
Network separation is an often underestimated tool in IT security, but with a thorough and consistent implementation it can significantly raise the security level.
Networks are the basic prerequisite for connecting different participants with each other.
These infrastructures have often grown over a long period of time. Protective measures such as firewalls, antivirus or regular updates are often in place, but no longer meet today's security requirements.
Granular segmentation of the network and sealing off the segments with a firewall is intended to increase the security level, reduce attack surfaces, and prevent or significantly slow down the spread of harmful processes (cf. risk management: “risk reduction”). Zoning should make attacks detectable, and access via the firewall systems should be limited to what is necessary.
Procedure: document the inventory of all affected locations, areas and business processes. In this way, the entire network infrastructure with all network participants is recorded cleanly.
The concept describes a possible technical approach to divide the network into different segments. Deep configurations are not described. Furthermore, an authorization concept (organizational structure of the company) must be available, based on which security zones can be derived.
Due to the combination of different technologies, the complexity is high.
The hardware and software used must be coordinated.
If dependencies are unknown, or the documentation on which firewall rules are based is incorrect, services may become unavailable to users. There is also a risk of getting lost in micromanagement.
With all systems used that are of central importance, it must be avoided that a SPOF (single point of failure) arises. It is recommended to additionally ensure the availability of these systems through a service contract with the manufacturer or service provider.
The implementation of a network separation takes place on all network layers. It is therefore necessary to consider the respective layers of the network infrastructure.
| # | ISO/OSI | TCP/IP | Protocols | Systems |
|---|---|---|---|---|
| 7 | Application | Application | SNMP, SMTP, HTTP, DNS, DHCP, LDAP, ... | Firewall, NAC |
| 6 | Presentation | | | |
| 5 | Session | | | |
| 4 | Transport | Transport | TCP, UDP | |
| 3 | Network (packet) | Internet | IP, ICMP | Router, L3 switch, firewall |
| 2 | Data link | Network access | ARP | Switch, NAC |
| 1 | Physical (bit transfer) | | | Network cable, patch panel |
Network segmentation focuses on “north-south traffic” – that is, the incoming and outgoing traffic for the network.
Micro-segmentation introduces another layer of protection for “east-west traffic” – i.e. internal traffic such as client to server, server to server or application to server. Here the segments are made smaller: a larger network is divided into smaller network segments.
In a practical analogy to a castle, the network segmentation would be the composite of walls, towers, and deep moats. The micro-segmentation represents the archers on the battlements or the sentries on the doors and gates to important areas. This solution prevents unwanted intrusion.
An authorization concept is not absolutely necessary, but it can be used to determine which accesses are required in order to be able to derive security zones for the network separation. The company organizational chart can serve as a basis for creating an authorization concept.
A security zone is a network area that is separated from other network areas. Traffic into and out of a zone is controlled by security mechanisms. Firewalls are also used in combination with IPS/IDS systems for this purpose. Depending on the protection requirements, communication within a zone can be restricted. This can be implemented by private VLANs. In addition to the authorization concept, zones can also be derived from an IP/VLAN concept.
Only known systems with a specific configuration and a specific status are managed in trusted zones. These systems are classified as trustworthy based on properties such as the version of the operating system, the patch level or whether current end-point protection is available.
Data exchange with the Internet is regulated via a DMZ zone. The DMZ zone has neither a direct connection to the Internet nor to the campus network. Email gateway, reverse proxy, WAF or other security gateway are typically housed in a DMZ.
Management zones only include systems or services that are used to provide and manage IT infrastructure. Since these systems are usually classified as highly sensitive, access to this zone must be strictly limited. Access from the access area is to be avoided.
Objective | ||||||
WAN | DMZ | Client | Server & Hosting | MGMT | ||
Source | WAN | X | ||||
DMZ | X | X | X | |||
Client | X | |||||
Server & Hosting | X | X | ||||
MGMT | X |
Structured cabling forms the basis for the operation of high-performance networks for the transmission of data and voice. Here, the requirements for several decades must be taken into account, as well as reserves and flexible expandability, regardless of the application used.
Structured building cabling
Network areas that should not be connected to each other can already be separated from each other during the cabling. Example of network areas with physical separation:
Note: The cable types and lengths must also be taken into account when selecting the GBIC modules (Gigabit Interface Converter) for connecting the switches and firewalls to one another.
The switches are divided into different classes and must be designed for their respective function. A separate IP address range and a separate VLAN must be selected for managing the switches. There are different architecture models - depending on the size of the network:
Switches that are not directly connected due to their function must be connected via a dedicated management port. In this case, the management interface has a different IP address than the switch itself. The switch can only be administered via the management interface.
The network is logically separated on layer 2 via VLANs. A switch is divided into several virtual switches with VLANs – also across switches. A 32-bit tag is inserted into the Ethernet frame, which carries the VLAN ID (12 bits). Frames are only forwarded on the switch ports belonging to a specific VLAN. Technically, VLANs form separate broadcast domains.
There are different types of VLANs:
With port-based VLANs, physical switches are divided into multiple logical switches. All switch ports assigned to a VLAN can communicate with each other.
| | VLAN 1 | VLAN 2 | VLAN 3 |
|---|---|---|---|
| VLAN 1 | O | - | - |
| VLAN 2 | - | O | - |
| VLAN 3 | - | - | O |
With tagged VLANs, multiple VLANs can be carried over a single switch port. A tag is attached to each Ethernet frame, which carries the VLAN ID of the VLAN the frame belongs to.
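To make the tag described above concrete, here is an added example (not code from the original article) that builds and parses an Ethernet frame with a single 802.1Q tag and models the simplified ingress decision of an access port versus a trunk port. The MAC addresses, the VLAN ID 1012 (taken from the IP/VLAN plan later in this article) and the port dictionaries are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]    # 12-bit VID, None for an untagged frame
    priority: Optional[int]   # 3-bit PCP, None for an untagged frame
    ethertype: int            # EtherType of the encapsulated payload
    payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Build an Ethernet II frame. With vlan_id set, a 4-byte 802.1Q tag
    (TPID + TCI) is inserted between the source MAC and the EtherType."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= vlan_id <= 4095 or not 0 <= priority <= 7:
        raise ValueError("VID must fit in 12 bits and PCP in 3 bits")
    tci = (priority << 13) | vlan_id        # DEI bit (bit 12) left at 0
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse an Ethernet II frame, recognising a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id, priority = 14, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13        # upper 3 bits of the TCI
        vlan_id = tci & 0x0FFF      # lower 12 bits of the TCI
        offset = 18
    return ParsedFrame(_mac_str(dst), _mac_str(src), vlan_id, priority,
                       ethertype, frame[offset:])


def port_accepts(port: dict, frame: ParsedFrame) -> bool:
    """Simplified switch ingress decision:
    - an access port belongs to exactly one VLAN and accepts only untagged frames;
    - a trunk port accepts tagged frames whose VID is in its allowed list and
      untagged frames only if a native VLAN is configured for the port."""
    if port["mode"] == "access":
        return frame.vlan_id is None
    if frame.vlan_id is None:
        return port.get("native_vlan") is not None
    return frame.vlan_id in port["allowed_vlans"]


if __name__ == "__main__":
    dst = bytes.fromhex("ffffffffffff")          # constructed broadcast destination
    src = bytes.fromhex("001122334455")          # constructed source MAC
    tagged = build_frame(dst, src, ETHERTYPE_IPV4, b"\x45\x00", vlan_id=1012, priority=3)
    print(parse_frame(tagged))
```

A frame that arrives tagged with a VID the trunk does not allow is dropped, which is what keeps a participant in one VLAN from injecting traffic into another one simply by adding a tag.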
Private VLANs restrict communication within a VLAN. A PVLAN contains switch ports that are restricted to only communicate with a specific uplink port or Link Aggregation Group (LAG). The uplink port or LAG is typically connected to a switch, router, or firewall.
Unlike VLAN separation, a PVLAN prevents communication between specific ports on the same VLAN.
Port types of PVLAN:
Isolated ports can only communicate with the promiscuous port. Promiscuous ports can communicate with all ports. Community ports can communicate with the promiscuous port and with ports of their own community.
| | Isolated | Promiscuous | Community (1) | Community (2) |
|---|---|---|---|---|
| Isolated | - | O | - | - |
| Promiscuous | O | O | O | O |
| Community (1) | - | O | O | - |
| Community (2) | - | O | - | O |
The network is divided into segments on layer 3 via the IP protocol. Here, systems are combined or divided according to function, location or other criteria. For example, the second octet can be distinguished by location and the third octet by function: 172.Location.Function.x.
Care must be taken to ensure that the host range is large enough to allow for medium-term growth. The sensible addition of further segments must also be planned for. IP addresses can be assigned statically, dynamically, or dynamically with reservation. With a reservation, a network participant always receives the same IP address.
IP ranges are defined for different applications. A VLAN is defined for each use case. Networks that offer a high potential for damage are additionally secured by PVLANs by isolating the participants from each other.
| Name | Host range | Mask | Gateway | Dynamic / static | VLAN ID |
|---|---|---|---|---|---|
| 172.16.x.x | | | | | |
| default (1) | 172.16.0.1-172.16.3.254 | | | | |
| Servers (AD) | 172.16.4.1-172.16.4.254 | 255.255.255.0 / 24 | 172.16.4.1 | static | 1004 |
| Server (mail) | 172.16.5.1-172.16.5.254 | 255.255.255.0 / 24 | 172.16.5.1 | static | 105 |
| Server (DB) | 172.16.6.1-172.16.6.254 | 255.255.255.0 / 24 | 172.16.6.1 | static | 106 |
| | 172.16.7.1-172.16.7.254 | | | | |
| Data | 172.16.8.1-172.16.8.254 | 255.255.255.0 / 24 | 172.16.8.1 | static | 108 |
| | 172.16.9.1-172.16.9.254 | | | | |
| | 172.16.10.1-172.16.10.254 | | | | |
| | 172.16.11.1-172.16.11.254 | | | | |
| Client | 172.16.12.1-172.16.14.254 | 255.255.252.0 / 22 | 172.16.12.1 | dynamic | 1012 + 2012* (PVLAN) |
| Client | 172.16.15.1-172.16.15.254 | 255.255.252.0 / 22 | 172.16.12.1 | static | 1012 + 2012* (with PVLAN) |
| | 172.16.16.1-172.16.19.254 | | | | |
| Printer (laser) | 172.16.20.1-172.16.20.254 | 255.255.255.0 / 24 | 172.16.20.1 | static | 1020 |
| Printer (labels) | 172.16.21.1-172.16.21.254 | 255.255.255.0 / 24 | 172.16.21.1 | static | 1021 |
| | 172.16.22.1-172.16.22.254 | | | | |
| | 172.16.23.1-172.16.23.254 | | | | |
| Periphery | 172.16.24.1-172.16.27.254 | 255.255.252.0 / 22 | 172.16.24.1 | static | 1024 |
| | 172.16.28.1-172.16.31.254 | | | | |
| Telephony | 172.16.32.1-172.16.35.254 | 255.255.252.0 / 22 | 172.16.32.1 | dynamic | 1032 |
| | 172.16.36.1-172.16.39.254 | | | | |
| Prod. systems 1 | 172.16.40.1-172.16.43.254 | 255.255.252.0 / 22 | 172.16.40.1 | static | 1040 |
| Prod. systems 2 | 172.16.44.1-172.16.47.254 | 255.255.252.0 / 22 | 172.16.44.1 | static | 1044 |
| Prod. systems 3 | 172.16.48.1-172.16.51.254 | 255.255.252.0 / 22 | 172.16.48.1 | static | 1048 |
| Prod. systems 4 | 172.16.52.1-172.16.55.254 | 255.255.252.0 / 22 | 172.16.52.1 | static | 1052 |
| IoT | 172.16.56.1-172.16.59.254 | 255.255.252.0 / 22 | 172.16.56.1 | static | 1059 |
| | 172.16.60.1-172.16.63.254 | | | | |
| Third-party systems | 172.16.64.1-172.16.64.254 | 255.255.255.0 / 24 | 172.16.64.1 | static | 1064 + 2064* (with PVLAN) |
| EOL systems | 172.16.65.1-172.16.65.254 | 255.255.255.0 / 24 | | static | 1065 + 2064* (with PVLAN) |
| Transition | 172.16.68.1-172.16.68.254 | 255.255.255.0 / 24 | 172.16.68.1 | dynamic | 1068 |
| 192.168.x.x | | | | | |
| DMZ | 192.168.200.1-192.168.200.254 | 255.255.255.0 / 24 | 192.168.200.1 | static | 200 |
| Transfer network 1 | 192.168.220.1-192.168.220.2 | 255.255.255.252 / 30 | - | static | 220 |
| Transfer network 2 | 192.168.221.1-192.168.221.6 | 255.255.255.248 / 29 | - | static | 221 |
| MGMT | 192.168.230.1-192.168.230.254 | 255.255.255.0 / 24 | 192.168.230.1 | static | 230 |

\* Private VLAN
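A plan like the one above is only useful if it stays internally consistent as segments are added. The following added example (not from the original article) checks a plan in that shape with Python's standard `ipaddress` module: every host range must consist of usable addresses of the subnet implied by its mask, every gateway must lie inside its subnet, no two subnets may overlap, and no VLAN ID may be used twice. The rows in `PLAN` are constructed from a few entries of the table; the mistyped DMZ gateway and the "Lab" row are deliberate defects added to show what the checker reports.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional


@dataclass
class Segment:
    name: str
    first_host: str
    last_host: str
    prefix: int               # prefix length, e.g. 24 for 255.255.255.0
    gateway: Optional[str]    # None for a transfer network without a gateway
    vlan_id: int


def check_plan(plan: List[Segment]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    nets = []
    vlan_owner = {}
    for seg in plan:
        # strict=False lets us derive the subnet from any host address in it
        net = ipaddress.ip_network(f"{seg.first_host}/{seg.prefix}", strict=False)
        first = ipaddress.ip_address(seg.first_host)
        last = ipaddress.ip_address(seg.last_host)
        usable_first = net.network_address + 1
        usable_last = net.broadcast_address - 1
        if first < usable_first or first > usable_last:
            findings.append(f"{seg.name}: first host {first} is not a usable address in {net}")
        if last < usable_first or last > usable_last:
            findings.append(f"{seg.name}: last host {last} is not a usable address in {net}")
        if seg.gateway is not None and ipaddress.ip_address(seg.gateway) not in net:
            findings.append(f"{seg.name}: gateway {seg.gateway} lies outside {net}")
        if seg.vlan_id in vlan_owner:
            findings.append(f"{seg.name}: VLAN {seg.vlan_id} already used by {vlan_owner[seg.vlan_id]}")
        else:
            vlan_owner[seg.vlan_id] = seg.name
        nets.append((seg.name, net))
    # Overlapping subnets would make routing and firewall zone assignment ambiguous
    for (name_a, net_a), (name_b, net_b) in combinations(nets, 2):
        if net_a.overlaps(net_b):
            findings.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return findings


# Constructed sample rows modelled on the IP/VLAN table above
PLAN = [
    Segment("Servers (AD)", "172.16.4.1", "172.16.4.254", 24, "172.16.4.1", 1004),
    Segment("Client", "172.16.12.1", "172.16.14.254", 22, "172.16.12.1", 1012),
    Segment("Transfer network 1", "192.168.220.1", "192.168.220.2", 30, None, 220),
    # Constructed defect: gateway typed as 192.68.x.x instead of 192.168.x.x
    Segment("DMZ", "192.168.200.1", "192.168.200.254", 24, "192.68.200.1", 200),
    # Constructed defect: a later addition that collides with the AD range and reuses its VLAN
    Segment("Lab (constructed)", "172.16.4.129", "172.16.4.190", 26, "172.16.4.129", 1004),
]

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["no findings"]:
        print(line)
```

Running the block reports three findings: the DMZ gateway outside its subnet, the duplicate VLAN 1004, and the overlap between the AD server subnet and the constructed Lab subnet. The transfer network row passes because a /30 has exactly the two usable addresses the plan lists.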
A transfer network usually connects two, in some cases several, network participants with one another, e.g. the ISP router and the perimeter firewall. In a transfer network, the data traffic is only in transit and is not processed further.
A transfer network is usually a /30 network. The two hosts that are to be connected to one another fit exactly into a /30 network.
Network participants are accommodated in the transition network who are legitimate but do not or no longer meet certain requirements. These participants will be excluded from regular operations in whole or in part, temporarily or permanently.
For example:

- EPP version is too old > transition network
- EPP version has been updated > client network
An additional separation on layer 3 can be set up via virtual routers. Here, several virtual routers, i.e. separate routing instances, are operated on one physical routing device. Communication between the individual instances is not possible without explicit routing.
Firewalls protect one network zone from another. Only required and checked traffic is permitted via a set of rules. Security can also be increased in the set of rules using UTM profiles (Unified Threat Management) for application control, IPS or other mechanisms.
Recommendation: two-stage firewall concept
With a two-stage firewall concept, the perimeter firewall separates the public network from the internal network. The core firewall separates the internal networks from each other and establishes the connection to the perimeter firewall.
Ideally, both firewalls are from different manufacturers. This avoids a single known vulnerability being sufficient to overcome both firewalls. In addition, a denial-of-service attack from the public network then has no direct impact on the internal systems.
Various manufacturers rely on an ASIC-based architecture that analyzes the content of data packets in real time and thus accelerates throughput.
The set of rules defines exactly which sender is allowed to set up connections and transmit data to which target address with which protocol. Traffic that is not allowed is blocked. Desirable: log all communication to ensure traceability.
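As an added example (not from the original article), the following Python model shows how such a rule set behaves between the zones described earlier: the source and destination addresses are mapped to zones, the first matching allow rule wins, everything else falls through to a default deny, and every decision is logged in a form that keeps the zone pair, the protocol and the matched rule. The zone subnets follow the IP/VLAN plan above; the rules, addresses and ports are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed zone map derived from the IP/VLAN plan; anything not listed is treated as WAN
ZONES: List[Tuple[str, ipaddress.IPv4Network]] = [
    ("MGMT",   ipaddress.ip_network("192.168.230.0/24")),
    ("DMZ",    ipaddress.ip_network("192.168.200.0/24")),
    ("Client", ipaddress.ip_network("172.16.12.0/22")),
    ("Server", ipaddress.ip_network("172.16.4.0/22")),
]


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: FrozenSet[int]     # empty set = any destination port
    comment: str


# Constructed allow rules; there are no deny rules because everything unmatched is denied
RULES = [
    Rule("WAN", "DMZ", "tcp", frozenset({443}), "Internet to reverse proxy / WAF"),
    Rule("DMZ", "Server", "tcp", frozenset({25}), "mail gateway to internal mail server"),
    Rule("Client", "Server", "tcp", frozenset({88, 389, 445, 636}), "clients to AD"),
    Rule("Client", "DMZ", "tcp", frozenset({443}), "clients to reverse proxy"),
    Rule("MGMT", "Server", "tcp", frozenset({22, 3389}), "administrative access to servers"),
    Rule("MGMT", "DMZ", "tcp", frozenset({22}), "administrative access to DMZ"),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "WAN"


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[str] = []

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> str:
        """Return 'allow', 'deny' or 'intrazone'. Every decision is logged."""
        s, d = zone_of(src), zone_of(dst)
        if s == d:
            # Same-zone traffic never crosses the firewall; only a PVLAN can restrict it
            verdict, hit = "intrazone", "-"
        else:
            verdict, hit = "deny", "default-deny"
            for r in self.rules:            # first match wins
                if (r.src_zone == s and r.dst_zone == d and r.proto == proto
                        and (not r.dports or dport in r.dports)):
                    verdict, hit = "allow", r.comment
                    break
        self.log.append(f"{verdict.upper():9} {s}->{d} {proto}/{dport} {src}->{dst} rule={hit}")
        return verdict


if __name__ == "__main__":
    fw = Firewall(RULES)
    for flow in [("172.16.12.50", "172.16.4.10", "tcp", 389),
                 ("172.16.12.50", "192.168.230.10", "tcp", 22),
                 ("203.0.113.7", "192.168.200.10", "tcp", 443),
                 ("192.168.200.10", "172.16.12.50", "tcp", 445)]:
        fw.evaluate(*flow)
    print("\n".join(fw.log))
```

Note that the model has no rule from DMZ to Client and none from Client to MGMT, so those flows are denied by the default rule, which is the behaviour the zone concept above calls for.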
With intrusion detection systems (IDS) and intrusion prevention systems (IPS), security can be increased further. Such systems continuously monitor the network and detect or prevent security incidents. The related information is logged.
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) functions are often already integrated in UTM firewalls. Performance varies by manufacturer and firewall model. Depending on the data throughput of the architecture and, above all, the need for protection, a dedicated solution is recommended.
A reverse proxy forwards requests from the Internet to an internal web server. As a result, the web server is only addressed via a defined intermediate level. Direct communication from the Internet to the web server is therefore not possible. The reverse proxy thus increases the security of web servers.
The reverse proxy can relieve the web server via its own cache, and access to multiple web servers can be distributed (load balancing).
Another application layer protection mechanism is a WAF. Incoming and outgoing traffic is monitored, analyzed, filtered or blocked. For example, applications are protected against attacks such as SQL injection, cross-site scripting (XSS) or cookie poisoning.
WAF functionalities are often already integrated in UTM firewalls. Depending on the data throughput of the architecture and, above all, the need for protection, a dedicated solution is recommended.
A NAC implements port-based access control in the LAN and enforces individual security policies throughout the network via a set of rules. As a supplement to the usual security systems such as firewalls, virus protection or intrusion detection systems, the NAC is an important component in the segmentation of networks. A prerequisite for the introduction of a NAC system is managed switches.
By using a NAC, VLANs can be assigned not only statically but also dynamically. This significantly increases flexibility and reduces the configuration effort.
Task:
During planning, it must be defined which ports are to be actively managed by the NAC. Ports of core, data, server or DMZ switches are preferably configured statically, as are uplink ports or LAGs (link aggregation groups).
Groups are defined in the NAC system, e.g. analogous to the IP & VLAN concept. Based on membership in a specific group, the corresponding switch port is moved to the desired VLAN via a set of rules when a defined event occurs (e.g. link up). An action can also be triggered on link down.
Unknown participants can be rejected. As an action, the port can be deactivated for a certain period of time. Alternatively, unknown participants can also be assigned to an isolated network area with a private VLAN.
Various NAC systems are able to check whether end devices meet a certain security standard during authentication. Criteria can be, for example, the patch level of the OS or how up-to-date the EPP is.
Devices that do not meet these requirements can be isolated until all necessary conditions are met. Only then is access to the regular network area granted.
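The following added example (not from the original article) models the NAC decision described in the last few paragraphs and in the transition-network example above: a known, compliant device is switched into its group's VLAN; a known device whose EPP version or OS patch level is too old goes to the transition network (VLAN 1068 from the plan above); an unknown MAC is either put into an isolated private VLAN or has its port disabled for a period. The inventory, the policy thresholds, the isolation VLAN ID 2999 and the shutdown duration are constructed assumptions; the `certificate_ok` flag stands in for a successful 802.1X authentication, since a MAC address alone can be spoofed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# VLAN IDs: client and transition follow the IP/VLAN plan above;
# the isolation VLAN and the shutdown duration are constructed assumptions.
VLAN_CLIENT = 1012
VLAN_PRINTER = 1020
VLAN_TRANSITION = 1068
VLAN_ISOLATED = 2999
PORT_SHUTDOWN_SECONDS = 300


@dataclass
class Endpoint:
    mac: str
    epp_version: Tuple[int, ...]    # e.g. (7, 2, 1)
    os_patch_level: str             # ISO date of the last applied patch set, e.g. "2024-01-10"
    certificate_ok: bool = False    # True when 802.1X certificate authentication succeeded


@dataclass
class Policy:
    min_epp_version: Tuple[int, ...]
    oldest_patch_level: str         # ISO date; anything older is non-compliant
    shutdown_unknown_ports: bool = False
    require_certificate: bool = False


# Constructed inventory: MAC address -> NAC group; the group decides the target VLAN
KNOWN_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "Client",
    "aa:bb:cc:dd:ee:01": "Printer",
}
GROUP_VLANS: Dict[str, int] = {"Client": VLAN_CLIENT, "Printer": VLAN_PRINTER}


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 / 00:11:22:33:44:55 in any case; compare in one form."""
    return mac.lower().replace("-", ":")


def decide(endpoint: Endpoint, policy: Policy,
           inventory: Dict[str, str] = KNOWN_DEVICES,
           group_vlans: Dict[str, int] = GROUP_VLANS) -> Tuple[str, Optional[int], str]:
    """Return (action, vlan, reason). action is 'assign', 'isolate' or 'shutdown'."""
    mac = normalize_mac(endpoint.mac)
    group = inventory.get(mac)
    if group is None:
        if policy.shutdown_unknown_ports:
            return ("shutdown", None, f"unknown MAC {mac}: port disabled for {PORT_SHUTDOWN_SECONDS}s")
        return ("isolate", VLAN_ISOLATED, f"unknown MAC {mac}: isolated private VLAN")
    if policy.require_certificate and not endpoint.certificate_ok:
        # A known MAC without a valid certificate is treated like an unknown device
        return ("isolate", VLAN_ISOLATED, f"{mac} failed 802.1X authentication")
    reasons = []
    if endpoint.epp_version < policy.min_epp_version:
        reasons.append("EPP version too old")
    if endpoint.os_patch_level < policy.oldest_patch_level:   # ISO dates sort as strings
        reasons.append("OS patch level too old")
    if reasons:
        return ("assign", VLAN_TRANSITION, "; ".join(reasons) + " > transition network")
    return ("assign", group_vlans[group], f"{group} compliant > regular network")


def on_link_down(mac: str, current_vlan: int) -> Tuple[str, str]:
    """Link-down action: return the port to the isolated VLAN until the next authentication."""
    return ("isolate", f"{normalize_mac(mac)} left VLAN {current_vlan}; port parked")


if __name__ == "__main__":
    policy = Policy(min_epp_version=(7, 0, 0), oldest_patch_level="2023-12-01")
    for ep in [Endpoint("00:11:22:33:44:55", (7, 2, 1), "2024-01-10"),
               Endpoint("00-11-22-33-44-55", (6, 9, 0), "2024-01-10"),
               Endpoint("de:ad:be:ef:00:01", (7, 2, 1), "2024-01-10")]:
        print(decide(ep, policy))
```

The same device appears twice in the demo with different EPP versions, which reproduces the two example lines from the transition-network section: too old goes to VLAN 1068, updated goes to the client VLAN.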
If possible, network access control should also be implemented on vSwitches.
The network participants are clearly identified via the MAC address. Ideally, the MAC addresses are known in advance for new network participants and are entered and assigned in the NAC system. The corresponding VLAN is switched on the access port based on the MAC address. Because MAC addresses can be spoofed, this approach offers only basic protection.
Certificate-based network access control with IEEE 802.1X can be used to further increase the security level. A certificate is stored on the client, which it uses to log on.
The effort for a successful IEEE 802.1X implementation should not be underestimated. It should also be noted that the certificates must be replaced before their expiry date.
Various properties of an end device are recorded as a fingerprint. The fingerprint generated in this way is used, also in combination with the MAC address, to uniquely identify the end device.
Secure identification can even be achieved for end devices that do not have IEEE 802.1x support, such as printers, webcams or VoIP telephones.
Each internal network participant is integrated into the network via its own switch port.
External network participants must be connected using a secure method. The most common VPN technology for this is IPsec (Internet Protocol Security).
A good alternative to IPsec is the free software WireGuard. The first version of WireGuard was released on Linux. WireGuard is now available for various operating systems and as an app for Android and iOS.
Requirements: