What is Network Segmentation?
A network segment is a portion of a network, and the term is often used loosely as a synonym for a LAN: a set of hosts (computers and peripherals) connected to the same network and sharing the same broadcast domain.
An organization's LAN can be made up of several network segments connected to a main local area network, so that the segments can communicate with each other and form a single network that meets the organization's requirements.
Segmenting the network allows us to increase the number of stations (computers) connected to it while keeping performance up, because broadcast traffic is confined to each segment instead of reaching every host. This assumes the segments keep the same topology, the same communication protocol and the same working environment.
A large organizational network can consist of many network segments connected to a main LAN called the backbone, which exists to interconnect the segments.
In the diagram, you can see two segments (which could be on two different floors of a company), each composed of three computers, connected to the backbone that links them.
Configuration of Network Devices:
So far we have seen how to configure a DHCP relay and how to configure our DHCP server to assign addresses to the different devices in our network deployment. To complete the configuration, we still need to configure the network devices themselves, which we will cover over the next three articles.
In order for our VLANs to communicate, we need a device capable of routing traffic between the different segments of our network. The most sensible choice is a switch with layer 3 functionality. This will be the core of our network and will interconnect our VLANs. For the rest, we will use switches with layer 2 functionality.
Assignment of interfaces:
If we follow the scheme above, the interfaces of the layer 2 switches that face the clients must be configured in access mode for the corresponding VLAN, which assigns the connected host to that VLAN. The interfaces that connect to our layer 3 device must be in trunk mode, enabling 802.1Q tagging so that frames from several VLANs can share one link. Later we will see why these configurations are needed.
Finally, we have our layer 3 device, which, as mentioned several times, is in charge of routing traffic between the different VLANs. To do this it acts as the gateway for each VLAN: in addition to having the VLANs defined, it must be able to route between them, so for each VLAN we configure a routed interface (SVI) with an IP address taken from that VLAN's range, and that address is the one the hosts in the VLAN use as their default gateway. We must also configure a default route on this device so that it can forward traffic destined outside our local network.
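As an added example (not part of the original article), the following Python script models the design just described and validates it before generating the switch configuration: it checks that each VLAN's gateway lies inside the VLAN's own range, that no two ranges overlap and that every access VLAN has an SVI on the layer 3 switch, then emits Cisco IOS-style configuration for the access switch (access ports plus an 802.1Q trunk carrying only the VLANs in use) and for the core switch (one SVI per VLAN acting as gateway, DHCP relay via `ip helper-address`, and a default route). The VLAN numbers, addresses, interface names and the IOS syntax are assumptions for illustration; `switchport trunk encapsulation dot1q` is only accepted on platforms that also support ISL and can be dropped elsewhere.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vlan:
    vid: int
    name: str
    subnet: str   # the range assigned to the VLAN, e.g. "10.0.10.0/24"
    gateway: str  # the SVI address on the layer 3 switch; hosts use it as default gateway


@dataclass
class AccessSwitch:
    hostname: str
    access_ports: dict = field(default_factory=dict)  # interface -> VLAN id of the attached host
    trunk_ports: list = field(default_factory=list)   # 802.1Q uplinks towards the layer 3 switch


def validate(vlans, switches):
    """Return a list of design errors; an empty list means the design is consistent."""
    errors, nets = [], {}
    for v in vlans:
        try:
            net = ipaddress.ip_network(v.subnet, strict=True)
            gw = ipaddress.ip_address(v.gateway)
        except ValueError as exc:
            errors.append(f"VLAN {v.vid}: {exc}")
            continue
        # The gateway must be a usable host address inside the VLAN's own range.
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            errors.append(f"VLAN {v.vid}: gateway {v.gateway} is not a usable host in {v.subnet}")
        # Overlapping ranges would make routing between VLANs ambiguous.
        for other_vid, other_net in nets.items():
            if net.overlaps(other_net):
                errors.append(f"VLAN {v.vid}: {v.subnet} overlaps VLAN {other_vid} ({other_net})")
        nets[v.vid] = net
    for sw in switches:
        for port, vid in sw.access_ports.items():
            if vid not in nets:
                errors.append(f"{sw.hostname} {port}: access VLAN {vid} has no SVI on the layer 3 switch")
        if sw.access_ports and not sw.trunk_ports:
            errors.append(f"{sw.hostname}: has access ports but no trunk uplink")
    return errors


def layer2_config(sw, vlans):
    """Access-switch configuration: hosts on access ports, uplinks as 802.1Q trunks (assumed IOS syntax)."""
    lines = [f"hostname {sw.hostname}"]
    for v in vlans:
        lines += [f"vlan {v.vid}", f" name {v.name}"]
    for port, vid in sorted(sw.access_ports.items()):
        lines += [f"interface {port}", " switchport mode access", f" switchport access vlan {vid}"]
    # Only carry the VLANs this switch actually uses on the trunk (least exposure).
    allowed = ",".join(str(vid) for vid in sorted(set(sw.access_ports.values())))
    for port in sw.trunk_ports:
        lines += [f"interface {port}", " switchport trunk encapsulation dot1q",
                  " switchport mode trunk", f" switchport trunk allowed vlan {allowed}"]
    return lines


def layer3_config(hostname, vlans, default_next_hop, dhcp_server=None):
    """Core switch: one SVI per VLAN acting as its gateway, plus a default route out of the LAN."""
    lines = [f"hostname {hostname}", "ip routing"]
    for v in vlans:
        net = ipaddress.ip_network(v.subnet)
        lines += [f"vlan {v.vid}", f" name {v.name}",
                  f"interface Vlan{v.vid}", f" ip address {v.gateway} {net.netmask}"]
        if dhcp_server:  # relay DHCP broadcasts from this VLAN to the central DHCP server
            lines.append(f" ip helper-address {dhcp_server}")
    lines.append(f"ip route 0.0.0.0 0.0.0.0 {default_next_hop}")
    return lines


# Constructed sample design: two VLANs, one access switch, one core switch (all values assumed).
VLANS = [Vlan(10, "USERS", "10.0.10.0/24", "10.0.10.1"),
         Vlan(20, "SERVERS", "10.0.20.0/24", "10.0.20.1")]
ACCESS_SW = AccessSwitch("floor1-sw", {"GigabitEthernet1/0/1": 10, "GigabitEthernet1/0/2": 10,
                                       "GigabitEthernet1/0/3": 20}, ["GigabitEthernet1/0/24"])

if __name__ == "__main__":
    problems = validate(VLANS, [ACCESS_SW])
    print("\n".join(problems) if problems else "design OK")
    print("\n".join(layer2_config(ACCESS_SW, VLANS)))
    print("\n".join(layer3_config("core-sw", VLANS, "192.0.2.1", dhcp_server="10.0.20.10")))
```

Run `validate` before pushing anything to the devices: a gateway outside its VLAN's range or two VLANs sharing a range are exactly the mistakes that leave a segment unreachable or silently merge two zones that were meant to be separate.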
Advantages of Network Segmentation:
- Congestion reduction: better performance, since a segmented network has fewer hosts per subnet and broadcast traffic is confined to each one.
- Improved security:
1) Broadcast and other link-local traffic stays within its segment, and the internal structure of the network is not visible from outside it.
2) If a host in a segment is compromised, there is a smaller attack surface available to pivot to. Common attack vectors such as LLMNR and NetBIOS name poisoning can be partially mitigated by proper network micro-segmentation, since they rely on multicast and broadcast name queries that only reach the local segment. For this reason, it is recommended to segment the different areas of a network by function. A basic example would be to place web servers, database servers and standard user machines each in its own segment.
3) By creating network segments that contain only the resources the authorized consumers actually need, you create a least-privilege environment.
- Containment of network problems: limits the effect of local failures on other parts of the network.
- Control of visitor access: visitor access to the network can be controlled by implementing VLANs to segregate the network. When an attacker obtains unauthorized access to a network, segmentation or “zoning” provides effective controls to limit movement through it. PCI DSS (Payment Card Industry Data Security Standard) and similar standards provide guidance on creating a clear separation of data within the network, for example separating the network used for payment card authorizations from the network carrying point-of-sale (cashier) traffic or customer wi-fi traffic. A good security policy involves segmenting the network into multiple zones with different security requirements, and rigorously enforcing a policy of what is allowed to move from one zone to another.
- Segregation of sensitive departments and third parties: Finance and Human Resources departments often need access to their application servers through their own VLAN because of the confidential nature of the information they process and store. Other groups of staff may require their own segregated networks, such as server administrators, security management, managers and executives. Third parties are often required to have their own segments, with separate credentials from those used to manage the main network, to prevent attacks coming through a compromised and less protected third-party site.
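As an added example (not from the original article), the Python below models the zoning policy described in the security points above: each zone is a VLAN subnet, an allow-list says which zone may initiate which flows, and everything else is denied. The `evaluate` function shows the three outcomes that matter in practice: link-local traffic such as LLMNR (224.0.0.252, UDP 5355) and NetBIOS name service broadcasts (UDP 137) never leaves its segment, so the poisoning attacks mentioned earlier stay where the attacker already is; hosts in one VLAN talk without any layer 3 policy; and cross-zone flows hit the default-deny allow-list, so a guest wi-fi client cannot reach the payment servers while a point-of-sale terminal can, on one port only. `acl_for_zone` turns the same policy into IOS-style extended ACLs for each SVI, including the `established` permits a receiving zone needs so replies are not dropped by a stateless ACL. Zone names, subnets, VLAN ids, ports and the ACL syntax are assumptions for illustration.

```python
import ipaddress

# Constructed zones: each zone is one VLAN/subnet, as in the segmentation described above.
ZONES = {
    "users":   ipaddress.ip_network("10.0.10.0/24"),  # standard user machines
    "pos":     ipaddress.ip_network("10.0.20.0/24"),  # cashier / point-of-sale terminals
    "payment": ipaddress.ip_network("10.0.30.0/24"),  # card authorization servers
    "guest":   ipaddress.ip_network("10.0.99.0/24"),  # customer wi-fi
}
VLAN_ID = {"users": 10, "pos": 20, "payment": 30, "guest": 99}  # assumed VLAN numbers

# Allow-list of flows a zone may initiate: (src_zone, dst_zone, proto, dst_port).
# "internet" is any destination outside the zones; "any"/None match every proto/port.
# Anything not listed is denied, so the payment zone gets neither Internet nor guest traffic.
POLICY = [
    ("pos",   "payment",  "tcp", 443),
    ("users", "internet", "any", None),
    ("guest", "internet", "any", None),
    ("pos",   "internet", "tcp", 443),
]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def zone_of(ip):
    """Name of the zone whose subnet contains ip, or None for addresses outside the LAN."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst, proto, dst_port):
    """Outcome for a flow initiated from src to dst.

    "link-local": multicast or broadcast (LLMNR to 224.0.0.252:5355, NetBIOS name service on
        UDP 137 to the subnet broadcast). The switch floods it inside the source VLAN only and
        the layer 3 gateway never forwards it, so poisoning attacks that answer these requests
        are confined to the segment the attacker is already in.
    "same-segment": both hosts in one VLAN, switched directly, no layer 3 policy applies.
    "allow" / "deny": verdict of the inter-zone allow-list, default deny.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone = zone_of(src)
    if src_zone is None:
        return "deny"  # traffic entering from outside is the perimeter firewall's job, not the core's
    if dst.is_multicast or dst == LIMITED_BROADCAST or dst == ZONES[src_zone].broadcast_address:
        return "link-local"
    dst_zone = zone_of(dst)
    if dst_zone == src_zone:
        return "same-segment"
    for s, d, p, port in POLICY:
        zone_match = s == src_zone and (d == dst_zone or (d == "internet" and dst_zone is None))
        if zone_match and p in ("any", proto) and port in (None, dst_port):
            return "allow"
    return "deny"


def _wild(net):
    return f"{net.network_address} {net.hostmask}"  # IOS writes subnets as address + wildcard mask


def acl_for_zone(zone):
    """IOS-style extended ACL applied inbound on the zone's SVI (assumed syntax).

    A stateless ACL sees each direction separately, so the zone that receives a TCP flow also
    needs an 'established' permit for the replies; omitting it breaks the application instead
    of protecting it. UDP has no such flag: for UDP services put a stateful firewall between zones.
    """
    me = _wild(ZONES[zone])
    lines = [f"ip access-list extended {zone.upper()}-IN"]
    internet_rules = []
    for s, d, proto, port in POLICY:
        tail = f" eq {port}" if port is not None else ""
        if s == zone and d == "internet":
            internet_rules.append((proto, tail))
        elif s == zone:
            lines.append(f" permit {'ip' if proto == 'any' else proto} {me} {_wild(ZONES[d])}{tail}")
        elif d == zone and proto == "tcp":  # replies to sessions another zone may open to us
            lines.append(f" permit tcp {me}{tail} {_wild(ZONES[s])} established")
    if internet_rules:  # block the other zones explicitly before letting the rest out
        for other, net in ZONES.items():
            if other != zone:
                lines.append(f" deny ip {me} {_wild(net)}")
        for proto, tail in internet_rules:
            lines.append(f" permit {'ip' if proto == 'any' else proto} {me} any{tail}")
    lines.append(" deny ip any any")  # IOS denies implicitly; stated so the intent is visible
    lines += [f"interface Vlan{VLAN_ID[zone]}", f" ip access-group {zone.upper()}-IN in"]
    return lines


if __name__ == "__main__":
    for flow in [("10.0.20.5", "10.0.30.7", "tcp", 443), ("10.0.99.5", "10.0.30.7", "tcp", 443),
                 ("10.0.10.5", "224.0.0.252", "udp", 5355), ("10.0.30.5", "198.51.100.7", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
    for zone in ZONES:
        print("\n".join(acl_for_zone(zone)))
```

The allow-list is the policy artifact worth reviewing and version-controlling; the ACLs are derived from it, which keeps the "what may move from one zone to another" rule in one place and makes a hidden `permit ip any any` on some SVI easy to spot.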
Importance of reducing security risks:
IT professionals agree that network segmentation, that is, the ability to create secure “lanes” across the entire network for applications or services, is an essential measure for reducing security risks. However, a study by Vera Quest Research, commissioned by Avaya, reveals that few companies have implemented this strategy so far: only about one in four participants say they have.
Specifically, only 23% of respondents say they have deployed this strategy, followed closely by 22% who do not even know what can be done with it. The main reasons given for not having a network segmentation strategy are that it is “too complicated” (35%), “very resource-intensive” (29%) and “quite risky to deploy” (22%).
Deploying adequate network segmentation from end to end is a fundamental measure for dealing with a perimeter that is now everywhere. Traditional technologies may not cover the entire network and are expensive to deploy, whereas end-to-end segmentation extends from the data center to the desktop while reducing complexity and addressing operational obstacles, the study explains.