Best-practice-for-network-segmentation

What is this?

This project was created to publish the best practices for segmentation of the corporate network of any company. In general, the schemes in this project are suitable for any company.

Where can I find diagrams?

Graphic diagrams are available in the Release page
The schema sources are located in the repository

Schematic symbols

Elements used in network diagrams:

Crossing the border of the rectangle means crossing the firewall.

Level 1 of network segmentation: basic segmentation

Advantages

Basic segmentation to protect against basic targeted attacks that make it difficult for an attacker to advance on the network. Basic isolation of the productive environment from the corporate one.

Disadvantages

The default corporate network should be considered potentially compromised. Potentially compromised workstations of ordinary workers, as well as workstations of administrators, have basic and administrative access to the production network.

In this regard, the compromise of any workstation can theoretically lead to the exploitation of the following attack vector. An attacker compromises a workstation in the corporate network. Further, the attacker either elevates privileges in the corporate network or immediately attacks the production network with the rights that the attacker had previously obtained.

Attack vector protection:

Installation the maximum number of information protection tools, real time monitoring suspicious events and immediate response.
OR!
Segmentation according to level 2 requirements

Level 2 of network segmentation: adoption of basic security practices

Advantages

More network segments in the corporate network.
Full duplication of the main supporting infrastructure for production network such as:

1. mail relays;
2. time servers;
3. other services, if available.
   

Safer software development. Recommended implementing DevSecOps at least Level 1 of the DSOMM, what requires the introduction of a separate storage of secrets for passwords, tokens, cryptographic keys, logins, etc., additional servers for SAST, DAST, fuzzing, SCA and another DevSecOps tools. In case of problems in the supporting infrastructure in the corporate segment, this will not affect the production environment. It is a little harder for an attacker to compromise a production environment.
Or you can implement at least Level 2 of the SLSA.

Disadvantages

As a result, this leads to the following problems:

1. increasing the cost of ownership and the cost of final services to customers;
2. high complexity of maintenance.

If u like it?

Please subscribe - this is free support for the project

Level 3 of network segmentation: high adoption of security practices

The company's management (CEO) understands the role of cybersecurity in the life of the company. Information security risk becomes one of the company's operational risks. Depending on the size of the company, the minimum size of an information security unit is 15-20 employees.

Advantages

Implementing security services such us:

1. security operation center (SIEM, IRP, SOAR, SGRC);
2. data leak prevention;
3. phishing protection;
4. sandbox;
5. intrusion prevention system;
6. vulnerability scanner;
7. endpoint protection;
8. web application firewall;
9. backup server.

Disadvantages

High costs of information security tools and information security specialists

Level 4 of network segmentation: advanced deployment of security practices at scale

Each production and corporate services has its own networks: Tier I, Tier II, Tier III.

The production environment is accessed from isolated computers. Each isolated computer does not have:

1. incoming accesses from anywhere except from remote corporate laptops via VPN;
2. outgoing access to the corporate network:
   • no access to the mail service - the threat of spear phishing is not possible;
   • there is no access to internal sites and services - it is impossible to download a trojan from a compromised corporate networks.

🔥 Only one way to compromise an isolated computer is to compromise the production environment. As a result, a successful compromise of a computer, even by phishing, will prevent a hacker from gaining access to a production environment.

Implement other possible security services, such as:

1. privileged access management;
2. internal phishing training server;
3. compliance server (configuration assessment).

Advantages

Implementing security services such us:

1. privileged access management;
2. internal phishing training server;
3. compliance server (configuration assessment);
4. strong protection of your production environment from spear phishing.

🔥 Now the attacker will not be able to attack the production network, because now a potentially compromised workstation in the corporate network basically does not have network access to the production. Related problems:

1. separate workstations for access to the production network - yes, now you will have 2 computers on your desktop.
2. other LDAP catalog or Domain controller for production network;
3. firewall analyzer, network equipment analyzer;
4. netflow analyzer.

Disadvantages

Now you will have 2 computers on your desktop if you need access to production network. It hurts 😀

Support the project

Please subscribe - this is free support for the project

Have an idea for improvement?

• Submit your pull reguest;
• Create issue;
• Start discussion.