Network segmentation

Network segmentation in computer networking is the act or profession of splitting a computer network into subnetworks, each being a network segment. Advantages of such splitting are primarily for boosting performance and improving security.

Advantages

Reduced congestion: Improved performance is achieved, because on a segmented network there are fewer hosts per subnetwork, thus minimizing local traffic
Improved security: Broadcasts will be contained to local network. Internal network structure will not be visible from outside
Containing network problems: Limiting the effect of local failures on other parts of network
Controlling visitor access: Visitor access to the network can be controlled by implementing VLANs to segregate the network.

Improved Security

When a cyber-criminal gains unauthorized access to a network, segmentation or “zoning” can provide effective controls to limit further movement across the network.^[1] PCI-DSS (Payment Card Industry Data Security Standard), and similar standards, provide guidance on creating clear separation of data within the network, for example separating the network for Payment Card authorizations from those for Point-of-Service (till) or customer wi-fi traffic. A sound security policy entails segmenting the network into multiple zones, with varying security requirements, and rigorously enforcing the policy on what is allowed to move from zone to zone.

Controlling Visitor Access

Finance and Human Resources typically need access via their own VLAN to their application servers because of the confidential nature of the information they process and store. Other groups of personnel may require their own segregated networks, such as server administrators, security administration, managers and executives.^[2]

Third Parties are usually required to have their own segments, with different administration passwords to the main network, to avoid attacks via a compromised, less well protected, third party site,.^[3]^[4]

Means of Segregation

Segregation is typically achieved by a combination of firewalls and VLANs (Virtual Local Area Networks). Software-Defined Networking (SDN) can allow the creation and management of micro-segmented networks.

However, a VLAN on its own is unable to enforce the control of privileged information - it doesn't understand applications, users and content.^[5]

References

↑ Improving Security via Proper Network Segmentation", Nimmy Reichenberg, March 20, 2014, Security Week, http://www.securityweek.com/improving-security-proper-network-segmentation
↑ "Segmenting for security: Five steps to protect your network", Network World, 24 November 2014, http://www.networkworld.com/article/2851677/security0/segmenting-for-security-five-steps-to-protect-your-network.html
↑ "Target Hackers Broke in Via HVAC Company", Krebs on Security, 05 February 2014, http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
↑ "Target Breach Statement", Fazio Mechanical Services, http://faziomechanical.com/Target-Breach-Statement.pdf
↑ "Network Segmentation/Zero Trust", Palo Alto Networks, retrieved 15 March 2016, https://www.paloaltonetworks.com/solutions/initiatives/network-segmentation.html

This article is issued from Wikipedia - version of the 3/31/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.