Peter, IT manager, and network segmentation - a practical example

This article is a brief introduction to network segmentation and is intended for beginners. If you are already at an advanced level and want to go deeper, continue with Part 2, our advanced article.

Peter is an IT administrator in a company. He needs access to the servers he manages: to solve technical problems, carry out installations and maintenance, and start and stop servers, he has to reach sensitive network services such as remote console access via Secure Shell (SSH) or the Remote Desktop Protocol (RDP).

Companies have often not implemented network segmentation

The next day, Peter has to change workplaces at short notice because renovation work is being carried out in his office. Grumbling, he takes his notebook and sits down in the cafeteria to at least write a few lines in the company handbook and answer some emails. A chat message from his colleague Birgit pops up: she is working from home today.

"Hello Peter, can you give me a hand? I've been kicked out of the session and need to restart the server so that it can install the updates."

Knowing full well that he can't help Birgit from the cafeteria, Peter starts typing a reply in the chat window and, as a joke, double-clicks the desktop icon for the RDP login: "Sorry Birgit, I'm in the cafeteria right now..."

Peter stops writing when he realizes that he has just successfully logged in to the server. But how can that be? Peter is in the cafeteria. This environment is not a safe place from which to administer highly sensitive servers holding the company's crown jewels: customer data, product descriptions, price lists, even his boss's payslips are on this server.

Why network segmentation is important

In the cafeteria, Peter is exposed not only to the prying eyes of employees from other departments, but also to those of external suppliers, visitors and, occasionally, industrial spies.

"That's not possible!" Peter remarks in astonishment and tries to log in to other servers as well. The Active Directory, where the employees' Windows login accounts are stored, can be reached, as can the payroll system database. Even the e-mail server holding the Management Board's messages is reachable over the network.
"And all via the WLAN from the cafeteria!"

All an attacker would now need in order to reach these servers is Peter's password. He could get it by shoulder surfing, or by running a network sniffer on the same segment and listening to the traffic. Sniffing only yields the credentials if Peter logs in over an unencrypted protocol such as RSH or telnet rather than an encrypted one such as SSH or RDP. Encryption does not remove the underlying problem, though: the administrative interfaces of the company's most sensitive servers are reachable from a segment that anybody in the building can join.

Unfortunately, scenarios like the one Peter experienced are not uncommon and pose a considerable threat to IT security. Even where the cafeteria WLAN is isolated and only permits web surfing, other unprotected areas such as the lobby or meeting rooms are often on the same network as the administrators. External parties then have de facto access to sensitive company systems and data, and the only thing they are missing is a valid set of credentials.

Network segmentation reduces risks

As the security officer in your company, you should therefore make sure that network segmentation is carried out. Segmentation ensures that a single weakness, such as an intercepted user password, cannot be turned into further damage as long as the attacker has no network path to the system on which that credential is valid.

Network segmentation is the division of networked components into separate subnets or VLANs. Devices in the same segment can communicate with each other directly, without any router or firewall in the path. Traffic between segments has to pass through a router or firewall, and the firewall decides whether a given connection is permitted. This gives you control over who is allowed to talk to whom, and over which protocol.

Best practices for network separation

There are a few best practices when it comes to network segmentation. For example, networks that external parties can join should be completely isolated from your company data. This means they should not be on the same network as employees, printers, telephones or servers.

Ordinary users who work with an e-mail program such as Microsoft Outlook do not need administrative access to the underlying mail server. That is reserved for administrators like Peter.

Separation of functions through network segmentation

And Peter, in turn, does not administer all of the company's servers. So he does not need access to all of them by any means, only to those that fall within his area of responsibility. This is the only way to establish a clear separation of duties and to keep Peter's omnipotence from going to his head at some point.

There are also network segments in which only servers or other backend components talk to each other. If a store system, for example, communicates with its database to retrieve product data and prices, nobody else has any business in that segment.

Proper network segmentation therefore also gives you a separation of duties: so that Peter can administer the online store, create a network segment containing Peter's admin PC and the store server.

For communication with the database, you put the online store and the database in a second network segment, and a third zone is added so that the online store can be used by visitors from the Internet.

In the end, the firewall decides who may talk to whom over which protocol. Peter connects to the store server via SSH, the store server reaches the database over its ODBC connection, and visitors from the Internet get to the store only via HTTPS. Every other connection between the segments is refused. (If you do not want the store server multi-homed into all three segments, the same three flows can be expressed as firewall rules between three zones, each holding one of the hosts; the effect is identical.)
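The following is an added example, not code from the original article, that models the three-segment store design above as a zone-based firewall policy: it evaluates whether a new connection is permitted (same segment: always; across segments: only if a rule exists) and renders the same policy as an nftables forward chain with a default drop. The zone names, the addressing, and the choice of TCP 1433 as the database port behind the store's ODBC connection are assumptions made for the example; the store server is placed in a single zone and the firewall carries its three flows.

```python
"""Zone-based segmentation policy for the three-segment store design.

Added example, not code from the original article. The zone names, the
addressing, and the choice of TCP 1433 as the database port behind the
store's ODBC connection are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Each zone is one subnet/VLAN (assumed addressing). The store server sits in
# a single zone and the firewall carries its three flows, instead of the server
# being multi-homed into three segments.
ZONES = {
    "admin":     ip_network("10.10.0.0/24"),     # Peter's admin PC
    "dmz":       ip_network("10.20.0.0/24"),     # online store server
    "backend":   ip_network("10.30.0.0/24"),     # database, AD, mail, file server
    "cafeteria": ip_network("192.168.50.0/24"),  # guest/visitor WLAN
    "internet":  ip_network("0.0.0.0/0"),        # everything not claimed above
}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    comment: str


# The only inter-zone connections the design needs; everything else is dropped.
RULES = [
    Rule("admin", "dmz", "tcp", 22, "Peter administers the store over SSH"),
    Rule("dmz", "backend", "tcp", 1433, "store reaches the database (ODBC over TCP 1433, assumed)"),
    Rule("internet", "dmz", "tcp", 443, "visitors use the store over HTTPS"),
]


def zone_of(ip: str) -> str:
    """Longest-prefix match, so 0.0.0.0/0 only catches addresses no other zone claims."""
    addr = ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Model the firewall's decision for a new connection."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # same segment: no firewall in the path, traffic flows freely
    return any(r.src == src and r.dst == dst and r.proto == proto and r.dport == dport
               for r in RULES)


def render_nftables() -> str:
    """Emit the same policy as an nftables forward chain with a default drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in RULES:
        # The 0.0.0.0/0 zone needs no source match; matching on it would be a no-op.
        match = "" if ZONES[r.src].prefixlen == 0 else f"ip saddr {ZONES[r.src]} "
        lines.append(f'    {match}ip daddr {ZONES[r.dst]} {r.proto} dport {r.dport} '
                     f'accept comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Peter's cafeteria RDP login from the story, plus the intended flows.
    checks = [
        ("192.168.50.23", "10.30.0.10", "tcp", 3389),  # cafeteria -> file server RDP
        ("10.10.0.5", "10.20.0.10", "tcp", 22),        # admin PC -> store SSH
        ("10.10.0.5", "10.30.0.10", "tcp", 1433),      # admin PC -> database directly
        ("203.0.113.7", "10.20.0.10", "tcp", 443),     # Internet -> store HTTPS
        ("203.0.113.7", "10.30.0.10", "tcp", 1433),    # Internet -> database
    ]
    for c in checks:
        print(f"{c[0]:>15} -> {c[1]}:{c[3]:<5} {'ALLOW' if is_allowed(*c) else 'DROP'}")
    print(render_nftables())
```

Note that Peter's admin PC cannot reach the database directly even though both the admin and the backend segments are "his": the only path to the database is from the store server, which is exactly the separation of duties the text describes. The rendered ruleset can be syntax-checked without loading it using `nft -c -f <file>`.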

Separate test environments from the production environment

You should also separate test environments from production environments. Things are tried out and performance tests are run on test systems, and if something goes wrong, for example a security vulnerability is introduced or the "wrong" system is tested by mistake, your testers can quickly bring the production system to a standstill.

Separate networks according to device type

Another way to separate networks is by device type. Why, for example, should IP phones be on the same network as a printer? Clean segmentation prevents someone from compromising an IP phone in a meeting room, pivoting through a second weak point to intercept print jobs, and walking off with them on a USB stick.

The most important separation: Demilitarized zone

Probably the most important separation in your network is the one between your internal company network and the outside world: set up a so-called DMZ as a buffer between your internal network and the public Internet. DMZ stands for "Demilitarized Zone" and is a network segment that is connected to both your internal company network and the public Internet via routers with firewall rules on each side. Servers that expose data to or retrieve data from the public Internet belong here. Typical examples include the web server with your company's public Internet presence, publicly accessible mail servers, or a proxy server for employee Internet access.

The demilitarized zone ensures that a potential attacker who hijacks one of your servers is not immediately inside the internal network, where he could communicate with your company's really sensitive systems. Breaking out of the demilitarized zone into the internal network is an additional hurdle for him. That hurdle only exists, however, if the rules from the DMZ towards the internal network are as narrow as the rules into it: a web server in the DMZ should be able to reach its database on one port and nothing else, otherwise the DMZ is a buffer in name only.

With these best practices you have put the communication rules of the individual devices in order and built a solid line of defense against attackers.

Network separation is not a panacea

But you should be aware of one thing: network segmentation is just one more line of defense in strengthening your technical IT security. Even if an attacker has no network access to a sensitive system, you should still protect, patch and harden that system. If one of your lines of defense is breached, for example because a firewall can be bypassed, the safety nets behind it must be able to absorb the failure.

So always combine network segmentation with at least regular system updates, hard-to-guess credentials and systems for detecting attacks. Segmentation helps detection, too: once guest segments are separated from server segments, every connection attempt from the cafeteria to an admin port has to cross the firewall, where it can be logged and alerted on.
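As an added example of pairing segmentation with detection, not code from the original article, the following parses firewall drop logs from a segment boundary and raises an alert when one source in a guest segment tries admin ports (SSH, telnet, RSH, RDP) on several servers, which is what Peter's experiment from the story would look like once the cafeteria WLAN is its own segment. The log lines are constructed in the Linux netfilter LOG format; the zone addressing, the "SEG-DROP" log prefix and the alert threshold are assumptions made for the example.

```python
"""Turn firewall drop logs from segment boundaries into an alert.

Added example, not code from the original article. The log lines below are
constructed in the Linux netfilter LOG format; zone addressing, the "SEG-DROP"
log prefix and the alert threshold are assumptions made for the example.
"""
import re
from ipaddress import ip_address, ip_network

# Segments that outsiders can join, and segments that hold servers (assumed).
GUEST_ZONES = {"cafeteria": ip_network("192.168.50.0/24"),
               "lobby": ip_network("192.168.51.0/24")}
SERVER_ZONES = {"dmz": ip_network("10.20.0.0/24"),
                "backend": ip_network("10.30.0.0/24")}

# Admin services from the article; none of them has any business coming from a guest segment.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 514: "rsh", 3389: "rdp"}

# Constructed sample: what the firewall logs once the cafeteria WLAN is its own
# segment and Peter (192.168.50.23) repeats his experiment. Same-segment traffic
# never reaches the firewall, so it never appears here.
SAMPLE_LOG = """\
Mar  3 12:01:44 fw1 kernel: SEG-DROP IN=wlan0 OUT=eth1 SRC=192.168.50.23 DST=10.30.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41001 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:01:52 fw1 kernel: SEG-DROP IN=wlan0 OUT=eth1 SRC=192.168.50.23 DST=10.30.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41002 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:02:05 fw1 kernel: SEG-DROP IN=wlan0 OUT=eth1 SRC=192.168.50.23 DST=10.30.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41003 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:02:19 fw1 kernel: SEG-DROP IN=wlan0 OUT=eth1 SRC=192.168.50.23 DST=10.30.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41004 DF PROTO=TCP SPT=51237 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:03:40 fw1 kernel: SEG-DROP IN=wlan0 OUT=eth1 SRC=192.168.50.77 DST=10.30.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41005 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:04:02 fw1 kernel: SEG-DROP IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=10.20.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9012 DF PROTO=TCP SPT=33333 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
""".splitlines()

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dport>\d+)"
)


def parse(line):
    """Extract (src, dst, proto, dport) from a netfilter LOG line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], m["proto"].lower(), int(m["dport"])


def zone_of(ip, zones):
    addr = ip_address(ip)
    return next((name for name, net in zones.items() if addr in net), None)


def admin_port_attempts(lines):
    """Map guest-segment source IP -> set of (dst, port) admin-port attempts at server segments."""
    attempts = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "tcp" or dport not in ADMIN_PORTS:
            continue  # SMB, HTTPS etc. are handled by other rules, not this one
        if zone_of(src, GUEST_ZONES) is None or zone_of(dst, SERVER_ZONES) is None:
            continue  # Internet-sourced attempts belong to a separate detection
        attempts.setdefault(src, set()).add((dst, dport))
    return attempts


def alerts(lines, threshold=3):
    """One alert per guest source that touched at least `threshold` distinct admin targets."""
    out = []
    for src, targets in admin_port_attempts(lines).items():
        if len(targets) >= threshold:
            out.append({
                "src": src,
                "zone": zone_of(src, GUEST_ZONES),
                "targets": sorted(targets),
                "services": sorted({ADMIN_PORTS[p] for _, p in targets}),
            })
    return sorted(out, key=lambda a: a["src"])


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(f"ALERT {a['src']} ({a['zone']}) tried {', '.join(a['services'])} "
              f"on {len(a['targets'])} servers: {a['targets']}")
```

The single source in the sample that triggers an alert is Peter's notebook: three distinct admin targets across the backend segment, while the SMB attempt (port 445) and the lone SSH attempt from a second cafeteria client stay below the radar of this particular rule. Without segmentation none of these connections would have crossed a firewall, and there would be nothing to log.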

Act now

Now it's up to you. Lay a solid foundation today for securing your crown jewels and data by separating sensitive network areas from public segments. Network segmentation is a first step towards greater IT security in your company and can often be implemented with the firewall systems you already have. As an experienced partner, we offer many years of expertise in the design of network topologies and firewall configuration and help you build a secure infrastructure in your company.

Investing in the segmentation of your networks is not only worthwhile for your good conscience: common IT security standards such as ISO/IEC 27001 also require the separation of networks (Annex A control "Segregation of networks", A.8.22 in the 2022 edition, A.13.1.3 in the 2013 edition). This step will not only give you solid IT security, but will also strengthen the trust of your customers.
