In a world that has seen exponential growth in cyber security threats, network segmentation limits an attacker’s movements, protects proprietary information and prevents unauthorized access to sensitive data. The process brings together logical groups of users, applications and assets. It then ensures that these groups don't interact unnecessarily with one another. The key is to balance segmentation for cyber security with the organization's need for agility and rapid workflow. It's a long-term process, and the implementation timetable will differ depending on the size and complexity of the organization.
1. Take an Inventory of Machines
Few organizations know exactly how many machines they own. They also may not know who's using those machines, and they may not even know where to find what they have. For this reason, taking an exhaustive inventory of every machine is crucial to starting the network segmentation process. These machines may fall into these categories and more:
- Windows and UNIX servers
- Development servers
- Financial servers and workstations
- HR servers
- Security devices
- Other network infrastructure
In particular, pay attention to equipment that’s controlled by system administrators. One compromised system administrator laptop can give an attacker access to a wide range of functions and employee credentials.2. Decide How to Protect Each Machine
A Windows server in one location may not need the same level of protection as a Windows server in another location. Therefore, after taking a machine inventory, categorize the machines according to the type of protection that each machine requires. Once you know what you have and what it does, then you can make decisions regarding how to protect each asset.
3. Take an Inventory of Personnel Including Which Machines They Can Access
Make a list of every person in the company and which machines they can access including workstations, notebooks and mobile devices. Then, ask yourself whether these people actually need every machine they have. In the previous step, you decided how to protect each machine according to its characteristics and functions. Now, make more decisions about protection by factoring in whether the receptionist or the CEO is using the machine.
4. Create an Initial VLAN to Isolate a Low-Maintenance Group
Instead of trying to tackle a company-wide segmentation, start by creating a virtual LAN (VLAN) for a low-maintenance group of workers. Good choices include the legal department, accounting and human resources. Start by monitoring the group and monitoring all traffic in and out of the servers so you can understand what the group accesses and how workflows actually happen. As you learn to understand your initial group, you can expand your segmentation efforts to other groups.
5. Create a Default Deny Ingress Rule for Each Group
Starting with your pilot group, develop a default deny ingress rule so that other users, machines and applications can't interact with that segment of the network. Every time you implement a new default deny ingress rule, prepare for some problems. For instance, if the CEO can no longer access a desired financial report, prepare to apologize profusely and to quickly fix the problem.
6. Prepare for New Equipment Needs and Personnel Training
Old equipment may not be able to handle your segmentation. For example, you might have to purchase a new router if the old one can't implement your new access control list. Also, you'll have to train personnel to navigate through your segmented network. They should understand why they no longer have access to certain areas.
7. Refine Your Groups Over Time
No matter how much time you spend trying to understand business drivers and workflows, you're going to make mistakes that people will find disruptive. Refine your group structure and protection strategies as you learn, and give yourself a generous timeline to implement a full network segmentation strategy.
