CISA – Improve network security using segmentation JAN-2022

Hosting a highly restrictive multi-tier firewall, with DMZ and network-segmentation controls that divide the network into parts, is a "must" for every corporation. It ensures that only part of the network is lost when security is compromised, rather than everything, which is what happens with a non-segmented approach.

CISA Publishes Infographic on Layering Network Security Through Segmentation | CISA

Layering Network Security Through Segmentation Infographic (cisa.gov)

An effective technique to strengthen security, network segmentation is a physical or virtual architectural approach dividing a network into multiple segments, each acting as its own subnetwork providing additional security and control. Creating boundaries between the operational technology (OT) and information technology (IT) networks reduces many risks associated with the IT network, such as threats caused by phishing attacks.

Segmentation limits access to devices, data, and applications and restricts communications between networks. Segmentation also separates and protects OT network layers to ensure industrial and other critical processes function as intended. Properly implemented Demilitarized Zones (DMZs) and firewalls can prevent a malicious actor’s attempts to access high-value assets by shielding the network from unauthorized access. Firewalls can be configured to block traffic from network addresses, applications, or ports while allowing necessary data through. Policies and controls should also be used to monitor and regulate system access and the movement of traffic between zones.
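The zone policy described above, modelled as a default-deny allow-list between IT, DMZ and OT zones, with an audit pass that flags flows crossing a boundary the policy does not permit. This is an added example, not code from CISA or the infographic; the zone subnets, the historian service and its ports, and the sample flows are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone layout (one subnet per zone for simplicity).
ZONES = {
    "IT":  ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT":  ip_network("10.30.0.0/24"),
}

# Explicit allow-list of (src_zone, dst_zone, proto, dst_port); any inter-zone
# flow not listed is dropped. IT may reach only the DMZ historian over HTTPS,
# and only the DMZ may reach OT, on the historian's replication port (assumed).
POLICY = {
    ("IT",  "DMZ", "tcp", 443),
    ("DMZ", "OT",  "tcp", 5432),
}

def zone_of(addr: str) -> Optional[str]:
    """Return the zone containing addr, or None for an unknown address."""
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), None)

def is_allowed(src: str, dst: str, proto: str, dst_port: int) -> bool:
    """Default-deny check of one flow against the zone policy. Traffic that
    stays inside one zone crosses no boundary and is left to host controls;
    flows with an unknown source or destination zone are dropped."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, proto.lower(), dst_port) in POLICY

def audit(flows):
    """Return the (src, dst, proto, dst_port) flows that violate the policy."""
    return [f for f in flows if not is_allowed(*f)]

# Constructed sample flows, as a collector or firewall log might export them.
SAMPLE_FLOWS = [
    ("10.10.5.7",  "10.20.0.10", "tcp", 443),   # IT -> DMZ historian: allowed
    ("10.10.5.7",  "10.30.0.10", "tcp", 5432),  # IT -> OT directly: violation
    ("10.20.0.10", "10.30.0.10", "tcp", 5432),  # DMZ -> OT replication: allowed
    ("10.30.0.10", "10.10.5.7",  "tcp", 443),   # OT initiating to IT: violation
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("policy violation:", flow)
```

Running the audit over real flow exports gives a quick check that the firewall rule set actually enforces the zone boundaries the design intends, and surfaces any OT-initiated or IT-to-OT traffic that bypasses the DMZ.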

The following graphics illustrate the level of effort needed, with yellow representing low effort and red representing high effort, for attackers to breach and navigate an unsegmented network versus a highly segmented network. These depictions are not to be construed as representing an engineering diagram for use in a production environment nor is segmentation the only tool to secure a network.