Network segmentation: It’s time to break up your network

Breaking up your computer network, or more technically called network segmentation, can help improve the speed and efficiency of your network, allow for easier management of your network, and greatly increase the security and risk posture of your organization. Be careful though because if not managed properly, breaking up your network can inadvertently introduce security risks.

Segmenting a computer network is extremely common in business environments. This technique has many advantages, a lot of which are more behind the scenes from a network, security, and risk management perspective. But what would these advantages be without the obligatory disadvantages? I won’t go into how to segment your network, as that’s a much more involved conversation. But I do hope that by the end of this post, if you’re not segmenting your network, you start thinking about it.

Computer network basics

First off, what is a computer network? At a very basic level, it’s the communication infrastructure for your environment. That infrastructure allows devices to communicate with one another and the sharing of resources. Using your home as an example, if you have a printer and people in your household can all print from it, that’s an example of devices talking to each other on the same network, sharing a networked resource (the printer). All of your devices and data are usually on a network (or networks). The Internet you have at home? Yep, that’s your home network, which you very likely have a wireless network and, even if you don’t use it, a wired network.

A business environment is no different. A business will generally have both wired and wireless networks just like you do at home. One of the most significant differences though in the business environment is the corporate network is usually multiple networks. Much like one physical computer can be made into many logical computers (using virtualization), one network can be made into smaller networks. This is generally accomplished via methods such as virtual local area networks (VLANs) and subnetting.

What network gear do I need to segment the network?

Before you start creating VLANs and subnets, you need to first understand what you’re trying to accomplish. For example your home network. Maybe you want three “networks”. One network for your personal phone and computer, one network for your guests or visitors, and one network that includes your printer and Internet of Things (IoT) devices, such as a smart TV, smart thermostat, or that fancy new refrigerator that connects to the Internet.

To accomplish creating these three networks, instead of paying your Internet service provider (ISP) for three different networks, you can log into your router or managed switch and you can “split” the network into three networks. At home, you may have an all-in-one device that includes both the modem and router. And unless you’ve had a specific need for one, you probably don’t have a managed switch. Some of these concepts you may not be able to practice at home because you don’t have the appropriate network gear but managed switches can be bought fairly cheap online if you want to experiment.

Since the focus for this post is the segmenting of a network in a business environment, I’ll bring the conversation back to that but I wanted you to know you can also practice network segmentation at home, even if only on a smaller scale. A business environment will likely have, should have, a business grade or small office/home office (SOHO) switch that will be sufficient to create VLANs and subnets.

You said something about faster Internet, right?

Well, not really faster Internet. Your download and upload speeds from your ISP are what they are. With that said, various factors play a role, such as how you have architected your network, but you may be able to segment network intensive traffic, e.g. video calls that eat up a lot of bandwidth, into its own network or route it more efficiently on the same network using Quality of Service (QoS) settings. You may also be able to take advantage of QoS to increase, or reduce, network traffic priority to certain devices.

Going back to the home network scenario, think of living with family or roommates and someone on the network is gaming over the Internet or streaming 4K movies and eating up a lot of the network bandwidth. This generally impacts the other family members or roommates as they are able to share less of the overall bandwidth. Well a tech savvy user of that network could segment the home network or alter the QoS for that individual eating up a lot of the bandwidth and reduce the priority of network traffic for that device, thus providing a more fair share of bandwidth to all other individuals in the house.

This easily translates to a business environment in which, say the marketing department, needs to send and receive a lot of high quality media. The marketing department can have their own segmented network and share a defined set of bandwidth amongst themselves, thus making available more bandwidth for the rest of the employees. These are just some examples of implementing a smart network topology that fits the needs of the business, and can save on the bottom line since the business would not have to increase the budget to pay for faster Internet speed.

And you’re saying this is more secure?

If the networks are correctly segmented, configured, and managed, absolutely it can be more secure and network segmentation is generally the primary way to design and build a secure network in a business environment. This is why often times a business will have a corporate network and a guest network. The corporate network is then further divided into multiple networks such as wired, wireless, printers and scanners, or an older server running an old operating system version that can’t be replaced because it’s a critical part of business operations.

Now you may be asking yourself “how does network segmentation make the network more secure?” Using the example of an older server running an older version of Windows, if that device is assigned its own network, a network engineer or system administrator can create various firewall rules and policies and endpoint management policies to greatly reduce any network communication to or from that particular older server. If implemented properly, the risk is greatly reduced of having an older Windows operating system on an older server on your present day network.

Time for the disadvantages

As I’m big into analogies, think of having only one vehicle for all your needs: commuting to work, getting groceries, transporting the family around town, off-roading, and mudding. The advantage is you only have to maintain that one vehicle: one date or defined mileage to change the oil, when to replace one air filter, when to rotate one set of tires. While it’s easier to maintain only that one vehicle, you generally don’t want to be taking the family vehicle out rock crawling. So you make the decision to buy another vehicle for your recreational activities. Great! Problem is, you now have two vehicles. And while each vehicle is much better at accomplishing its intended tasks, that means you have two sets of oil change dates, two different types of air filters you have to buy, two different sets of tire pressure values, so on and so forth. As you can see, this can quickly escalate when it comes to properly maintaining both vehicles.

This is no different when you’ve segmented your network. Depending on the size of the organization, it’s not uncommon for a business environment to have dozens of different networks. And THIS is when and why organizations get themselves into trouble. Each network has to be maintained and periodically checked for proper configuration, security and compliance. An organization only has to miss a single, seemingly insignificant, detail in order for a bad actor to take advantage of a misconfigured, or improperly configured network. If your network engineer or system administrator forgets that one little detail on one of the networks then BAM…that is the “in” for the hacker or bad actor. Now an unauthorized individual is inside your network, more often than not for months before someone realizes it.

Breaking up can be a good thing

Organizations have anywhere from hundreds to literally hundreds of thousands of vulnerabilities at any given moment. A lot of these vulnerabilities are exactly what a bad actor takes advantage of to embed themselves in a network for months before their activity is noticed. Networks, and the devices on those networks, need constant care, maintenance, and monitoring. Each network, segmented or not, needs to be continuously scanned for suspicious activity, vulnerabilities, or misconfigurations that may inadvertently expose the network to risks, both externally and internally.

While a lot of organizations can’t afford 24/7 monitoring, they must do the best they can with the resources at hand. Proper configuration of your alerting and monitoring tools can help immensely when paired with an analyst or engineer that understands how to review the data and alerts. This too, though, requires its own constant review and human capital. And this is just part of the reason why defending a network is so complicated for organizations, small and large.

Even multinational organizations that spend millions of dollars per year on information security, given enough time, will fail at protecting information and resources.

OTH Consulting

Technology Risk Management. Simplified.