The Problem with Flat Networks

I assume you have heard the story that a casino was hacked via its fish tank or Target’s attack via its HVAC system. If not follow the links.

What is common with these and so many others is that the attacks could have been prevented or stymied by proper network segmentation. I am amazed to see how many business networks are essentially flat networks or poorly segmented without firewall rules preventing inter-segment access. For home/soho networks, the story is even grimmer. These are normally all setup as flat networks. Even before the advent of IoT devices, segmentation was and continues to be a must. Now with more and more IoT devices coming on line, the situation is dire.

What is a flat network?

A flat network is a computer network design approach that aims to reduce cost, maintenance and administration. Flat networks are designed to reduce the number of routers and switches on a computer network by connecting the devices to a single LAN segment instead of separate LAN segments. Another way to look at this is that unlike a hierarchical network design, the topology of a flat network is one that is not segmented nor separated into different broadcast areas by using firewall/routers. Instead, all devices on the flat network are a part of the same broadcast area.

Even when we see hierarchical segmented networks that are indeed connected to a router/firewall, we nevertheless see a lack of solid policy and firewall rules that govern/control what traffic can connect to other LAN or DMZ segments. The lack of such rules is tantamount to not having  segmentation at all – as traffic has unencumbered access to other segments.

For the home/SOHO user, I sort of get why segmentation is ignored.  It can be complex and the average ISP wants to keep things as simple as possible. But the price paid for simplicity is vulnerability. While the environment for the SOHO small business user approximate that of the home user, for larger businesses, all I can say is “come’on, let’s start taking your security seriously. ”

Flat Networks and Vulnerabilities

Imagine this for the typical SOHO environment: Wireless, SmartTV Box(s), Perimeter Alarm System, family LAN, SOHO LAN, Lighting IoT, Cameras, etc. In some respects, the SOHO environment is more complex than the small business environment. One really does not want any of these devices talking to each other. But in a flat network, that is what happens! If there is a successful hack of let’s say the Lighting IoT or SmartTVs, then the hacker will have access to the juicy data on the other connected devices like business computers or family computers with Tax records! And then there is privacy. It is well known that likes of Facebook, Google, Roku, Apple TV, Netflix want your data! Do you really want to give these companies unfettered access to your entire network and all devices? I think not.

The typical business environment has similar challenges. These include building automation systems, perimeter security systems (card access etc.), internal servers, cloud and vendor servers. Multiple departments need to have access controlled to other departments’ data & segments (think Human Resources payroll information).  Third party partner access, remote employee access, mobile devices, etc. all need to be controlled to prevent and contain their access. Despite this – we often find several flat networks (partial or otherwise) or more often than not, poorly firewalled (no real policies) network segments.

While there are several methods to segment networks, the ones we employ for L4 Networks’ customers, employ both VLAN tagging via smart switches and VLAN aware firewalls/routers. Equally as important, in consultation with our customer, we develop and apply strict firewall policy rules for each VLAN/segment based on the business need of the customer.

But is network segmentation enough? The short answer is no, but it is a necessary foundational step upon which more security layers can be built. I will delve into what further needs to be done in a future article.