Example implementations of network segmentation and segregation
Segmenting a network to protect key hosts
In this scenario an organisation had decided to segment their network to protect key hosts from a network intrusion. In doing so they implemented the following security measures:
- compiled an inventory of key hosts documenting their sensitivity and any necessary communications with such hosts
- planned the introduction of security measures in a schedule that was achievable with the resources allocated ensuring sufficient testing prior to deployment
- restricted logical network connectivity to key hosts to only those ports and protocols that were essential
- only allowed connections to be established from more trusted to less trusted zones and not vice versa (with the exception of necessary user access to application interfaces)
- whitelisted application layer content so that only required content was able to flow between different trust zones
- implemented multi-factor authentication, and used a separate set of credentials for users and services whose function was more sensitive than that of other users or services sharing the same host or network
- minimised the use of implicit trust relationships between hosts in the same and different trust zones (the trust relationships defined across different trust zones were implemented such that each side of the trust relationship authenticated and authorised the other)
- implemented Web, email and file content filtering for connections to external organisations and the Internet to detect and sanitise potentially malicious content
- applied intrusion prevention and host-based antivirus to detect and quarantine identified malicious content
- implemented centralised logging, alerting, monitoring and auditing capabilities which were the responsibility of a dedicated security operations team.
The above list is not an exhaustive set of security measures; however, it is a realistic overview which demonstrates that network segmentation and segregation must be considered at all layers to be effective. Implementing a secure network architecture is never as simple as implementing a gateway firewall with restrictive access control lists.
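As an added illustration (not part of the original guidance), the following Python check models the connectivity measures in the list above: a candidate firewall rule is permitted only if it targets a service the key-host inventory records as essential for that host, and only if it is initiated from an equally or more trusted zone, with the single documented exception of user access to an application interface from a user zone. The zone names, trust ranking, hosts and ports are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed trust zones; a higher rank is a more trusted zone.
TRUST_RANK: Dict[str, int] = {"internet": 0, "dmz": 1, "user_lan": 2, "server_core": 3}

# Zones from which "necessary user access to application interfaces" may
# originate (assumption: only the corporate user LAN).
USER_ZONES = {"user_lan"}

# Constructed key-host inventory: the zone each host lives in and the only
# services it may accept, tagged as a user-facing interface or a backend.
INVENTORY = {
    "erp-app01": {"zone": "server_core",
                  "services": {("tcp", 443): "app_interface", ("tcp", 22): "backend"}},
    "db01": {"zone": "server_core", "services": {("tcp", 5432): "backend"}},
}

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone that initiates the connection
    dst_host: str   # inventoried key host being contacted
    proto: str
    port: int

def evaluate(rule: Rule) -> Tuple[bool, str]:
    """Return (permitted, reason). Anything not explicitly permitted is denied."""
    host = INVENTORY.get(rule.dst_host)
    if host is None:
        return False, "destination is not an inventoried key host"
    kind = host["services"].get((rule.proto, rule.port))
    if kind is None:
        return False, f"{rule.proto}/{rule.port} is not an essential service on {rule.dst_host}"
    if TRUST_RANK[rule.src_zone] >= TRUST_RANK[host["zone"]]:
        return True, "initiated from an equally or more trusted zone"
    if kind == "app_interface" and rule.src_zone in USER_ZONES:
        return True, "documented exception: user access to an application interface"
    return False, "a less trusted zone may not initiate connections to this service"

def audit(rules: List[Rule]) -> List[Tuple[Rule, bool, str]]:
    """Evaluate a candidate rule set and return each rule with its verdict."""
    return [(r, *evaluate(r)) for r in rules]

if __name__ == "__main__":
    for rule, ok, why in audit([Rule("user_lan", "erp-app01", "tcp", 443),
                                Rule("user_lan", "db01", "tcp", 5432),
                                Rule("internet", "erp-app01", "tcp", 443)]):
        print("PERMIT" if ok else "DENY  ", rule, "->", why)
```

Run against a real change request, the denied rules with their reasons are what a network team would need to justify or drop before deployment.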
Segregating high-risk applications from a network
In this scenario an organisation had identified that most of their network contained sensitive information and segmenting the network or segregating all of that information was not cost-effective. Instead, the organisation chose to segregate high-risk applications (i.e. web browsers, email clients and content management systems) from the rest of the network. In doing so, they implemented the following security measures to maintain business requirements while reducing the risk of a successful network intrusion:
- Users requiring internet access launched a remote desktop application on their corporate workstation to access a virtual desktop and authenticated with a user account used only for that purpose. This virtual desktop was served from a dedicated server hosted in a different network segment within a different authentication domain. This dedicated remote desktop allowed users to conduct high-risk activities such as web browsing and reading emails while limiting the utility of a single compromised application to an adversary.
- Users requiring access to high-risk applications launched a local virtualisation application to run a hardened virtual host which connected to a less-trusted remote environment which was protected by a layered security gateway that broke apart and abstracted all necessary communications protocols between high-risk applications and the organisation’s corporate network.
Summary of example implementations
The key takeaway from both approaches was that users did not store or process potentially malicious data directly on their corporate workstation or use the corporate servers which were relied upon for sensitive and business-critical functions. Each user’s interaction was with a remote desktop or application and, if required, output was sent back to the user through a sufficiently structured and limited capability that prevented malicious code from executing or propagating throughout the corporate network.
It is important to remember that when implementing security measures an organisation will incur a resource cost to ensure that the additional systems are appropriately maintained. As with other technology assets, these security measures should be managed and monitored, with security patches applied as soon as possible after release.
Finally, it is recommended that all web browsing environments be non-persistent, rigorously hardened and subject to regular technical security assessments. Should the web browsing environment become compromised with malicious code, the infection is then removed as soon as the user completes their web browsing session.