Level 1 of network segmentation: basic segmentation
Advantages
Basic segmentation protects against simple targeted attacks by making it harder for an attacker to move across the network. The production environment is minimally isolated from the corporate one.
Disadvantages
The default corporate network should be considered potentially compromised. Potentially compromised workstations of ordinary workers, as well as workstations of administrators, have basic and administrative access to the production network.
Accordingly, the compromise of any workstation can, in theory, lead to the following attack vector. An attacker compromises a workstation in the corporate network. The attacker then either escalates privileges in the corporate network or attacks the production network directly with the rights already obtained.
Attack vector protection
Install the maximum number of information protection tools, monitor suspicious events in real time and respond immediately.
OR!
Segment according to the Level 2 requirements.
Level 2 of network segmentation: adoption of basic security practices
Advantages
More network segments in the corporate network.
Full duplication of the main supporting infrastructure for the production network, such as:
- mail relays;
- time servers;
- other services, if available.
Safer software development. It is recommended to implement DevSecOps at least to Level 1 of the DSOMM, which requires a separate secrets store for passwords, tokens, cryptographic keys, logins, etc., and additional servers for SAST, DAST, fuzzing, SCA and other DevSecOps tools. Problems in the supporting infrastructure of the corporate segment will then not affect the production environment. It becomes somewhat harder for an attacker to compromise the production environment.
Alternatively, implement at least Level 2 of SLSA.
Disadvantages
As a result, this leads to the following problems:
- increasing the cost of ownership and the cost of final services to customers;
- high complexity of maintenance.
Level 3 of network segmentation: high adoption of security practices
The company's management (CEO) understands the role of cybersecurity in the life of the company. Information security risk becomes one of the company's operational risks. Depending on the size of the company, the minimum size of the information security unit is 15-20 employees.
Advantages
Implementing security services such as:
- security operations center (SIEM, IRP, SOAR, SGRC);
- data leak prevention;
- phishing protection;
- sandbox;
- intrusion prevention system;
- vulnerability scanner;
- endpoint and ATP protection;
- web application firewall;
- backup server.
Disadvantages
High costs of information security tools and information security specialists.
Level 4 of network segmentation: advanced deployment of security practices at scale
Each production and corporate service has its own network: Tier I, Tier II, Tier III.
The production environment is accessed from isolated computers. This type of segmentation is called an air gap, and it is close to the protection of state secrets. Each isolated computer has:
- no incoming access from anywhere except remote corporate laptops via VPN;
- no outgoing access to the corporate network:
  - no access to the mail service, so spear phishing is not possible;
  - no access to internal sites and services, so it is impossible to download a trojan from a compromised corporate network.
🔥The only way to compromise an isolated computer is to compromise the production environment. As a result, a successful compromise of a computer in the corporate network, even by phishing, will not give the attacker access to the production environment.
Implement other possible security services, such as:
- privileged access management;
- internal phishing training server;
- compliance server (configuration assessment).
Advantages
Implementing security services such as:
- privileged access management;
- internal phishing training server;
- compliance server (configuration assessment);
- strong protection of your production environment from spear phishing.
🔥Now the attacker will not be able to attack the production network, because a potentially compromised workstation in the corporate network no longer has network access to production. Related problems:
- separate workstations for access to the production network: yes, you will now have 2 computers on your desk;
- a separate LDAP directory or domain controller for the production network;
- firewall analyzer, network equipment analyzer;
- netflow analyzer.
Disadvantages
You will now have 2 computers on your desk if you need access to the production network. It hurts 😀
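As an added example (not part of the original article), a small Python reachability model of the Level 1 attack vector (compromised corporate workstation to production) checked against a Level 1 style and a Level 4 style policy; host names, segment names and rules are constructed, and VPN access from remote laptops is left out of the model:

```python
from collections import deque

# Constructed inventory: host -> network segment (hypothetical names, not from the article).
HOSTS = {
    "corp-ws": "corporate",      # ordinary worker's workstation
    "admin-ws": "corporate",     # administrator's workstation
    "corp-mail": "corporate",    # corporate mail service
    "isolated-pc": "isolated",   # air-gapped computer used to reach production
    "prod-app": "production",
}

def allowed(rules, src_seg, dst_seg, service="any"):
    """Default-deny policy check. Rules are (src_segment, dst_segment, service|'any')
    allow entries; service='any' asks whether any flow at all is permitted."""
    return any(s == src_seg and d == dst_seg and (service == "any" or svc in ("any", service))
               for s, d, svc in rules)

def reachable(rules, start, target):
    """Breadth-first search: from a compromised host, follow every segment pair with at
    least one allowed flow and report whether the target host can be reached."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            return True
        for host, seg in HOSTS.items():
            if host not in seen and allowed(rules, HOSTS[cur], seg):
                seen.add(host)
                queue.append(host)
    return False

# Level 1 style policy: corporate workstations (workers and admins) reach production directly.
LEVEL1_RULES = [
    ("corporate", "corporate", "any"),
    ("corporate", "production", "any"),
]

# Level 4 style policy: only isolated computers reach production; the corporate segment
# cannot reach them, and they cannot talk back to it (no mail, no internal sites).
LEVEL4_RULES = [
    ("corporate", "corporate", "any"),
    ("isolated", "production", "ssh"),
]

def attack_path_exists(rules):
    """The attack vector from Level 1: a compromised corporate workstation reaches production."""
    return reachable(rules, "corp-ws", "prod-app")

if __name__ == "__main__":
    print("Level 1 attack path:", attack_path_exists(LEVEL1_RULES))  # True
    print("Level 4 attack path:", attack_path_exists(LEVEL4_RULES))  # False
```

The same check run over an exported firewall policy is a cheap way to confirm that a segmentation change actually removed the corporate-to-production path instead of only adding segments.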