Remember the speed-dating craze? Do you recall how it was not only ideal for encouraging fast connections, but also rapid-fire information exchange? Or how it was terrible for preventing viruses and sickness from spreading to everyone? Well, guess what? Your flat network, without any boundaries, behaves in the exact same way!
Hopefully, you’ve read our helpful tips and tricks for spotting tainted emails in the previous topics, and what to do when havoc breaks loose. You have written them down, and keep them under your pillow at night. Majestically standing on your front porch each morning as the sun rises, you recite them aloud, again and again. You reflect on them, as you sip your steamy hot beverage. Security awareness is your life now-
-We’re just kidding! Back to reality: You are human, and make mistakes like the rest of us.
The next topic in this series is about how you can create boundaries using Network Segmentation. This tool should limit the mobility of malware and attackers alike after someone makes that mistake, and the threat is inside your network.
Disclaimer: This task can be exactly as complicated as it sounds, depending on the size of your network. Entire careers have been spent focusing on designing efficient-yet-secure enterprise networks.
However, the same best practices can apply to a network of almost any size.
We’ll discuss how attackers leverage a flat network to survey and move around. Then, we’ll discuss the concepts and importance of internal network defense.
Open Work Space
Attackers and malicious code take advantage of networking protocols that merely identify devices rather than authenticate them.
For example, say a computer needs to communicate with another computer on the same network that it doesn’t know. It first sends out an Address Resolution Protocol (ARP) broadcast to determine the Media Access Control (MAC) address of the device associated with the destination Internet Protocol (IP) address.
This situation would be like meeting someone on a blind date at a huge and busy restaurant. You know each other’s name, but don’t know what he or she looks like until you yell “Ross!” or “Rachel!”, and see who responds.
Imagine a network in which every asset (computers, servers, printers, cameras, etc.) belongs to the same sub-network. One big family of computers, with your valuable data, all sitting around the same table.
Unfortunately, ARP is an unauthenticated broadcast heard by every device in the sub-network, which makes surveying this network’s attack surface and gaining access to it quite easy.
“How?” you ask; because all of these computers are equally visible from any spot on the network. There are no boundaries.
It turns out in our dating scenario that “Ross” could be horrible for “Rachel,” or maybe it’s “Brian” pretending to be “Ross” in his stead. In either case, you probably don’t want “Rachel” to be so accessible. How could we keep “Ross” and others from violating “Rachel’s” boundaries?
Creating Boundaries Through Network Segmentation
In most business networks, each computer doesn’t need to communicate with every other asset. At your average company, HR workstations would not need contact with Inventory databases. Additionally, back-office printers would not need to exchange data with Point of Sale machines.
Segmenting networks into VLANs (Virtual Local Area Networks) and associated sub-networks is a means of creating boundaries between assets.
You can group these by various business functions, and even further group them by services those assets provide. Businesses should configure some zones to communicate with one another while denying others, driven by business needs.
Enforcing these groupings requires effective Access Control Lists (ACLs) and firewall appliances that regulate traffic between VLANs. Each network segment then becomes a security zone.
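To make the contrast between the flat network described above (one sub-network, one ARP broadcast domain) and the segmented one concrete, here is a small added example in Python; it is not code from the original post. The asset inventory, zone names, addresses and the ports in the policy are all constructed for illustration. It groups hosts by the sub-network they share (everyone in a group sees everyone else’s ARP broadcasts) and then applies a default-deny inter-zone policy to show how many hosts a single compromised workstation can still reach in each layout.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory for a small business: name, zone, IP address with prefix.
# The same hosts appear twice: once in a single flat /24, once with one
# VLAN/sub-network per business function.
FLAT_ASSETS = [
    ("hr-pc1",       "flat", "10.0.0.11/24"),
    ("hr-pc2",       "flat", "10.0.0.12/24"),
    ("hr-portal",    "flat", "10.0.0.30/24"),
    ("inventory-db", "flat", "10.0.0.50/24"),
    ("pos-1",        "flat", "10.0.0.70/24"),
    ("printer-1",    "flat", "10.0.0.90/24"),
]

SEGMENTED_ASSETS = [
    ("hr-pc1",       "hr",         "10.10.0.11/24"),
    ("hr-pc2",       "hr",         "10.10.0.12/24"),
    ("hr-portal",    "apps",       "10.50.0.30/24"),
    ("inventory-db", "inventory",  "10.20.0.50/24"),
    ("pos-1",        "pos",        "10.30.0.70/24"),
    ("printer-1",    "backoffice", "10.40.0.90/24"),
]

# Inter-zone ACL driven by business need; anything not listed is denied.
# Entries are (source zone, destination zone, TCP port). Ports are assumptions.
POLICY = {
    ("hr",  "apps",      443),   # HR workstations use the HR web portal
    ("pos", "inventory", 5432),  # point-of-sale terminals query the inventory DB
}


def broadcast_domains(assets):
    """Group assets by IP network. Hosts in the same group receive each
    other's ARP broadcasts and can enumerate one another unauthenticated."""
    domains = defaultdict(list)
    for name, _zone, cidr in assets:
        domains[ipaddress.ip_interface(cidr).network].append(name)
    return {str(net): sorted(names) for net, names in domains.items()}


def is_allowed(src_zone, dst_zone, port):
    """Does the segmentation policy permit this flow?"""
    if src_zone == dst_zone:
        return True  # same VLAN: no ACL or firewall sits in the path
    return (src_zone, dst_zone, port) in POLICY  # cross-zone: default deny


def reachable_from(src_name, assets, port):
    """Assets a compromised host could reach on the given port: the
    'blast radius' that segmentation is meant to keep small."""
    zone_of = {name: zone for name, zone, _cidr in assets}
    src_zone = zone_of[src_name]
    return {name for name, zone in zone_of.items()
            if name != src_name and is_allowed(src_zone, zone, port)}


if __name__ == "__main__":
    for label, assets in (("flat", FLAT_ASSETS), ("segmented", SEGMENTED_ASSETS)):
        print(f"{label}: broadcast domains = {broadcast_domains(assets)}")
        for port in (445, 443):
            hosts = sorted(reachable_from("hr-pc1", assets, port))
            print(f"  hr-pc1 -> port {port}: {hosts}")
```

In the flat layout every host shares one broadcast domain and one zone, so a compromised HR workstation can reach all five other assets on any port. In the segmented layout the same workstation reaches only its HR neighbour, plus the HR portal on the one port the business actually needs; the inventory database, the point-of-sale terminal and the printer are simply not on the list.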
Imagine Romeo is creeping on the club dance floor, and he spots Juliet. She enters and enjoys the VIP space as she hangs out with Rachel. Romeo tries to walk into the VIP zone, but the bouncer denies him. He’s not on the list; Juliet’s beyond the boundaries for Romeo, and content in her segment of the club. Does your network deserve anything less secure than that?
Avoid Courting Disaster
Network Segmentation is not a catch-all, and by no means will it keep a determined hacker from compromising your system.
However, these tools are intended to provide additional boundaries, and a layer of defense to hinder attackers and slow their progress. You have a much greater chance to intervene and prevent further damage to your network with proper activity monitoring in place.