Why you need to segment your network for security


Segmenting for security is a key piece of an overall defense-in-depth strategy. Here's how to accomplish it in your organization

My job over the last thirteen years as a penetration tester has given me a unique understanding of security from an attacker's point of view. I have conducted hundreds of penetration tests on organizations ranging from Federal government nuclear weapons labs, to banks, city governments, and practically everything in between. I know what makes an attacker's job easy, and what makes it difficult or practically impossible. I am oftentimes surprised that in 2014, I can gain access to one server or workstation, and use it to traverse the entire network, unhindered at the network layer.

I'm shocked that closed-circuit television (CCTV) systems, alarm systems, building access control systems, and manufacturing process control systems are just "hanging out" on the corporate network for all to see. I recently conducted an assessment on a very large city. They had a flat and permissive internal network, meaning there were virtually no barriers between their different systems.

I ended up compromising literally everything. I could disable the proximity card reader on any door in the city, including the police narcotics vault, gun vault, holding cell, and many others, all because the workstation that managed the access control system was identifiable and accessible to all internal network users.

What is network segmentation for security?

Simply put, it is classifying and categorizing IT assets, data, and personnel into specific groups, and then restricting access to these groups using ingress and egress filtering. We all understand this at some level. We know that we need to put our Internet-accessible servers into a DMZ, and that those DMZ assets should have little or no access to the internal network. This way, if a DMZ server is compromised, the attacker can't leverage the access and "touch" internal systems. We know that SCADA/EMS/DCS and other process control systems should be isolated from the corporate network. Why is it that we don't do it throughout our entire enterprise?
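The following is an added illustration, not code from the article or its author: a small zone-based policy model of the idea just described. Assets are classified into segments, traffic between segments is decided by first-match ingress/egress rules with a default deny, and a `reachable_from` helper shows how far a compromised host can get under a flat policy versus a segmented one. The zone names, rule set and probed ports are constructed for the example and do not describe any real organisation's network.

```python
"""Zone-based segmentation policy check (added example, not from the article).

Models the article's definition: classify assets into segments, then restrict
traffic between segments with ingress/egress rules and a default deny.
Zone names and rules below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str             # source zone, or "any"
    dst: str             # destination zone, or "any"
    ports: frozenset     # allowed TCP destination ports; empty set = any port
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Policy:
    zones: frozenset
    rules: tuple            # evaluated first-match, top to bottom
    default: str = "deny"   # anything not explicitly matched is dropped

    def evaluate(self, src: str, dst: str, port: int) -> str:
        """Return the action ("allow"/"deny") for a flow src -> dst:port."""
        if src not in self.zones or dst not in self.zones:
            raise ValueError(f"unknown zone: {src!r} or {dst!r}")
        for r in self.rules:
            if (r.src in (src, "any") and r.dst in (dst, "any")
                    and (not r.ports or port in r.ports)):
                return r.action
        return self.default

    def reachable_from(self, src: str, ports=(22, 80, 443, 445, 3389)) -> set:
        """Zones a host in `src` can reach on at least one probed port: a rough
        'blast radius' once a single host in that zone has been compromised."""
        return {z for z in self.zones if z != src
                and any(self.evaluate(src, z, p) == "allow" for p in ports)}


# Constructed zones: the segments an organisation might classify assets into.
ZONES = frozenset({"internet", "dmz", "corporate", "building_access", "process_control"})

# A flat, permissive network like the one the article describes: everything
# can talk to everything, so one compromised workstation reaches every zone.
FLAT = Policy(ZONES, (Rule("any", "any", frozenset(), "allow"),))

# A segmented network: only the flows the business needs are allowed, and the
# default deny covers everything else. building_access and process_control have
# no inbound rules at all, so no other zone can reach them.
SEGMENTED = Policy(ZONES, (
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),        # public web services
    Rule("dmz", "corporate", frozenset(), "deny"),                 # DMZ must not touch the inside
    Rule("corporate", "dmz", frozenset({22, 443}), "allow"),       # admins manage DMZ hosts
    Rule("corporate", "internet", frozenset({80, 443}), "allow"),  # outbound browsing only
))


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{name:9s} corporate host can reach: {sorted(policy.reachable_from('corporate'))}")
        print(f"{name:9s} DMZ host can reach:       {sorted(policy.reachable_from('dmz'))}")
```

The two `reachable_from` results make the article's point concrete: under the flat policy a single corporate workstation reaches the building access and process control segments, while under the segmented policy it reaches only the DMZ and the Internet, and a compromised DMZ host reaches nothing internal. The same evaluation order (explicit rules first, default deny last) is what you would encode in a real firewall or ACL between the segments.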
