Network Segregation

Overview
Network segregation is the process of separating a larger network into smaller networks (also called "domains" or "security zones") based on data classification, sensitivity and/or key business functionality and value to the organization. The objective is to reduce the impact of a disruption of service to the organization and to control the data flow to and from those networks in order to protect information resources.

Guidelines
Critical networks should be segregated and controlled based on data classification or critical business services. Segregation can be achieved by separating systems, applications, and networks into groups of services, also referred to as security zones (or "domains"). Domains can include, for example: Development, Internal/Production, Customer/Internet-facing, Perimeter/DMZ or User zones.

Each domain should be separated by security controls, including but not limited to: firewalls, routers, IDS/monitoring, access control or other mechanisms that restrict access (and contain potential system or data breaches). Data traffic to and from the domains should be controlled via IP routing and/or firewalls. The highest level of security controls and investment, including monitoring and access controls, should be implemented for systems and networks that host sensitive (e.g. confidential or secret) information.

Network segmentation can be implemented in phases, starting with the separation of non-production from production domains using firewalls, IDS and other monitoring mechanisms. For example, by monitoring data flows from non-production to production networks, the organization can begin to identify which applications or systems are connecting to the more sensitive systems and data in production. To separate development from production environments, non-production systems (such as Development or QA) should be implemented on separate systems, networks and supporting infrastructure (such as power, racks, etc.) from production systems. The organization can then work with application owners to limit development dependencies on production, and then implement firewall rules to limit data flow and increase security.

In addition, the organization can monitor for insecure data flows to/from the networks to shut down insecure protocols (e.g. telnet, RSH, etc.) and work with application owners to move to more secure protocols (e.g. SSH).

The most careful attention and focus should go to monitoring and restricting data flow to the most sensitive assets and systems. For example, your internet/customer systems and HR production systems would require stricter controls that monitor and restrict access to the minimum required and no more. Monitoring rules in place using security monitoring (see "SIEM" topic) can also assist with prioritizing those security events that need immediate attention.
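The phased approach above (zone policy enforced between domains, flow monitoring from non-production into production, retiring clear-text protocols such as telnet and RSH, and prioritizing by the sensitivity of the target) can be exercised against flow or firewall logs. The following is an added example, not code from the original article: it evaluates constructed flow records against an assumed zone layout and policy matrix, flags cross-zone flows the matrix does not permit and clear-text protocols, and ranks findings so that those touching production surface first. The zone names, subnets, allowed ports and log format are assumptions for illustration.

```python
"""Zone-policy check over flow logs (added example; zones, subnets, ports
and log format are assumptions, not from the original article)."""
import ipaddress
from dataclasses import dataclass, field

# Assumed zone layout: zone name -> (network, sensitivity 1..3).
ZONES = {
    "dev":  (ipaddress.ip_network("10.10.0.0/16"), 1),
    "user": (ipaddress.ip_network("10.20.0.0/16"), 1),
    "dmz":  (ipaddress.ip_network("10.30.0.0/24"), 2),
    "prod": (ipaddress.ip_network("10.40.0.0/16"), 3),
}

# Assumed zone policy matrix: (src_zone, dst_zone) -> allowed TCP ports.
# Traffic inside a single zone is not restricted by the matrix; any
# cross-zone pair or port not listed here is treated as denied.
POLICY = {
    ("user", "prod"): {443},
    ("dmz", "prod"): {443, 5432},
    ("user", "dev"): {22, 443},
    ("user", "external"): {80, 443},
}

# Clear-text protocols to retire, with the replacement to migrate to.
INSECURE_PORTS = {
    23: ("telnet", "ssh (tcp/22)"),
    513: ("rlogin", "ssh (tcp/22)"),
    514: ("rsh", "ssh (tcp/22)"),
}

# Constructed sample records: timestamp src dst proto dst_port.
SAMPLE_LOG = """\
2014-07-31T10:00:01 10.20.3.7 10.40.1.10 tcp 443
2014-07-31T10:00:02 10.10.5.4 10.40.1.10 tcp 23
2014-07-31T10:00:03 10.30.0.5 10.40.2.20 tcp 5432
2014-07-31T10:00:04 10.10.5.4 10.10.9.9 tcp 514
2014-07-31T10:00:05 10.20.3.7 10.40.1.10 tcp 22
2014-07-31T10:00:06 10.20.3.7 203.0.113.8 tcp 443
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    src_zone: str
    dst_zone: str
    port: int
    issues: list = field(default_factory=list)
    priority: int = 0


def zone_of(ip):
    """Map an address to its zone; anything outside the layout is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _sens) in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(line):
    """Check one flow record against the zone policy and protocol list."""
    ts, src, dst, _proto, port = line.split()
    port = int(port)
    f = Finding(ts, src, dst, zone_of(src), zone_of(dst), port)

    # Cross-zone flows must appear in the policy matrix (default deny).
    if f.src_zone != f.dst_zone:
        if port not in POLICY.get((f.src_zone, f.dst_zone), set()):
            f.issues.append(
                f"{f.src_zone}->{f.dst_zone} tcp/{port} is not in the zone policy")

    if port in INSECURE_PORTS:
        name, replacement = INSECURE_PORTS[port]
        f.issues.append(f"clear-text protocol {name}; migrate to {replacement}")

    # Priority grows with destination sensitivity and the number of problems,
    # so an issue touching production outranks the same issue inside dev.
    if f.issues:
        sensitivity = ZONES.get(f.dst_zone, (None, 0))[1]
        f.priority = sensitivity + len(f.issues)
    return f


def analyze(lines):
    """Return findings that have issues, most urgent first."""
    findings = [evaluate(l) for l in lines if l.strip()]
    flagged = [f for f in findings if f.issues]
    return sorted(flagged, key=lambda f: (-f.priority, f.ts))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"[P{f.priority}] {f.ts} {f.src} ({f.src_zone}) -> "
              f"{f.dst} ({f.dst_zone}) tcp/{f.port}")
        for issue in f.issues:
            print(f"    - {issue}")
```

Run against the constructed log, the dev-to-production telnet session ranks first (denied by the matrix and clear-text), the unexpected user-to-production SSH second, and the rsh session that stays inside dev last; the permitted HTTPS and database flows produce no findings. In practice the same matrix doubles as the specification for the firewall rules between zones, so the monitoring output and the enforcement policy stay in step.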


Topic Category
Network Security

News Articles
- Backoff: New Point of Sale Malware (www.us-cert.gov, 7/31/2014)
- S. Korea banks to segment network, establish data backup (www.zdnet.com, 7/11/2013)

White Papers
- DISA Network Management White Paper (iase.disa.mil, 3/24/2010)
- DISA VLAN Provisioning for Logical Separation (iase.disa.mil, 3/24/2010)