Will Bechtel
I was explaining the cybersecurity angle of Network Segmentation to a colleague the other day, when I was struck by a parallel between the goals of Network Segmentation and what we are experiencing today with social distancing.
Recently, we all have heard the reports from public health officials worldwide asserting that social distancing is the most effective method available to us today to reduce the spread of coronavirus. Similarly, ‘network segmentation’ has been used for decades, and is recognized as one of the best preventative measures against the threat of unwanted computer viruses. As concepts, social distancing and network segmentation share many common objectives; let me explain.
The Social Network
A social network is defined as a group of people based on how they relate to one another.
Each household is a social network made up of people that share a common address.
Social distancing limits the interactions of the household to the members of the household.
When you add more people, you get more extensive human networks – communities, towns, cities, states, and countries, creating a combined complex network of people. For social distancing measures to be effective in these larger human networks where intersecting paths are quite complex to track, additional strategic tactics must be imposed to enforce separation from each other. By limiting travel between these networks, a pandemic such as we’re experiencing today can be slowed (and even stopped) from spreading if the segmentation is complete enough.
The same is true with computer networks.
Enter the Firewall
The Internet created a worldwide network of connected systems that advanced the ease of interacting, cooperating and collaborating with networks near and far. This increased access also introduced the risk of exposure to actors with malicious intent.
What was the solution to manage this risk? Network segmentation. Some early adopters connected to the Internet without segmenting their network; when they did, they quickly realized that they had left their systems open to an attack from potentially any connected system. To address this threat, network operators decided to segment themselves from the Internet with a specialized network device and software known as a firewall.
This common network configuration used the terms Internet for the ‘untrusted’ public network and Intranet for the ‘trusted’ internal network, with the firewall separating them. Successful network segmentation was achieved with a firewall configuration disallowing any connection between the internal and public networks, except those that were explicitly allowed.
The number and type of allowed connections between the networks had to be strictly limited if the firewall was to provide the protection needed from the risks present on the Internet. Over time additional segmentation strategies such as establishing a DMZ between the untrusted public network (Internet) and the trusted network (Intranet) were put in place to further segment the networks and thus further reduce the risk.
Circumventing the Firewall
This segmentation is similar to what has been put in place globally, as COVID-19 has made its way across continents.
Similar to the firewall configuration example above, most countries' default configuration was to deny all travel, with exceptions allowing only certain types of travel, such as repatriating citizens. Countries that took more extreme measures with travel restrictions had fewer virus transmissions. Additionally, exceptions were made for 'low risk' countries where the virus had presumably infected a smaller share of the population, and those countries were not initially placed on restricted travel lists.
These exceptions allowed the virus to circumvent the restrictions on international travel for some countries that were initially effective. In this way, the segmentation proved to be ineffective over time.
This is similar in nature to what is happening in many networks today. While initially, the firewall provided a secure network segmentation between the public Internet and the private Intranet, over the years, actors with malicious intent have found ways to circumvent the firewall to gain access to the Intranet.
The most effective tactic at present is phishing, but many other attack vectors have been used, such as abusing trusted vendor connections. What has become clear is that it is no longer safe to have a large, unsegmented Intranet. Organizations that have not already done so must now move to include network segmentation within the internal Intranet.
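To make the perimeter model (default deny, explicit allows, a DMZ) and the internal-segmentation point concrete, here is an added example that is not from the original post: a small zone-based policy model in Python. The zone names, ports and allow-lists are constructed for illustration; the point it shows is how much a compromised host can reach in a flat Intranet versus a segmented one.

```python
# Added illustration, not the author's code: a minimal model of zone-based
# firewall policy. Zones, ports and allow-lists are constructed examples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


class ZonePolicy:
    """Default-deny between zones: only explicitly listed (src, dst, port)
    tuples pass. Traffic that stays inside one zone is never filtered,
    which is exactly why a large, flat Intranet is risky."""

    def __init__(self, allow):
        self.allow = set(allow)

    def permits(self, f: Flow) -> bool:
        if f.src_zone == f.dst_zone:
            return True
        return (f.src_zone, f.dst_zone, f.dst_port) in self.allow


# Perimeter-only design: Internet / DMZ / one flat Intranet.
FLAT = ZonePolicy([
    ("internet", "dmz", 443),       # public web front-end
    ("dmz", "intranet", 5432),      # web tier talks to the database
    ("intranet", "internet", 443),  # staff browse outbound
])

# Internal segmentation: workstations and servers become separate zones,
# and the database port is reachable only from the DMZ web tier.
SEGMENTED = ZonePolicy([
    ("internet", "dmz", 443),
    ("dmz", "servers", 5432),
    ("workstations", "internet", 443),
    ("workstations", "servers", 443),  # app front-end only, not the DB
])

# Constructed set of (zone, port) destinations to probe from a source zone.
TARGETS = [("internet", 443), ("dmz", 443), ("intranet", 5432),
           ("servers", 5432), ("servers", 443)]


def reachable_from(policy: ZonePolicy, src_zone: str, targets=TARGETS):
    """Destinations a host in src_zone may reach: the blast radius of a
    single phished workstation under the given policy."""
    return sorted(t for t in targets if policy.permits(Flow(src_zone, *t)))
```

Comparing `reachable_from(FLAT, "intranet")` with `reachable_from(SEGMENTED, "workstations")` shows the database port dropping out of reach once the Intranet is split into zones.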
On the world health stage, we have learned a similar lesson.
The Balancing Act
Since we know that network segmentation has reduced risk in the past in other situations, why hasn’t every organization done more to implement additional segmentation within their own Intranet?
There could be several reasons, but the biggest contributing factor is likely the increased complexity and cost of management. When network segmentation is put into place, there is no longer free access from one area to the other.
At each level of network segmentation, the degree of least privilege applied to manage the segmentation usually correlates with how much additional protection the segmentation provides against adverse events.
This same idea was also evident when additional restrictions on air travel into the US from Europe were put in place to slow the spread of the coronavirus. People trying to get home found themselves in a backlog of long, slow-moving lines.
Segmenting networks will almost always cause some level of inefficiency in managing traffic. However, just as improvements were made to reduce overflowing line-ups at airports, inefficiencies usually become better managed and less impactful over time.
A trade-off becomes apparent as network segmentation grows more rigid. If network segmentation is complete, then the risk of a malicious event transiting from one segment to another is lowered to zero, but so is your ability to collaborate between segments. Conversely, as you become less and less strict in the segmentation, your levels of protection are reduced.
This leads to a delicate balancing act that is continuously changing in our industry. Security professionals steadily strive to strike a balance between enabling as much connectivity as possible while also protecting the overall network from actors with malicious intent.
Final thoughts
What is the best network segmentation strategy for your organization?
How should it be implemented in a way that will provide the least impact to your organization while still obtaining the desired risk reduction?
The answers to these questions will always be specific to each organization. But there is one thing that is clear for all organizations that have not yet planned for or implemented network segmentation: If you want to reduce the risk to your organization, don’t wait for a viral attack to act.
Make a plan for network segmentation sooner rather than later.