
Network Segmentation

Overview

Network segmentation is one of the fundamental concepts in cybersecurity and the term micro-segmentation is thrown around a lot. But what exactly is network segmentation and how does it help? In this article I’ll go into how this factors into Zero Trust and Cybersecurity philosophy.

Network segmentation analogy

Let us start with an analogy that people without network engineering expertise can connect with. Picture a multi-story office building, or better yet a whole campus of large multi-story buildings. Each floor is the new-age open floor plan, which anyone who has experienced it hates. For those who have not experienced it, count yourself lucky. What we are talking about is a large floor, hundreds of square meters in size, with absolutely no separation or offices: just endless rows of tables with a worker at each table. You end up with thousands of workers busy working on their projects all in one large, shared space. This type of setup is incredibly loud and offers no security, as anyone can listen in on any conversation. The only way to make this worse is to scatter each team throughout the floor, so in addition to all the noise from conversation and other work, you have all sorts of foot traffic as folks move around to collaborate.

Now picture this same floor divided into rooms. Even if each room is large, it helps a little, and the smaller the rooms get, the quieter the workspace gets. If you plan the room assignment well, so that each team is in one room and teams that collaborate a lot are in nearby rooms, you cut down on foot traffic and other noise.

This is network segmentation in essence.

Secure network segmentation

Network segmentation by itself provides no security; it just manages the network traffic and network flow, which, just as in office planning, is very important even if it does not add to security.

If we go back to the analogy above, imagine none of the doors in the office buildings have locks. Anyone can go anywhere, even people off the street can just wander in and go anywhere they want. This is obviously not very secure, regardless of how well the floors are laid out. While the chatter and general noise level have gone down, everyone can still wander into any room and listen in on any conversation. If the room is sufficiently small and folks are paying attention, it’s easier to spot an eavesdropper but an unlocked door does not stop eavesdropping.

The same goes for securing property as well as for network segmentation. Leaving stuff out in the open in the common area invites theft. Putting the property into a paper filing box in an unlocked room doesn’t provide much added security. This is what is referred to as “security by obscurity”: not having it out in the open means the thief has to look for it or know about it, which is a very easy hurdle to overcome. This has a direct correlation to the online world, including network segmentation.

Now imagine every door getting a lock installed with one of those card readers, so you cannot get anywhere without your access card. Your access card is programmed with permissions so that you can only go where you have business going. You can get to the room where your desk is, and the rooms for the people you need to work with, the cafeteria, and that is it. Now you have secure segmentation. We need to translate this to the concept of network segmentation.

Now imagine that at the front entrance there is a security guard who makes sure you are who you say you are and that you truly have business in this building. Now you have upgraded from what is called a layer four firewall to a layer seven firewall. If the security guard checks your person and your bags for contraband, now you have deep packet inspection going on, or DPI. If there are guards at the exit who check that you are not leaving with stuff that is not yours, that is called data loss prevention, or DLP, in the networking world.

Adding those security guards in front of the most sensitive areas of each building is a really great idea. This is called layered defense. If the security guard at the front door misses something or is taken out by hostile actors, there is another layer of defense before those hostile actors can reach the crown jewels. For the truly sensitive areas, have another set of security guards inside the secure area guarding the sensitive room. Not only does this layered defense increase the chance of the hostile actors not reaching the crown jewels but it also slows them down, giving backup teams time to respond and take them out.

Micro-segmentation

While the picture I painted above sounds very much like an action-adventure heist movie, in reality large companies with a lot to protect are not (or should not be) any different whether what they are protecting is physical or electronic. The only difference is in the details. To protect electronic assets, you do not need armed guards; you use firewalls. Instead of physical rooms, you use VLANs. Each VLAN becomes a segment in your network segmentation, connected to the others through a firewall.

You would never see a bank just have one large room for all their valuables, you see them locked away in a vault. You do something similar for your electronic valuables.

Micro-segmentation is normal segmentation with a reminder to keep the rooms very small. For your crown jewels think of safe deposit boxes inside of a vault guarded by an armed guard, not a paper filing box on an open shelf in the communal area.

Technical details

To start with, IP addressing (aka subnetting) by itself does nothing to either segment or secure your network. Generally, having multiple subnets on a single VLAN is considered a bad practice. There are very few reasons for doing this and none of them are good; there is always a better solution. The best analogy I can come up with for this is putting Spanish, English, French, German, and Italian speakers all in one room: just a bunch of noise that most folks don’t understand. Much better to have a dedicated room for each language. Not a perfect analogy, but it gets the message across.

Network segmentation is the start of making your network secure, but it does not do anything without you building security into it. Network segmentation is done by using multiple switches or by using a technology called VLAN, which stands for virtual local area network. VLAN is to networking what VMware is to compute: it allows one switch to act like multiple switches. Once you have VLAN’d off your networks and grouped your servers logically into each VLAN, whether the VLANs are secure or not depends on how they are connected together. If they are simply routed together, or worse yet bridged together, they are about as secure as a door without a lock. To secure them you need a firewall to connect them.

VLAN Strategy

Office Space

So, start by grouping all your IT assets (laptops, workstations, servers, Smart TVs, card readers, security cameras, etc.) into related groups and create a VLAN for each group. Naming the VLAN according to the group it contains will really help you down the line; avoid using the default vlanxx (e.g. vlan15) as the VLAN name. Laptops, workstations, printers, and wireless access points should each be on their own VLAN. For larger office campuses it would even make sense to have a separate VLAN for each floor in the building, or even each wing of the building. Equipment the average employee should have no access to, such as security cameras and card readers, should be in its own VLAN. IoT devices such as Smart TVs should have their own VLAN.

Datacenter

Then take your network segmentation efforts to your datacenters. Start by grouping all your servers based on the function or application they provide, and remember to keep the groups as small as practical. An internal app that has a handful of servers, a mixture of web and database servers, could go into one group. A large external application that is multi-tiered, with many server farms, should probably be grouped by tier, and maybe even each server farm inside each tier could have its own VLAN for proper network segmentation. The database tier and the front-end tier should absolutely never be grouped together. Ideally, the middle-tier server farm should have its own VLAN.

The servers that house the most sensitive data, the crown jewels so to speak, should absolutely be in their own VLAN. If you have multiple levels of sensitivity, then you should have the same number of sensitive VLANs.
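The grouping rules from the office and datacenter sections above (one group per VLAN, descriptive VLAN names, one subnet per VLAN, cameras, card readers, databases and sensitive servers in VLANs of their own) can be checked mechanically against an inventory before anyone touches a switch. The following Python audit is an added example, not the article's own code; the VLAN ids, names, subnets, hostnames and asset classes are constructed for illustration, and the set of classes treated as "must be isolated" is an assumption drawn from the text above.

```python
"""Audit a VLAN plan against the grouping rules described in the article.

Added example, not the article's own code: VLAN ids, names, subnets, hosts
and asset classes below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed VLAN plan: VLAN id -> name and the subnet(s) carried on it.
VLANS = {
    10: {"name": "users-floor1", "subnets": ["10.10.1.0/24"]},
    11: {"name": "printers",     "subnets": ["10.10.2.0/24"]},
    13: {"name": "vlan13",       "subnets": ["10.10.4.0/24", "10.10.5.0/24"]},
    20: {"name": "physsec",      "subnets": ["10.20.0.0/24"]},
    30: {"name": "crm-web",      "subnets": ["10.30.1.0/24"]},
    31: {"name": "crm-db",       "subnets": ["10.30.2.0/24"]},
}

# Constructed asset inventory: (hostname, VLAN id, asset class).
ASSETS = [
    ("lt-0001",      10, "laptop"),
    ("prn-01",       11, "printer"),
    ("tv-lobby",     13, "iot"),
    ("cam-lobby",    13, "camera"),       # camera sharing a VLAN with a Smart TV
    ("badge-door-1", 20, "card_reader"),
    ("crm-web-01",   30, "web"),
    ("crm-db-01",    30, "db"),           # database server on the front-end VLAN
    ("crm-db-02",    31, "db"),
    ("hr-share",     99, "sensitive"),    # refers to a VLAN missing from the plan
]

# Assumption from the text: these classes never share a VLAN with anything else.
ISOLATED = {"camera", "card_reader", "db", "sensitive"}
# Default switch-style names such as "vlan15" that the article says to avoid.
DEFAULT_NAME = re.compile(r"vlan\s*\d+$", re.IGNORECASE)


def audit(vlans, assets):
    """Return findings as (vlan id, code, detail) tuples; an empty list is clean."""
    findings = []
    for vid, v in vlans.items():
        if DEFAULT_NAME.match(v["name"]):
            findings.append((vid, "default-name", v["name"]))
        nets = [ipaddress.ip_network(s) for s in v["subnets"]]  # raises on a bad CIDR
        if len(nets) > 1:
            findings.append((vid, "multi-subnet", ", ".join(map(str, nets))))

    members = defaultdict(set)  # VLAN id -> set of asset classes placed on it
    for host, vid, cls in assets:
        if vid not in vlans:
            findings.append((vid, "unknown-vlan", host))
            continue
        members[vid].add(cls)

    for vid, classes in sorted(members.items()):
        if len(classes) > 1:
            findings.append((vid, "mixed-classes", ", ".join(sorted(classes))))
            for cls in sorted(ISOLATED & classes):
                findings.append((vid, "isolation", f"{cls} must have its own VLAN"))
    return findings


if __name__ == "__main__":
    for vid, code, detail in audit(VLANS, ASSETS):
        print(f"VLAN {vid}: {code}: {detail}")
```

Run as a script it lists every rule the constructed plan breaks (VLAN 13 carries two subnets, has a default name and mixes a camera with an IoT device; VLAN 30 puts a database on the front-end VLAN; one host points at a VLAN that does not exist). Feeding it an export from your IPAM or CMDB turns the article's advice into a repeatable check.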

Security Zones

Basic zones

The next step in your network segmentation journey is defining your security zones. At the very least you need three zones:

  • External Zone: This contains the assets that need to be directly accessible on the internet.
  • DMZ: This is the zone that connects the external zone to the internal zone. Middle-tier application layer servers go here, as well as other assets that the external-facing assets need to access but that should not be directly accessible on the internet.
  • Internal Zone: This is where everything else goes.

Most organizations will want many more security zones. In order for your network segmentation to have the biggest impact on security, think about creating a zone for each VLAN or group of VLANs. Security design always has to strike a good balance between security and usability (which includes manageability and scalability), and secure network segmentation design is no exception. The three-zone setup above is analogous to a company with a lobby where a receptionist or a security guard checks you in and lets you into a secure waiting room. Once you are taken from the waiting room into the building there is no more security, and you can go wherever you want.

A best practice is to have a dedicated firewall for these three zones. For increased security have the external firewall be from a different firewall vendor than your internal firewalls. The thinking here is that any exploit that works on your external firewall won’t work on your internal firewalls and vice versa. This might stop any adversary from getting further than your DMZ, or at the very least slow them down.

Internal Zones

The next step is to take your VLAN list and break it into security zones. This is usually a one-to-one mapping, but there could be cases where you’d want multiple VLANs in one zone. This is analogous to looking at your floor layout and deciding which doors should get a lock.

Sensitive Data Zones (aka crown jewels)

For those who are extra security conscious, group security zones into zones of their own. For example, you have multiple levels of data sensitivity, so you have multiple sensitive/secure VLANs. In this case, you have one security zone for each VLAN, and then you group those zones into one enclosing security zone.

This is like having a vault in a secure section of the building: you can’t even get to the area where the vault is without checking in with security, and that is after having gone through security in the building lobby. Then, when you get to the vault, you have to go through security yet again before you can get to your safe deposit box.

In this setup, all the different security zones should be on their own firewall, ideally a third brand different from the internal firewall and the external firewall.

Your data classification, risk appetite, and other security principles should dictate exactly how you do this. One example of how this might look in real life is having a separate security zone for all your PCI servers and a different zone for all the company’s top secrets and intellectual property. This is where network segmentation gets a little personal, as you have to adapt it to the needs of the business.

Access Control List

After you’ve figured out VLANs and grouped them into the appropriate security zones, you need to figure out what needs access to what. In the networking world, it is way too common to go through all the trouble of installing all sorts of fancy locks on all the doors and then never locking them. Just like a door lock that isn’t locked doesn’t do any good, a firewall zone that allows everything is useless.

This can often be the most challenging part of the whole process, as it means you need to know exactly who needs to talk to whom, what the application communication flow is, and what TCP or UDP port each flow uses.

Exactly what this looks like will vary from firewall vendor to firewall vendor. In essence, you’ll end up with a table that looks something like this.

Source          Destination    Protocol  Port
10.15.16.17     10.2.3.1       TCP       443
192.168.1.15    10.1.5.6       TCP       3306
172.16.15.18    10.25.35.15    TCP       5306
10.11.12.13     172.16.13.8    TCP       443

Once you have this then your network engineers can start building your VLANs and the firewall engineer can build your security zones, connect the right VLAN to the right zone and configure the permissions on each zone.
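To make the access-control table concrete, here is an added Python example (not the article's own code, and not any vendor's firewall logic) that loads the four rows of the table above as rules and evaluates candidate flows against them with an implicit default deny. The VLAN-subnet-to-zone mapping, zone names and the deliberately open "any/any" rule are constructed for illustration; the zone lookup is there to show that a flow between two hosts in the same zone never reaches the firewall at all, which is why small zones matter.

```python
"""Evaluate flows against a zone-firewall rule table with default deny.

Added example, not the article's code: the four rules are the rows of the
article's table; subnets, zone names and the open test rule are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # IP address, CIDR, or "any"
    dst: str      # IP address, CIDR, or "any"
    proto: str    # "TCP", "UDP", or "any"
    port: object  # int, or "any"


# The rows of the article's access-control table.
RULES = [
    Rule("10.15.16.17", "10.2.3.1", "TCP", 443),
    Rule("192.168.1.15", "10.1.5.6", "TCP", 3306),
    Rule("172.16.15.18", "10.25.35.15", "TCP", 5306),
    Rule("10.11.12.13", "172.16.13.8", "TCP", 443),
]

# Constructed mapping of VLAN subnets to security zones.
ZONES = {
    "10.15.16.0/24":  "office-users",
    "10.11.12.0/24":  "office-users",
    "192.168.1.0/24": "dmz-app",
    "172.16.15.0/24": "dmz-app",
    "10.2.3.0/24":    "dmz-app",
    "172.16.13.0/24": "dmz-app",
    "10.1.5.0/24":    "internal-db",
    "10.25.35.0/24":  "internal-db",
}
_ZONE_NETS = [(ipaddress.ip_network(n), z) for n, z in ZONES.items()]


def zone_of(ip):
    """Longest-prefix match of an address to its zone; None if unassigned."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, zone in _ZONE_NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def _net(spec):
    """Turn a rule's src/dst field into a network ('any' matches everything)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def matches(rule, src, dst, proto, port):
    return (ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst)
            and (rule.proto == "any" or rule.proto.upper() == proto.upper())
            and (rule.port == "any" or rule.port == port))


def evaluate(src, dst, proto, port, rules=RULES):
    """Return (verdict, rule).

    'intra-zone': both hosts sit in the same zone, so the firewall is not in
    the path and the table is never consulted; 'allow': first matching rule;
    'deny': nothing matched (default deny).
    """
    src_zone = zone_of(src)
    if src_zone is not None and src_zone == zone_of(dst):
        return ("intra-zone", None)
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return ("allow", rule)
    return ("deny", None)


def permissive_rules(rules):
    """Rules with 'any' source and 'any' destination: the unlocked door."""
    return [r for r in rules if r.src == "any" and r.dst == "any"]


if __name__ == "__main__":
    for flow in [("10.15.16.17", "10.2.3.1", "TCP", 443),
                 ("10.15.16.17", "10.2.3.1", "TCP", 80),
                 ("10.15.16.20", "10.11.12.13", "TCP", 22)]:
        print(flow, "->", evaluate(*flow)[0])
```

The first flow matches row one and is allowed; the second hits the same hosts on port 80 and is denied because no row covers it; the third stays inside the office-users zone and is never filtered. Running `permissive_rules` over a real export is a quick way to find the "door that was installed but never locked".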