Most people think of network security with firewalls, intrusion detection and prevention systems. These components and practices are useful, but they should be considered basic security. Microsegmentation allows you to control and shape what happens in the network, preventing a breach or attack that occurs in one system from affecting other systems. Quality of Service (QoS) or traffic prioritization can be used to enhance security on a network. It can ensure that network availability is prioritized for voice traffic and some critical application traffic.
When it comes to network security, most people think of the obvious. This typically includes firewalls, intrusion detection and prevention systems, and identity and access management. While these components and practices are useful, they should be considered basic security. Beyond that, there are many things that most people don’t think about that can dramatically increase the level of security on a network.
Increase network security with microsegmentation
Implementing microsegmentation is a way to take network security to the next level. Microsegmentation is basically keeping systems separate from each other and filtering traffic between them to make sure they are secure and isolated from each other. This allows you to control and shape what happens in the network, preventing a breach or attack that occurs in one system from affecting other systems.
Admission control is one of the benefits of microsegmentation. When a person has physical access to the network, it is easy for that person to log into the system and turn it off. By using 802.1X authentication to control access to the system’s Media Access Control (MAC) address, which is the hardware address of the Ethernet card, you can prevent unauthorized users from logging into the system.
User segmentation is another strategy for adding a layer of security to networks. With network switching, you can create something called a virtual LAN, or VLAN, which is basically a virtual switch inside the network switch. By creating VLANs, you can isolate users who do not need to talk to each other.
For example, VLANs allow you to create one network specifically for the HR team, another for the accounting team, and another for the system administrators, all on the same system. To leave their dedicated VLAN, users must go through a router. Once a router is involved, you can use ACLs and other security filtering. VLANs allow you to micro-segment your systems to ensure that one system cannot connect to another system.
To implement even more control, private VLANs can be configured. While VLANs keep networks separate, each VLAN can have a number of servers. If there are 15 servers connected to a VLAN, all these servers can communicate with each other. If a worm or virus is caught, other servers in the VLAN may be infected. Establishing a private VLAN prevents these servers from communicating, thus preventing the attack from spreading.
Increased network security at the IP level
Moving the TCP IP stack to the IP tier provides further opportunities to increase network security. For example, by creating an ACL like a firewall rule, which will look at the source address, destination address, protocol, and port number, you can create filters that restrict traffic that can move between subnets. Adding this control list to the router prevents users who are on different subnets from having unrestricted access to the network.
Rate limiting is another security tool that can be implemented at this level. Imagine, for example, that you have a system with a 100 GB network that is infected with a worm. This worm could literally spew 100 GB of network traffic onto the network, which could wreak havoc and cause the system to crash. Rate limiting prevents traffic from exceeding a predefined amount. In the worm example, the increased traffic would violate network standards and be dropped, thus avoiding a crisis and costly crash.
Finally, Quality of Service (QoS) or traffic prioritization can be used to enhance security on a network. If a system is hacked or contains a worm or virus, the attack could theoretically overwhelm the network with traffic and disable critical network functions. This can be avoided on the network side by enabling QoS, sometimes called a queuing mechanism, to prioritize one type of traffic over another. For example, it can ensure that network availability is prioritized for voice traffic and certain critical application traffic while deprioritizing everything else. Essentially, QoS defeats the worm by ensuring that critical traffic continues to pass.
When it comes to network attacks, organizations need to ask themselves, “When will this happen?” rather than “Is this going to happen?” Statistics for 2021 show that a company is the victim of a cyberattack every 39 seconds. Repelling attacks and limiting their damage requires more than basic security. Applying protective measures that most companies don’t think of could be the step that will keep your business safe.
. . . comments & After!