. – each with different security requirements, such as Identity and Access Management (IAM). As an employee, you may only access what you need to do your job, i.e. the relevant documents, not the entire folder structure. Logical separation works like the inner walls of a fort, making it difficult for attackers to proceed within the systems and reach the entire IT environment.
How to implement network segmentation?
Segmenting an IT environment can be a very complex task, involving many different competencies, and can have a major impact on ongoing operations. The complexity depends on aspects such as how big the environment is, what the current situation looks like, the budget, what staff are available and the willingness of management.
Here are five steps that you can use as a starting point when you start planning your segmentation project:
1. Create a zone model
2. Define what should be segmented
3. Perform a security analysis of included systems
4. Arrange the systems according to the zone model
5. Implement, test and put into operation
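The five steps above can be made concrete as a small, checkable zone model. The following is an added example and not code from the original page or from Advenica: the zone names, protection levels, allowed flows and system inventory are all constructed, and the port numbers are assumed for illustration. It shows how steps 4 and 5 (arranging systems into zones, then testing) can be done as an allowlist check: every inter-zone flow that the model does not list is rejected, and the isolated zone never gets a network path in either direction.

```python
from dataclasses import dataclass

# Constructed zone model: protection level per zone, higher = more sensitive.
ZONE_LEVELS = {"internet": 0, "office": 1, "dmz": 2, "ot": 3, "critical": 4}

# Physically separated zone: no network path in or out, whatever the port.
ISOLATED_ZONES = {"critical"}

# Flows the zone model explicitly permits as (source_zone, destination_zone, tcp_port).
# The model is an allowlist: any inter-zone flow not listed here is denied.
ALLOWED_FLOWS = {
    ("office", "dmz", 443),   # office users reach the DMZ web front-end
    ("dmz", "ot", 4840),      # DMZ historian polls OT (port number assumed for the example)
    ("ot", "dmz", 514),       # OT syslog outbound only, e.g. through a data diode
}

# Constructed inventory (step 4): each system is placed in exactly one zone.
SYSTEMS = {
    "laptop-01": "office",
    "web-01": "dmz",
    "historian-01": "dmz",
    "plc-01": "ot",
    "safety-01": "critical",
}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def zone_of(system: str) -> str:
    """A system that has not been placed in a zone cannot be evaluated at all."""
    if system not in SYSTEMS:
        raise KeyError(f"{system} has not been placed in any zone")
    return SYSTEMS[system]


def check_flow(src: str, dst: str, port: int) -> Verdict:
    """Step 5 test: evaluate one proposed flow against the zone model."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return Verdict(True, f"intra-zone traffic inside {src_zone}")
    if src_zone in ISOLATED_ZONES or dst_zone in ISOLATED_ZONES:
        return Verdict(False, "isolated zone: no network flow in or out is permitted")
    if (src_zone, dst_zone, port) in ALLOWED_FLOWS:
        return Verdict(True, f"permitted by zone model: {src_zone}->{dst_zone}:{port}")
    return Verdict(False, f"no rule for {src_zone}->{dst_zone}:{port}; default deny")


def audit(proposed):
    """Return the proposed (src, dst, port) flows the model rejects, with reasons."""
    rejected = []
    for src, dst, port in proposed:
        verdict = check_flow(src, dst, port)
        if not verdict.allowed:
            rejected.append((src, dst, port, verdict.reason))
    return rejected


if __name__ == "__main__":
    # Constructed list of flows found during discovery (steps 2 and 3).
    discovered = [
        ("laptop-01", "web-01", 443),
        ("laptop-01", "plc-01", 502),
        ("historian-01", "plc-01", 4840),
        ("historian-01", "safety-01", 443),
    ]
    for item in audit(discovered):
        print("REJECT", item)
```

Running the audit over the flows discovered in the existing environment gives the list of connections that must be removed or redesigned before the new segmentation goes into operation; a system missing from the inventory fails loudly instead of silently defaulting to some zone.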
What are the benefits of zoning and network segmentation?
Zoning an IT system is done for both security and functional reasons. In general, the underlying driving force is to reduce the risk of various disturbances in the system. In terms of security, zoning is about gathering assets with the same type of protection needs concerning confidentiality, integrity, availability and access control. The higher the demands placed on the protection of a system, the higher the costs to build and maintain the system and its protection mechanisms, which means that for economic reasons one wants to minimise the size of systems with high protection demands.
This means that by using zoning, one should try to gather assets with an increased need for protection and separate these from assets with lower demands for protection. Segmentation means that you have separate zones for your assets, but most often you still allow some communication between these zones. In some slightly more extreme cases, isolation or "galvanic separation" may be relevant, and then no network-based communication between the zones is allowed.
IT/OT integration
An example of how you can separate your systems and networks via zoning, but still allow them to communicate securely, is IT/OT integration.
Historically, OT systems were often entirely standalone. However, the need to connect OT to other systems has grown with the digitalisation of society. IT and OT are therefore connected, and similar technology is often used in IT and OT. The different needs in IT and OT can easily lead to challenging technical conflicts.
Physical separation of IT and OT using zoning
Placing IT and OT in separate segments helps avoid vulnerabilities or disruptions in IT affecting OT. To avoid risks resulting from mistakes in configuration or function, physical segmentation (zoning) should be used. This means that separate hardware is used for IT and OT.
Use data diodes in the zone border for outbound data flows from OT
The most secure way to connect an integrity-sensitive data network to other systems is to use data diodes. All data flows from OT that can be managed with data diodes involve a simplified security analysis, quite simply because a data diode is so secure and easy to analyse. Or, more correctly, because it has such high assurance.
Information allowlisting in the zone border
For data flows for which data diodes are not suitable, you can instead use systems that secure the information flow, such as ZoneGuard. To avoid malicious code intruding and affecting the process, it is important to have strict separation between, and monitoring of, all data flows across the zone border. The most secure method is to have strict control over the information that is permitted to cross the zone border. For example, by not allowing transport protocols to pass the zone border, you entirely avoid many of the risks that you might otherwise face.
Different types of network security
There are many ways to protect your network, but here are a handful.
VPN encryptors
Sometimes it is necessary to communicate over the Internet, but the sensitivity of the information can prevent you from sending it openly to the recipient. The solution is to use a VPN (Virtual Private Network) encryptor. VPN encryptors can be used to protect your network while connected to the Internet, by creating secure and private tunnels between a device and a network, or between two networks. In this way, you can be connected to the Internet, but the information you send to other units within the private network is encrypted and sent securely through the tunnels, resulting in traffic that cannot be read by anyone outside of your private network. You are thereby protecting your network by protecting how the information flows between units or networks.
Many encryption solutions are mainly software-based, like the solutions used for remote work. These solutions are simple to use and not so expensive but are not made for information at the highest security level. Purely software-based solutions are simply not enough for providing top-level security due to vulnerabilities to advanced attacks, but they can be enough for other use cases.
Hardware-based encryption solutions are more expensive and can be a bit more complicated to handle, but if you have sensitive information or information that needs stronger protection – which makes security the highest priority – hardware solutions should be your choice.
Firewalls
A firewall protects your network by only allowing certain traffic to enter or exit. It monitors and filters traffic based on rule setups.
With a firewall, it is difficult to know exactly what information is being exported from or imported into the system. A firewall configuration often becomes complex, which increases the risk of misconfiguration. Firewalls also do not separate administration and data flow in a way that protects the information from insiders. Organisations that have sensitive information and that operate in critical infrastructure, the public sector or the defence industry need their networks to keep a higher level of security. That is why more solutions than a firewall are often needed.
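One way to see how a growing rule set turns into a misconfiguration is to evaluate packets against it and lint it for rules that can never fire. The following is an added example, not code from the original page or from any firewall product: the rule set, addresses and packets are constructed, and the first-match, default-deny semantics are an assumption that matches many but not all firewalls. The lint reports rules that are fully covered by an earlier rule, so a deny placed after a broad allow is flagged before it lets unwanted traffic through.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR, e.g. "10.0.0.0/8"
    dst: str               # CIDR
    port: Optional[int]    # None means any destination port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and (rule.port is None or rule.port == port))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, the packet is denied (assumed default)."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action, rule.name
    return "deny", "default"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and (outer.port is None or outer.port == inner.port))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule already covers them."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(covers(earlier, later) for earlier in rules[:i]):
            shadowed.append(later.name)
    return shadowed


# Constructed rule set. The second rule is broader than intended and hides the third.
RULES = [
    Rule("allow-office-to-dmz-web", "allow", "10.10.0.0/16", "10.20.0.0/24", 443),
    Rule("allow-any-to-dmz", "allow", "0.0.0.0/0", "10.20.0.0/24", None),
    Rule("deny-internet-to-dmz-admin", "deny", "0.0.0.0/0", "10.20.0.0/24", 22),
    Rule("deny-all-to-ot", "deny", "0.0.0.0/0", "10.30.0.0/24", None),
]


if __name__ == "__main__":
    # Constructed packet: an outside address reaching the DMZ admin port.
    print(evaluate(RULES, "198.51.100.7", "10.20.0.5", 22))   # allowed by the broad rule
    print(shadowed_rules(RULES))                               # the deny that never fires
```

The lint is deliberately conservative: it flags only full coverage, so partial overlaps still need a human review, but even this simple check catches the ordering mistake that the evaluation above demonstrates.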
Data diodes
A data diode is a cybersecurity solution that ensures unidirectional information exchange. This high-assurance hardware device maintains both network integrity, by preventing intrusion, and network confidentiality, by protecting the most security-sensitive information.
Data diodes are the failsafe way to protect sensitive systems and confidential data. Data diodes are small hardware devices, also called “unidirectional security gateways”, which sit between two networks. Working like a check valve, the function of a data diode is to allow all data to pass in the forward direction, while blocking all data in the reverse direction. And as it is not software, it cannot be directly attacked by malicious code, which results in high assurance.
Security Gateways
A security gateway is a device that controls the information exchange that takes place between different security domains.
If you have security-sensitive or even classified information, you may need a solution that offers secure and filtered bidirectional communication. In this case, you need to ensure secure bidirectional communication and be sure that nothing malicious enters your sensitive networks, and that sensitive information and data do not leak to a less sensitive and less protected network.
The purpose is to apply strict information-level control during information transfers and mitigate cybersecurity threats such as manipulation, data leakage and intrusion. A security gateway only forwards received information when it complies with its policy, which is derived from your organisation's information security policy. The policy implemented in the security gateway defines accepted structures, formats, types, values and even digital signatures. When a message is sent from one security domain to another across a security gateway, the information in the message is analysed according to the configured policy. Approved parts of the received message are put into a new message, which is sent to the intended receiver in the other domain. In this way, you know that only allowed information crosses this boundary.
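The information allowlisting described in the IT/OT section and the policy-driven message rebuild described here are the same mechanism, so one added example serves both. This is illustrative code, not the original page's and not ZoneGuard's implementation: the policy, field names, signing key and messages are constructed, JSON stands in for whatever message format the domains actually use, and an HMAC over the payload stands in for the digital signature the text mentions. The gateway checks structure, types, values and the signature, then builds a brand-new message containing only the approved fields; anything unknown or out of range is dropped and the reason is recorded.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed policy: only these fields, with these types and value limits, may cross
# the zone border from OT to IT. Anything not listed is never forwarded.
POLICY = {
    "sensor_id": {"type": str, "check": lambda v: 0 < len(v) <= 16 and v.isalnum()},
    "temperature_c": {"type": (int, float), "min": -50.0, "max": 150.0},
    "status": {"type": str, "allowed": {"ok", "warning", "alarm"}},
}
REQUIRED = {"sensor_id", "temperature_c"}
SIGNING_KEY = b"constructed-demo-key"   # assumed to be shared with the sending domain


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict) -> str:
    """HMAC-SHA256 over the canonical payload; stands in for a real digital signature."""
    return hmac.new(SIGNING_KEY, _canonical(payload), hashlib.sha256).hexdigest()


def make_message(payload: dict) -> str:
    """What the sending domain emits (constructed helper for the example)."""
    return json.dumps({"payload": payload, "signature": sign(payload)})


def _field_ok(name: str, value) -> bool:
    spec = POLICY[name]
    if isinstance(value, bool) or not isinstance(value, spec["type"]):
        return False                      # bool is an int in Python; reject it explicitly
    if "allowed" in spec and value not in spec["allowed"]:
        return False
    if "check" in spec and not spec["check"](value):
        return False
    if "min" in spec and not (spec["min"] <= value <= spec["max"]):
        return False
    return True


def filter_message(raw: str) -> Tuple[Optional[dict], List[str]]:
    """Return (new message to forward, or None if rejected) and the list of reasons."""
    reasons: List[str] = []
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return None, ["rejected: not well-formed JSON"]
    if not isinstance(msg, dict) or not isinstance(msg.get("payload"), dict):
        return None, ["rejected: unexpected message structure"]
    payload, sig = msg["payload"], str(msg.get("signature", ""))
    if not hmac.compare_digest(sign(payload).encode(), sig.encode()):
        return None, ["rejected: signature check failed"]
    clean = {}
    for name, value in payload.items():
        if name not in POLICY:
            reasons.append(f"dropped unknown field {name!r}")
        elif not _field_ok(name, value):
            reasons.append(f"dropped {name!r}: value violates policy")
        else:
            clean[name] = value
    missing = REQUIRED - clean.keys()
    if missing:
        return None, reasons + [f"rejected: missing required field(s) {sorted(missing)}"]
    # Only approved values go into a freshly built message; no bytes of the original are reused.
    return {"payload": clean}, reasons


if __name__ == "__main__":
    good = make_message({"sensor_id": "tank7", "temperature_c": 71.5, "status": "ok"})
    print(filter_message(good))
    noisy = make_message({"sensor_id": "tank7", "temperature_c": 71.5,
                          "operator_comment": "free text is not allowed across the border"})
    print(filter_message(noisy))
```

Note that the forwarded message is rebuilt from the allowed fields only, so a sender cannot smuggle data in an unexpected field, and a value outside the policy range removes that field rather than being passed through.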
Advenica's solution for this is ZoneGuard.
Security culture
No matter how securely you build your network, you must make sure that your staff have a good security culture. People are the biggest risk a company has, and mistakes are bound to be made. But with a good security culture, the risk decreases.
In a good security culture, everyone is aware of the risks and has both the knowledge and the will to contribute to reducing them through their actions. Security thinking is a natural part of the business. In other words, the security culture has a great influence on how people work and prioritise, and in different ways creates the conditions for employees to work securely. Another thing that characterises a good security culture in a workplace is that management prioritises and handles security issues at all levels of the business, and that these issues are part of the culture.
Some simple concrete steps that everyone can follow are the following:
- If you have something of value at home or in the workplace, you lock it up, have an alarm and keep track of who is allowed in. Do the same with digital information.
- Do not use the same password for everything, and preferably use two-factor authentication where possible.
- Use good passwords and never give a password to anyone else.
- Avoid browsing on public Wi-Fi networks, where security is not the best.
- Do not click on links in suspected phishing emails, and report to the IT department as soon as you suspect you have been subjected to a phishing attempt.
- Hold regular refresher sessions where you talk about security, remind yourselves which security policies exist, and go through their contents.
- Keep devices updated, i.e. install all updates; they contain security fixes, which you should of course be aware of.