Virtual segmentation uses the same design principles as physical segmentation but requires no additional hardware. Virtual separation is the logical isolation of networks on the same physical network. Virtual Separation of Sensitive InformationĪs technologies change, new strategies are developed to improve information technology efficiencies and network security controls.
Separate sensitive information and security requirements into network segments.Implement principles of least privilege and need-to-know when designing network segments.
Organizations can use these boundaries to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access. Organizations can place routers between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. Traditional network devices, such as routers, can separate Local Area Network (LAN) segments. Physical Separation of Sensitive Information A securely segregated network can contain malicious occurrences, reducing the impact from intruders in the event that they have gained a foothold somewhere inside the network. Segregation separates network segments based on role and functionality. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. Security architects must consider the overall infrastructure layout, including segmentation and segregation. Segment and Segregate Networks and Functions Validate integrity of hardware and software.Perform out-of-band (OoB) network management.Secure access to infrastructure devices.Limit unnecessary lateral communications.Segment and segregate networks and functions.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and network administrators to implement the following recommendations to better secure their network infrastructure: How can you improve the security of network infrastructure devices? Owners and operators often overlook network devices when they investigate, look for intruders, and restore general-purpose hosts after cyber intrusions.Internet service providers may not replace equipment on a customer’s property once the equipment is no longer supported by the manufacturer or vendor.Owners and operators of network devices often do not change vendor default settings, harden them for operations, or perform regular patching.Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.Few network devices-especially small office/home office and residential-class routers-run antivirus, integrity-maintenance, and other security tools that help protect general-purpose hosts.The following factors can also contribute to the vulnerability of network devices: Once installed, many network devices are not maintained at the same security level as general-purpose desktops and servers. Network infrastructure devices are often easy targets for attackers. What security threats are associated with network infrastructure devices?
Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network. Organizations and individuals that use legacy, unencrypted protocols to manage hosts and services make successful credential harvesting easy for malicious cyber actors. An attacker with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.An attacker with presence on an organization’s gateway router can monitor, modify, and deny traffic to and from the organization.These devices are ideal targets for malicious cyber actors because most or all organizational and customer traffic must pass through them. These devices include routers, firewalls, switches, servers, load-balancers, intrusion detection systems, domain name systems, and storage area networks. Network infrastructure devices are the components of a network that transport communications needed for data, applications, services, and multi-media.
0 kommentar(er)
