Friday 16 August 2013

Network security segmentation


A network can have the most sophisticated security mechanisms implemented, but without network segmentation their value will be greatly undermined, if not invalidated. Internal segmentation is often overlooked because the focus is on the external threat. Unfortunately, the external threat is counting on weak internal network segmentation to spread malware throughout the enterprise and to gain a foothold for the exfiltration of critical enterprise data.
Significant investment has been made in network access control (NAC) and perimeter technologies; meanwhile, the latest threat, introduced to the network through a trusted host, is wreaking havoc on internal client systems and on the most critical systems in the enterprise. Segmenting the user base of systems from the server systems is a must; otherwise any slight deviation in the security posture of an end client can put the entire enterprise at risk.
The shift of security architecture to a data-centric model, versus a network access-centric model, is at odds with the method by which we have continued to approach securing the network perimeter. We have marched to the same wisdom of a DMZ sandwiched between firewalls, or now the same firewall with multiple interfaces. This network design addresses network connectivity and contributes little to real data protection. It is true that the basic, low-skill attacks will be stopped, but we have seen that this design does not thwart even semi-sophisticated attack methods. The reason is that it is the network perimeter that is protected, not the data.
While it is important to protect the network and implement segmentation via firewalls, we cannot stop there in protecting our network assets. If we approach systems as storage for data, we can overlay our trust models to enforce authorized access methods that are far more agile than the typical DMZ, business partner zone, or remote access network architecture. Do you recall the section in , Security Architectures, where I suggested that security architecture has been robbed of its individuality by working only within the confines of network architecture? Security architecture is a distinctly different practice with a different rationale, and it therefore needs to be aware of the network design, but the network is merely transport; let's not elevate it to be the primary defender of our network and assets.
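The two points above, separating the user population from the server systems and treating access as a default-deny trust model rather than as "inside vs. outside", can be made concrete with a small zone-based policy checker. The following is an added example written for this post, not code from the original article; the zone addresses, rule table and sample flows are constructed and illustrative only. It evaluates flows against an explicit allow list (anything not listed is denied), and the `reachable_from` function reports the blast radius available to a compromised host in a given zone, which is exactly what weak internal segmentation hands to an attacker.

```python
"""Zone-based, default-deny segmentation policy checker.

Added example for this post; the zone layout, rules and sample flows are
constructed assumptions, not the author's or any product's configuration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone layout (assumed addressing). "internet" is the catch-all.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "mgmt": ipaddress.ip_network("10.30.0.0/24"),
}

# Explicit allow rules: (src_zone, dst_zone, proto, dst_port).
# proto "any" and port None are wildcards. Everything not listed is denied.
# Deliberately absent: users->users (client-to-client lateral movement),
# users->mgmt, and any DMZ->internal path other than the app-to-database one.
ALLOW = [
    ("internet", "dmz", "tcp", 443),
    ("dmz", "servers", "tcp", 5432),   # the only path from the DMZ inward
    ("users", "servers", "tcp", 443),
    ("users", "servers", "tcp", 445),  # file shares
    ("mgmt", "servers", "tcp", 22),
    ("mgmt", "users", "tcp", 3389),    # helpdesk RDP only from jump hosts
    ("servers", "servers", "any", None),  # east-west inside the server zone
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Return the most specific zone containing addr (longest prefix wins)."""
    ip = ipaddress.ip_address(addr)
    best, best_len = "internet", -1
    for name, net in ZONES.items():
        if ip in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def rule_matches(rule, src_zone: str, dst_zone: str, flow: Flow) -> bool:
    r_src, r_dst, r_proto, r_port = rule
    return (r_src == src_zone and r_dst == dst_zone
            and r_proto in ("any", flow.proto)
            and r_port in (None, flow.dport))


def is_allowed(flow: Flow) -> bool:
    """Default deny: permitted only if some explicit rule matches the flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    return any(rule_matches(r, src_zone, dst_zone, flow) for r in ALLOW)


def reachable_from(zone: str) -> set:
    """Blast radius: every (dst_zone, proto, port) a host in `zone` may reach."""
    return {(dst, proto, port) for src, dst, proto, port in ALLOW if src == zone}


def evaluate(flows):
    """Return (flow, src_zone, dst_zone, decision) for each flow."""
    return [(f, zone_of(f.src), zone_of(f.dst), is_allowed(f)) for f in flows]


# Constructed sample flows, including the lateral-movement attempts a
# compromised user workstation (10.10.4.7) would make.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", "tcp", 443),   # internet -> DMZ web: allow
    Flow("10.10.4.7", "10.10.9.2", "tcp", 445),      # user -> user SMB: deny
    Flow("10.10.4.7", "10.20.1.5", "tcp", 445),      # user -> file server: allow
    Flow("10.10.4.7", "10.20.1.5", "tcp", 22),       # user -> server SSH: deny
    Flow("10.10.4.7", "10.30.0.5", "tcp", 22),       # user -> mgmt: deny
    Flow("192.0.2.10", "10.20.1.5", "tcp", 5432),    # DMZ app -> DB: allow
    Flow("192.0.2.10", "10.20.1.5", "tcp", 22),      # DMZ -> server SSH: deny
    Flow("192.0.2.10", "10.10.4.7", "tcp", 445),     # DMZ -> user: deny
    Flow("10.20.1.5", "10.20.2.8", "tcp", 3306),     # server -> server: allow
]

if __name__ == "__main__":
    for flow, sz, dz, ok in evaluate(SAMPLE_FLOWS):
        print(f"{sz:>8} -> {dz:<8} {flow.proto}/{flow.dport:<5} "
              f"{'ALLOW' if ok else 'DENY'}")
    for zone in ("internet", "users", "dmz"):
        print(f"reachable from {zone}: {sorted(reachable_from(zone))}")
```

The interesting output is not the allowed rows but the denied ones: the compromised workstation gets two ports into the server zone and nothing else, and a compromised DMZ host gets one. On a flat internal network, or a "DMZ sandwiched between firewalls" design with a single trusted inside, every one of those denied flows would succeed, which is the gap the paragraphs above describe.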

