Network Segmentation - caitlinmallen/TechWiki GitHub Wiki

Network Segmentation

Flat Network

  • Easy to maintain
    • All hosts and services talk to one another
    • Workstation to workstation, server to server, SSH into any box
  • Difficult to monitor and secure
    • Attackers can easily navigate the network
    • Attackers are not visible unless they are moving around
    • Rate of infection and compromise is high

Isolate Management from LAN/Production

  • How can we separate traffic and services so that management traffic always originates from an isolated and protected space?
    • SSH, Syslog, and RDP
  • Key point: traffic that violates this policy becomes very visible and stands out as an exception, rather than as noise on a non-segmented network

Methods

  • Physically separate management network
    • Option 1: Dual-homing managed hosts
    • Option 2: Route management traffic from MGMT -> PROD through a firewall
  • VLANs
  • Proprietary
    • Windows Server and network isolation (IPsec based)
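
An added example, not part of the wiki page, showing the "violations become exceptions" idea from the isolation section and Option 2 above: a policy check over flow records that allows SSH/RDP only when initiated from the management network and syslog only when delivered to a collector inside it (the syslog direction and all addresses are assumptions of this example), and reports everything else on those ports as a violation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for this example (not from the wiki page).
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")   # isolated management network

# Management protocols and which endpoint must sit inside MGMT_NET.
# SSH and RDP must be initiated from MGMT; syslog must land on a
# collector inside MGMT (an assumption of this example).
MGMT_PROTOCOLS = {
    22:   ("ssh",    "src"),
    3389: ("rdp",    "src"),
    514:  ("syslog", "dst"),
}

@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port

def violation(flow: Flow):
    """Return a reason string if the flow breaks the policy, else None."""
    spec = MGMT_PROTOCOLS.get(flow.dport)
    if spec is None:
        return None                 # not a management protocol; ignored here
    name, side = spec
    endpoint = ipaddress.ip_address(flow.src if side == "src" else flow.dst)
    if endpoint in MGMT_NET:
        return None                 # originates from / lands in the protected space
    return f"{name} {flow.src} -> {flow.dst}: {side} endpoint not in MGMT"

def audit(flows):
    """Apply the policy to a list of flows; the violations are the exceptions to alert on."""
    return [msg for msg in map(violation, flows) if msg]

# Constructed sample flows, as they might be parsed from firewall or NetFlow logs.
SAMPLE_FLOWS = [
    Flow("10.99.0.5",  "10.10.3.7",  22),    # jump host -> prod server: allowed
    Flow("10.10.3.7",  "10.99.0.20", 514),   # prod server -> MGMT syslog collector: allowed
    Flow("10.20.4.12", "10.10.3.7",  22),    # workstation -> prod SSH: violation
    Flow("10.10.3.7",  "10.10.3.8",  3389),  # server-to-server RDP: violation
    Flow("10.20.4.12", "10.10.3.7",  443),   # ordinary HTTPS: out of scope
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print("VIOLATION:", line)
```

On a flat network every one of these flows is normal background traffic; with the policy in place only the two violations need a human to look at them.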