Thursday, May 16, 2019

Network Segmentation Plan Part-1



Background
Network Segmentation (1)
Benefits:

  • Improved Security: Network traffic can be isolated and/or filtered to limit and/or prevent access between network segments.
  • Better Access Control: Allow users to only access specific network resources.
  • Improved Monitoring: Provides an opportunity to log events, monitor allowed and denied internal connections, and detect suspicious behavior.
  • Improved Performance: With fewer hosts per subnet, local traffic is minimized. Broadcast traffic can be isolated to the local subnet.
  • Better Containment: When a network issue occurs, its effect is limited to the local subnet.
Cons:
  • The harder it can be 
    • For an attacker to compromise your sensitive systems/data.
    • To ensure users can access all of the information they require access to.
  • The more time it takes to design/manage the internal network.

Purpose
To effectively segment the network and build efficiency through the continuous monitoring and automation.

Requirements

  • Automation
    • Configuration: the ability to remotely manage the entire fleet of firewalls using an automation tool (i.e ansible, puppet, etc).
    • Updating: push out updated images using an automation tool.
  • Integration
    • Monitoring: the overall health of the firewalls and the underlying hypervisor.
    • APIs: to effectively monitor API integration and testing will be a requirement.  
  • Scalable
    •  Ability to add resources to increase usability.
  • High Availability
    •  Backup/Failover virtual firewall to ensure there is no lost in service.

Goal
Note: A principle of network segmentation is to group like resources together, to minimize security overhead: Build a fence around the car park, not a fence and gate around every car. (2) 


To simplify the segmentation of the network by segmenting based on the following criteria (2):
  • Data Sensitivity:
    • Data Centers
  • Location:
    • Brand Offices
  • Criticality:
    • Databases

Potential Problems
  • Underlying failure of the hypervisor.
  • Available hardware is deficient in its ability to handle the required traffic bandwidth.

References
  1. The Security Benefits of Network Segmentation
  2. Network Segmentation
  3. Network Segmentation