Network separation and segmentation

When paired together, segmentation and separation can add an additional level of access control and security to your network, systems, and data.

Summary

Your organisation’s network can be divided, physically and virtually, into separate smaller networks so that you can apply more granular security controls to each of them.

  • Segmentation is about breaking down your organisation’s network into smaller networks. 
  • Separation means using different types of access controls to allow connections across those smaller networks.

Without network segmentation and separation, an attacker could move to other devices on your network without being stopped by access controls or security policies. 

Alternatively, an accidental malicious download by a user could result in a widespread network incident. 

This control describes the steps you can follow to design and build a segmented and secure network.

Understand the devices on your network

Before you can start breaking your network down into smaller networks, you need to understand what devices you currently have on it. This means understanding the following things.

What devices are connected 

This could involve doing a network scan to identify everything that’s currently plugged in and in use. You can also cross-reference this list with an asset register to find any devices that are currently disconnected.

Who uses those devices 

Knowing who uses the devices is important when setting up your access controls. Be sure to differentiate who currently has access, and who needs access as part of their job. This could provide you with an opportunity to cut back access to follow the principle of least privilege.

What data they can access

The sensitivity of the data these devices have access to will inform how you segment your network. For example, any credit card holder data must be separated from all other data because it carries a high security risk. You should separate any devices that have access to data you consider sensitive, such as personal, financial, classified, or intellectual property data.

What other devices they need to communicate with

Your devices may need to send or receive data from other parts of the network. Understanding which ports and protocols each device connects on will also drive your access control configurations. If you’re unsure, perform a packet capture and analyse the network traffic using a tool like Wireshark.
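The inventory steps above (scan the network, cross-reference the results with the asset register, record who owns each device and what data it holds) can be turned into a small reconciliation check. The following is an added example, not code from the original page; the scan results, MAC addresses, host names and register entries are constructed sample data, and the field names (`sensitivity`, `expected_ports`) are assumptions about how a register might be kept.

```python
"""Reconcile a network scan against an asset register.

Added example: the scan output and the register below are constructed
sample data, not real hosts.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: what a scan of the office network found.
SCAN_RESULTS = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.10.1.10", "ports": [22, 443]},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.10.1.11", "ports": [445, 3389]},
    {"mac": "aa:bb:cc:00:00:09", "ip": "10.10.1.50", "ports": [80, 23]},  # not in the register
]

# Constructed sample asset register, keyed by MAC address. "sensitivity" records
# the most sensitive class of data the device can reach; "expected_ports" is
# what the owner says the device should be listening on.
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01": {"name": "web-01", "owner": "platform",
                          "sensitivity": "low", "expected_ports": {22, 443}},
    "aa:bb:cc:00:00:02": {"name": "fin-ws-03", "owner": "finance",
                          "sensitivity": "financial", "expected_ports": {445}},
    "aa:bb:cc:00:00:05": {"name": "pos-terminal-2", "owner": "retail",
                          "sensitivity": "cardholder", "expected_ports": {443}},
}


@dataclass
class ReconcileReport:
    unregistered: list      # seen on the wire but missing from the register
    not_seen: list          # registered but not found by the scan (offline, retired, or moved)
    unexpected_ports: dict  # registered hosts listening on ports the register does not expect


def reconcile(scan, register):
    """Compare a scan result list with the register and report the differences."""
    seen = {h["mac"]: h for h in scan}
    unregistered = [h["ip"] for mac, h in seen.items() if mac not in register]
    not_seen = [r["name"] for mac, r in register.items() if mac not in seen]
    unexpected = {}
    for mac, h in seen.items():
        if mac in register:
            extra = set(h["ports"]) - register[mac]["expected_ports"]
            if extra:
                unexpected[register[mac]["name"]] = sorted(extra)
    return ReconcileReport(unregistered, not_seen, unexpected)


def group_by_sensitivity(register):
    """Group registered assets by the data they hold; each group is a
    candidate for its own segmented network."""
    groups = defaultdict(list)
    for r in register.values():
        groups[r["sensitivity"]].append(r["name"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    report = reconcile(SCAN_RESULTS, ASSET_REGISTER)
    print("Unregistered devices:", report.unregistered)
    print("Registered but not seen:", report.not_seen)
    print("Unexpected listening ports:", report.unexpected_ports)
    print("Candidate segments:", group_by_sensitivity(ASSET_REGISTER))
```

Each finding maps to a follow-up from the section above: an unregistered device needs an owner and a data classification before it is placed in a segment, a registered device that the scan did not see should be confirmed as disconnected, and an unexpected listening port is a candidate for disabling before the device goes into its segment.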

Configure your networks

Once you understand what devices are used, who uses them, and what data they have, you can start configuring your segmented networks. Your organisation’s network design will be unique. Here are a few things to keep in mind when configuring yours.

Create separate networks for each group of devices that hold sensitive data 

For example, you’ll have a separate network for credit card holder data, another separate network for your finance team, and a separate network for all other business functions.

Control access in between your segmented networks using gateways 

These gateways may have different features that allow you to inspect and filter the traffic. You could use a gateway – like a web application firewall – in front of the network with your web servers to filter out malicious traffic. A gateway with access control capabilities is important for controlling access into your sensitive networks so you can enforce things like multi-factor authentication.

Use a demilitarised zone (DMZ) in between the internet and your networks

Some services – such as web or mail servers – will need to allow inbound connections from untrusted networks like the internet. These services can be kept in a DMZ, a semi-trusted network that your organisation controls. You can then use gateways to control and filter the traffic as it passes between your sensitive networks, the DMZ, and the internet.

Separate your management and data interfaces 

Management and data interfaces should be separated either virtually or physically. Management interfaces are often used for carrying out privileged and administrative functions. You might consider having them only accessible from a separated, sensitive network that can only be accessed by the appropriate administrators.

Use security features that can’t be spoofed or bypassed 

If you’re depending on security features to limit authorised access to sensitive networks, make sure the features are configured so they can’t be spoofed or bypassed. For example, VLAN hopping is a common attack where an attacker can move from one VLAN to another by attacking a misconfigured switch directly. If there are inherent weaknesses in the network devices you’re using, make sure there are other security controls you can put in place to limit the risk of unauthorised access.

Create a network for any legacy systems

Network segregation can be a great way to control and lock down access to any legacy systems you might be running. You could use a gateway that scans for specific vulnerabilities the legacy system may be exposed to and prevent that system from being compromised.


Configure access controls to separate your networks

Each gateway should only allow the ports and protocols that are required by the devices in the networks they connect to. All other ports and protocols should be closed and denied. This means operating based on an allowed list instead of a block list. Access controls to sensitive networks should take it a step further and use user-based access policies and multi-factor authentication.
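The allow-list behaviour described above (deny everything, permit only the ports and protocols a segment needs, and add user-based policy and multi-factor authentication in front of sensitive networks) can be modelled as a small policy evaluator. The following is an added example, not code from the original page or any particular firewall product; the segment names, ports and user groups in the rule set are constructed assumptions.

```python
"""Default-deny, allow-list policy between network segments.

Added example: segment names, ports and groups below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int
    require_mfa: bool = False
    allowed_groups: frozenset = frozenset()  # empty means no user restriction


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    user_group: Optional[str] = None  # None for machine-to-machine traffic
    mfa: bool = False                 # whether the session completed MFA


# Constructed rule set. Anything not listed here is denied.
ALLOW_RULES = [
    Rule("corporate", "dmz", "tcp", 443),
    Rule("dmz", "internet", "tcp", 443),
    Rule("corporate", "management", "tcp", 22,
         require_mfa=True, allowed_groups=frozenset({"netadmins"})),
    Rule("finance", "cardholder-db", "tcp", 5432,
         require_mfa=True, allowed_groups=frozenset({"finance"})),
]


def evaluate(flow, rules=ALLOW_RULES):
    """Return (decision, reason). With no matching rule the answer is deny."""
    for r in rules:
        if (r.src, r.dst, r.proto, r.port) != (flow.src, flow.dst, flow.proto, flow.port):
            continue
        if r.allowed_groups and flow.user_group not in r.allowed_groups:
            return ("deny", "user not in an allowed group for this rule")
        if r.require_mfa and not flow.mfa:
            return ("deny", "multi-factor authentication required")
        return ("allow", "matched allow rule")
    return ("deny", "no matching allow rule (default deny)")


def audit(rules):
    """Flag rules that would be too broad for a sensitive segment: a rule into
    a network named as sensitive that sets neither a group nor MFA."""
    sensitive = {"cardholder-db", "management"}
    return [r for r in rules
            if r.dst in sensitive and not r.allowed_groups and not r.require_mfa]


if __name__ == "__main__":
    samples = [
        Flow("corporate", "dmz", "tcp", 443),
        Flow("internet", "cardholder-db", "tcp", 5432),
        Flow("finance", "cardholder-db", "tcp", 5432, user_group="finance"),
        Flow("finance", "cardholder-db", "tcp", 5432, user_group="finance", mfa=True),
        Flow("corporate", "management", "tcp", 22, user_group="developers", mfa=True),
    ]
    for f in samples:
        print(f, "->", evaluate(f))
    print("overly broad rules:", audit(ALLOW_RULES))
```

The order of checks matters: the flow must first match an explicit allow entry on all four tuple fields, and only then are the user-based conditions applied, so a flow from an unlisted segment is denied before any user attribute is even consulted. The `audit` helper shows the kind of periodic review the hardening section below recommends, applied to the rule set itself.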


Harden all network devices

Regardless of how your network is designed, all its network devices need to be hardened and maintained. These network devices have a big role to play in keeping your network secure, so they need to be protected. They should be secured and maintained the same way you’d maintain other assets and systems in your network.

  • Before a device is installed onto the network, it should be patched and have any default or generic accounts disabled.
  • All devices on the network should be patched regularly and replaced when they’re no longer supported by the vendor.
  • Access to these devices should be restricted to only the people who need to maintain the device – and they should be physically protected.
  • All device ports and services that are not going to be used should be disabled.

As well as applying controls between networks, each device should run a local host-based firewall, to ensure attackers are limited within the network segment as well. The default rule for a network device should be to deny traffic so that a connection is only permitted if a specific allow rule is set for it.

A regular review of these network devices will allow you to catch issues like misconfigurations. Network devices should be reviewed at least once a year to make sure they’re still hardened, and that all their configured network rules are still necessary.


Consider remote, physical, and wireless access points

Your organisation likely has a wireless network in the office that you use for both staff and guests. If staff don’t use wireless, they’ll need a physical port to connect to via ethernet. You need to understand what each user’s requirements are and determine which networks they can connect to.

Guests should only need access to the internet, so they could be put on a small network by themselves that’s separate from all your other devices. This small network will just need an outbound connection to the internet. 

Staff access can be more complex, as staff may need the same access to devices and networks over wireless that they have from their ethernet-connected docking station or desktop. Wireless access points shouldn’t be set up directly on networks that hold sensitive data. Instead, staff should be placed in a network that has access to basic services (such as the intranet), and they’d have to pass through separate access controls to reach any sensitive network.

If you’re using physical ports, make sure they’re not in open, public places. Port-based authentication can help prevent unauthorised people from just plugging in and gaining access, and physical security adds an additional layer of protection. This also helps manage the risk in case the port-based authentication settings are misconfigured, or the protocol becomes vulnerable.

Regardless of the type of network connection used, users should be required to authenticate before gaining access to the organisation's network. 

  • For authenticating to the segmented guest wireless network, you could use Wi-Fi Protected Access 2 (WPA2) Personal and a strong passphrase. 
  • For physical port-based authentication or the staff wireless network, you should use something that can’t be shared, like WPA2 Enterprise with 802.1X authentication or WPA3 Enterprise 192-bit mode.

If you provide a remote access tool to your staff – like a virtual private network (VPN) – you’ll need to consider which network it drops the user into. You’ll have to add additional layers of security to it, like multi-factor authentication, since the user will be coming from the internet. 

With physical or wireless access, attackers need to be physically close to your organisation’s network. But with remote access, anyone can try knocking on the door to your network to try and get in.


Configure logging

Logs from network devices should be configured and sent to a central place for analysis. The type of events that are captured will depend on the network devices used. Some devices can analyse traffic and produce detailed reports on security events, like vulnerability exploit attempts. However, most devices should be able to provide information on basic security events, like failed logins.

If possible, the following security events should be captured:

  • changes to network device configurations, policies, or rules,
  • changes to users who have access to the network devices,
  • failed multi-factor authentication attempts,
  • suspicious or multiple failed logins to network devices, or to segmented networks, and
  • suspicious traffic, either blocked or allowed.
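Once those events are arriving at a central place, the list above becomes a set of detections to run over them. The following is an added example, not code from the original page or from any vendor’s logging product: it parses a handful of constructed syslog-style lines from a hypothetical gateway (host name, users and addresses are invented) and raises alerts for configuration changes, repeated failed logins to a network device, and blocked traffic aimed at a sensitive segment. The message formats and the cardholder address range are assumptions.

```python
"""Simple detections over centralised network-device logs.

Added example: the log lines, host names, users and address ranges below are
constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 fw-core sshd: Failed password for admin from 10.20.0.5
2024-05-01T09:00:04 fw-core sshd: Failed password for admin from 10.20.0.5
2024-05-01T09:00:07 fw-core sshd: Failed password for admin from 10.20.0.5
2024-05-01T09:01:10 fw-core config: rule added id=17 src=any dst=cardholder dport=3389 by=admin
2024-05-01T09:02:30 fw-core kernel: DROP src=10.30.0.9 dst=10.50.0.2 proto=tcp dport=445
2024-05-01T09:03:00 fw-core sshd: Accepted publickey for netops from 10.20.0.7
"""

# Hypothetical address range of the cardholder segment (assumption).
SENSITIVE_NETS = {"cardholder": ipaddress.ip_network("10.50.0.0/24")}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
CONFIG_RE = re.compile(r"^(rule|policy) (added|changed|removed) (?P<detail>.*)$")
DROP_RE = re.compile(r"DROP src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)")

FAIL_THRESHOLD = 3            # failures from one source for one user ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window raise an alert


def analyse(log_text, sensitive_nets=SENSITIVE_NETS):
    """Return a list of alert dicts, in the order the triggering lines appear."""
    alerts = []
    recent_failures = defaultdict(deque)  # (src, user) -> timestamps within window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        ts = datetime.fromisoformat(m["ts"])
        prog, msg = m["prog"], m["msg"]

        # Any change to device configuration, policy or rules is worth an alert.
        if prog == "config" and CONFIG_RE.match(msg):
            alerts.append({"type": "config_change", "ts": ts, "detail": msg})
            continue

        # Repeated failed logins to the device from one source.
        f = FAILED_RE.search(msg)
        if f:
            key = (f["src"], f["user"])
            window = recent_failures[key]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:  # fire once when the threshold is reached
                alerts.append({"type": "repeated_failed_logins", "ts": ts,
                               "src": f["src"], "user": f["user"], "count": len(window)})
            continue

        # Blocked traffic that was aimed at a sensitive segment.
        d = DROP_RE.search(msg)
        if d:
            dst = ipaddress.ip_address(d["dst"])
            for name, net in sensitive_nets.items():
                if dst in net:
                    alerts.append({"type": "blocked_to_sensitive", "ts": ts, "segment": name,
                                   "src": d["src"], "dport": int(d["dport"])})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS):
        print(a)
```

The configuration-change alert is deliberately unconditional: on a gateway that separates segments, a rule added from `any` into the cardholder network is exactly the kind of change the yearly review described earlier should never be the first to notice.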

How to measure success

The goals of this control are to ensure:

  • all sensitive devices are separated from other devices, and kept in segmented networks,
  • all sensitive networks are separated from untrusted or low-trust networks,
  • all network devices deny traffic by default,
  • all networks have rules to only allow ports and protocols to operate if they’re required for the devices in that network,
  • all network devices are hardened and maintained,
  • all user access to the organisation’s network requires authentication, and
  • logs are recorded and stored in a central location to capture:
    • security and authentication configuration changes in the network devices or their rules, and
    • suspicious network traffic or authentication attempts.

Key takeaways

  • It can take a lot of time to redesign and segment your current network. Start small with high-risk areas, like devices that have sensitive data or devices that control critical administrative functions. This will help reduce the impact of a successful attack on your network.
  • Network segmentation relies on implementing other critical controls too, like the principle of least privilege and disabling unused ports and services. These other controls should be considered alongside this one when you’re looking to design a segmented and separated network.
  • Network separation only works if network traffic is blocked by default and only allowed to pass if it’s explicitly allowed. This means you should only add network rules and open ports for connections that are necessary.