Network Segmentation Design

VLANs (Virtual LANs) are a logical grouping of devices in the same broadcast domain. VLANs are usually configured on switches by placing some interfaces into one broadcast domain and some interfaces into another. A VLAN can eliminate the need for expensive routers and isolate sensitive company data. In such cases, placing only those users who can have access to that data on a VLAN can reduce the chances of an outsider breaching security. Utilizing Network Segmentation best practices, you minimize the level of access to sensitive information for those applications, servers, and people who don’t need it, while enabling access and network benefits for those that do. 

 

Learn how a VLAN can protect data

Learn how to protect
critical systems

 
topology_without_vlan.jpg

At a minimum, split networks into the following: 

The Production Network, which will host critical systems like file servers, SQL databases, backups, and workstations.

A second network that houses all other systems, including those that run your business such as temperature controls, QA Systems, processing controls, and labeling systems.  This is often called a SCADA network.  Ideally, an organization will have a separate SCADA VLAN for each type of SCADA systems.  This protects a refrigeration system from being taken down by a compromised vending machine.

Ideally, organizations add many more VLANs to further segment traffic.  For example, PCs can be moved to their own VLAN.  In fact, an organization should look at segmenting as much as possible to protect the systems from each other.

topology_with_vlan.jpg

IoT Security Issues and Threats

IoT creates many new security-related complications. IT administrators must now manage an increasing variety of IoT devices – some of these systems are unable to receive patches and other basic security measures. One of the most effective countermeasures to the vast spectrum of IoT threats is network segmentation, a division of a network into subnets with access control lists (ACLS) that limit the traffic flow as much as possible.

A segmented network should be created specifically for any Industrial Internet of Things (IIoT) devices such as those used to monitor, collect, process, and transmit data from a variety of intelligent sensors, devices, or machines. This assures protecting both the internal networks and the IIOT devices that are critical to the business.

Network Segmentation Advantages

Running traditional flat networks is based on an outdated assumption that everything inside the network should be trusted. By segmenting a network and applying appropriate controls, we can break a network into a multi-layer structure that hinders threat agents and restricts their movement across the network. This provides several benefits including:

  • A division of server systems, for example, protects against threat actors easily pivoting from one compromised system to a mission critical server.

  • Segmentation aids compliance by separating zones that contain data with similar requirements while ensuring that systems holding sensitive data are kept isolated.

  • The Cybersecurity Assessment tools from both the FFIEC and NIST recommend network segmentation as a mature control. Eventually, we feel network segmentation will be a requirement, especially in regulated industries.

The more you segment a network the more secure that network will be. A key challenge is avoiding under or over segmentation and maintaining the segmentation integrity over time. Segmenting dynamic environments using traditional methods of firewalls and routing can be very technically challenging but without proper configuration and network segmentation design, one infected system can corrupt the entire network and possibly shut down your business. 

Need more information on VLANs or a Security Assessment of your network?
Let ZAG help you.

Talk to one of our Technology Strategists, so we can understand your business needs and goals. 

Name *
Name