PACE-IT: The Importance of Network Segmentation

The importance of network segmentation.


Brian K. Ferrill, M.B.A.
Instructor, PACE-IT Program – Edmonds Community College

Areas of expertise / Industry Certifications
• PC Hardware
• Network Administration
• IT Project Management
• Network Design
• User Training
• IT Troubleshooting

Education
• M.B.A., IT Management, Western Governors University
• B.S., IT Security, Western Governors University

Qualifications Summary
Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions.
Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

The importance of network segmentation.

– The OSI model and segmentation.

– Reasons for segmentation.

The OSI model and segmentation.

– Segmentation.
  » Taking a single network or system and breaking it into smaller discrete units.
  » This can be achieved physically or logically.
  » There are many reasons to segment a network.
    • To ease administrative tasks.
    • To achieve performance gains.
    • To increase security.
    • To comply with regulations.

– Segmenting the network at different OSI model levels.
  » Networks can be segmented at various levels of the OSI (Open Systems Interconnection) model.
    • Physical layer (Layer 1): taking a single network and making it into more than one through the use of new cable runs and equipment (the most extreme example of segmentation).
    • Data link (Layer 2) and network (Layer 3): taking a single network and making it into more than one by logically dividing the network (least amount of physical resources required).

Reasons for segmentation.

– Compliance.
  » Some rules and regulations require that certain data be kept separate and secure (e.g., Payment Card Industry Data Security Standard).
    • Segmentation allows for the regulated data to flow across its own network, keeping it more secure.

– Network performance optimization.
  » As networks increase in size, the amount of data that flows through them increases. This can slow down the performance of the network.
    • Segmentation breaks the larger network into smaller units, which can lead to an increase in performance on those new segments.

– Creating high performance networks.
  » Some applications require more bandwidth in order to perform at a desired higher level.
    • VoIP, video teleconferencing (VTC), and media nets (streaming services) all perform better on their own segments.


– Separate private from public networks.
  » Organizations often allow the public to access the Internet from their locations (e.g., free Wi-Fi at Starbucks).
    • Segmentation allows this traffic to be kept separate from the private corporate traffic.

– Legacy systems.
  » Some organizations use systems that are considered critical, but are not capable of residing on the modern network.
    • Segmentation allows the legacy system to reside on its own subnet.

– Testing labs.
  » The labs can be used to test new applications, operating systems, update patches, etc. If these tests occur on the main network, it is possible that the testing could inject a problem into the main system.
    • Segmentation allows for testing to occur in a secure, easily controllable environment.


– Security.
  » One of the main reasons to perform network segmentation.
    • Segmentation allows network and systems administrators to more easily control the flow of data between systems.
    • Segmentation allows network and systems administrators to more easily control access to network resources.

– Honeynets.
  » Network segments that are created with the sole purpose of attracting any network attacks through the use of multiple honeypots.
    • Honeypots are systems that are configured to be attractive to network attackers, helping to draw them away from main systems.
  » The network segment of honeypots allows the main network to remain secure, and gives network administrators an opportunity to study an attack (including methods of entry) so that countermeasures can be developed to prevent future breaches.


– SCADA (Supervisory Control and Data Acquisition) systems.
  » The most widespread type of ICS (industrial control system).
    • The use of coded signals over communications channels to provide control of remote equipment.
    • Commonly used in industrial applications to monitor and control systems.
  » Utilities often use SCADA systems to control their operations, through the use of a DCS (distributed control system) network.
    • The DCS allows for the control of multiple SCADA systems from a single location.
  » The Stuxnet virus attacks SCADA systems and can spread through the DCS, leading to more damage from the virus.
    • Segmentation of the DCS can limit the amount of damage caused by such a virus attack on industrial processes.
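
The slides' security point, that segmentation lets administrators control the flow of data between systems, can be checked against recorded traffic. The Python below is an added example, not part of the original slides; the subnets, the allow list, and the flow records are all constructed for illustration, with one segment per use case named above.

```python
import ipaddress

# Constructed addressing plan: one subnet per segment named on the slides.
SEGMENTS = {
    "corporate":  ipaddress.ip_network("10.10.0.0/16"),
    "guest_wifi": ipaddress.ip_network("10.20.0.0/16"),
    "cardholder": ipaddress.ip_network("10.30.0.0/24"),   # PCI DSS data
    "legacy":     ipaddress.ip_network("10.40.0.0/24"),
    "test_lab":   ipaddress.ip_network("10.50.0.0/24"),
    "dcs_scada":  ipaddress.ip_network("10.60.0.0/24"),
}

# Default deny: only these (source segment, destination segment, TCP port)
# tuples may cross a segment boundary. Constructed policy for illustration.
ALLOWED = {
    ("corporate", "cardholder", 443),
    ("corporate", "legacy", 22),
    ("corporate", "dcs_scada", 443),
}

def segment_of(addr):
    """Return the segment name for an address, or None if it is unassigned."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def audit(flows):
    """Return (flow, reason) for every flow that breaks the segmentation policy."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            findings.append(((src, dst, port), "address outside any defined segment"))
        elif s != d and (s, d, port) not in ALLOWED:
            findings.append(((src, dst, port), f"{s} -> {d} port {port} not allowed"))
    return findings

# Constructed flow records (source, destination, destination port).
FLOWS = [
    ("10.10.4.7", "10.30.0.12", 443),   # corporate -> cardholder, allowed
    ("10.20.9.3", "10.10.4.7", 445),    # guest Wi-Fi -> corporate
    ("10.50.0.8", "10.60.0.2", 502),    # test lab -> DCS/SCADA
    ("10.60.0.2", "10.60.0.3", 502),    # inside the DCS segment
    ("192.168.1.5", "10.40.0.9", 23),   # unassigned source
]
```

Calling `audit(FLOWS)` reports the guest Wi-Fi, test lab, and unassigned-source flows; traffic inside a single segment is not judged because it never crosses a segment boundary.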

What was covered.

Topic: The OSI model and segmentation.
Summary: Segmentation is taking a single system or network and breaking it into smaller discrete units. Network segmentation can occur at various levels of the OSI model. At Layer 1, the segmentation is physical (completely separate cable runs and network hardware). At layers 2 and 3, the segmentation is logical (the segmentation occurs through programmable configurations).

Topic: Reasons for segmentation.
Summary: There are many reasons for segmenting networks and systems, including compliance, network performance optimization, creating high performance networks, security, creating honeynets, and securing and isolating SCADA systems.


This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.