What is network segmentation? #

Network segmentation, in its simplest form, is the act or practice of dividing a computer network into smaller parts, subnetworks, or network segments. In recent years,it has evolved into a foundational enterprise control to improve network performance and security. However, without effective verification strategies like Cyber Asset Attack Surface Management (CAASM), network segmentation can be easily undermined by misconfigurations and multi-homed machines.

Let’s explore a practical comparison to network segmentation – a house with an open floor plan. This design ensures ease of movement and makes the space feel larger, but presents a challenge for achieving privacy and security. You likely don’t want everyone that enters your home to have unfettered access to all areas. Adding walls and changing the architecture of a home is much harder after it's been built; however, doors and locks can help add security controls while maintaining the original functionality. For example, if a contractor is scheduled to work on the garage, doors and locks add a level of segmentation that ensures access is only granted for the area where the work needs to be done. Lateral movement into the house is unlikely and garage repair alone does not merit access to other areas. Essentially, network segmentation is akin to a house with defined areas of access to make safe and secure spaces when needed.

A simple example of network segmentation
A simple example of network segmentation

What are the benefits of network segmentation? #

  • Better operational performance Segmentation reduces network traffic congestion.

  • Improved security:
    • Limit the damage done by cyber attacks: Segmentation improves cybersecurity postures by limiting how far an attack can spread by reducing lateral movement. For example, segmentation keeps a malware outbreak in one segment from spreading to systems in another.

    • Protect vulnerable devices: Segmentation can prevent harmful traffic from reaching devices that are unable to protect themselves. For example, on a factory floor that contains OT/ICS devices that were not designed with advanced security defenses, segmentation can stop harmful Internet traffic from reaching them.

  • Containing network problems: Segmentation minimizes the impact of local failures on other parts of the network. When localized problems arise, network segmentation helps to minimize production downtime and decrease corporate latency due to misconfigurations.

  • Controlling access: Access can be controlled by creating VLANs to segregate the network. For example, visitors can access a “guest network”, so they can access the Internet, but not the corporate network itself. Another example is separating networks during a corporate divestiture, so that employees only have access to the corporate network of their company and not the other.

  • Meet industry compliance standards Regulations are a driving factor in network segmentation. For example, businesses subject to Payment Card Industry Data Security Standard (PCI DSS) requirements must validate cardholder data environment (CDE) segmentation during the security audit process. The PCI guidance on scoping and segmentation describes a common CDE administration model.

How do you verify network segmentation is implemented correctly? #

Verifying that segmentation is working correctly can be challenging, especially across large and complex environments. Common techniques to validate segmentation, such as reviewing firewall rules and spot testing from individual systems can only go so far, and comprehensive testing, such as running full network scans from every segment to every segment, can be time intensive and are rarely performed on a regular basis.

Verifying safe network segmentation with CAASM #

Network bridge detection #

Network bridge detection is a useful tool when validating the effectiveness of network segmentation and testing whether an attacker can reach a sensitive network from an untrusted network or asset. Examples of this include laptops plugged into the internal corporate network that are also connected to a guest wireless segment, or systems connected to an untrusted network, such as a coffee shop’s wireless network that also have an active VPN connection to the corporate network.

The runZero Platform detects network bridges by looking for extra IP addresses in responses to common network probes (NetBIOS, SNMP, MDNS, UPnP, and others) and only reports bridges when there is at least one asset identified with multiple IP addresses. Typical hardening steps, such as desktop firewalls and disabled network services are limiting factors that will usually prevent multi-homed assets from being detected by runZero; however, the click-through demo below shows how to use network bridge detection to search for multi-homed assets in the runZero inventory.

Identifying Potentially Risky Network Bridges #

This runZero network bridge report is an interactive view of possible paths that can be taken through the network by traversing multi-homed assets. When detected, single IP addresses are omitted to keep the graph practical and actionable for defenders.

runZero enables you to click through asset and subnet details within the external (red) and internal (green) networks. Clicking a bridged node once will highlight the networks it is connected to and show a link which leads to the full asset details for that node. Alternatively, clicking a network once will highlight the connections to bridged nodes and show a link to the Asset Inventory page with a CIDR-based inventory search.

This report helps you see where segmentation may be broken, and can cut down on the number of surprises encountered in a future security audit.

The Asset Route Pathing Report #

The runZero Platform also enables you to visualize potential network paths between any two assets in an organization by creating the asset route pathing report. This unique methodology identifies surprising and unexpected paths between assets that may not be accounted for by existing security controls or reviews.

The report generates a graph of multiple potential paths by analyzing IPv4 and IPv6 traceroute data in combination with subnet analysis of detected multi-homed assets – without requiring access to the hosts or network equipment.

With a view of potential paths between assets, security professionals can verify whether a low-trust asset, such as a machine on a wireless guest network, can reach a high-value target, such as a database server within a cardholder data environment (CDE). Another example would be an OT asset (such as an engineering workstation) being able to access the IT network. This feature highlights potential network segmentation violations and opportunities for an attacker to move laterally from one segment to another.

Summary #

In summary, there are many benefits of network segmentation, and fact checking proper implementation can be a difficult, arduous task. runZero is here to help by reducing the burden of misconfigurations and/or improperly defined network boundaries, subnets and VLANS.

Not a runZero customer? Download a free trial today and achieve comprehensive asset inventory and attack surface visibility in minutes.

If you would like to read more about network segmentation and what runZero has found in the wild, check out Chapter 4 of the runZero Research Report that talks about the decay of segmentation.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.

More about runZero Team
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

runZero Insights
Taming the Typhoons: How runZero Keeps You Ahead of State-Sponsored Cyber Threats
China's Typhoon cyber attacks are evolving, but runZero helps you stay one step ahead with unmatched visibility and proactive defense.
runZero Insights
Ensure compliance with DORA’s ICT risk framework using runZero
Learn how to uncover unmanaged and unknown assets— including IT, OT, and IoT— to meet DORA's hidden risk requirements using runZero.
Life at runZero
Employee Spotlight: Doug Markiewicz
Doug Markiewicz is a strategic Customer Success Engineer with a passion for solving complex cybersecurity problems. Learn more about his journey as...
runZero Insights
Evolving from IT to IoT: Flax Typhoon preyed on the lesser knowns
A look at Flax Typhoon's latest operations, and how runZero’s unknown and IoT asset visibility can help calm the storm for security teams.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved