Network segmentation is simply dividing a network into smaller, often isolated subnetworks. By doing this, companies can increase performance, have better visibility, increase cybersecurity postures and compliance, and better protect their networks.
Segmenting a network may sound like an overly complicated and highly technical project to embark on. However, in reality, with good practices and a step-by-step plan you can take on network segmentation without any problem. This guide will show you how.
Table of Contents
6 steps to successful network segmentation
There are two types of network segmentation approaches: physical segmentation, using physical devices such as routers and switches; and logical segmentation, which uses software. This guide will cover both, serving as a blueprint to guide you through the journey of network segmentation no matter which approach you choose to take.
1. Know your assets and data
The first thing you need to do is identify your assets and your data. This involves building an inventory and figuring out which assets and data are the most valuable. Ask yourself what is business-critical, but be thorough and include all your data and assets in your inventory.
This step is critical to determine how your network will be segmented. During this stage you can use data inventory software, risk assessment technologies, or vulnerability scanners.
2. Classify your data and asset inventory
Once you have a full visualization of your data and assets, you need to classify them according to sensitivity and importance. This will help you to determine how much protection they need and how they should be segmented.
Common ways to classify assets and data include:
- Confidential: This data should be protected from unauthorized access.
- Private: This data should be protected from unauthorized disclosure.
- Public: This data is not sensitive and does not require a lot of protection.
Confidential and private data and assets are considered high-sensitivity data, while public data is usually considered low-risk.
Note that emails, company policies, and other related documents are mid-level data, while online public information such as social network data, websites, or postings are low-risk data.
You should consider any data or asset that, if affected, would disrupt or affect business operations, as highly sensitive. This includes everything from financial and customer data to supply chain information.
3. Build a network map with data flows
With the information from steps one and two, it is now time to create a network map. This map must include all the devices, users, and connections of your network and their relationships. It must also have a clear diagram of how data flows.
With this map, you will begin to have a clear idea of how you can subdivide your network avoiding pitfalls and mitigating any vulnerability.
If you want to automate this process you can use different solutions to create network maps. Top vendors include SolarWinds Network Topology Mapper, NetBrain, ManageEngine OpManager or the free open-source Spiceworks Network Mapping. These solutions offer features that allow you to map out data flows.
There are three main types of data traffic:
- Northbound traffic: forward-looking traffic leaving your systems.
- East-west traffic: inner system data traffic.
- Southbound traffic: inner-looking traffic entering your digital surface.
Northbound traffic includes all the data and assets going through your network flowing out of your system. This includes user-generated traffic or management administrative traffic. A user browsing the internet or your workers sending out emails are common examples of Northbound traffic.
East-west traffic is everything flowing within your infrastructure. This includes data and assets moving from data centers, servers, devices, and applications. This traffic can be broken down into inter-server — data in transit or transferring — and storage traffic.
East-west traffic can occupy a significant amount of bandwidth, be used for mid-risk and highly sensitive data, and congest a network. This is why segmenting east-west traffic is commonly a good practice.
Southbound traffic is network traffic that flows from a data center to the outside world. It is typically used to describe traffic that originates from within the data center — such as from servers, storage devices, and applications — and is sent to the internet or other networks.
Southbound traffic can also be grouped into two main categories: application traffic (generated by applications, such as web traffic, email, and file sharing) and management traffic (used to manage the data center, such as traffic from monitoring systems and security devices).
Southbound traffic can be a major source of security risks and is also usually segmented to strengthen security postures.
4. Design your segmentation plan
Your network map, low-mid-high labels, and traffic flows have already given you a definite view into which subnetworks you need to create. Now in this stage, you will decide which methods, techniques, physical concepts, or software you are going to use to segment your network.
Here is where you decide whether to use physical or logical segmentation, or both. Evaluate which is best for each subnetwork and design your segmentation plan.
Physical segmentation includes physical devices such as routers, switches, and air gaps.
Logical segmentation uses software to divide the network. While this is a more complex type of segmentation, recent solutions are making it easier for any company to use them.
Top vendors for logical network segmentation include Palo Alto Networks Prisma Cloud, Cisco ACI , VMware NSX, Juniper Networks Contrail, and Fortinet. Together they offer a wide range of software-driven networking and logical network segmentation solutions which include:
- Policy-based segmentation.
- Role-based access control (RBAC).
- Device and user profiling.
- User access security technologies.
Consider your IT expertise, budget, security risks, and how important your data and assets are to best determine which technique and technology you will use to segment your network.
5. Run your segmentation plan
At this stage you should have everything you need to implement the plan you have designed. Make all the necessary changes to your infrastructure, configure your security and devices, and update your policies and procedures.
Make sure your IT team is fit for business and that communication channels are open to discuss progress, goals met, and possible problems that may arise to implement upgrades, adjust and optimize your network segmentation.
You can run small tests, for example, segmenting first one department or area of business and then moving on and scaling. Think big but take small wins. Test, gather feedback, and retest everything again.
6. Monitor, maintain, and optimize
Network segmentation is not a once-and-done deal. You have to constantly monitor the network, profile users and devices, gather data traffic flow information, check for bugs and vulnerabilities, and make upgrades to optimize the infrastructure.
At this stage, while humans in the loop are essential, you can also leverage the latest in network monitoring technologies which will help you automate most of the processes, especially those such as network information gathering and analytics, alerts and flags, and security and compliance policies and issues.
Can you physically segment a network?
Yes, it is possible to physically segment a network. As mentioned above, networks can be segmented through physical means or through the use of software or a combination of both.
The steps to successfully physically segment a network are exactly the same as described above, except for a variation of step four, where software options would not be considered for use.
From extreme concepts like air gap — where devices, servers, or computers are completely disconnected from any other device or the internet — to the more standard use of physical switches, routers, or other network devices, there are many physical options to create subnetworks within a large network.
Physical network segmentation can protect critical systems, such as the corporate network, from unauthorized access, prevent the spread of malware or other malicious traffic, help meet compliance, and improve network performance by reducing congestion.
However, physical network segmentation may be more expensive than logical segmentation as hardware costs need to be considered. Additionally, logical segmentation software provides visualization tools and can integrate with other solutions and software also receives constant updates and support. Consider the importance of these factors for your company before deciding.
Bottom line: Network segmentation the right way
No matter what type of network segmentation approach you choose to use, always follow the steps listed above to make sure you have a robust, ordered, and clear network segmentation strategy.
Make sure security and privacy are included from the very beginning of your plan. Once deployed, continually monitor and optimize your subnetworks and keep an eye on new technologies that could help you increase performance and reduce costs.
For help establishing a securely segmented network, here’s our guide to the best network segmentation software available today.