The network is almost always segmented into different subnets, and the reasons behind the design are many and varied. In this video, you’ll learn about network segmentation strategies, segmenting SCADA networks, building honeynets, and segmenting your test lab.
One of the challenges of the network professional is to create and design a network that works specifically for your organization. In this video, we’ll look at many of the different reasons you might segment your network. There are different ways to segment your network. You might use physical segmentation, where you’re taking different switches, routers, and other network infrastructure to physically separate where different devices are connecting. Or you might be using VLANs, which allow you to virtually segment different connections inside of the same switch.
One of the reasons for these segmentations may be based around performance. You might have an application that moves a lot of information over a short period of time and by segmenting this off onto its own switch, or its own router, you may be improving the overall performance of the application.
You can also think about segmentation being used for security purposes. You might have a configuration where users shouldn’t talk directly to database servers, so to restrict that access you may put database servers on their own segmented part of the network. And this way you might have applications in the core of your network that are communicating via the SQL protocols, they might be configured to allow SSH access, but no other communications can go between those servers and the rest of your network.
Some of your network segmentation may be determined by a third party. For instance, you may have the requirement of PCI DSS, which is a credit card security requirement. And it requires that your network be designed in certain ways to protect the credit card information that’s going from one device to another. In many ways, segmenting the network in this way may make change control and auditing so much easier because you can easily look at a device and say that that device is completely segmented from any other part of the network.
In an earlier video, we talked about SCADA networks. Those are the Supervisory Control and Data Acquisition system networks. You may also refer to these as Industrial Control Systems because they are managing and controlling these very large pieces of equipment. These are the things that provide power generation. They’re doing water management. They may be used on a manufacturing floor. They’re very large pieces of equipment. And because of that, it’s important that SCADA networks are segmented off to their own part of the network.
We’ve had these industrial systems for a very long time. But it wasn’t until relatively recently that we had to rethink how we were engineering these SCADA networks. We needed to provide access to these systems but we wanted to be sure they were segmented from any other part of the network. Today, security is top of mind. We have to make sure that these SCADA connected systems are completely secure and that no one can access these very large and very important industrial systems from outside of the organization.
If you have a network of really any size, you’re probably going to have brand new equipment and you’re going to have some really old equipment as well. These legacy systems are usually set up to perform a particular function, and it’s usually one that’s very important for your organization. But unfortunately, sometimes the older equipment doesn’t play very well with the newer equipment so it makes sense to segment off a section of the network just for these legacy devices and legacy applications.
This is also a scenario where you might want to separate out a private network from a public network. We commonly, these days, have these guest wireless networks so that anybody who comes into our building can gain internet access. But we want to restrict that public network from accessing anything on the inside. So we’ll set some very clear delineation and segment the network so that only your internal devices are on the private network, and the users and the guests are always on the public network.
We often see this segmentation on firewalls where we clearly have an inside and an outside. But we also may create a DMZ, a demilitarized zone, where we might keep some services so people from the outside can access those services but while they’re doing that, they’re not gaining any access to the inside of our network.
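The database-server restriction and the guest and DMZ separation described above can be written down as a default-deny policy between segments and checked against observed traffic. The following is an added example, not part of the original video; the subnets, segment names, port numbers and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segments; every subnet here is an assumption for illustration.
SEGMENTS = {
    "users":    ipaddress.ip_network("10.10.0.0/16"),
    "apps":     ipaddress.ip_network("10.20.0.0/24"),
    "database": ipaddress.ip_network("10.30.0.0/24"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "guest":    ipaddress.ip_network("172.16.50.0/24"),
}

# (source segment, destination segment) -> allowed TCP ports.
# Any pair or port not listed is denied (default deny).
ALLOWED = {
    ("users", "apps"): {443},
    ("apps", "database"): {1433, 3306, 5432, 22},  # common SQL ports plus SSH
    ("users", "internet"): {80, 443},
    ("guest", "internet"): {80, 443},              # guests get internet only
    ("internet", "dmz"): {80, 443},                # outside reaches DMZ only
}

def segment_of(addr):
    """Map an IP address to its segment; unknown addresses are 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

def is_allowed(src, dst, port):
    """True if the policy permits src -> dst on this TCP port."""
    pair = (segment_of(src), segment_of(dst))
    if pair[0] == pair[1]:
        return True  # traffic inside one segment is out of scope here
    return port in ALLOWED.get(pair, set())

def audit(flows):
    """Return the flow records that cross segments against the policy."""
    return [f for f in flows if not is_allowed(*f)]

# Constructed flow records: (source IP, destination IP, destination TCP port)
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.15", 443),       # user -> app: allowed
    ("10.20.0.15", "10.30.0.5", 5432),      # app -> database SQL: allowed
    ("10.10.4.7", "10.30.0.5", 5432),       # user -> database directly
    ("172.16.50.23", "10.20.0.15", 443),    # guest -> inside
    ("203.0.113.9", "192.0.2.10", 443),     # internet -> DMZ: allowed
    ("203.0.113.9", "10.30.0.5", 22),       # internet -> database
    ("172.16.50.23", "198.51.100.8", 443),  # guest -> internet: allowed
]

if __name__ == "__main__":
    for src, dst, port in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {segment_of(src)} -> {segment_of(dst)} tcp/{port}")
```

Any flow this reports means a firewall rule or VLAN boundary is not enforcing the separation the design calls for.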
One interesting use of segmentation is to build a honey pot, or a honey net. This is where you’re creating a server, or a series of devices, that’s specifically designed to attract the hackers. And you would have people come into that network, which looks like a perfectly normal network, but in reality it’s one that you’ve designed with your own servers and your own data, and you’re able to watch what the bad guys are doing to gain access to these devices. A honey pot, or honey net, can be a very valuable research tool but you obviously want to have it segmented onto its own network.
Most IT organizations are going to have a testing lab where you can test patches and install new network configurations without the worry of affecting anything else. So it’s important that your lab be segmented off onto its own section of the network. You might also want to segment the network if you’re doing some type of load balancing. That way if you lose one part of the network the load balancer can continue to send information to the other part of the network because you originally segmented those off into completely separate areas.
And if you’re trying to improve the performance of certain applications, especially high bandwidth applications that do imaging, then you may want to create a very specialized high speed network that’s segmented off just for the use of that particular application.