Network Segmentation

What is network segmentation?

Network segmentation is the physical division of network into separate parts. A network segment can contain just one machine or many machines. Each network segment can have it's own hub or switch. In most cases a contiguous range of IP addresses will be assigned to each segment. Using a FireRack firewall, each segment can be protected from the other segments using it's own set of firewall rules. Any data moving between segments must pass through the firewall.

Why is network segmentation necessary?

If an attacker successfully compromises a single machine in a network segment, every machine in that segment is at risk. A single compromised machine which shares a hub with other machines, can packet-sniff data going to the other machines. This data could contain logins, passwords or other sensitive information.

Although the use of a switch instead of a hub can minimise the impact of packet sniffing, switch security can also be circumvented. A compromised machine connected to a typical switch is able to send broadcast packets to all other machines connected to that switch. Such a machine can steal the identity of another machine on the switch by announcing that it is the owner of that machines IP address. When all is said and done, switches are primarily designed to improve network performance, not to act as a firewall on a LAN.

Typically the attacker will have compromised a machine in the DMZ (DeMilitarised Zone) segment. By segmenting your network, you can contain that security breach to just the DMZ. Any attacker who has compromised a machine in the DMZ has still got to traverse the firewall to attack any additional segments, such as the private segment. A well-configured firewall will not allow machines in the DMZ to connect to arbitrary machines or ports in the private segment.

Our main objectives

Our overriding objectives in segmenting the network are:

  • Maximise the security of the private network segment
  • Damage Limitation. Minimise the potential scope of a security breach.
  • Segregate high risk areas

In most organisations, we do not wish offer up data such as staff pay, personal staff data, internal reports and detailed accounts on our publicly accessible web site. If your web site and your confidential data reside in the same network segment, this just might happen. For this reason we pay special attention to the "Private" segment of the network. It is the network segment which should have zero exposure to the Internet.

We must identify high risk areas, such as our publicly accessible web servers. If we place them in a separate segment, we can protect our private network and other segments from them, if (or when) they are compromised.

Common segmentation scenarios

The way administrators segment their networks will vary widely depending on the way their company operates and interacts with the Internet. Whatever model of business you operate, you must always plan for the worst possible case. There follows three examples for four common types of organisation:

1. Typical Small Business

The main use this small business makes of the Internet is to access information on the World Wide Web. This company also hosts it's web site on its own web server and runs its own mail server. No other organisation needs authoring or administrative access to these servers.

As this company is exposing only two services, they have chosen to host both services in the DMZ. They have chosen to rely on a switch to minimise the risk of packet-sniffing within the DMZ.

Segments:

  • Private Segment - All of the workstations used by the employees and all servers containing data not for public access are hosted in this segment. The firewall allows inbound mail to the internal mail server, only via a mail relay in the DMZ.
  • DMZ Segment - The web and mail-relay servers reside here. There is no data on the web server that is considered confidential. The web server cannot connect to machines on the private network, although they can connect to it for authoring purposes. All Email going to and from the company goes via the mail relay. The relay is permitted to connect to internal mail server on its port 25 (SMTP) only.

2. Internet Service provider / Web Hosting Company

In addition to the needs of the Small Business above, the Web Hosting Company has a number of servers that are accessible for authoring and Email retrieval from arbitrary external IP addresses. This automatically make this network far harder to secure than the Small Business Model.

The web servers may allow authors to install their own cgi-scripts. In spite of the hosting companies best efforts, not all cgi scripts can be effectively vetted. Web sites are uploaded to the server by FTP, using plain-text passwords that could potentially be intercepted. Email is being retrieved from the mail servers using pop3. Again these passwords could be intercepted. The company also runs a primary DNS server, which hosts domains for all of its customers. If the DNS server was to fall into the control of a cracker, he could steal the companies Email and/or redirect their web site.

This company wisely works on the assumption that any one of their servers could be compromised at any time. This could be due to the exploitation of an unknown remote or local vulnerability. They have concluded that the web servers are the greatest area of weakness, and that the DNS server is their most sensitive and valuable resource.

Segments:

  • Private segment
  • Public Web Servers - This contains the web servers which host their customer's web sites
  • Mail Servers - The customer's Email is processed by these servers
  • DNS Server - The companies only primary DNS server resides here
  • Corporate Web Server - This server hosts the company's own web site and is linked to a database containing sensitive and valuable information.

3. Colocation Hosting Company

This is the most hostile environment of all. The colocation hosting company is hosting servers for many different customers. These customers do not know or trust one another. To make matters worse, the co-lo company does not administer any of the servers for their customers. Each customer is responsible for securing, patching and monitoring their own server.

So, in addition to protecting each colocated server from outside attackers, the colocation company must protect it's customers from each other. It is inevitable in a hosting environment such as this that machines will be hacked. The object of this exercise is to ensure that when a hacker compromises one machine, this does not place other customers in jeopardy.

