Source: Sentryworx Blog

Network Segmentation and Security

In the field we see network after network that is flat with no segmentation at all. Why is this a concern as it relates to information security? First and foremost, what is network segmentation?

Let's start with a picture of a flat network:

As you can see above, every device is on the same ethernet segment. This means there is no network filtering between devices.

Now, let's see what a segmented network looks like:

The picture above shows that each ethernet segment is filtered by the router / firewall. Let's take a look at each segment in a little more detail.

Ethernet Segment - DMZ

The demilitarized zone! Everything in this segment is considered high risk. Why? Due to the fact that devices here will have communications initiated from the internet, any device in this segment should be hardened and prevented from initiating communications to any other segment. If your web server has a vulnerability that is exploited over TCP port 80, and you are permitting TCP port 80 through your router / firewall -> you have a problem. By segmenting your network, you limit that problem to the two devices on that segment rather than all devices in your network.

Ethernet Segment - Wireless

How far does your wireless access-point reach? Can you get a signal from outside? Since you are suppressing the SSID, no one can see your wireless network; that makes it secure (pssst!! That's not really true). We have major hurdles to overcome in securing our wireless networks, so given this fact, we need to put in multiple layers of security. One of these hurdles is the fact that we can't control (with any degree of [...]

The post Network Segmentation and Security appeared first on Sentryworx.
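The DMZ rule described above (hosts there must not initiate connections to any other segment) can be checked mechanically against a firewall policy. The sketch below is an added example, not code from the original post: the zone names, the rule format and both rule sets are constructed for illustration and do not follow any particular firewall's syntax. Rules describe connection initiation only; return traffic is assumed to be handled by stateful tracking.

```python
from collections import namedtuple

# Hypothetical rule model: "any" is a wildcard in every field.
Rule = namedtuple("Rule", "src dst proto port action")
SEGMENTS = ("dmz", "wireless", "lan")  # constructed segment names

def matches(field, value):
    return field == "any" or field == value

def evaluate(rules, src, dst, proto, port):
    """First matching rule wins; traffic matching no rule is denied."""
    for r in rules:
        if (matches(r.src, src) and matches(r.dst, dst)
                and matches(r.proto, proto) and matches(r.port, port)):
            return r.action
    return "deny"

def dmz_initiated_allows(rules):
    """Allow rules that could let a DMZ host open a connection to another
    segment. Conservative: rule order is ignored, so a shadowed rule is
    still reported for review."""
    return [r for r in rules
            if r.action == "allow" and matches(r.src, "dmz")
            and any(matches(r.dst, s) for s in SEGMENTS if s != "dmz")]

def reachable_from(rules, src, proto, port):
    """Segments a host in `src` can initiate a connection to on proto/port."""
    return [s for s in SEGMENTS
            if s != src and evaluate(rules, src, s, proto, port) == "allow"]

# Constructed policy with a hole: the web server may reach a LAN database.
WEAK = [
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("dmz", "lan", "tcp", 1433, "allow"),
    Rule("lan", "any", "any", "any", "allow"),
]
# Same policy with the DMZ barred from initiating anything.
HARDENED = [
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("dmz", "any", "any", "any", "deny"),
    Rule("lan", "any", "any", "any", "allow"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, dmz_initiated_allows(policy),
              reachable_from(policy, "dmz", "tcp", 1433))
```

With the weak policy, a compromised web server can still reach the LAN on the database port; with the hardened one, the compromise stays inside the DMZ segment.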
