Protect your business by dividing your network into isolated segments, each controlled by its own firewall rules. Contain breaches, segregate high-risk areas, and maximise the security of your private network.
Network segmentation is the physical division of a network into separate parts. A network segment can contain just one machine or many machines. Each network segment can have its own hub or switch. In most cases a contiguous range of IP addresses will be assigned to each segment. Using a FireRack firewall, each segment can be protected from the other segments using its own set of firewall rules. Any data moving between segments must pass through the firewall.
If an attacker successfully compromises a single machine in a network segment, every machine in that segment is at risk. A single compromised machine which shares a hub with other machines can packet-sniff data going to the other machines. This data could contain logins, passwords or other sensitive information.
Although the use of a switch instead of a hub can minimise the impact of packet sniffing, switch security can also be circumvented. A compromised machine connected to a typical switch is able to send broadcast packets to all other machines connected to that switch. When all is said and done, switches are primarily designed to improve network performance, not to act as a firewall on a LAN.
Typically the attacker will have compromised a machine in the DMZ (DeMilitarised Zone) segment. By segmenting your network, you can contain that security breach to just the DMZ. Any attacker who has compromised a machine in the DMZ has still got to traverse the firewall to attack any additional segments, such as the private segment. A well-configured firewall will not allow machines in the DMZ to connect to arbitrary machines or ports in the private segment.
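The containment described above, written out as an added example (not FireRack code): three segments with constructed address ranges, an explicit allow-list of inter-segment flows, and default deny for everything else. The ranges, ports and policy entries are assumptions chosen to mirror the DMZ/private layout in the text.

```python
import ipaddress

# Constructed segments, each with its own contiguous address range.
# The ranges are assumptions for this example, not product defaults.
SEGMENTS = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "private": ipaddress.ip_network("192.168.10.0/24"),
}

# Allow-list of (source segment, destination segment, protocol, port).
# Nothing from the DMZ into the private segment is listed, so a host
# compromised in the DMZ cannot reach arbitrary private machines or ports.
POLICY = {
    ("internet", "dmz", "tcp", 80),      # public web site
    ("internet", "dmz", "tcp", 25),      # inbound mail to the DMZ mail server
    ("private", "dmz", "tcp", 25),       # staff mail clients relay via the DMZ
    ("private", "internet", "tcp", 80),  # staff web browsing
}


def segment_of(ip: str) -> str:
    """Map an address to the most specific segment containing it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in SEGMENTS.items():
        if addr in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best


def permitted(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Firewall decision for one flow: same-segment traffic never crosses
    the firewall; cross-segment traffic must match the allow-list."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True
    return (src, dst, proto, port) in POLICY


def reachable_from(src_segment: str, dst_segment: str) -> set:
    """Everything a compromised host in src_segment can still reach in dst_segment."""
    return {(p, port) for s, d, p, port in POLICY if s == src_segment and d == dst_segment}
```

Running `reachable_from("dmz", "private")` returns an empty set, which is the containment property the page describes; adding an entry to POLICY is the only way to widen it.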
Our overriding objectives in segmenting the network are:
In most organisations, we do not wish to offer up data such as staff pay, personal staff data, internal reports and detailed accounts on our publicly accessible web site. If your web site and your confidential data reside in the same network segment, this just might happen. For this reason we pay special attention to the "Private" segment of the network. It is the network segment which should have zero exposure to the Internet.
The way administrators segment their networks will vary widely depending on the way their company operates and interacts with the Internet. Whatever model of business you operate, you must always plan for the worst possible case.
The main use a small business makes of the Internet is to access information on the World Wide Web. In this scenario the company also hosts its web site on its own web server and runs its own mail server.
In addition to the needs of a Small Business, a Web Hosting Company has servers accessible for authoring and email retrieval from arbitrary external IP addresses. Web servers may allow authors to install their own CGI scripts, and email is retrieved using plain-text passwords that could be intercepted.
A colocation company is the most hostile environment of all. Customers do not know or trust one another, and the colocation company does not administer the servers. Each customer is responsible for securing their own server. The solution is to place each colocated machine in its own network segment using a MultiPort firewall such as the FireRack MultiPort, which supports up to 4096 separate segments.
Schools and Colleges have multiple networks supporting different classes of workstation. A FireRack firewall allows a single Internet connection to be safely shared across segments, with each segment protected by its own Virtual Firewall. Control of different segments can be delegated to different departments.
The transparency feature of the FireRack Firewall allows you to segment your network without segmenting your address space. This saves IP addresses, as multiple gateway, broadcast and network addresses will no longer be necessary.
The firewall is transparent to other machines on the network. No computers need to be reconfigured to use the firewall, and no address-space segmentation is necessary.
Contact us to discuss how network segmentation can improve the security of your infrastructure.