
Security by Segmentation: The 3-tiered Network Architecture


Introduction

Malware infections are known to spread quickly within networks. This is better known as lateral movement.

To combat this type of spread, security teams employ a variety of measures, one of which is Network Segmentation.

Network segmentation is usually not done as a security measure in its own right, but for ease of network management. However, an unintended consequence of network segmentation is security.

This article explains what network segmentation is, how it works, and the 3-tiered network architecture.

What is Network Segmentation

Network segmentation is a method of dividing a network, usually a large one, into smaller parts, each part handling a particular traffic flow.

Network admins often use this to help them find ‘breathing space’ in networks that otherwise would be too congested to be properly managed. For instance, in an enterprise organization, a single network can be divided into 4 subnetworks with different parts of it managing company-owned devices, employee-owned devices, internal servers and devices, and guest devices respectively.

This configuration can be made robust enough that a device which isn't supposed to be on a given segment cannot connect to it at all, effectively cutting off any potential communication with the devices on that segment.

What is a Network Architecture

A network architecture is how a network is designed and built. It comprises all that is on the network and how communication flows among the components of that network. In simpler language, a network architecture is the blueprint of the network.

Understanding your network architecture is the first step to having a properly segmented network.

Setting up the architecture of your organization depends on a couple of factors, including, but not limited to, the size of your organization, the end goal of your organization, and what your security posture looks like. To get a better understanding of network architecture, check this article.

The Three Tiers of Network Segmentation

Placing networks in tiers is an approach to creating robust networks that not only serve as an easy template for designing the architecture of your network for management, but also serve as a way to effectively contain the spread of malware or threat activities, ensuring that the most critical aspects of your business stay safe during an attack.

This idea of network segmentation involves three ‘broad’ tiers: The Outside Network, the Middle Network, and the Internal Network.

  1. The Outside Network

This part of the network handles devices and communications that are internet-facing and, thus, prone to malware and threat attacks. It is configured to host devices that hold low-risk data. This is also the part to which guest devices can be connected.

Suppose your organization has a BYOD policy in place and an employee brings their own device to work. That device should ideally be on the outside network, as security measures like endpoint monitoring won’t be running on an employee's personal computer.

Having an outside network can

  2. The Middle Network

This part of the network serves the role of a mediator. It is where internet-facing channels and services are connected so that employees can access them without exposing the internal network.

It is at this tier of the network that the concept of a DMZ is often found. It is configured to act as a filter, which is why services like mail are often placed on this network.

In some organizations, remote work is sometimes done from this tier as it is very secure, but untrusted.

  3. The Internal Network

This part of an organization's network is where the most critical assets are connected.

It is configured to be highly secure and to have no direct communication with the outside network. Servers, databases, and company-owned computers operate on this network.

Why Segment Networks?

Effective Management:

Network admins use segmentation to have granular control of networks. With proper network segmentation, it becomes easier to zoom in on one segment and create custom rules for it, using tools like Ansible and Python.

Security:

As we have seen in this article, security is a reason some organizations segment their network.

Even in cases where security isn’t part of the goal, it is an automatic byproduct of good network segmentation: strict control of communication between segments ensures that the most important assets are preserved during a cyber attack, and that infected devices get contained quickly.

Troubleshooting:

Since a segmented network is granular in nature, troubleshooting an issue takes less time and becomes more effective.

Less Downtime Intervals:

Suppose you need to make a fix or an update as part of your role as a network engineer or admin. You may need to make the network unavailable for the duration. With a segmented network whose parts act independently, however, taking one part of the network out of production won’t affect the others.

How to Segment Networks

  • Start by identifying your assets:

It may surprise you that many organizations aren’t aware of the devices running on their network. That blindness is often what gives attackers an easy break-in and, in many cases, persistence, something threat actors value highly.

  • Classify them:

Now that you know your assets, you need to classify them. Classifying your network devices lets you decide which ones go where; critical assets would usually go into the internal network.

  • Find a segmentation method:

Depending on the size, goal, and available funding for your organization, you can employ different methods of segmenting networks.

While one organization may choose to use Firewalls as a way to segment its network, another may employ the use of router subnets.

Other ways of segmenting a network include VLANs, a logical means of network segmentation, and Software-Defined Networking (SDN), often employed by organizations that require hybrid networks.

Physical means like Access Control Lists (ACL), or even getting a separate router for different communication needs, also work.
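As an added example (not from the original article), the script below encodes the three tiers described earlier and the steps above as a small audit: assets are classified into a tier by the subnet they sit in, a tier-to-tier policy states which tier may initiate connections to which (the outside tier must never reach the internal tier directly), and constructed flow-log lines are checked against it. The subnets, the policy matrix and the log lines are all assumptions made for the example.

```python
"""Audit flows against a 3-tier segmentation policy (constructed example)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed subnets, one per tier; real values depend on your own network.
TIERS = {
    "outside": ipaddress.ip_network("10.0.0.0/24"),   # guest / BYOD / internet-facing
    "middle": ipaddress.ip_network("10.0.1.0/24"),    # DMZ: mail, web front ends
    "internal": ipaddress.ip_network("10.0.2.0/24"),  # servers, databases, company PCs
}

# Which tier may initiate a connection to which tier (assumed policy).
# Outside never reaches internal directly; it must go through the middle tier.
ALLOWED = {
    ("outside", "middle"), ("middle", "internal"), ("internal", "middle"),
    ("outside", "outside"), ("middle", "middle"), ("internal", "internal"),
}


def tier_of(ip: str) -> Optional[str]:
    """Classify an address into its tier, or None if it is not in the inventory."""
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return None


def check_flow(src: str, dst: str) -> str:
    """Return 'allow', 'deny' or 'unknown-asset' for a src -> dst connection."""
    s, d = tier_of(src), tier_of(dst)
    if s is None or d is None:
        return "unknown-asset"  # an asset nobody inventoried: worth investigating
    return "allow" if (s, d) in ALLOWED else "deny"


# Constructed flow log, one "src dst dport" record per line.
FLOW_LOG = """\
10.0.0.23 10.0.1.10 25
10.0.0.23 10.0.2.5 1433
10.0.1.10 10.0.2.5 1433
10.0.2.5 10.0.0.23 445
192.168.50.7 10.0.2.5 22
"""


def audit(log: str) -> List[Tuple[str, str, str]]:
    """Return every flow that the tier policy does not explicitly permit."""
    findings = []
    for line in log.splitlines():
        src, dst, _port = line.split()
        verdict = check_flow(src, dst)
        if verdict != "allow":
            findings.append((src, dst, verdict))
    return findings


if __name__ == "__main__":
    for src, dst, verdict in audit(FLOW_LOG):
        print(f"{verdict:14} {src} -> {dst}")
```

Two of the constructed flows cross directly between the outside and internal tiers and are reported as denied; the flow from an address outside every tier is reported as an unknown asset, the gap the "identify your assets" step is meant to close.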

Conclusion

We have seen how effective network segmentation can simultaneously serve the purpose of security and management.

Worthy of note here is that the 3-tier approach in this article isn't a universal standard, but a good template to follow. What you choose to adopt depends on you as an organization, but the most important lesson from this is that having a segmented network serves as a form of layered defence for your cybersecurity posture, and every organization should segment its network.