Background
Network Segmentation (1)
Benefits:
- Improved Security: Network traffic can be isolated and/or filtered to limit and/or prevent access between network segments.
- Better Access Control: Allow users to only access specific network resources.
- Improved Monitoring: Provides an opportunity to log events, monitor allowed and denied internal connections, and detect suspicious behavior.
- Improved Performance: With fewer hosts per subnet, local traffic is minimized. Broadcast traffic can be isolated to the local subnet.
- Better Containment: When a network issue occurs, its effect is limited to the local subnet.
- The harder it can be
- For an attacker to compromise your sensitive systems/data.
- To ensure users can access all of the information they require access to.
- The more time it takes to design/manage the internal network.
Purpose
To effectively segment the network and build efficiency through the continuous monitoring and automation.
Requirements
- Automation
- Configuration: the ability to remotely manage the entire fleet of firewalls using an automation tool (i.e ansible, puppet, etc).
- Updating: push out updated images using an automation tool.
- Integration
- Monitoring: the overall health of the firewalls and the underlying hypervisor.
- APIs: to effectively monitor API integration and testing will be a requirement.
- Scalable
- Ability to add resources to increase usability.
- High Availability
- Backup/Failover virtual firewall to ensure there is no lost in service.
Goal
Note: A principle of network segmentation is to group like resources together, to minimize security overhead: Build a fence around the car park, not a fence and gate around every car. (2)
To simplify the segmentation of the network by segmenting based on the following criteria (2):
- Data Sensitivity:
- Data Centers
- Location:
- Brand Offices
- Criticality:
- Databases
Potential Problems
- Underlying failure of the hypervisor.
- Available hardware is deficient in its ability to handle the required traffic bandwidth.
References
- The Security Benefits of Network Segmentation
- Network Segmentation
- Network Segmentation