Best Practice in Security Layers

Layered security is a security best practice: no single type of control provides a complete security solution. This report focuses on network segmentation. Separating critical networks from the Internet and from other, less sensitive internal networks is a key method to limit access and minimize loss if or when an intruder gains access to your environment. Network segmentation, which means splitting the larger network into smaller network segments, can be achieved through firewalls, virtual local area networks (VLANs), and other separation techniques.

Segmentation has long been recognized as a key component of strong security. Target was breached in 2014 using login credentials stolen from an HVAC vendor; badly configured segmentation then allowed the attacker to reach the POS systems from the vendor's foothold. Although that happened several years ago, it exemplifies the same risks we face today and shows why proper segmentation is a key security measure. But how does network segmentation stop malware? If your initial defenses against a virus or ransomware attack are penetrated, segmentation lets you isolate the malware and limit the areas it can reach, protecting the rest of the network.

It is highly recommended that you apply segmentation controls at more than just the network layer. Each host and network has to be segregated and segmented. Even the smallest host and network should be segmented at the finest granularity that is practical to manage.

If a network or a service does not need to communicate with another host or network, that communication should not be allowed. If a particular host or network needs to "talk" to another service or network on a specific protocol and nothing else, the access should be reviewed and only the required connections permitted.

Separating networks and hosts according to the importance of the business operations they support is also a good move. This can mean placing networks or hosts on different platforms according to their security classification and security domain. Also consider separating management networks from production traffic, and physically isolating "out of band" management networks for vulnerable environments.

No user, host, or service should have access to all other users, hosts, and services. Access should be restricted to those who require it to perform their assigned duties and responsibilities. Anyone who bypasses or breaches the authentication and authorization rules should be closely monitored and, if needed, disabled.

Allow only legitimate network traffic that is authenticated and authorized, rather than trying to deny known-bad traffic or block specific services: an allowlist with a default deny, not a blocklist. This security layer is a key component of an effective security policy and will also improve your organization's capacity to detect and mitigate potential network breaches.
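The following is an added example, not code from the original report or from any vendor's product, that models the guidance above as a small default-deny inter-segment policy: named segments (including a separate out-of-band management network), an allowlist in which each entry permits one source segment to reach one destination segment on one protocol and port, and an audit routine that evaluates constructed flow records and flags any source whose denied attempts exceed a threshold, so that a foothold trying to cross segments (as in the vendor-to-POS scenario described above) is both blocked and surfaced for review. The segment names, address ranges, rules, log format and flow records are all constructed for illustration.

```python
"""Default-deny inter-segment policy with denial monitoring (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment plan; the names follow the classifications discussed
# in the text and the address ranges are hypothetical.
SEGMENTS = {
    "vendor_vpn": ip_network("10.50.0.0/24"),  # third-party remote access
    "corp_users": ip_network("10.10.0.0/16"),  # general staff
    "hvac_bms":   ip_network("10.20.0.0/24"),  # building management systems
    "pos":        ip_network("10.30.0.0/24"),  # payment terminals
    "oob_mgmt":   ip_network("10.99.0.0/24"),  # out-of-band management
}


@dataclass(frozen=True)
class Rule:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


# Allowlist: each entry is one business-justified connection on one protocol
# and one port. Anything not matched below is denied. (Constructed rules.)
ALLOW = (
    Rule("vendor_vpn", "hvac_bms", "tcp", 443),  # vendor maintains BMS over HTTPS
    Rule("corp_users", "pos", "tcp", 8443),      # store staff use POS web console
    Rule("oob_mgmt", "hvac_bms", "tcp", 22),     # admins manage BMS via OOB network
    Rule("oob_mgmt", "pos", "tcp", 22),          # admins manage POS via OOB network
)


def segment_of(ip_str):
    """Map an address to its segment name, or None if it is in no known segment."""
    ip = ip_address(ip_str)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, dport):
    """Return ('allow', reason) or ('deny', reason) for one connection attempt."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return ("deny", "address outside any known segment")
    for rule in ALLOW:
        if (src, dst, proto, dport) == (rule.src, rule.dst, rule.proto, rule.dport):
            return ("allow", f"rule {src}->{dst} {proto}/{dport}")
    return ("deny", f"no rule permits {src}->{dst} {proto}/{dport}")


def parse_flow(line):
    """Parse one '<timestamp> key=value ...' flow record (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    fields["dport"] = int(fields["dport"])
    return fields


def audit(lines, threshold=3):
    """Evaluate every flow and return (decisions, flagged_sources).

    A source is flagged when it is denied to at least `threshold` distinct
    (destination, protocol, port) targets: that is the 'bypass the rules'
    behaviour the text says should be monitored and, if needed, disabled.
    """
    decisions = []
    denied_by_src = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        verdict, reason = evaluate(f["src"], f["dst"], f["proto"], f["dport"])
        decisions.append((line.split()[0], f["src"], f["dst"], verdict, reason))
        if verdict == "deny":
            denied_by_src[f["src"]].add((f["dst"], f["proto"], f["dport"]))
    flagged = sorted(s for s, t in denied_by_src.items() if len(t) >= threshold)
    return decisions, flagged


# Constructed flow records: normal vendor, staff and admin traffic, followed by
# a vendor-segment host attempting to reach the POS segment on several ports.
SAMPLE_FLOWS = [
    "2024-05-01T09:00:01Z src=10.50.0.17 dst=10.20.0.8 proto=tcp dport=443",
    "2024-05-01T09:01:12Z src=10.10.4.21 dst=10.30.0.5 proto=tcp dport=8443",
    "2024-05-01T09:02:40Z src=10.99.0.3 dst=10.30.0.5 proto=tcp dport=22",
    "2024-05-01T09:03:05Z src=10.50.0.17 dst=10.30.0.5 proto=tcp dport=445",
    "2024-05-01T09:03:06Z src=10.50.0.17 dst=10.30.0.5 proto=tcp dport=3389",
    "2024-05-01T09:03:07Z src=10.50.0.17 dst=10.30.0.6 proto=tcp dport=445",
    "2024-05-01T09:04:00Z src=10.20.0.8 dst=10.30.0.5 proto=tcp dport=22",
]

if __name__ == "__main__":
    decisions, flagged = audit(SAMPLE_FLOWS)
    for ts, src, dst, verdict, reason in decisions:
        print(f"{ts} {src:<12} -> {dst:<12} {verdict:<5} {reason}")
    print("sources exceeding denial threshold:", flagged)
```

Two design points are worth noting. Because the policy is keyed on segment, protocol and port together, the same vendor host that is allowed to reach the building-management segment over HTTPS is denied the moment it tries a different protocol, port or segment; and because the matching is an allowlist with a final deny, a new service is unreachable until someone writes a rule for it and can justify the connection during review. In the sample run, the three denied attempts from 10.50.0.17 are enough to flag that source, while the single denied BMS-to-POS attempt is logged but stays below the threshold.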