Compartmentalization
Anyone who knows me will be able to attest to the fact that I have at least a touch of the OCD. Most of those people will probably tell you it's more than just a touch. In any case, I like things to be neat and orderly. When looking at networks and security, this usually translates into splitting up an otherwise monolithic network into smaller, more manageable chunks.
If you look at the design of a submarine, the vessel is divided into many different compartments, usually grouping like functions into a single physical space. Between all of these sections there is a thick barrier with heavy doors which can be locked down at a moment's notice. Why is that? Well, if they spring a leak somewhere, the Navy prefers that the entire crew doesn't drown.
The same principle should be applied to most business networks. Splitting things up along the lines of security, functionality, and physical location can yield a much more secure and manageable network. If it's done right, it will be transparent to everyday business, but a serious barrier to anyone attacking the network. It will also make monitoring of network traffic much easier, since all traffic traveling between segments crosses a device which should be able to do some accounting and reporting.
In my personal experience, I've seen absolutely enormous (>6000 hosts) networks set up as a single, switched subnet. The more average case usually involves 100 or so devices total, and sometimes multiple locations. Whatever the size or configuration of the network (aside from the really small <10 device networks, of course), there is usually some split that can be made to improve it. At the very least, I push customers to move the administrative interfaces of all devices that have them to a different network. Every network I've ever run into has at least one device with a web or telnet administrative interface on its internal network. Most IT managers never think that the secretary or the accounting guy will ever want to or be able to do anything with those interfaces. The issue is that if an attacker manages to get inside, those administrative interfaces are up for grabs along with everything else. Furthermore, if someone on the inside stumbles across one which isn't properly secured, malice isn't required to cause some serious downtime.
When performing a vulnerability assessment on your organization and network, it is very typical to consider only the inbound attacks (even those coming from the inside). However, it is critical to consider what would happen should an attack be successful. What if every other layer of defense failed to block or even notify you of an attack? What keeps an attacker from moving around within your network and further compromising your organization once on the inside? Well, a properly segmented network can help there. If traffic between segments of your network is limited only to what is needed, it is considerably less likely that an attacker will be able to attack or move any data between segments. Furthermore, if all segments connect only through a firewall with an IDS/IPS, there is a much higher chance of catching the attacker traversing segments.
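To make the "only what is needed" rule concrete, here is an added example (not from the original post) that models a small segment plan with the device admin interfaces on their own management segment, allows only the listed business flows between segments, and audits constructed boundary-firewall flow records for anything that crosses a segment without permission. All addresses, segment names and sample flows are made up for the example.

```python
import ipaddress
# Constructed segment plan for the example (addresses are not from the post).
SEGMENTS = {
    "users":    ipaddress.ip_network("10.10.0.0/24"),  # desktops, secretary, accounting
    "servers":  ipaddress.ip_network("10.20.0.0/24"),  # file, mail, intranet web
    "admin_ws": ipaddress.ip_network("10.30.0.0/28"),  # IT staff workstations
    "mgmt":     ipaddress.ip_network("10.99.0.0/24"),  # switch/firewall/iLO admin interfaces
}
# Only the flows the business needs; any other cross-segment flow is denied and logged.
ALLOWED = {
    ("users",    "servers", "tcp", 443),   # intranet web
    ("users",    "servers", "tcp", 445),   # file shares
    ("admin_ws", "mgmt",    "tcp", 22),    # device CLI
    ("admin_ws", "mgmt",    "tcp", 443),   # device web UI
}

def segment_of(ip):
    """Map an address to its segment name, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def decide(src, dst, proto, dport):
    """Return 'allow' or 'deny' for one flow under the segment policy."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny"            # address outside the plan: default deny
    if s == d:
        return "allow"           # intra-segment traffic never reaches the firewall
    return "allow" if (s, d, proto, dport) in ALLOWED else "deny"

def parse_flow(line):
    # Records are simple 'key=value' pairs, as in SAMPLE_FLOWS below.
    f = dict(kv.split("=", 1) for kv in line.split())
    return f["src"], f["dst"], f["proto"], int(f["dport"])

def audit(lines):
    """Return (src_seg, dst_seg, src, dst, proto, dport) for every denied flow."""
    hits = []
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        if decide(src, dst, proto, dport) == "deny":
            hits.append((segment_of(src), segment_of(dst), src, dst, proto, dport))
    return hits

# Constructed flow records, as a boundary firewall might log them.
SAMPLE_FLOWS = [
    "src=10.10.0.15 dst=10.20.0.5 proto=tcp dport=445",   # user to file share: fine
    "src=10.10.0.15 dst=10.99.0.1 proto=tcp dport=23",    # user to switch telnet: flag
    "src=10.30.0.2 dst=10.99.0.1 proto=tcp dport=22",     # admin to switch ssh: fine
    "src=10.20.0.5 dst=10.10.0.15 proto=tcp dport=3389",  # server reaching into users: flag
]
```

Running `audit(SAMPLE_FLOWS)` reports the two flows that cross a boundary without a matching rule, which is exactly the traffic a firewall between segments would deny and an IDS would surface for review.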
The downside of segmentation is that it requires a fair amount of work up front, and it forces you to know everything about your network. The latter isn't really a downside as I see it. But it does mean extra work, and extra work is generally considered a bad thing in the IT world. As network devices go, midrange UTM-type firewalls with 8 interfaces or more aren't very expensive ($3000-4000) when compared to other network devices, but they will provide you with more visibility and security than pretty much anything else.
