Network Segmentation

I was recently asked to look at a network and offer suggestions to enhance the security and overall resilience due to the results of an internal penetration test. After a discussion about the findings in the test it was noted that the current network sat in a completely flat state with little to no segmentation between the varying systems in use.

I use the word segmentation a lot, enough that it has become a sort of catch phrase thrown around the Precursor offices. It is unfortunately something that I see over and over whenever I look at networks and it isn’t limited to smaller or newer businesses, even businesses running 1000+ workstations are doing so with single broadcast domain, minimal or poorly configured VLANs.

I do really like saying it though…. Segmentation

Why Segment?

As IP became the standard method for addressing and other protocols fell from memory networks began to really take a foothold in modern business. As the standardisation of protocols and devices allowed developers to focus on a single platform more and more systems and resources became available and networks began to grow from a small cluster of machines within a business to an entity the entire business both operated and relied on.

VLANs came about because as these networks grew, they would hit a point where the traffic would begin to put too much of a load on the networking equipment and performance would suffer or even drop out completely. This is down to an overload in the switch handling the packet transfers, you see networks are very basic in the way packets (bursts of data) are sent between devices. To send a packet from one machine to another it would require that every single device or hop in the chain had a specific entry in a table showing where that packet should go so it goes down the correct cable. This would be almost unmanageable on an average network, imagine every device needing a route entry to every single other device. So instead packets are transmitted to all devices and the machines it was not intended for simply discard the packet.

Therefore “packet sniffing” is possible, a packet sniffer simply collects and analyses all packets it receives not just the packets intended for its own address.

The negative of this simple system is that with every machine receiving every packet once the network hits a certain size there is just too much packet flow for the switching infrastructure to handle. This can cause slowdown and even patches of complete packet loss if the forwarding engine in a switch is forced to restart its processes.

VLANs addressed this by allowing a physical switch (or ports across several switches) to be segmented (best word ever) from each other, thus reducing the broadcast size to just the machines in the relevant target VLAN. If the packet is bound for another VLAN then it must hit a device that can route the packet in the correct direction which sends the connection down a single cable. This limits the broadcasting of packets to smaller sections as the packet makes its way to its destination which reduces the amount of processing being performed on a per device basis. The packets are stamped with a “Tag” (usually just a number) to identify the VLAN so for example VLAN 10 for servers and VLAN 20 for workstations etc.

null

Segmentation for Security

Even with a network running several VLANs or routed segments you still are vulnerable to the simple fact that from a working network point you can pretty much get to every other machine on the network.

So, let’s look at how we can start to add some security to our network segments.

The DMZ

Most networks have now adopted the concept of a DMZ for machines that are naturally at a higher risk of being compromised due to their role within the business. The basic concept of a DMZ segment is that you take any machines that accept external connections such as web servers, email relays or devices that host any system designed to be accessed from remote locations and you put those machines in a separate network usually separated by firewalling. By limiting (or preferably completely blocking) their access to the main network you reduce the risk of one them becoming compromised and being used as a jump box to gain access to your internal resources.

If a machine in the DMZ requires access into the main network for some reason such as authentication calls or database queries, then the firewall rule should only allow that specific connection between source and destination and only on the ports it requires. Even minimising the connection down to the essentials can still leave considerable risk when the connection is something that can exploited with purpose so whenever possible you should obfuscate the connection by using none standard ports, encryption and even jump boxes as relays.

VLAN Security

If we look at the contents of a modern network, we can base our segments in intelligence and use the separation to group machines of a type together allowing for better management and administration. This same line of thinking can be applied to creating a more secure networking environment. Servers can be grouped into a Server VLAN as can differing types of user such as technical staff, sales staff, staff Wi-Fi. Guest Wi-Fi. Each segment requiring different levels of access to different resources.

We then need to look at controlling the access between these logical segments. Most modern switches have some sort of ACL (Access Control List) functionality which we can use to block packets from specific ranges or hosts based on the intended destination. This is a clumsy method though as with several switches in use you would be maintaining a range of separate lists, even with a centralised management tool it would be problematic as the lists grew.

Trunking

I prefer to utilise a firewall to control the traffic between different network segments. With a single rule base and with advanced scanning options it provides a single point of management and a lot more control options. With an advanced firewall you can usually add things like IPS scans and AV scans to specific connections for added security but be aware of processing and bandwidth concerns on older firewall models.

To control our network segments with a firewall we need to ensure the firewall is the device handling the routing between each VLAN. The best way to achieve this is using a VLAN Trunk between the firewall and core switch and it is very simple to configure.

First you need a central switch that has a port in all VLANS or a route in its routing table to point to any other networks or subnets. Be sure to have a route to any subnet not directly accessed by this core switch even if they only need outbound access as the return routes need to be in place for their outbound connection to work.

You then configure one port on the switch to be a member of all available VLANS, sometimes there is an option to configure a port as a Trunk port which achieves the same thing. This means this port will now get all packets from all VLANs.

You run the cable from this port to the port on the firewall and configure your firewall interface to be a VLAN interface (you’ll probably need to google this bit for your vendor) and give it the VLAN tag numbers you have assigned when you created your VLANS. Now this means you will need to give the interface on the firewall several IP addresses, one from each VLAN it is now a member of. I like to always use x.x.x.1 for this so I always know on any segment that .1 is the gateway (firewall).

On your devices you now need to configure the gateway address to be the firewall IP address used for that segment. So, following my scheme if I have a server on 192.168.10.50 then its gateway would be 192.168.10.1 and when it needs to connect to an address outside of its own range (segment) then the packet is sent to the firewall to be processed.

This means we can now use the rules on the firewall to control what passes between our segments and we can begin to really control how traffic travels round the network allow controls such as:

  • Limit management access to key personnel
  • Control access to privileged information
  • Separate machines with critical data or Customer Data
  • Reduce the attack vectors made possible from a compromised machine
  • Control guest or visitor access to the network
  • Allow for “dirty zones” for testing or development
  • Controlling data flow allows for easier troubleshooting and optimisation

We can even take this further and using a modern firewall with Single-Sign-On features we can base our firewall rules on users and groups means unauthenticated devices will not even be able to route between segments and when authenticated, only to segments made available to that user or group. This means a malicious user is extremely limited in options being restricted to only the local segment where they gained access to the network. Remember the more annoyances we can place in front of a hacker gives more time for the breach to be discovered and averted.

....Segmentation