IT security through network segmentation

Being on the safe side on the Internet

But how should an SME actually go about securing these digital assets? In our new series “Ecovis Tech Tips”, we introduce different concepts and solutions to help you step up your cybersecurity efforts and protect your company’s crown jewels. Our recommendations are vendor-neutral and aimed at providing you with simple solutions that are easy and cost-efficient to implement.

The topic we want to focus on today is network segmentation and network isolation. In short, network segmentation is the subdivision of networks that splits different departments and/or sections of corporate networks into a number of subnets.

This way, users only get access to their respective subnet, limiting their ability to access files or computers in other subnets. Should an attacker find a way into the network, the same logic applies: the intruder will be “caught” inside the respective subnet. This way, compromising a whole corporate network becomes much harder.

Physical segmentation vs. logical segmentation

One important distinction we have to make is the difference between physical segmentation and logical segmentation. Physical segmentation is done by creating a network that is physically separated from other networks, such as other local networks or the Internet. This concept can be extended to create a fully isolated physical network, with no wires connecting it to any other network. This is what we call network isolation.

Logical segmentation, on the other hand, is the creation of Virtual Local Area Networks (VLANs) that segment one physical network into several virtual or logical networks. Logical segmentation can even be done within a single piece of hardware that runs an entire network in a virtual environment, containing virtual routers, switches, servers, and clients.

As you can use existing hardware, this type of segmentation is generally more cost-effective than building an entirely separate physical network. When it comes to security, however, logical segmentation is weaker than physical segmentation, as the underlying hardware for the multiple networks remains the same.

Which segmentation to choose is (almost) all about the money

This hardware is, often enough, connected to the Internet, making it possible for attackers to exploit vulnerabilities in the hardware or the firmware installed on the devices to break the segmentation and access the various logical networks running on them.

Isolated physical networks are better protected against such threats since no wires connect them to the Internet. Ideally, isolated physical networks are not Wi-Fi-enabled, to ensure they cannot be accessed from close range via the Wi-Fi signal.

That, however, comes with a price tag. A physically isolated network is much more expensive to build as you have to purchase all the equipment and cabling separately. Furthermore, this network requires its own security systems (such as a firewall, an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS)). This adds further costs for this setup.

So, put simply, more security means more costs.

Nothing is 100% secure – but you can make sure that damage is limited

Despite all these strong security features, however, physically separated networks are still not immune to all forms of attack.

Stuxnet, arguably the most famous malware to date, is a perfect example of the vulnerability of physically separated networks. Stuxnet was used to destroy centrifuges in an Iranian nuclear enrichment facility by overclocking them. Although the centrifuges were only connected to an internally isolated network, it was still possible for an intruder to use a USB stick to insert malware into the network, which then altered the software of the industrial control system that operated the centrifuges.

Hence, to make physically segmented networks secure, a strong protection against insider threats is necessary.

Upcoming trends in IT security

The importance of network segmentation is said to rise significantly due to the rapid development of the “Internet of Things” and “Industry 4.0”. Both concepts aim at making machines and everyday objects “smart” by putting small computers in them and interconnecting these computers. While these trends do offer significant potential for increasing industrial efficiency and making life easier for people, they also increase the risk of cybersecurity incidents and data breaches. Standardization of IoT is still an ongoing process and many devices receive few security updates, if they receive any at all.

Hence, it is especially important to separate IoT devices from other systems on the network to ensure that a malware attack on one IoT device does not compromise your entire company’s IT.

No matter what network segmentation or isolation setup you implement, it will be a powerful tool to limit the chances that core components of your business (e.g. production machinery) will be brought to a halt through malware. It also reduces the risk of intellectual property theft, as access to network resources will only be given out to employees and contractors on a need-to-know basis. Should an intruder get in, there is only so much havoc he/she can wreak.
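The need-to-know model described above (each segment may only talk to the few services it genuinely requires, and IoT stays away from production machinery) can be verified against real traffic rather than trusted on paper. The following added example, which is not part of the original article, encodes a small segmentation policy for constructed VLAN subnets and flags flow-log records that cross a segment boundary without a matching rule; the subnets, ports and log lines are all constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Segment (VLAN subnet) inventory; all addresses here are constructed for the example.
SEGMENTS = {
    "office":  ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "iot":     ipaddress.ip_network("10.30.0.0/24"),
    "ot":      ipaddress.ip_network("10.40.0.0/24"),  # production machinery
}
# Need-to-know rules: (source segment, destination segment, destination port).
# Any other flow that crosses a segment boundary is a policy violation.
ALLOWED = {
    ("office", "servers", 443),  # intranet web
    ("office", "servers", 445),  # file shares
    ("iot", "servers", 8883),    # sensors report to an internal MQTT broker only
}
class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def segment_of(ip):
    """Name of the segment containing ip, or None if it lies outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def evaluate(flow):
    """Classify a flow as external, intra, allowed or violation."""
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    if src is None or dst is None:
        return "external"  # Internet traffic: the perimeter firewall's job, not segmentation's
    if src == dst:
        return "intra"     # same VLAN, segmentation does not apply
    return "allowed" if (src, dst, flow.dport) in ALLOWED else "violation"

def parse_line(line):
    """Parse a constructed flow-log line of the form '<src> <dst> <dport>'."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))

def find_violations(lines):
    return [f for f in map(parse_line, lines) if evaluate(f) == "violation"]

# Constructed flow records, as a switch or firewall might export them.
SAMPLE_LOG = [
    "10.10.0.15 10.20.0.5 443",      # office -> servers: allowed
    "10.30.0.7 10.30.0.9 80",        # iot -> iot: intra-segment
    "10.10.0.15 93.184.216.34 443",  # office -> Internet: external
    "10.30.0.7 10.40.0.3 502",       # iot -> ot (Modbus): no rule, violation
    "10.10.0.15 10.20.0.5 3389",     # office -> servers RDP: not on the allow-list, violation
]
```

Running `find_violations(SAMPLE_LOG)` returns the two flows that break the policy; in practice the same check can be fed from exported flow logs to confirm that VLAN and firewall rules really enforce the segmentation you designed.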

After talking about all these risks, let’s finish on an optimistic note. We are fully aware that securing your corporate IT requires a clear insight into your situation and requirements.

This is why we at Ecovis Beijing are more than happy to assist you in finding the right network structure for your business, especially if you are dealing with the challenges of making communications work between Europe and China.