Network segmentation strategies to protect highly sensitive data

Network breaches pose a growing threat to highly sensitive data. Find out how to fortify your defenses using effective network segmentation strategies.

Ulrich Kohn

In late March, an OpenSSH backdoor was discovered, luckily early enough to avoid major damage. If this hack had been successful, it could have had devastating consequences on a global scale. Alarmingly, the discovery was due to a combination of luck and the diligence of software developer Andres Freund. This incident highlights that absolute security in IT networks is unattainable, emphasizing the urgent need for robust security measures.

This article discusses the advantages of implementing network-based access restrictions through segmentation and offers simple methods for effective implementation. Introducing the “need to connect” principle as a supplementary measure to the well-established “need to know” principle ensures a consistent approach to safeguarding information. Below, we delve into the technical intricacies of this principle and its relevance in bolstering cybersecurity defenses.

Value and risk of network convergence 

When I began my career, separate networks for different applications were common. For private customers, parallel networks were operated for voice, television and the internet. Industrial companies and utilities used dedicated networks for their applications, most of which were implemented using proprietary protocols. In the good old days, users protected their information by using isolated networks. 

The triumph of IP has led to a convergence of networks with many applications now served by a common IP/Ethernet network. The internet offers inherent connectivity and therefore a very simple way of connecting users, devices, applications and services together. 

Convergence creates simpler networks and offers a high degree of agility and flexibility. New users can access services in the network without time-consuming provisioning. Services can be set up quickly for all users at a central location. The advantage of IP technology lies in its inherent, robust accessibility. 

When an IP device connects to an IP network, it can reach all other connected devices. This positive feature also has its downside, however: every device that is reachable for legitimate users is equally reachable for an attacker. Users must fortify their defenses against such threats with additional protective functions such as firewalls and IDS/IPS.

The “need-to-connect” principle: preventing unauthorized access to services at all layers

In the high-security sector, protecting data solely at higher network levels on the perimeter or within end devices is insufficient. An attacker should not be given the opportunity to move around the network in the first place. This is best achieved through physical separation, whereby the network is structured with dedicated, protected transmission paths, along with its own transmission facilities, servers and applications. 

This creates an “air gap” between the highly secure network and other facilities, ensuring that unauthorized access to resources can be physically prevented with high reliability. Only authorized users are granted access to the network, in line with the “need to connect” principle.

Unfortunately, this very pragmatic approach of physical separation is not always feasible for both economic and practical reasons. Nevertheless, even within shared networks, there are methods available to isolate traffic from different clients and user groups.

Network segmentation for separating the traffic of closed user groups

Data can be separated across transmission paths in various ways and at different layers. At the IP layer, traffic can be encrypted and tunneled through the internet. With IP/VPNs, the data in the MPLS core network is transmitted on different LSP paths.

On Layer 2, Ethernet connections can be “virtualized” through methods such as Ethernet virtual private line (EVPL) or virtual LANs (VLAN) to reliably separate user groups. Layer 2 encryption can be utilized to enhance security further. Additionally, implementation variants such as VXLAN emulate VLANs via UDP in IP networks.

There are also several options at the physical transmission layer. Different wavelengths, optical fibers, cables or even ducts can be used in fiber optic lines to securely isolate the traffic of different user groups from each other. Layer 1 encryption provides additional security.

Traffic can therefore be separated and isolated at each network layer. Segmentation at the upper network layers allows the underlying network layers to be shared and thus improves the efficiency of a network. However, this comes at a cost in information security, because the shared layers enlarge the attack surface; this is what motivates separation at the lower network layers.
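The segment identifiers described above (the 802.1Q VLAN ID at Layer 2 and the VXLAN VNI when VLANs are emulated over UDP/IP) are what a device enforcing “need to connect” at a port would actually inspect. The following Python is an added example, not code from the article or from Adva Network Security: it extracts both identifiers from raw Ethernet frames and admits a frame only if its segment is on a per-port allow-list. Port names, MAC/IP addresses and the sample frames are constructed placeholders.

```python
import struct

ETHERTYPE_VLAN, ETHERTYPE_IPV4, VXLAN_UDP_PORT = 0x8100, 0x0800, 4789  # 802.1Q tag, IPv4, IANA VXLAN port
def vlan_id(frame: bytes):
    """802.1Q VLAN ID (12-bit VID) of an Ethernet frame, or None if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_VLAN:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF      # drop PCP/DEI bits

def vxlan_vni(frame: bytes):
    """24-bit VXLAN VNI carried in an untagged IPv4/UDP frame, or None."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                             # protocol 17 = UDP
        return None
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != VXLAN_UDP_PORT:
        return None
    vxlan = udp[8:]
    if not vxlan[0] & 0x08:                                     # 'I' flag: VNI field valid
        return None
    return int.from_bytes(vxlan[4:7], "big")

def segment_of(frame: bytes):
    """Segment a frame belongs to: ('vlan', vid), ('vxlan', vni) or ('untagged', None)."""
    vid, vni = vlan_id(frame), vxlan_vni(frame)
    if vid is not None:
        return ("vlan", vid)
    return ("vxlan", vni) if vni is not None else ("untagged", None)

# Constructed allow-list (hypothetical port names): which segments may enter through which port.
POLICY = {"access-1": {("vlan", 10), ("vlan", 20)}, "dc-uplink": {("vxlan", 5000)}}
def admit(port: str, frame: bytes) -> bool:
    """'Need to connect' at segment level: admit only frames of a segment allowed on this port."""
    return segment_of(frame) in POLICY.get(port, set())

# --- constructed sample frames (not captured traffic); MACs and IPs are placeholders ---
MAC = bytes(6)
def vlan_frame(vid: int) -> bytes:
    return MAC + MAC + struct.pack("!HHH", ETHERTYPE_VLAN, vid, ETHERTYPE_IPV4)

def vxlan_frame(vni: int) -> bytes:
    inner = MAC + MAC + struct.pack("!H", ETHERTYPE_IPV4)       # encapsulated Ethernet frame
    vx = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"  # flags (I=1), rsvd, VNI, rsvd
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vx) + len(inner), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(vx) + len(inner),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return MAC + MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp + vx + inner
```

A frame arriving on a port whose allow-list does not contain its VLAN ID or VNI is rejected even though the shared IP/Ethernet infrastructure could technically deliver it, which is the point of enforcing the principle below the application layer.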

Summary and outlook

A convergent network can be used by many applications simultaneously, offering economic efficiency and high flexibility. However, if the security of information is paramount, reliable and robust separation and isolation of traffic in the transmission network must be ensured. The “need-to-connect” principle can be implemented at several network layers. The most complex and secure measure is complete physical separation in conjunction with Layer 1 encryption. A good economic compromise, especially when connecting locations with high bandwidth requirements, is achieved with Layer 2 separation and robust encryption. Alternatively, for high scalability and fast provisioning, Layer 3 methods such as MPLS-based IP/VPNs or IPsec tunnels are ideal.

Adva Network Security offers BSI-approved, encrypted optical transmission technology and Ethernet network access devices. This enables secure connection networks with Layer 1 and Layer 2 technology to be implemented, which have already proven themselves in many high-security applications. Recently, a partnership with genua was announced to further enhance the secure network solution with BSI approval, extending it to Layer 3 for comprehensive protection.