04/09/2019

Network segmentation – and suddenly pigeonholing is valuable!

In times of full digitalization, large companies have long recognized the importance of IT security components and implemented them in their corporate networks. These are:
– an intact and stable firewall
– State-of-the-art anti-virus software
– Regular security updates of the programs running during operation (operating system, office programs, specific software)
– Regular IT security training for employees to sensitize them to specific issues

This makes it all the more unpleasant if a virus nevertheless spreads unhindered in the system or a hacker attack puts the light of the company out.

This means that business areas are placed in different drawers (divided into segments) in which they can work unhindered – but it is not possible to look into another drawer. The meaning behind it: If one drawer is “broken open and robbed”, the others remain untouched! An example: In a production hall, several computers run with specific software for manufacturing products. There is no need for these computers to be connected to the Internet or for someone from the human resources department to have access to this production software via the network. So if a virus in the human resources department paralyzes the system, the computers in production are not affected because they are not in the same drawer as the human resources department.

The isolation of insecure components
Especially in grown structures there are legacy systems, which represent a security risk because up-to-date protection (virus software, security updates etc.) is no longer possible. This refers, for example, to computers running 15-year-old software specially programmed for the company. The software has not received any updates for a long time and cannot be transferred to a newer device. Nevertheless, it fulfils its task, an exchange would be cost-intensive. So this computer is separated from the other network components in the best possible way, so that any virus infection in the corporate network cannot even reach this device.

How do you approach this?

The first step is to create a catalog that identifies all the components in a network (administration, production, logistics, etc.). That sounds simple, but very often no complete lists are available – or, to stay in our pictorial description – you don’t even know how many drawers the cabinet should have.
Subsequently, a rough segmentation is carried out – e.g. the administrative network is separated from the production network. Of course, there are systems that are at home in both worlds (drawer jumpers, so to speak) – they must then be given special attention.
By means of a fine-granular segmentation, the production itself can now be subdivided once again (possibly by location, by machine or by type of production), so that in the end many drawers with clearly defined company areas result in a solid cabinet.
Last, but not least, a log is created that documents the individual drawers and their contents exactly and also shows who has the respective rights for which area.

In summary, the steps for segmentation are as follows:
– Separation of company areas that have little or nothing to do with each other.
– Control over the entire network
– Monitoring across zone boundaries (balance of security and production requirements)
– Compliance with standards and norms in all segments and at all times (whitepapers, IEC certificates)
– Scheduling and specially securing necessary remote accesses from software vendors
– Training of the employees for a better understanding of network segmentation

Bottom line

In the context of global networking, pigeonholing may sound dusty and perhaps even obstructive. For the company’s IT security, however, it is a strategy that, in addition to the firewall, anti-virus software, regular security updates and security training for employees, provides excellent services as the company’s fifth IT security pillar!

Limes Security supports you in your project to implement network segmentation in your company: from the assessment of components to fine-grained segmentation. Contact us today without obligation for an initial meeting.