  • Stars: 3,234
  • Rank 13,874 (Top 0.3 %)
  • License: Apache License 2.0
  • Created about 3 years ago
  • Updated 10 months ago


Repository Details

Best practices for segmentation of the corporate network of any company


Best-practice-for-network-segmentation

What is this?

This project was created to publish best practices for segmenting the corporate network of any company. In general, the schemes in this project are suitable for any company.

Where can I find diagrams?

Graphic diagrams are available on the Releases page.
The diagram sources are located in the repository.

Schematic symbols

Elements used in the network diagrams are defined in the schematic symbols diagram. Crossing the border of a rectangle means crossing the firewall.

Level 1 of network segmentation: basic segmentation

[Diagram: Level 1]

Advantages

Basic segmentation that makes it harder for an attacker to move laterally across the network and protects against basic targeted attacks. Basic isolation of the production environment from the corporate one.

Disadvantages

The corporate network should be considered potentially compromised by default. Potentially compromised workstations of ordinary employees, as well as workstations of administrators, have basic and administrative access to the production network.

Compromising any workstation can therefore lead to the following attack vector. An attacker compromises a workstation in the corporate network. The attacker then either elevates privileges in the corporate network or immediately attacks the production network with the rights already obtained on the compromised workstation.

Attack vector protection

Install the maximum number of information protection tools, monitor suspicious events in real time and respond immediately.
OR!
Segment the network according to the Level 2 requirements.
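The "real time monitoring" option above only works if the monitoring actually looks for the Level 1 attack vector: an ordinary corporate workstation opening administrative sessions into production. The following is an added example (not code from this project) of that detection logic run over a few constructed firewall log lines. The log format, the subnets (corporate workstations in 10.10.0.0/16, production in 10.200.0.0/16), the admin port list and the known admin host are all assumptions; a real firewall logs differently and the parser must be adapted.

```python
"""Detect the Level 1 attack vector in firewall logs:
accepted admin-port flows from corporate workstations into production.
Added example with assumed log format and address plan."""
import ipaddress
import re
from collections import defaultdict

# Assumed address plan (not from the page).
CORP_WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
PRODUCTION = ipaddress.ip_network("10.200.0.0/16")

# Administrative services that a plain workstation should never use
# against production; these are the lateral-movement paths.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls", 445: "smb"}

# Hosts expected to administer production (assumed jump host).
# At Level 1 even this host still lives on the corporate network.
KNOWN_ADMIN_HOSTS = {"10.10.5.10"}

# Assumed log line shape: "<ts> fw: src=.. dst=.. proto=.. dport=.. action=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw: src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_corp_to_prod_admin(lines):
    """Return {src_ip: [(ts, dst_ip, service), ...]} for accepted flows from a
    corporate workstation to a production host on an admin port, excluding
    known admin hosts. Dropped flows are ignored: the firewall already blocked them."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "accept":
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in CORP_WORKSTATIONS or dst not in PRODUCTION:
            continue
        if rec["dport"] not in ADMIN_PORTS or rec["src"] in KNOWN_ADMIN_HOSTS:
            continue
        hits[rec["src"]].append((rec["ts"], rec["dst"], ADMIN_PORTS[rec["dport"]]))
    return dict(hits)


# Constructed sample log: one legitimate admin session, one ordinary
# workstation (10.10.33.7) touching RDP and SMB in production, one dropped
# SSH attempt, and one production-internal flow.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z fw: src=10.10.5.10 dst=10.200.1.20 proto=tcp dport=22 action=accept
2024-05-01T09:00:05Z fw: src=10.10.33.7 dst=10.200.1.20 proto=tcp dport=443 action=accept
2024-05-01T09:01:12Z fw: src=10.10.33.7 dst=10.200.1.21 proto=tcp dport=3389 action=accept
2024-05-01T09:01:15Z fw: src=10.10.33.7 dst=10.200.1.22 proto=tcp dport=445 action=accept
2024-05-01T09:02:00Z fw: src=10.10.33.7 dst=10.200.1.23 proto=tcp dport=22 action=drop
2024-05-01T09:03:00Z fw: src=10.200.2.5 dst=10.200.1.20 proto=tcp dport=22 action=accept
""".splitlines()

if __name__ == "__main__":
    for src, flows in find_corp_to_prod_admin(SAMPLE_LOG).items():
        print(f"ALERT: workstation {src} reached production admin ports:")
        for ts, dst, svc in flows:
            print(f"  {ts} -> {dst} ({svc})")
```

The point of the allowlist is that at Level 1 some corporate hosts legitimately administer production, so the rule must be "workstation that is not a known admin host", which is exactly the weakness Level 4 removes by moving those admin sessions to isolated computers.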

Level 2 of network segmentation: adoption of basic security practices

[Diagram: Level 2]

Advantages

More network segments in the corporate network.
Full duplication of the main supporting infrastructure for the production network, such as:

  1. mail relays;
  2. time servers;
  3. other services, if available.

Safer software development: implement DevSecOps at least at Level 1 of the DSOMM, which requires a separate store for secrets (passwords, tokens, cryptographic keys, logins, etc.) and additional servers for SAST, DAST, fuzzing, SCA and other DevSecOps tools. Alternatively, implement at least Level 2 of SLSA.
Because production no longer depends on the corporate supporting infrastructure, problems in that infrastructure in the corporate segment do not affect the production environment, and it becomes a little harder for an attacker to compromise production.

Disadvantages

As a result, this leads to the following problems:

  1. increasing the cost of ownership and the cost of final services to customers;
  2. high complexity of maintenance.

Level 3 of network segmentation: high adoption of security practices

The company's management (CEO) understands the role of cybersecurity in the life of the company. Information security risk becomes one of the company's operational risks. Depending on the size of the company, the minimum size of the information security unit is 15-20 employees.

[Diagram: Level 3]

Advantages

Implementing security services such as:

  1. security operation center (SIEM, IRP, SOAR, SGRC);
  2. data leak prevention;
  3. phishing protection;
  4. sandbox;
  5. intrusion prevention system;
  6. vulnerability scanner;
  7. endpoint protection;
  8. web application firewall;
  9. backup server.

Disadvantages

High cost of information security tools and information security specialists.

Level 4 of network segmentation: advanced deployment of security practices at scale

Each production and corporate service has its own networks: Tier I, Tier II, Tier III.

The production environment is accessed from isolated computers. Each isolated computer has:

  1. no incoming access from anywhere except from remote corporate laptops via VPN;
  2. no outgoing access to the corporate network:
    • no access to the mail service, so spear phishing of the isolated computer is not possible;
    • no access to internal sites and services, so a trojan cannot be downloaded from a compromised corporate network.

🔥The only way to compromise an isolated computer is to compromise the production environment itself. As a result, a successful compromise of a corporate workstation, even by phishing, does not give the attacker access to the production environment.

Implement other possible security services, such as:

  1. privileged access management;
  2. internal phishing training server;
  3. compliance server (configuration assessment).

[Diagram: Level 4]

Advantages

Implementing security services such as:

  1. privileged access management;
  2. internal phishing training server;
  3. compliance server (configuration assessment);
  4. strong protection of your production environment from spear phishing.

🔥Now the attacker cannot attack the production network, because a potentially compromised workstation in the corporate network no longer has any network access to production. Related problems:

  1. separate workstations for access to the production network - yes, now you will have 2 computers on your desk;
  2. a separate LDAP directory or domain controller for the production network;
  3. a firewall analyzer and network equipment analyzer;
  4. a NetFlow analyzer.
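The claims in the Level 1, Level 2 and Level 4 sections are all statements about what an attacker who owns a host in one segment can reach through the firewall. The following is an added example (not code from this project) that encodes one allow-list per level as firewall rules between zones and computes the transitive reach of a compromised host, so the "corporate workstation can reach production" weakness at Levels 1 and 2, the duplicated mail relay and time server at Level 2, and the isolated computer at Level 4 can each be checked mechanically. The zone names and the rules are assumptions chosen to mirror the text; a real policy has many more zones and services.

```python
"""Zone reachability check for segmentation Levels 1, 2 and 4.
Added example; zones and allow-lists are assumptions mirroring the page."""
from collections import deque

# Each rule (src_zone, dst_zone, service) is a firewall allow; crossing a
# rule means crossing the firewall, as in the page's diagrams.
POLICY = {
    1: [
        ("corp_ws", "prod_servers", "admin"),   # the Level 1 weakness
        ("corp_ws", "corp_mail", "smtp"),
        ("corp_ws", "internet", "web"),
        ("prod_servers", "corp_mail", "smtp"),  # production shares corp infra
        ("prod_servers", "corp_ntp", "ntp"),
    ],
    2: [
        ("corp_ws", "prod_servers", "admin"),   # still present at Level 2
        ("corp_ws", "corp_mail", "smtp"),
        ("corp_ws", "internet", "web"),
        ("prod_servers", "prod_mail", "smtp"),  # duplicated supporting infra
        ("prod_servers", "prod_ntp", "ntp"),
    ],
    4: [
        ("corp_ws", "corp_mail", "smtp"),
        ("corp_ws", "internet", "web"),
        ("remote_laptop_vpn", "isolated_pc", "rdp"),  # only inbound path
        ("isolated_pc", "prod_servers", "admin"),     # only path into prod
        ("prod_servers", "prod_mail", "smtp"),
        ("prod_servers", "prod_ntp", "ntp"),
    ],
}


def reachable(level, start):
    """Zones an attacker who owns a host in `start` can reach, treating every
    reached zone as a new pivot (breadth-first transitive closure over rules)."""
    edges = POLICY[level]
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _service in edges:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def prod_exposed_to_corp_ws(level):
    """True if a compromised corporate workstation can reach production."""
    return "prod_servers" in reachable(level, "corp_ws")


def shared_supporting_infra(level):
    """Corporate-side services production still depends on at this level."""
    return {dst for src, dst, _ in POLICY[level]
            if src == "prod_servers" and dst.startswith("corp_")}


if __name__ == "__main__":
    for level in (1, 2, 4):
        print(f"Level {level}: corp_ws reaches {sorted(reachable(level, 'corp_ws'))}; "
              f"prod exposed={prod_exposed_to_corp_ws(level)}; "
              f"shared corp infra={sorted(shared_supporting_infra(level))}")
    print("Level 4: isolated_pc reaches", sorted(reachable(4, "isolated_pc")))
```

Running it shows that Levels 1 and 2 both expose production to a compromised corporate workstation (Level 2 only removes the shared mail relay and time server), while at Level 4 the corporate workstation reaches only corporate mail and the internet, and the isolated computer reaches production but no corporate service, which is the property behind the "only one way to compromise an isolated computer" claim. The same closure over a real rule base is a cheap regression check whenever a firewall rule is added.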


Disadvantages

Now you will have 2 computers on your desk if you need access to the production network. It hurts 😀

Support the project

If you like it, please subscribe: this is free support for the project.

Have an idea for improvement?
