What is common in these and so many others is that the attacks could have been stymied by proper network segmentation. I am amazed to see how many business networks are essentially flat networks, or are poorly segmented without firewall rules preventing inter-segment access. For home/SOHO networks, the story is even grimmer. Even before the advent of IoT devices, segmentation was and continues to be a must. Now, with more and more IoT devices coming online, the situation is dire.
What is a flat network?
A flat network is a computer network design approach that aims to reduce cost, maintenance and administration. Flat networks are designed to reduce the number of routers and switches on a computer network by connecting the devices to a single switch instead of separate switches. Unlike a hierarchical network design, the network is not physically separated using different switches.
The topology of a flat network is not segmented or separated into different broadcast areas by using routers. Some such networks may use network hubs or a mixture of hubs and switches, rather than switches and routers, to connect devices to each other. Generally, all devices on the network are a part of the same broadcast area. Source: https://en.wikipedia.org/wiki/Flat_network
We also see segmented networks that connect to a firewall, but the firewall/router is not configured to block or control what traffic can reach the other LAN or DMZ segments. In this situation it is equivalent to not having a firewall at all.
For the home/SOHO user, I sort of get it. It can be complex, but it is nonetheless necessary. For the business user, come on, let’s start taking your security seriously.
Imagine this for the typical SOHO environment: wireless, smart TV box(es), perimeter alarm, family LAN, SOHO LAN, lighting IoT, cameras, etc. In some respects, the SOHO environment is more complex than the small business environment. One really does not want any of these devices talking to each other. But in a flat network, that is exactly what happens! If there is a successful hack of, let’s say, the lighting IoT or the smart TVs, then the hacker will have access to the juicy data on the other connected devices, like business computers or family computers with tax records! And then there is privacy. It is well known that the likes of Google, Roku, Apple TV and Netflix want your data! Do you really want to give these companies access to your entire network and all of its devices?
The business environment has similar challenges: building automation systems, perimeter security systems (card access, etc.), internal, cloud and vendor servers, multiple departments whose access should be controlled from other departments (think Human Resources payroll information), third-party partner access, remote employee access, mobile devices, etc. Despite this, flat networks, or more often poorly firewalled ones (no real policies), rule the day.
While there are several methods to segment networks, the approach we use at L4 Networks combines VLAN tagging via smart switches with VLAN-aware firewalls, which lets us run a separate DHCP server for each VLAN. Equally important, in consultation with our customer, we develop and apply strict firewall policy rules for each VLAN based on the customer’s business needs.
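To make the difference between a flat network (or a pass-through firewall, as described above) and per-VLAN policy rules concrete, here is an added example; it is not the article’s or L4 Networks’ configuration. It models the SOHO segments from the scenario above as VLANs with a default-deny policy, evaluates sample flows against both a flat and a segmented policy, audits a policy for the pass-through condition, and renders the segmented policy as an nftables forward chain for a Linux router with 802.1Q sub-interfaces. The VLAN IDs, subnets, interface names (eth0, eth1) and the camera port 554 are all constructed assumptions; the per-VLAN DHCP servers are not shown.

```python
"""Per-VLAN default-deny policy model with an audit and an nftables rendering.
Segment names, VLAN IDs, subnets and interface names are constructed for
illustration; they are not from the article or from L4 Networks."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed segments: (VLAN ID, subnet). The untrusted ones are the
# IoT-style devices the article says should never reach the LANs.
VLANS = {
    "SOHO_LAN": (10, "10.0.10.0/24"),
    "FAMILY":   (20, "10.0.20.0/24"),
    "IOT":      (30, "10.0.30.0/24"),
    "CAMERAS":  (40, "10.0.40.0/24"),
}
UNTRUSTED = {"IOT", "CAMERAS"}
TRUNK = "eth1"   # hypothetical 802.1Q trunk toward the smart switch
WAN = "eth0"     # hypothetical uplink


@dataclass(frozen=True)
class Rule:
    src: str                    # VLAN name or "any"
    dst: str                    # VLAN name, "wan" or "any"
    proto: str = "any"          # "tcp", "udp" or "any"
    dport: Optional[int] = None
    action: str = "accept"      # "accept" or "drop"

    def __post_init__(self):
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("a destination port needs proto tcp or udp")


def vlan_of(ip: str) -> str:
    """Map an address to its segment; anything outside the known VLANs is WAN."""
    addr = ip_address(ip)
    for name, (_, cidr) in VLANS.items():
        if addr in ip_network(cidr):
            return name
    return "wan"


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow is dropped (default deny)."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    for r in policy:
        if r.src not in ("any", src) or r.dst not in ("any", dst):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "drop"


def audit(policy: List[Rule]) -> List[str]:
    """Flag rules that turn the firewall into the pass-through the article describes."""
    findings = []
    for r in policy:
        if r.action != "accept":
            continue
        if r.src == "any" and r.dst == "any":
            findings.append("flat: 'allow any -> any' is no firewall at all")
        elif r.src in UNTRUSTED and r.dst != "wan" and r.dport is None:
            findings.append(f"{r.src} may initiate any traffic toward {r.dst}")
    return findings


def iface(segment: str) -> str:
    return WAN if segment == "wan" else f"{TRUNK}.{VLANS[segment][0]}"


def render_nftables(policy: List[Rule]) -> str:
    """Render the policy as an nftables forward chain whose chain policy is drop.
    Replies to allowed flows return via conntrack, so a camera can answer a LAN
    viewer without being allowed to initiate anything itself."""
    lines = [
        "table inet segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for r in policy:
        parts = []
        if r.src != "any":
            parts.append(f'iifname "{iface(r.src)}"')
        if r.dst != "any":
            parts.append(f'oifname "{iface(r.dst)}"')
        if r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        elif r.proto != "any":
            parts.append(f"meta l4proto {r.proto}")
        parts.append(r.action)
        lines.append("        " + " ".join(parts))
    lines += ["    }", "}"]
    return "\n".join(lines)


# The "segmented, but the firewall controls nothing" case from the article.
FLAT_POLICY = [Rule("any", "any")]

# Every segment except the cameras may reach the Internet; only the SOHO LAN
# may open the (hypothetical) camera stream port 554. Nothing else crosses.
SEGMENTED_POLICY = [
    Rule("SOHO_LAN", "wan"),
    Rule("FAMILY", "wan"),
    Rule("IOT", "wan"),
    Rule("SOHO_LAN", "CAMERAS", "tcp", 554),
]
```

Running `evaluate(SEGMENTED_POLICY, "10.0.30.5", "10.0.10.7", "tcp", 445)` returns `drop` (an IoT device cannot reach the SOHO LAN), while the same flow against `FLAT_POLICY` is accepted, and `audit(FLAT_POLICY)` reports the pass-through. Keeping the rule set small and per-VLAN is what makes the rendered nftables chain reviewable: every line that is not the default drop is a deliberate business decision.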
But is network segmentation enough? The short answer is no, but it is a necessary foundational step upon which more security layers can be built. I will discuss these in a future article.