Good network segmentation is a highly recommended network security practice that requires a firewall policy known as an allow-list or whitelist. How should you go about implementing it?
What is Network Segmentation?
Network segmentation divides the network into security zones that limit the ability of malware to spread within your network. In this security model, firewalls filter traffic between security zones, preventing unauthorized access. This makes it harder for ransomware, or an intruder attempting data theft, to reach sensitive data. In contrast, the old network model relied on perimeter firewalls, which made it easy for an intruder to compromise additional systems once internal access was obtained.
Creating the zones and building the desired firewall rules are the primary challenges. Let’s say your business uses a typical customer application based on web, application, and database tiers. To protect the database, your network security design could create a network segment for each tier and only allow traffic between the tiers needed for the service to work. In this example, the web tier can only communicate with the application tier. The application tier can only communicate with the web tier and the database tier, using specific protocols. The complication is determining what communications to permit between each tier without consuming a lot of time and without making many mistakes.
Once you’ve identified the security zones, the recommended practice uses a so-called whitelist ruleset, also known as an allow-list, to permit the network communications needed by the applications. The default action of the ruleset is to deny all other traffic. The result is a default deny condition with explicit rules to permit network flows that the applications need.
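To make the three-tier allow-list concrete, here is an added example (not from the original article) that models the zones and explicit allow rules, evaluates new flows against them with a default-deny fallback, and renders the same policy as an nftables forward chain. The zone address ranges, ports, and protocols are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Security zones for the three-tier example plus an infrastructure zone for
# DNS/NTP. Address ranges are constructed for this example.
ZONES = {
    "web":   ipaddress.ip_network("10.10.1.0/24"),
    "app":   ipaddress.ip_network("10.10.2.0/24"),
    "db":    ipaddress.ip_network("10.10.3.0/24"),
    "infra": ipaddress.ip_network("10.10.9.0/24"),
}

class Rule(NamedTuple):
    src: str    # zone name, or "*" for any zone
    dst: str
    proto: str  # "tcp" or "udp"
    port: int

# Explicit allow-list: only the flows the service and its utilities need.
# Everything not listed here is denied.
ALLOW = [
    Rule("web", "app",   "tcp", 8443),  # web tier talks only to app tier
    Rule("app", "db",    "tcp", 5432),  # app tier talks to the database
    Rule("*",   "infra", "udp", 53),    # DNS for every zone
    Rule("*",   "infra", "udp", 123),   # NTP for every zone
]

def zone_of(addr: str) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), None)

def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Evaluate a new flow (initiator -> responder) against the allow-list.
    Unknown zones and unlisted flows fall through to the default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    return any(r.src in (src, "*") and r.dst == dst
               and r.proto == proto and r.port == port for r in ALLOW)

def to_nftables(rules) -> str:
    """Render the allow-list as an nftables forward chain with policy drop."""
    lines = ["chain forward {", "  type filter hook forward priority 0; policy drop;",
             "  ct state established,related accept"]
    for r in rules:
        src = "" if r.src == "*" else f"ip saddr {ZONES[r.src]} "
        lines.append(f"  {src}ip daddr {ZONES[r.dst]} {r.proto} dport {r.port} accept")
    return "\n".join(lines + ["}"])
```

`is_allowed` answers only for the flow initiator; the rendered chain relies on connection tracking (`ct state established,related`) to admit the return traffic, which is the usual stateful-firewall arrangement.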
Use Network Flow Analysis Tools
Now think about all the applications your business uses and the rulesets needed to properly segment the network. Identifying flows for the main applications is generally fairly easy. But don’t overlook communications functions like voice, video (including connection setup, conferencing, and direct calling), chat applications, and SMS. Don’t be surprised by the number of back-office applications like finance, customer management, inventory, manufacturing, and facility management. Finally, you’ll need to identify the protocols used for network utilities like DNS, NTP, and network management. Getting all this right is why one of our clients took over two years to fully implement network segmentation.
Read the rest of this article on NoJitter.