The Value of Segregated Networks
Don’t assume your internal network is safe.
Segregated networks are a complicated affair, but there’s a good analogy to help explain the idea; it’s like building a plant conservatory. Plants are separated according to a set of criteria, and have walkways between each type of plant that allow limited traffic through, in a sheltered and controlled setting. The alternative is just a big open field with plants strewn about everywhere and visitors wandering around however they like. This is fine for the mundane stuff, but not for dangerous, rare/endangered plants, or otherwise valuable plants. You want to make sure there are appropriate protections in place for those.
Like at a conservatory, network segregation requires you to separate computers and devices into different networks according to a variety of criteria, typically their role or location, and to limit the traffic that can pass between them. The concept is simple, but why is it a valuable practice?
I’ve written about segregated networks before, but the short and simple value proposition is that they improve security inside your network, helping to limit the damage and losses caused by an internal breach. Most SMB owners assume their firewalls are keeping all the bad internet stuff out of their networks, and while that’s mostly true, a perimeter firewall does nothing about what goes on inside your network, like a computer talking to a printer or an IoT device. Normally speaking, your firewall will never even see that traffic.
So you haven’t segregated anything, and every device can talk to every other device. Now, let’s hook up a new device like a printer or network attached storage (NAS). It works fine, but somewhere along the line it gets forgotten about and goes years without receiving an update. It’s still working, so no problem, right?
Well, first off, regular readers of this newsletter should know that anything that hasn’t received an update in years is always a problem, but I actually want to shift gears a bit at this point and talk about phishing. Unfortunately, many organizations are still entirely ignorant of phishing as a concept and do nothing to protect against it… right up until someone gets phished. It’s a seemingly standard attitude, despite the fact that the news has been reporting breaches and incidents on a regular basis for many, many years now. The fallout from falling for a phishing attempt can vary: sometimes attackers are looking for login credentials, other times they’re setting up remote access to the user’s machine, firing off an Office macro, etc. There are a lot of options for an attacker to use in a phish, though they will likely focus on whatever method is most likely to succeed, given their target.
Let’s use the example of a user getting phished for remote access to their machine. A successful phisher can now connect to anything the compromised machine can, which, in an unsegregated network, is everything. That means they can even gain a persistent presence in your network by compromising something that doesn’t have built-in protections, like a printer or an IoT light switch, and of course older devices are a source of potential vulnerabilities and exploits. With a segregated network, at least, the damage the attacker can do is limited to a specific sector of your network, making it much more difficult for you to be the victim of a catastrophic failure.
To be clear, no one is blaming you for forgetting about devices that operate normally, because it really is easy to forget about them. However, empathy wanes when proper measures haven’t been taken. If the extent of your network segregation is just having different subnets for different physical office locations, then a catastrophic failure may be caused by a bad actor, but it’s the bad planning and configuration that are to blame.
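To make the “blast radius” argument concrete, here is a small model of the scenario above: one phished laptop, a couple of forgotten unpatched devices, and three ways of carving up the same inventory (no segregation, one subnet per office with free routing between offices, and zones by role with a short allow-list). It computes which devices the attacker can reach under each scheme, treating any reachable unpatched device as a stepping stone the way the post describes for printers and NAS boxes. This is an added example, not code from the original post; the device names, sites, roles, and policies are constructed for illustration.

```python
"""Toy model of how network segregation bounds what a phished workstation can
reach.  Added example, not code from the original post; the devices, sites,
roles and policies below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Device:
    name: str
    site: str       # physical office the device lives in
    role: str       # users / printers / servers / iot / finance
    patched: bool   # False marks the "forgotten" device that never got updates


@dataclass
class Segmentation:
    """A segmentation scheme: how devices are grouped into zones, plus an
    allow-list of (source zone, destination zone) pairs.  Traffic inside a
    zone never crosses the firewall, so it is always permitted."""
    name: str
    zone_of: Callable[[Device], str]
    allowed: frozenset[tuple[str, str]]

    def permits(self, src: Device, dst: Device) -> bool:
        a, b = self.zone_of(src), self.zone_of(dst)
        return a == b or (a, b) in self.allowed


def reachable(devices: Iterable[Device], seg: Segmentation, start: Device) -> set[str]:
    """Names of every device an attacker controlling `start` can connect to.
    Assumption: the attacker can take over any reachable *unpatched* device and
    continue from that device's zone (the printer/NAS pivot from the post)."""
    devices = list(devices)
    seen = {start.name}
    frontier = [start]
    while frontier:
        cur = frontier.pop()
        for d in devices:
            if d.name in seen or not seg.permits(cur, d):
                continue
            seen.add(d.name)
            if not d.patched:
                frontier.append(d)
    return seen


# Constructed inventory: two offices, one phished laptop, three forgotten devices.
DEVICES = [
    Device("laptop-alice", "hq", "users", True),        # the phished workstation
    Device("laptop-bob", "branch", "users", True),
    Device("printer-hq", "hq", "printers", False),      # years without firmware updates
    Device("nas-hq", "hq", "servers", False),           # old NAS sitting among the servers
    Device("fileserver-hq", "hq", "servers", True),
    Device("lightswitch-branch", "branch", "iot", False),
    Device("payroll-db", "hq", "finance", True),
]

# Scheme 1: no segregation at all, one big LAN.
FLAT = Segmentation("flat", lambda d: "lan", frozenset())

# Scheme 2: one subnet per office, routed freely between offices.
BY_SITE = Segmentation("by-site", lambda d: d.site,
                       frozenset({("hq", "branch"), ("branch", "hq")}))

# Scheme 3: zones by role with a minimal allow-list.
BY_ROLE = Segmentation("by-role", lambda d: d.role, frozenset({
    ("users", "printers"),    # people print
    ("users", "servers"),     # people use file shares
    ("servers", "finance"),   # only the server zone talks to finance systems
}))


def blast_radius(seg: Segmentation, start_name: str = "laptop-alice") -> list[str]:
    """Sorted names of everything reachable from the named starting device."""
    start = next(d for d in DEVICES if d.name == start_name)
    return sorted(reachable(DEVICES, seg, start))


def compare(schemes: Iterable[Segmentation] = (FLAT, BY_SITE, BY_ROLE)) -> dict[str, int]:
    """Scheme name -> number of devices the phished laptop can reach."""
    return {s.name: len(blast_radius(s)) for s in schemes}


if __name__ == "__main__":
    for seg in (FLAT, BY_SITE, BY_ROLE):
        hit = blast_radius(seg)
        print(f"{seg.name:8s} {len(hit)}/{len(DEVICES)} reachable: {', '.join(hit)}")
```

Running it shows the flat network and the per-office subnets both expose all seven devices to the phished laptop, because free routing between offices is no different from one big LAN. The role-based scheme keeps the attacker away from the IoT switch, but the payroll database still falls within reach: the forgotten NAS sits in the server zone, and once the attacker pivots through it, the server-to-finance rule carries them onward. Giving that NAS a zone of its own with no outbound allow entry removes the payroll database from the reachable set, which is exactly the kind of planning question a segregation exercise is meant to surface.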
The play Measure for Measure is the source for this week’s quote: “The miserable have no other medicine but only hope.”
If you’d like to discuss a solution more valuable than hope, contact a TRINUS cyber security specialist and we’ll be happy to help you better understand segregated networks and plan out the proper process to limit disruptions and downtime.
Be kind, courtesy your friendly neighbourhood cyber-man.