Network Segmentation Security Risks
Again, network segmentation is a useful security layer in a defense-in-depth strategy. For example, it limits the impact of malicious attacks by:
- Restricting worm activity to the initially infected segment;
- Allowing isolation of compromised segments without taking down the entire network; and
- Providing another obstacle to human intruders who might gain logical access to a network-attached device.
But as with any security control, segmentation is not a panacea. VLAN controls can be bypassed with widely available products. Since a motivated black hat hacker can break through segmentation barriers, this control should not be relied on by itself for regulatory compliance.
For example, some vendors might try to sell a VLAN product to segregate PCI-controlled data as a way to minimize PCI compliance costs. Businesses that buy into this cost-reduction argument, and that fail to support segmentation with other controls, are putting themselves and their customers at risk.
In addition to IPS solutions, other controls to consider as support for segmentation include:
- Blocking all packets without a legitimate source address (e.g. packets with a source address outside the protected network's IP address space); and
- Blocking all packets from an external source which use an internal address as a source address.
Both of these settings prevent IP address spoofing, one commonly used method to bypass VLAN access control lists.
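As an added illustration (not code from the original article), the two address-based rules above expressed as a small packet filter in Python. The interface names, the protected address ranges and the sample packets are constructed assumptions; on a real boundary device the same logic would be written as interface ACLs.

```python
# Added example: a minimal model of the two anti-spoofing rules described above.
import ipaddress
from typing import NamedTuple

# Address space of the protected (internal) network; constructed sample ranges.
PROTECTED_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                  ipaddress.ip_network("192.168.50.0/24")]

class Packet(NamedTuple):
    ingress_if: str   # interface the packet arrived on: "inside" or "outside"
    src: str          # source IP address as it appears in the header

def is_internal(addr: str) -> bool:
    """True if addr falls inside the protected network's address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED_NETS)

def anti_spoof_verdict(pkt: Packet) -> tuple[str, str]:
    """Return ("drop" | "accept", reason) for one packet.

    Rule 1: a packet arriving on the inside interface whose source is not a
    protected address has no legitimate origin on this network -> drop.
    Rule 2: a packet arriving on the outside interface that claims an internal
    source address is impersonating a trusted host -> drop.
    """
    internal_src = is_internal(pkt.src)
    if pkt.ingress_if == "inside" and not internal_src:
        return "drop", "source outside protected address space on inside interface"
    if pkt.ingress_if == "outside" and internal_src:
        return "drop", "internal source address arriving from outside"
    return "accept", "source address consistent with arrival interface"

def filter_packets(pkts: list[Packet]) -> list[tuple[Packet, str, str]]:
    """Apply the verdict to each packet; returns (packet, verdict, reason)."""
    return [(p, *anti_spoof_verdict(p)) for p in pkts]

# Constructed sample traffic (not real captures).
SAMPLE = [
    Packet("inside", "10.10.4.7"),       # legitimate internal host
    Packet("inside", "203.0.113.9"),     # inside host forging an external source
    Packet("outside", "192.168.50.20"),  # outside host forging an internal source
    Packet("outside", "198.51.100.3"),   # ordinary external traffic
]

if __name__ == "__main__":
    for pkt, verdict, reason in filter_packets(SAMPLE):
        print(f"{pkt.ingress_if:7} {pkt.src:15} {verdict:6} {reason}")
```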
Finally, segmentation itself can be a business risk. If not properly designed, it can present an obstacle to both IT and business operations.
The network should be segmented only as far as is appropriate, given data sensitivity, server criticality, and the organization's willingness to accept risk. The basic premise that complexity is the enemy of security should be kept in mind during network design. Further, adding segments simply because it is possible can lead to:
- Unexpected and unnecessary network performance issues;
- Higher than necessary costs for network devices; and
- VLAN and user access management challenges.