Traditional network infrastructures were always planned with a focus on connectivity rather than on securing users and the underlying IT. When it comes to security, is such an approach still acceptable today, and what do a lack of visibility, insufficient control and poor transparency in the corporate network mean in practice? I’ll cover the answers to these questions and other technical aspects of a secure network design in this blog.
Networks that were planned at some point in the past are no longer completely up to date with IT standards, meaning that businesses are still using obsolete IP concepts and an outdated network logic. This is particularly the case at German SMEs, which often still take an Any Trust Network approach, concentrating predominantly on connectivity.
On the one hand, flat IP network concepts without recognisable security zones enable seamless communication between all users and application servers, because data packets can be transferred unfiltered from every location to every area of the network. On the other hand, they mean that traffic between network zones cannot be inspected by security gateways (e.g. a firewall or IPS), so potential malware, network trojans and other malicious software such as ransomware can spread throughout the entire network and cause significant damage.
It is worth highlighting the devastating effects wreaked by malicious software, which, in addition to the failure of an entire IT infrastructure, can also cause critical IT-supported processes and workflows to be paused for an indefinite period of time. When a business-critical system goes offline, the consequence can be that all activities come to a standstill for the entirety of disaster recovery.
To make matters worse, potential attackers and malicious code can become established on the network and remain undetected until they have collected all the information they need to carry out an attack, such as data theft, encryption or blackmail.
Without a certain level of network security management and monitoring, IT admins are working blind, meaning they can neither react quickly nor set up proactive operations. In order to detect network intrusions, you first need to know what your network normally looks like, but, as surprising as it may seem, businesses usually only consider this after an attack.
There’s so much data traffic and noise in the average data centre that it can be tough to differentiate between what’s normal and what’s not: permitted DNS lookups vs. advanced malware infections, large volumes of data streaming traffic vs. Denial of Service attacks, penetration testing vs. privilege abuse.
Organically grown, flat networks need to be rethought, modernised and restructured so that they can keep up with security requirements today and into the future. New network architectures with virtual layers build on and extend traditional approaches to network security.
The range of features extends from network firewalls with intelligent intrusion prevention and malware detection, software to protect servers and end devices, and intelligent web security gateways through to data leakage prevention and cloud-based security features.
Zero trust is a security concept based on the principle that no device, user or service should be trusted by default, regardless of whether it is inside the company network or not. It demands thorough measures for authenticating all users and services and for monitoring network traffic.
This security concept is built on segmenting the network into security zones. That doesn’t only mean micro-segmentation; it also includes measures for separating zones from one another at Layer 3.
What does network segmentation mean for IT security?
Generally speaking, the more a network is segmented, the more secure it is, but you should be careful not to go too far. The biggest challenge is creating as many zones as possible without putting network integrity at risk or exceeding the time available for the project.
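To make the difference between an Any Trust flat network and a Layer 3 zoned network concrete, here is an added example (not part of the original post or any Bechtle product) that models a gateway's zone policy: a default-deny rule set between zones, an explicitly allowed path clients → app → db, and micro-segmentation of the client segment. The subnets, zone names, ports and sample flows are constructed assumptions for the demo.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Constructed example: one former flat 10.0.0.0/8 network carved into three
# Layer 3 security zones. Subnets and zone names are assumptions for this demo.
ZONES = {
    "clients": ipaddress.ip_network("10.10.0.0/16"),
    "app":     ipaddress.ip_network("10.20.0.0/16"),
    "db":      ipaddress.ip_network("10.30.0.0/16"),
}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Explicit inter-zone allow rules (source zone, destination zone, proto, port).
# Anything not listed is denied by the gateway: default deny between zones.
ALLOW = {
    ("clients", "app", "tcp", 443),   # users reach the application tier
    ("app", "db", "tcp", 5432),       # only the app tier reaches the database
}
# Zones whose hosts may talk to each other freely. "clients" is deliberately
# absent to model micro-segmentation of the end-user segment.
INTRA_ZONE_OPEN = {"app", "db"}

def zone_of(addr: str) -> Optional[str]:
    """Map an IP address to its security zone, or None if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def decide(flow: Flow, flat: bool = False) -> Tuple[str, str]:
    """Return (verdict, reason). flat=True models the Any Trust network."""
    if flat:
        return "allow", "flat network: no gateway between segments"
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src is None or dst is None:
        return "deny", "address outside every defined zone"
    if src == dst:
        if src in INTRA_ZONE_OPEN:
            return "allow", f"intra-zone traffic permitted in {src}"
        return "deny", f"micro-segmentation: {src} hosts may not talk to each other"
    if (src, dst, flow.proto, flow.dport) in ALLOW:
        return "allow", f"explicit rule {src}->{dst} {flow.proto}/{flow.dport}"
    return "deny", f"default deny: no rule for {src}->{dst} {flow.proto}/{flow.dport}"
```

Every "deny" verdict is also a log line the gateway can emit, which is exactly the visibility the flat network lacks: a client talking straight to the database, or one client to another, is only observable once a zone boundary exists.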
If you would like some support in a segmentation project and want to find out more about the benefits of Zero Trust models, our network and security experts at the BISS Competence Centre (Bechtle Internet Security and Services) will be happy to set up a workshop. Request an appointment today and we'll set you on the path to a Zero Trust network.