This first decision that is made is that switch security is not good enough. Connecting multiple co-lo machines to a switch is asking for trouble. Not only are the machines not separated by a firewall, there is also the possibility that a hacked machine will pose as other machines and intercept their data traffic.

The solution chosen is to place each colocated machine in its own network segment. This can be done by using a MultiPort firewall, such as the FireRack MultiPort. Each firewall can support up to 4096 separate segments. IP address wastage has been avoided by using the "Transparent" Firewall feature.

Segments:

  • One segment per colocated server / network
  • As many 20 segment Firewalls as necessary

4. Educational Institution

Typically Schools and Colleges will have one or more networks to support the variety of different classes of workstation they host. Just like in colocation environments, it is unwise to assume that every machine on the network(s) can be trusted. Some machines may have had back doors installed by students. Internet worms and viruses could easily be inadvertently introduced on communal machines, threatening the safety of the overall network.

Many institutions have coped with this threat by creating separate networks for Administration and Educational departments. Although this is a wise decision, it can give rise to a number of problems:

Each network needs it's own independent means of Internet Access. Obviously this will lead to an increase in costs for the Institution.

Many firewalls use single rule lists to manage connectivity between all segments. An attempt to use of such a firewall to join segments can easily lead to an inadvertent exposure between segments.

The fragmentation of the network can lead to logistical problems. Copying large blocks of data from the Administration segment to the Educational segment might be slow or impossible.

These potential pitfalls can be avoided by using a FireRack firewall. A single Internet connection can be safely shared, with no possibility that one segment can harm another. Each segment is protected by its own Virtual Firewall. So, a badly written rule in one segment will not threaten the security of another. If the Institution so chooses they can have many segments being handled by a single FireRack firewall. Also control of different segments can be delegated to the different departments.

Jesus College Cambridge have written this paper on their reasons for choosing a FireRack firewall.

Separating your machines

For the purposes of this section, a server is defined as a machine which must be publicly accessible to any or all Internet users, but not via a VPN (Virtual Private Network). A client is defined as a machine that must be capable of making connections, but doesn't receive connections from the Internet (e.g. a Windows Workstation).

Ideally a machine should never be both a client and a server. If you have a Workstation that also acts as a web server, for security reasons you're going to have to split these functions between two machines. To do otherwise would compromise the security of the Private segment.

A server's ability to make connections should be restricted. From time to time the servers may have to access the Internet to download new patches and modules. In order to prevent these machines from making connections to arbitrary services on the net, they should be forced to use a proxy server. This will prevent a cracker from successfully causing the server to open netcat connections back to them, while still allowing necessary http and ftp connections.

Allocating IP addresses

Until the advent of transparent firewalling, it would have been necessary to split you IP address range to accommodate a firewall. If you are using a firewall that doesn't support transparency and you want use routable IP addresses on your servers, you will have to split your IP address range into a least two subnets.

Please don't allocate real (i.e. routable) IP addresses to client (workstation) computers. With a good firewall, there is absolutely no reason why you would. Your firewall should be able perform as a proxy server and Network Address Translation (NAT) appliance.

Assigning routable addresses, in combination with a mistake in your firewall configuration could lead to an unnecessary exposure. Non-routable ranges such as 192.168.x.x and 10.x.x.x can be used in place of "real" IP addresses. This also makes it less likely that you'll have to split your IP address range into multiple subnets.

Your routable IP addresses can be assigned to publicly accessible machines in your DMZ or other exposed segments.

How a "Transparent" Firewall might help

As you've seen above, it is normal practice to split your network address space into at least two and probably more sections. This is usually a necessity when installing a firewall. The new transparency feature of the FireRack Firewall will allow you to segment your network, without segmenting your address space. This has the added advantage of saving IP addresses, as multiple gateway, broadcast and network addresses will no longer be necessary.

If you were to use the transparent feature on a typical Small Business network, with one private segment and one DMZ segment, the firewall might be configured as follows:

The same IP address would be assigned to all three interfaces of the firewall

A route would be added to the firewall configuration telling it that the external router was connected to the external port

A route or routes would be added to firewall indicating which workstation IP addresses could be reached via the private interface

A route or routes would be added to firewall indicating which server IP addresses could be reached via the DMZ interface

Each workstation and Server would continue to treat the external router as their default gateway, even though they are no longer on the same physical network segment

The external router would continue to believe that it could access the workstations and servers directly, without having to be configured explicitly to use the firewall

The firewall now ensures that data flows between the network segments seamlessly, providing the data passes the firewall rules

As you can see, the firewall is transparent to the other machines on the network. No computers needed to be reconfigured to use the firewall, and no address-space segmentation has been necessary.