Best-practice-for-network-segmentation
What is this?
This project was created to publish the best practices for segmentation of the corporate network of any company. In general, the schemes in this project are suitable for any company.
Where can I find diagrams?
Graphic diagrams are available on the Releases page
The schema sources are located in the repository
Schematic symbols
Elements used in network diagrams:
Crossing the border of the rectangle means crossing the firewall.
Advantages
Basic segmentation that protects against basic targeted attacks by making it more difficult for an attacker to advance through the network. Basic isolation of the production environment from the corporate one.
Disadvantages
The default corporate network should be considered potentially compromised. Potentially compromised workstations of ordinary workers, as well as workstations of administrators, have basic and administrative access to the production network.
As a result, the compromise of any workstation can theoretically lead to the following attack vector. An attacker compromises a workstation in the corporate network. The attacker then either elevates privileges in the corporate network or immediately attacks the production network with the rights already obtained on that workstation.
Attack vector protection
Install the maximum number of information protection tools, monitor suspicious events in real time and respond immediately.
OR!
Segmentation according to level 2 requirements
Advantages
More network segments in the corporate network.
Full duplication of the main supporting infrastructure for the production network, such as:
- mail relays;
- time servers;
- other services, if available.
Safer software development. It is recommended to implement DevSecOps at least at Level 1 of the DSOMM, which requires a separate secrets store for passwords, tokens, cryptographic keys, logins, etc., and additional servers for SAST, DAST, fuzzing, SCA and other DevSecOps tools.
Problems in the supporting infrastructure of the corporate segment will not affect the production environment.
It is a little harder for an attacker to compromise a production environment.
Or you can implement at least Level 2 of the SLSA.
Disadvantages
As a result, this leads to the following problems:
- increasing the cost of ownership and the cost of final services to customers;
- high complexity of maintenance.
The company's management (CEO) understands the role of cybersecurity in the life of the company. Information security risk becomes one of the company's operational risks. Depending on the size of the company, the minimum size of an information security unit is 15-20 employees.
Advantages
Implementing security services such as:
- security operation center (SIEM, IRP, SOAR, SGRC);
- data leak prevention;
- phishing protection;
- sandbox;
- intrusion prevention system;
- vulnerability scanner;
- endpoint protection;
- web application firewall;
- backup server.
Disadvantages
High costs of information security tools and information security specialists.
Level 4 of network segmentation: advanced deployment of security practices at scale
Each production and corporate service has its own networks: Tier I, Tier II, Tier III.
The production environment is accessed from isolated computers. Each isolated computer does not have:
- incoming accesses from anywhere except from remote corporate laptops via VPN;
- outgoing access to the corporate network:
  - no access to the mail service - spear phishing of the isolated computer is not possible;
  - no access to internal sites and services - a trojan cannot be downloaded from the compromised corporate network.
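The Level 1 attack vector described above (a compromised corporate workstation reaching production) and the isolation rules for the Level 4 access computers can both be checked on a model of the firewall policy. The following is an added example, not code from this project; the segment names, the two policies and the allowed crossings are constructed to mirror the README's Level 1 and Level 4 descriptions (each tuple is one permitted crossing of a rectangle border in the diagrams).

```python
"""Reachability check over a modelled segmentation policy (constructed example)."""
from collections import defaultdict, deque

# Constructed model: each tuple is an allowed crossing
# (source segment, destination segment, service). Anything not listed is
# dropped by the firewall between the two segments.
LEVEL1_POLICY = {
    ("corp-workstation", "corp-services", "mail"),
    ("corp-workstation", "corp-services", "intranet"),
    ("corp-workstation", "production", "app"),       # ordinary workers reach production
    ("admin-workstation", "corp-services", "mail"),
    ("admin-workstation", "production", "admin"),    # admins manage production from the corporate network
    ("corp-services", "production", "mail-relay"),   # production relies on the corporate mail relay
}

# Level 4 model: production has its own supporting services, and it is managed
# only from isolated computers that have no path back into the corporate network.
LEVEL4_POLICY = {
    ("corp-workstation", "corp-services", "mail"),
    ("corp-workstation", "corp-services", "intranet"),
    ("admin-workstation", "corp-services", "mail"),
    ("remote-laptop", "isolated-workstation", "vpn"),
    ("isolated-workstation", "production", "admin"),
    ("production", "prod-services", "mail-relay"),
    ("production", "prod-services", "ntp"),
}

CORPORATE_SEGMENTS = {"corp-workstation", "admin-workstation", "corp-services"}


def reachable(policy, start):
    """Segments an attacker who controls `start` can reach by chaining allowed crossings."""
    edges = defaultdict(set)
    for src, dst, _service in policy:
        edges[src].add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def attack_paths(policy, start, target):
    """All simple paths from a compromised segment to the target, as lists of crossings."""
    edges = defaultdict(list)
    for src, dst, service in policy:
        edges[src].append((dst, service))
    paths = []

    def walk(node, path, visited):
        if node == target:
            paths.append(path)
            return
        for nxt, service in edges[node]:
            if nxt not in visited:
                walk(nxt, path + [f"{node} -> {nxt} ({service})"], visited | {nxt})

    walk(start, [], {start})
    return paths


def isolated_host_violations(policy, host, allowed_inbound=("remote-laptop",)):
    """Level 4 rule for an isolated computer: inbound only from the VPN laptops,
    no outbound crossing into any corporate segment. Returns the offending rules."""
    violations = []
    for src, dst, service in policy:
        if dst == host and src not in allowed_inbound:
            violations.append(f"inbound {service} from {src}")
        if src == host and dst in CORPORATE_SEGMENTS:
            violations.append(f"outbound {service} to {dst}")
    return violations


if __name__ == "__main__":
    for name, policy in (("level 1", LEVEL1_POLICY), ("level 4", LEVEL4_POLICY)):
        print(name, "reachable from a compromised corporate workstation:",
              sorted(reachable(policy, "corp-workstation")))
        for path in attack_paths(policy, "corp-workstation", "production"):
            print("   ", " | ".join(path))
    print("isolated host violations:",
          isolated_host_violations(LEVEL4_POLICY, "isolated-workstation"))
```

Running the script lists every path from a compromised ordinary workstation into production under the Level 1 model (direct application access and the route through the shared mail relay) and none under the Level 4 model; the violation check is what you would run against a proposed rule change before it reaches the firewall.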
Implement other possible security services, such as:
- privileged access management;
- internal phishing training server;
- compliance server (configuration assessment).
Advantages
Implementing security services such as:
- privileged access management;
- internal phishing training server;
- compliance server (configuration assessment);
- strong protection of your production environment from spear phishing;
- separate workstations for access to the production network - yes, now you will have 2 computers on your desktop;
- a separate LDAP catalog or domain controller for the production network;
- firewall analyzer, network equipment analyzer;
- netflow analyzer.
Disadvantages
Now you will have 2 computers on your desktop if you need access to the production network. It hurts.
Support the project
Please subscribe - this is free support for the project
Have an idea for improvement?
- Submit your pull request;
- Create issue;
- Start discussion.