When it comes to network security, most people think of the obvious. Typically that includes firewalls, intrusion detection and prevention systems, and identity and access management. While these components and practices are helpful, they should be considered baseline security. Beyond these, there are a lot of things most people do not think about that can dramatically increase the level of security on a network.
Implementing microsegmentation is one way to take network security to the next level. Microsegmentation keeps systems separated from each other and filters the traffic between them so that each one stays secure and isolated from the others. This lets you police and shape what happens in the network, keeping a breach or attack in one system from affecting other systems.
Admission control is one of the benefits of microsegmentation. When someone has physical access to the network, it is easy for that person to plug in and take a system down. By using 802.1X authentication to control which devices are admitted to the network, keyed to the media access control (MAC) address (the hardware address of the Ethernet card), you can prevent unauthorized users from plugging into the system.
Segmenting users is another strategy for adding a layer of security to networks. With network switching, you can create something called a virtual LAN, or VLAN, which is basically a virtual switch inside of the network switch. By creating VLANs, you can isolate users that don't need to talk to each other.
For example, VLANs allow you to create a network specifically for the HR team, another for the accounting team, and another for system administrators, all on the same system. In order to go outside of their dedicated VLAN, users need to go through a router. Once a router is involved, you can utilize access control lists and other security filtering. VLANs allow you to microsegment your systems with the goal of making sure that one system can't attach to another system.
To implement even more control, private VLANs can be set up. While VLANs keep networks separate, each VLAN may have a number of servers on it. If there are 15 servers plugged into a VLAN, all of those servers can talk to each other. If one gets a worm or a virus, the other servers on the VLAN can be infected. Establishing a private VLAN keeps those servers from communicating, thus keeping the attack from spreading.
Moving up the TCP/IP stack to the IP level provides further opportunities for increasing network security. For example, an access control list (ACL) works just like a firewall rule: it looks at the source address, destination address, protocol, and port number, so you can create filters that limit the traffic that can move between subnets. Applying that ACL on the router keeps users sitting on different subnets from having unlimited access to the network.
Rate limiting is another security tool that can be implemented at this level. Imagine, for example, a system on a 100GB network that gets infected with a worm. That worm could literally spew 100GB of traffic into the network, wreaking havoc and causing the system to crash. Rate limiting keeps traffic from exceeding a predefined amount. In the worm example, the excess traffic would violate the network’s threshold and be dropped, avoiding a crisis and a costly crash.
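To make the router ACL described above concrete, here is an added example (not from the original article) that evaluates a small inter-VLAN ACL the way a router does: first matching entry wins, and anything that matches no entry hits the implicit deny. The VLAN subnets and server addresses are constructed for illustration only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class AclEntry:
    """One router ACL line: action, protocol, source/destination networks, optional destination port."""
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp", or "ip" (matches any protocol)
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dport: Optional[int] = None  # destination port; None matches any port

def entry_matches(entry: AclEntry, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
    """True when the flow (proto, src_ip -> dst_ip:dport) falls within this ACL entry."""
    if entry.proto != "ip" and entry.proto != proto:
        return False
    if ip_address(src_ip) not in ip_network(entry.src):
        return False
    if ip_address(dst_ip) not in ip_network(entry.dst):
        return False
    return entry.dport is None or entry.dport == dport

def first_match(acl, proto, src_ip, dst_ip, dport=None) -> Optional[int]:
    """Index of the first entry that matches the flow, or None when nothing matches."""
    for i, entry in enumerate(acl):
        if entry_matches(entry, proto, src_ip, dst_ip, dport):
            return i
    return None

def evaluate(acl, proto, src_ip, dst_ip, dport=None) -> str:
    """Router semantics: first matching entry wins; a flow matching nothing hits the implicit deny."""
    i = first_match(acl, proto, src_ip, dst_ip, dport)
    return acl[i].action if i is not None else "deny"

# Constructed inter-VLAN ACL (addresses are assumed): HR 10.10.10.0/24, accounting
# 10.10.20.0/24, sysadmins 10.10.30.0/24, HR app server 10.10.100.5, DNS 10.10.100.53.
INTER_VLAN_ACL = [
    AclEntry("permit", "tcp", "10.10.10.0/24", "10.10.100.5/32", 443),  # HR -> HR app over HTTPS only
    AclEntry("permit", "ip",  "10.10.30.0/24", "10.10.0.0/16"),         # sysadmins reach every VLAN
    AclEntry("deny",   "ip",  "10.10.10.0/24", "10.10.20.0/24"),        # HR must never reach accounting
    AclEntry("permit", "udp", "10.10.0.0/16",  "10.10.100.53/32", 53),  # everyone may query DNS
]

if __name__ == "__main__":
    for flow in [("tcp", "10.10.10.7", "10.10.100.5", 443), ("tcp", "10.10.10.7", "10.10.20.9", 445)]:
        print(flow, "->", evaluate(INTER_VLAN_ACL, *flow))
```

Note that accounting-to-HR traffic is denied even though no entry names it, which is why auditing an ACL means checking the implicit deny at the end as carefully as the explicit lines.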
Finally, quality of service (QoS), or traffic prioritization, can be used to bolster security on a network. If a system gets hacked or has a worm or virus, the attack could in theory overwhelm the network with traffic and disable critical network functions. This can be prevented on the networking side by enabling QoS, sometimes referred to as a queuing mechanism, to prioritize one type of traffic over another. For example, it can ensure that network availability is prioritized for voice traffic and certain critical application traffic while deprioritizing everything else. In essence, QoS defeats the worm by making sure critical traffic continues to get through.
When it comes to network attacks, companies must be asking, “When will it happen?” rather than “Will it happen?” Statistics for 2021 show that a company falls victim to a cyberattack every 39 seconds. Repelling attacks and limiting their damage demands more than baseline security. Applying safeguards that most companies do not think about might be the step that keeps your company safe.