Years ago I sat in my first network security class learning all about the OSI model, the operation of TCP/IP, ports and protocols, and many other interesting topics. One of the main take-aways was to always segment your network for increased security. Almost 20 years later I am still surprised to find that most organizations continue to fail at this basic piece of advice. Of course the bad guys love flat networks for lateral movement purposes: they simply need to compromise one user workstation to gain direct network access to every other device in the enterprise.
I understand why security practices like network segmentation get pushed to the sideline. To implement something like this adds a lot of hidden overhead, complexity, and frustrations to day-to-day management of the environment. All too often tight deadlines or other stresses lead to engineers just saying “f$%&! it” and removing segmentation just to get that new application working. Techies and leadership make plans to return and fix the security problem at a later date but all too often other priorities arise and these plans quietly fade into the ether.
But like most complex efforts, taking small steps towards that ultimate goal can make the transition and continued adherence easier. As a basic start, try segmenting workstations and servers. Develop access control exceptions that limit communication between these segments to only the services the servers offer. Want to go a little further? Within the workstation segment, implement controls to prevent workstation-to-workstation communication, since these connections are rarely used in today’s client-server focused environments. As before, there may be some exceptions that need to be added. Servers could additionally be segmented in the same way, and grouping them by organizational purpose (e.g., finance) will probably make those rules easier to manage.
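The two-segment policy described above, written out as an added example (not code from the original post): a small evaluator that decides whether a new flow between the workstation and server segments should be allowed, plus the same policy rendered as nftables-style rule lines. The address ranges, hosts and service ports are constructed assumptions; the post names none.

```python
import ipaddress

# Constructed sample addressing; the post names no networks.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
}

# Access control exceptions: the only services servers offer to workstations.
# (destination network, protocol, port), constructed examples.
SERVER_SERVICES = [
    (ipaddress.ip_network("10.20.1.10/32"), "tcp", 443),  # intranet web app
    (ipaddress.ip_network("10.20.1.20/32"), "tcp", 445),  # file server
    (ipaddress.ip_network("10.20.1.0/24"), "udp", 53),    # DNS resolvers
]

def segment_of(ip):
    """Return the segment name an address belongs to, or None if unknown."""
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def is_allowed(src, dst, proto, dport):
    """Decide whether a *new* flow may start. Replies to allowed flows are
    handled by connection tracking in the rendered ruleset, not here."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pair = (segment_of(s), segment_of(d))
    if pair == ("workstations", "servers"):
        # Only the explicitly offered services may be reached.
        return any(d in net and proto == p and dport == port
                   for net, p, port in SERVER_SERVICES)
    # Workstation-to-workstation and server-initiated flows to workstations
    # are denied; anything not covered by the policy is denied by default.
    return False

def render_nftables():
    """Render the same policy as nftables rule lines (text only, not applied)."""
    ws, sv = SEGMENTS["workstations"], SEGMENTS["servers"]
    rules = ["ct state established,related accept"]
    for net, proto, port in SERVER_SERVICES:
        dst = str(net.network_address) if net.prefixlen == 32 else str(net)
        rules.append(f"ip saddr {ws} ip daddr {dst} {proto} dport {port} accept")
    rules.append(f"ip saddr {ws} ip daddr {ws} drop")  # no workstation-to-workstation
    rules.append(f"ip saddr {sv} ip daddr {ws} drop")  # servers do not initiate to clients
    rules.append("drop")                               # default deny
    return rules

if __name__ == "__main__":
    for flow in [("10.10.5.7", "10.20.1.10", "tcp", 443),
                 ("10.10.5.7", "10.20.1.10", "tcp", 22),
                 ("10.10.5.7", "10.10.5.8", "tcp", 445)]:
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
    print("\n".join(render_nftables()))
```

Feeding the evaluator a list of flows observed on the existing flat network is a quick way to discover which exceptions a first segmentation pass would need before any rules are enforced.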
Today’s post pic is from Wikipedia.org. See ya!