Why is Network Segregation Important?
Don’t let the bad guys weaponize your own network against you.
One of the common results of the security audits I perform is the recommendation to segregate the client’s networks. Yet network segregation is often viewed as just a way to organize devices, and it usually gets put into the pile of other IT “nice-to-haves” that will likely never materialize. If your network wasn’t segregated when it was originally set up, it’s going to be a hard project to sell: it causes disruption if it’s done during working hours, and it costs extra in overtime or after-hours pay when done outside them. Nevertheless, it’s a valuable part of a strong cybersecurity posture.
To be fair, many organizations do have at least a minimal degree of network segregation, often based on office locations (i.e., Main office, Satellite office 1, Satellite office 2, and so on). While this can be useful for organizational layout and offers some level of security, it rather misses the point.
So what is the point? Well, simply put, anything on your network can be used as a weapon. And I do mean anything.
When phones become weapons
Even if a device isn’t accessible from the internet it can still be used as a weapon. Just as an example, consider this case when a phone was used by a hacker as part of a ransomware infection plot. In this situation, the phones suffered from a Remote Code Execution vulnerability (RCE). Basically there was a way to force the phones to download and run malicious code.
How is such a thing even possible? Well, if someone using a PC goes somewhere shady, and that PC can connect to a phone or other mobile device, then it’s possible to send a few packets of malicious code to the device and make it do anything. To make matters worse, the PC was never infected with a malware payload that security software could detect; it was just delivering instructions to the phone, which likely doesn’t carry much in the way of antivirus software, as far too few mobile devices are properly protected.
Network segregation keeps everything in its lane
Hopefully the best reason for properly segregating your network is now obvious: if you don’t erect some kind of barriers within your network, even something as simple as a light switch (albeit a smart, connected one) could be weaponized by something as simple as surfing the internet and accidentally hitting a compromised website. There’s also not really a good reason for it being possible. There’s no reason a PC should be able to talk to a phone on a whim, and so no reason for building that capacity into your network. Yes, it needs to happen now and then, and there should be a way to enable communication between them when needed, but just because devices like VOIP phones, printers, and IoT equipment need access to your network doesn’t mean they should get free run of it, especially since such devices almost never come with security software.
Segregating your network helps prevent these situations by making sure devices in your network only talk to the ones they need to, when they need to. Think of it like a walled garden, though in this case the plants are devices and the garden plots are their places on the network. By evaluating the purpose of each device and putting each in its appropriate plot, then setting up paths for regular communication but preventing anything else, you help keep pathogens in one plot from infecting other plots.
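The walled-garden model above, sketched as an added example that is not from the original post: a default-deny policy between zones, checked against flow records in Python. The subnets, the two allowed paths and the flows are all constructed for illustration.

```python
import ipaddress

# Constructed addressing plan: one subnet ("plot") per device purpose.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.10.0/24"),
    "voip": ipaddress.ip_network("10.10.20.0/24"),
    "printers": ipaddress.ip_network("10.10.30.0/24"),
    "iot": ipaddress.ip_network("10.10.40.0/24"),
    "servers": ipaddress.ip_network("10.10.50.0/24"),
}

# The only inter-zone paths that exist: (src zone, dst zone, protocol, dst port).
ALLOWED = {
    ("workstations", "printers", "tcp", 631),  # IPP printing
    ("voip", "servers", "udp", 5060),          # SIP to the phone system
}

def zone_of(ip):
    """Return the name of the zone containing ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), None)

def verdict(src, dst, proto, port):
    """Classify one flow under a default-deny inter-zone policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny: device not assigned to a zone"
    if src_zone == dst_zone:
        return "intra-zone: not filtered at the zone boundary"
    if (src_zone, dst_zone, proto, port) in ALLOWED:
        return "allow"
    return f"deny: {src_zone} -> {dst_zone} has no rule for {proto}/{port}"

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.10.10.15", "10.10.30.5", "tcp", 631),
    ("10.10.20.7", "10.10.50.2", "udp", 5060),
    ("10.10.10.15", "10.10.20.7", "tcp", 80),   # PC reaching a phone
    ("10.10.40.9", "10.10.10.15", "tcp", 445),  # smart device reaching a PC
    ("10.10.10.15", "10.10.10.16", "tcp", 445),
    ("192.168.1.50", "10.10.20.7", "tcp", 80),
]

def audit(flows):
    """Return (flow, verdict) pairs for every flow the policy would block."""
    return [(f, v) for f in flows if (v := verdict(*f)).startswith("deny")]

for flow, why in audit(FLOWS):
    print(flow, why)
```

The intra-zone verdict marks the limit of this model: traffic between two devices in the same plot never crosses the boundary where the rules are enforced, so what shares a zone matters as much as the rules between zones.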
Oh, and if the security angle isn’t a good enough reason, how about a business case? There’s no reason for a network-connected lightbulb to chew up bandwidth that may be needed for business-critical things, like VOIP phone calls. Network segregation improves security and helps make sure things run smoothly.
‘King Lear’ contains a meaningful quote for this newsletter: “Oh, that way madness lies; let me shun that.”
If you’d like help protecting your devices through network segregation, contact a TRINUS cybersecurity specialist and keep your network, and IT, stress-free.
Courtesy your friendly neighbourhood cyber-man.