Why you should segment your network into separate firewall VLANs
The proliferation of smartphone apps and cloud-based services has driven the demand for network-connected devices.
Often referred to as the Internet of Things (IoT), virtually every device available today with a battery or power plug includes a wireless or wired network connection. In many cases it is simply a matter of connecting the device to the network, and it is up and running with minimal technical skill required.
The ability to interact and manage those devices is without doubt extremely useful in many circumstances.
Increased cyber security risk
This is also great news for cyber criminals, who take advantage of vulnerabilities or security flaws in the devices we connect to our networks. These devices are designed to be functional and low cost, with minimal consideration for security. A typical business environment might have PCs, servers, IP CCTV cameras, IP telephones, building management systems, wireless devices and many other IP-connected devices on the corporate network.
Every one of these devices adds to the attack surface available to cyber criminals looking to exploit vulnerabilities or security flaws. For example, an IP telephone or IP CCTV system with unpatched security vulnerabilities could give malware the ideal foothold from which to launch ransomware or another cyber security attack against the rest of the network.
How to minimise risk when adding devices to your network
Rule number one: always adopt a “Zero Trust” mindset when it comes to connecting any device to your network. Novi recommend that you create separate virtual local area networks (VLANs) so that each class of system is kept separate from the others. For example, IP telephony devices should connect to a different VLAN from the server and data network.
What is Internal Network Segmentation Firewalling (ISFW)?
A design process known as Internal Segmentation Firewalling (ISFW) ensures that a firewall sits between each VLAN and inspects and controls traffic travelling between each network.
For example, traffic from a laptop on the wireless network (Wireless VLAN) connecting to the server or data network would first need to pass through the firewall for inspection before it is allowed through.
Similarly, traffic from an IP CCTV system attempting to connect to the server or data network would be identified and blocked if deemed inappropriate.
Containing the risk
This process aims to isolate or contain identified threats so they do not spread from one VLAN to another. If ransomware originates on a compromised device on the IP telephone network, for example, the firewall can prevent it from spreading to the wider server or data network.
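The inter-VLAN policy described above (wireless laptops reaching the servers, CCTV and phone traffic to the server VLAN blocked, and a compromised phone unable to reach the data network) modelled as a small policy evaluator. This is an added example, not Novi's or any vendor's configuration; the VLAN names, subnets and permitted ports are constructed assumptions, and the evaluator shows the default-deny behaviour an internal segmentation firewall should enforce. Note the caveat it also makes explicit: traffic between two hosts in the same VLAN is switched locally and never reaches the firewall.

```python
"""Model of an internal segmentation firewall policy between VLANs.

Added illustration (not Novi's or any vendor's code). VLAN names, subnets
and the allowed ports below are constructed assumptions for the example.
"""
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Constructed VLAN plan: one subnet per class of system (assumption).
VLANS = {
    "SERVER":   ipaddress.ip_network("10.0.10.0/24"),
    "WIRELESS": ipaddress.ip_network("10.0.20.0/24"),
    "PHONE":    ipaddress.ip_network("10.0.30.0/24"),
    "CCTV":     ipaddress.ip_network("10.0.40.0/24"),
}

class Rule(NamedTuple):
    src: str           # source VLAN name
    dst: str           # destination VLAN name
    proto: str         # "tcp" or "udp"
    dports: frozenset  # destination ports this rule permits

# Explicit allows only; any inter-VLAN flow not listed here is dropped.
ALLOW = [
    Rule("WIRELESS", "SERVER", "tcp", frozenset({443, 445})),  # laptops to web/file services
    Rule("PHONE", "SERVER", "udp", frozenset({5060})),         # SIP signalling to the PBX only
    # Deliberately no rule from CCTV to SERVER: cameras are reached, they never initiate.
]

def vlan_of(ip: str) -> Optional[str]:
    """Map an address to the VLAN whose subnet contains it, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow presented to the segmentation firewall."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return "DROP", "address outside any defined VLAN"
    if src == dst:
        # Same-VLAN traffic is switched locally and never reaches the firewall:
        # segmentation does not inspect lateral movement inside a single VLAN.
        return "NOT_INSPECTED", f"intra-VLAN traffic within {src}"
    for rule in ALLOW:
        if (rule.src, rule.dst, rule.proto) == (src, dst, proto.lower()) and dport in rule.dports:
            return "ACCEPT", f"{src}->{dst} {proto}/{dport} explicitly allowed"
    # Default deny; log it so a camera or phone probing SMB on the servers is visible.
    return "DROP", f"{src}->{dst} {proto}/{dport} not in policy (logged)"

if __name__ == "__main__":
    for flow in [("10.0.20.15", "10.0.10.5", "tcp", 445),   # laptop to file server
                 ("10.0.40.7", "10.0.10.5", "tcp", 445),    # camera to file server
                 ("10.0.30.9", "10.0.10.5", "tcp", 445)]:   # phone to file server
        print(flow, evaluate(*flow))
```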