Network Segmentation and Host Isolation

23/11/2020

Network segmentation is the practice of splitting one large local area network (LAN) into separate groups of network devices (PCs, printers and other network-enabled devices). The separated groups are called Virtual LANs or VLANs. The aim is that different groups of systems cannot interact with each other, which stops malicious users or malware spreading throughout the network without restriction.

Host isolation is where a system cannot see any other devices. For example, it cannot send files to, or access the remote desktop service on, another machine on the network. If machines cannot interact, they cannot be used to spread viruses.

Now let’s look at a standard small company network:

  • Guest Wi-Fi, which you normally give to other companies that come onsite, to customers, or even to personal devices your employees wish to connect to the network.
  • Staff Wi-Fi/LAN. This is your company network that your employees use from day to day.
  • Servers. All users should have access to these, to share files and save their daily work.
  • Private servers. Only high-level staff require access to these as they could contain your staff payments database, company HR documents or even access to private, sensitive information.

Think of your network like a bank. You have four different areas in the building:

  1. The lobby, where your customers are.
  2. Behind the tills, where your customer-facing staff are.
  3. Your management rooms, where only trusted employees should have access.
  4. The bank vault, where all the money is stored.

In this scenario, you don’t want the vault door to be open in front of the customers even if they are law-abiding citizens; it only takes one mistake or one malicious act for all the money to be taken. You also don’t want the customers to see each other’s bank account details.

Now that we understand how your company network is split up in the eyes of a penetration tester, you are probably asking “what can I do to ensure our network is set up correctly and securely?” This is where we apply network segmentation and host isolation.

While every company network is different and there’s no one solution, we can explain what steps should be put in place so you can plan and find a working solution, with examples of how this may be implemented.

Initially, you want to break down your network into smaller, manageable groups. While you may feel that separating every machine is the most secure option, it would make the network highly impractical. Talk to your staff and work out what access they require to do their day-to-day job. Keep the network as simple as you require, but decide which systems should be able to interact with each other. As per the example above, you do not want any guest Wi-Fi users to be able to see your domain controller. Once you’ve made your list and organised the categories, you can plan your new network layout with the private IP range setup you require, such as the following:

  • 10.0.1.0/24: servers.
  • 10.0.2.0/24: IT staff/staff machines with required access.
  • 10.0.3.0/24: programming staff machines.
  • 10.0.4.0/24: sales staff machines.
  • 10.0.5.0/24: staff Wi-Fi, if you trust employees with BYODs.
  • 10.0.10.0/24: printers/mail server.
  • 10.0.15.0/24: guest devices.

Planning and separating things up makes diagnosing security incidents easier: if you see in the logs that an attack came from the 10.0.3.0 range, you can quickly pinpoint that it originated from a programming staff member’s machine. This could indicate an insider threat or a potential malware outbreak. Ensuring users can still access the servers and devices they require is entirely down to you; every company is different and staff requirements differ, so make sure your plan works for you.

Once you have your plan, you need to set up the VLANs and block access between them. This can be done in a number of ways, but most commonly by setting up VLANs on a dedicated network switch with a firewall. Doing this, you can grant access only between the VLANs that require it. During this, test and communicate with your staff to ensure you are setting this up correctly; your staff will be the first to know if they cannot do their job due to a misconfigured VLAN. (We’ll cover how to do this correctly in a future blog.)
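As an added example (not part of the original post), the plan above expressed as a default-deny inter-VLAN policy in Python: the subnets are the article’s own, while the allow-list entries and the sample flow lines are assumptions constructed for illustration. Running the sample flows through it shows how a log entry from 10.0.3.0/24 is pinned to the programming VLAN, and why a guest device’s attempt to reach a server is denied while IT staff’s is not.

```python
import ipaddress

# VLAN plan: the example private ranges from the article.
NETWORKS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "servers": "10.0.1.0/24", "it_staff": "10.0.2.0/24", "programming": "10.0.3.0/24",
    "sales": "10.0.4.0/24", "staff_wifi": "10.0.5.0/24",
    "printers_mail": "10.0.10.0/24", "guest": "10.0.15.0/24"}.items()}

# Inter-VLAN allow-list (assumed policy, not from the article): (source VLAN,
# destination VLAN, port or "any"). Anything not listed is denied by default.
ALLOW = {
    ("it_staff", "servers", "any"),    # IT staff administer the servers
    ("programming", "servers", 445),   # file shares only
    ("sales", "servers", 445),
    ("sales", "printers_mail", 9100),  # raw printing
}

def vlan_of(ip):
    """Map an address to its VLAN name from the plan, or None if unplanned."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip, dst_ip, port):
    """Default-deny check of one inter-VLAN flow against the allow-list."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False  # addresses outside the plan have no route
    if src == dst:
        return True   # traffic inside one VLAN is not policed here
    return (src, dst, "any") in ALLOW or (src, dst, port) in ALLOW

def audit(flow_lines):
    """Parse 'src dst port' lines; return (src_vlan, dst_vlan, port, verdict)."""
    results = []
    for line in flow_lines:
        src_ip, dst_ip, port = line.split()
        verdict = "allow" if is_allowed(src_ip, dst_ip, int(port)) else "DENY"
        results.append((vlan_of(src_ip), vlan_of(dst_ip), int(port), verdict))
    return results

# Constructed sample flows (not real log data): "source destination port".
SAMPLE_FLOWS = [
    "10.0.3.7 10.0.1.10 445",    # programmer to a file share: allowed
    "10.0.3.7 10.0.1.10 3389",   # programmer to RDP on a server: denied
    "10.0.15.23 10.0.1.10 445",  # guest device to the file server: denied
    "10.0.2.5 10.0.1.10 3389",   # IT staff to RDP on a server: allowed
    "10.0.4.9 10.0.3.7 445",     # sales to a programmer's PC: denied
]
```

Calling `audit(SAMPLE_FLOWS)` labels each flow with its source and destination VLAN, which is the same lookup you would apply to a firewall log when deciding where an incident started.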

Once it has been implemented and set up correctly and work is continuing smoothly, all you need to do is maintain this as your network grows. Don’t start opening new routes or putting a new Wi-Fi point in on the 1.0 range. Like all IT equipment and setups, it requires maintenance, and as your company grows new plans need to be put in place. Good documentation is key: keep your VLAN plans and documentation with your network diagram so that when you need to change your setup, you’re not going in blind.

Guest devices can be malicious, so ensuring they cannot view or access other devices means they cannot spread malware or directly attack your network. Restricting access to key servers to trusted staff stops a staff member or guest taking copies of your company’s sensitive data. VoIP systems almost always require their own VLAN; this benefits both security and functionality by separating that traffic from the rest of the network. Any device that you don’t own should not have free, network-wide access, whether you trust the person or not; attackers can always target such devices as a way in.

How Can Samurai Help?

Testing network segmentation comes as part of a penetration test. We can help by engaging with you on your design and implementation of the segmentation to ensure your key network areas are fully secured, all whilst not impacting your business continuity. We can also test the implementation of the network segmentation to ensure none of the issues raised above have found their way into your setup, ensuring your network is fully segmented and secured.