Proper segregation of a network is one simple, highly effective line of defense against malicious threats. Even the latest security products won’t protect your network if it is not properly set up and segregated into role-based sections. These sections, normally implemented as VLANs, are what help keep the network safe: when the network is carved out properly, an attacker has to traverse several roadblocks along the way. The key to a properly segregated network is multiple areas, each with its own permissions and roles, so that an attacker who infiltrates one area cannot simply read information from another.
For example, an attacker may compromise a user’s workstation. But if that workstation has no direct access to the areas where non-public information is stored, the attack is far less effective and much easier to remediate. In a non-segregated network an attacker could break in via a malicious email to any employee and then have unrestricted access to the network and all the information held on adjoining systems. This would be disastrous for most organizations, as it was for Target in late 2013: on a non-segregated network, an attacker used credentials stolen from an HVAC vendor to get onto Target’s network, moved on to systems handling payment card data, and began exfiltrating it for sale. A properly hardened and segregated network may well have prevented this breach altogether.
So, what exactly is a segregated network? Ideally a network has role-based VLANs, meaning small networks for teams such as sales, Human Resources and IT, each with its own VLAN, its own credentials, and least-privileged access within each area. This limits the damage if an attacker gets in: they may be able to move between machines within the compromised VLAN, but they cannot navigate outside that segment to where sensitive information may reside. Legitimate traffic from one VLAN to another has to cross a router, firewall or layer-3 switch, and that choke point can be logged and monitored easily with a SIEM solution. (Attacks that try to bypass the choke point entirely are what is properly called VLAN hopping; they typically abuse trunk negotiation or double-tagged frames, which is why user-facing access ports should never be allowed to negotiate a trunk.) This additional layer, combined with monitoring, creates the necessary depth to prevent or at least identify an attack.
Segregation is as simple as identifying the roles of the systems on your network and placing systems with similar business functions in the same area under a least-privilege access model. This means each system is only allowed to reach the parts of the network, and the other systems, that it needs to perform its business use case. For example, if your business handles credit card information, only a small, defined set of systems should be able to reach it. An unsegregated network has one wall with a goldmine behind it. A segregated network, in contrast, is like a well-designed medieval keep with multiple walls and doors slamming shut along the halls. Which one sounds better?
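To make the least-privilege model and the monitoring of the inter-VLAN choke point concrete, here is an added example (written for this article, not code from any product or from the original post). It encodes a hypothetical set of role-based VLANs and an allow-list of the only cross-VLAN flows that are permitted, renders that allow-list as nftables-style accept rules for the inter-VLAN firewall, and then runs the same policy over a few constructed, simplified firewall log lines to pick out the cross-zone flows that should raise a SIEM alert. The zone names, subnets, allowed flows and log format are all assumptions for illustration.

```python
"""Role-based VLAN policy: render firewall rules and triage cross-zone flows."""
import ipaddress
from dataclasses import dataclass

# Hypothetical role-based VLANs and their subnets (assumed addressing).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),  # VLAN 10: staff endpoints
    "hr":           ipaddress.ip_network("10.20.0.0/24"),  # VLAN 20: Human Resources
    "it":           ipaddress.ip_network("10.30.0.0/24"),  # VLAN 30: IT admin hosts
    "vendor":       ipaddress.ip_network("10.40.0.0/24"),  # VLAN 40: third-party (e.g. HVAC) access
    "cde":          ipaddress.ip_network("10.99.0.0/24"),  # VLAN 99: cardholder data environment
}

# Least-privilege allow-list for traffic that crosses a zone boundary.
# Entries are (src_zone, dst_zone, tcp_dport); everything else is denied.
ALLOWED = frozenset({
    ("workstations", "hr", 443),  # staff reach the HR self-service portal
    ("it", "workstations", 22),   # IT manages endpoints over SSH
    ("it", "cde", 22),            # IT manages CDE hosts; nobody else reaches the CDE
})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str):
    """Return the zone name an address belongs to, or None if it is in no known VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> str:
    """Classify a flow under the default-deny, allow-list policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-zone"   # address outside every VLAN we know: alert on its own
    if src_zone == dst_zone:
        return "intra-zone"     # never crosses the L3 boundary, so the firewall never sees it
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return "allowed"
    return "denied"             # default deny for anything cross-zone not on the list


def render_nft() -> list:
    """Render the allow-list as nftables rule lines for a forward chain whose policy is drop."""
    lines = []
    for src, dst, port in sorted(ALLOWED):
        lines.append(f"ip saddr {ZONES[src]} ip daddr {ZONES[dst]} tcp dport {port} accept")
    return lines


# Constructed firewall log lines in a simplified "src dst dport" form (not real product output).
SAMPLE_LOG = """\
10.10.0.15 10.20.0.5 443
10.10.0.15 10.10.0.22 445
10.40.0.9 10.99.0.3 5900
10.10.0.15 10.99.0.3 443
10.30.0.2 10.99.0.3 22
192.168.1.1 10.99.0.3 22
"""


def parse_log(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def violations(text: str) -> list:
    """Cross-zone flows the policy rejects: (flow, src_zone, dst_zone, verdict) tuples for the SIEM."""
    out = []
    for f in parse_log(text):
        verdict = evaluate(f)
        if verdict in ("denied", "unknown-zone"):
            out.append((f, zone_of(f.src), zone_of(f.dst), verdict))
    return out


if __name__ == "__main__":
    print("# inter-VLAN firewall rules (chain policy drop)")
    for rule in render_nft():
        print(rule)
    print("# flows to alert on")
    for f, sz, dz, v in violations(SAMPLE_LOG):
        print(f"{v:<12} {sz or '?'} -> {dz or '?'}  {f.src} -> {f.dst}:{f.dport}")
```

Running the block flags three of the six sample flows: the vendor VLAN reaching into the cardholder environment (the kind of path the Target attackers used), a workstation reaching the cardholder environment, and a source address that belongs to no known VLAN. The workstation-to-workstation flow on port 445 is never seen by the firewall at all, which is exactly the "free movement inside one VLAN" limitation the article describes and the reason host-based controls still matter inside a segment. Keeping the allow-list in one place means the rules you deploy and the alerts you raise are derived from the same policy, so they cannot drift apart.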