Once upon a time, there was an iceberg...

It is 2.22 am on 15 April 1912, somewhere in the North Atlantic. The largest ship ever built breaks in two and the last remnants disappear beneath the surface of the water. Just before midnight, the hull of the Titanic had struck an iceberg. Five of its 16 watertight compartments filled with water – one too many. The Titanic, the ship believed to be unsinkable, was in reality a disaster waiting to happen.

The sinking of the Titanic led to stricter safety measures in both ship design and the response to maritime disasters. For, as is so often the case, it takes a disaster to make people see the light. In business environments, it is often no different: after a fire, fire doors are installed; after a prolonged power cut, emergency power systems are put in place; and after a cyberattack, modern security measures are implemented. However, you do not need to wait for something to happen to your IT environment before taking action: after all, there is much to be learnt from the story of the Titanic.

Firewalls in your network

The principle of watertight compartments and fire doors can also be applied to limit the impact of cyberattacks. You can equip your network with its own ‘firewalls’ by dividing it into zones: this is known as network segmentation. If a cyberattack occurs in one of the zones within a segmented network, the attack remains confined to that single zone. This limits the impact of a cyberattack and keeps the other segments secure.

Traditionally, network segmentation took place at the level of the network equipment and was primarily a way of maintaining an overview and making the management of your network more efficient. But today, network segmentation is an important part of an IT security strategy. There are now security products and services that not only scan incoming and outgoing traffic but also monitor internal traffic, by monitoring each segment separately.

Why segment?

Recently, an IT manager at a large hospital expressed concern about the security risk posed by external suppliers. His X-ray machines are often serviced by an external technician who temporarily connects their own equipment to the hospital’s internal network. As this equipment is not under the hospital’s control, malware can find its way in through this channel. The client opted to segment his X-ray machines. A firewall was installed in every examination room instead of a traditional switch. This blocks any potential spread of malware within that room before it can infect the rest of the network.

That is just one example of a good reason to segment a network. But there are other parts of your network that you would be well advised to protect properly. Production processes, for example, are often targeted by cybercriminals because that is precisely where an organisation is most vulnerable. An extra layer of security specifically for production is therefore certainly no luxury. Production machinery is also frequently maintained by external parties, whether on-site or remotely. And, as mentioned, this carries its own risks. Industrial firewalls were developed to address these issues. These are traditional firewalls fitted with a robust housing to withstand the harsh conditions within a production environment (heat or cold, dust, etc.). In addition, these firewalls are equipped with security applications that specifically protect against malware targeting industrial control systems such as SCADA.

Getting started with IT network segmentation

The question is not if, but when you will be attacked. It is therefore extremely important to minimise not only the likelihood of an attack, but also its impact. Effective network segmentation is crucial in this regard. But what is the best way to get started with network segmentation? The first step is always to ensure that segmentation is in place at the network level. Creating VLANs for production, the office, Wi-Fi, etc. is crucial. This basic principle alone prevents a great deal of trouble.

After that, you can consider segmenting at the firewall level. There are a number of ways to do this. One of them is to segment zones using physical devices, as we mentioned above. Another way is to have all internal traffic routed and segmented at a central location, such as the data centre, by a single powerful firewall cluster. Essentially, this can be done both virtually and physically. Here, we often opt for virtual gateways, as 10G connectivity is usually necessary to process the high volume of internal traffic efficiently.
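To make the two steps above concrete (a VLAN per segment, then an inter-zone firewall policy), here is an added example, written for this article and not code from the author or from any vendor product. It models a small hospital-style zone plan as address ranges and evaluates sample flows against an explicit allow list with default deny between zones. All addresses, zone names and the allowed flows (including the DICOM port 104 path from an X-ray room to a PACS server, and a port 22 path from office to production) are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed zone plan: one VLAN per segment, as the text recommends
# (production, office, Wi-Fi, ...). The address ranges are made-up example values.
ZONES = {
    "office":     ipaddress.ip_network("10.10.0.0/16"),
    "wifi":       ipaddress.ip_network("10.20.0.0/16"),
    "xray_room1": ipaddress.ip_network("10.30.1.0/24"),   # one segment per examination room
    "production": ipaddress.ip_network("10.40.0.0/16"),
    "datacentre": ipaddress.ip_network("10.50.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                # "tcp" or "udp"
    dst_port: Optional[int]   # None means any port


# Explicit allow list between zones. Anything not listed here is dropped:
# this default-deny posture is what keeps an infection confined to its zone.
# The entries are assumptions chosen for the example, not a recommended policy.
ALLOW_RULES = [
    Rule("xray_room1", "datacentre", "tcp", 104),  # imaging modality -> PACS (DICOM port)
    Rule("office", "datacentre", "tcp", 443),
    Rule("wifi", "datacentre", "tcp", 443),
    Rule("office", "production", "tcp", 22),       # assumed: engineering jump access only
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing this address, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Decide allow/deny for one flow the way an inter-zone firewall would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside any defined zone"
    if src == dst:
        # Same VLAN: traffic never crosses the firewall, so segmentation offers
        # no protection here. A firewall per examination room shrinks this zone.
        return "allow", f"intra-zone ({src}), not inspected"
    for rule in ALLOW_RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src, dst, proto) \
                and rule.dst_port in (None, dst_port):
            return "allow", f"rule {src}->{dst} {proto}/{rule.dst_port}"
    return "deny", f"default deny {src}->{dst}"


# Constructed sample flows, including a technician's laptop plugged into the
# X-ray room segment and reaching out towards other parts of the hospital.
SAMPLE_FLOWS = [
    ("10.30.1.20", "10.50.0.10", "tcp", 104),   # X-ray machine -> PACS
    ("10.30.1.99", "10.10.4.7",  "tcp", 445),   # technician laptop -> office file share
    ("10.30.1.99", "10.40.2.3",  "tcp", 502),   # technician laptop -> production controller
    ("10.10.4.7",  "10.50.0.10", "tcp", 443),   # office PC -> datacentre web app
    ("10.20.3.3",  "10.10.4.7",  "tcp", 3389),  # Wi-Fi client -> office PC
    ("192.0.2.5",  "10.50.0.10", "tcp", 443),   # address not in the plan
]


def run_sample_flows():
    """Return (flow, decision) pairs for the constructed sample flows."""
    return [(flow, evaluate(*flow)[0]) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, decision in run_sample_flows():
        print(decision.upper().ljust(5), flow, evaluate(*flow)[1])
```

Two things the output makes visible that the prose only states: only the first and fourth flows are allowed, because every other inter-zone path is absent from the allow list, and traffic between two hosts in the same zone is never evaluated at all. That second point is the argument for the per-room firewalls in the hospital example: the smaller the zone, the less an infected device can reach without crossing a policy boundary.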

The right cybersecurity strategy for your business

Our security experts would be happy to work with you to determine which strategy is best suited to your business. Based on your needs, they will draw up a segmentation plan tailored to your organisation to help you minimise the impact of cyberattacks.