Chapter 7 - 02 - Discuss Security Benefits of Network Segmentation - 02_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 Types of Network Segmentation (Cont’d) Network Virtualization 0O Network virtualization is a process of combining all the available network resources and enabling security professionals to share these resources amongst the network users using a single administrative unit Sales Department Virtual Network Marketing Department Virtual Network Virtualization Layer Physical Layer % X O " & o Network virtualization enables each user to access available network resources such as files, folders, computers, printers, hard drives, etc. from their system Copyright © by EC-{ IciL All Rights Reserved. Reproduction is Strictly Prohibited. Types of Network Segmentation Network segmentation can be implemented in three ways, namely, physical segmentation, logical segmentation, and virtualization, wherein the network is isolated physically, isolated logically (through virtual local area networks or VLANS), and entirely virtualized, respectively. * Physical Segmentation: Physical segmentation is a process of splitting a larger network into smaller physical components. These segments can communicate via intermediary devices such as switches, hubs, or routers. Physical segmentation is generally used for isolating two or more devices from each other. For instance, all web servers are separated and placed in one segment, with database servers and File Transfer Protocol (FTP) servers in two other segments; these segments communicate only through their individual switches. Physical network segmentation can be an easy approach to divide a network, but it is expensive as it occupies more space and creates unwanted issues such as traffic conflicts. It is also known to be a secure mechanism but is difficult to implement as each segment in the network should have individual network connections, physical cabling, and firewall implementations. Module 07 Page 734 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 Segment 3 MvaaWEiN T - Shared hub Device2 Devicel | Device3 Segment 2 Souber Shared hub 'l-.:'... l..'....ll!llllllllll|. Devicel : Internet Services ! Device 2 Device3 Segment 1 » Q ! Shared hub :-..'. l|lllllll!........... !IIIIIIII.IO CEE Device 2 sssus Devicel ! HEHHH Device3 Figure 7.29: Physical segmentation of network = Logical Segmentation: To overcome the problems associated with physical segmentation, organizations choose the logical segmentation of their network. Logical segmentation utilizes VLANs, which are isolated logically without considering the physical locations of devices. Each VLAN is considered an independent logical unit, and the devices within a VLAN communicate as though they are in their own isolated network. This type of segmentation is easier to implement and flexible to operate. In this approach, firewalls are shared, and switches handle the VLAN infrastructure. Logical segmentation does not need new hardware, and the provided environment is managed with the existing hardware resources. This type of segmentation employs the built-in concepts incorporated within the network infrastructure such as the creation of independent VLANSs that share a physical routing device (switch), segregation of various asset types into different layer-3 subnets, and use of a router to allow data exchange between subnets. The following are the key advantages of logical segmentation: o It enables the creation of virtual workgroups irrespective of users’ locations. o It effectively controls the network broadcast. o Itimproves security by defining which network nodes can interact with each other. o It eliminates the physical boundaries between users. Module 07 Page 735 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls - Technical Controls Exam 212-82 VLAN 1 VLAN 2 VLAN 3 VLAN Switch 1 _. T -.--lll ’ Devicel aaaan ' LE R BN l Devicel Devicel Device2 Device 2 Device3 Device3 VLAN 1_ Switch 2 Device2 VLAN Switch 3 Services Device3 Figure 7.30: Logical segmentation of network = Network available Virtualization: Network Virtualization (NV) is a process of combining all network resources and enabling security professionals to share these resources amongst the network users using a single administrative unit. It abstracts network resources traditionally allocated as actual hardware to software. NV can combine multiple physical networks into one virtual, software-based network, or divide one physical network into separate, independent virtual networks. NV provides systems and users with efficient, controlled, and secured sharing of network resources (files, folders, computers, printers, hard drives, etc.). NV splits the available bandwidth into independent channels, which can be assigned or reassigned to a particular server or device in real-time. For example, a virtual LAN (VLAN) can unite network devices into one unit irrespective of their physical location, thereby enabling the creation of a subsection of the local area network (LAN). The following are the key advantages of network virtualization: o It enables efficient, flexible, and scalable usage of the network. o It logically segregates the underlay administrative domain with the overlay domain. o It accommodates the dynamic nature of server virtualization. o It provides security and isolation of traffic and network details from one user to another. Module 07 Page 736 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 Sales Department Virtual Network Marketing Department Virtual Network Virtualization Layer Physical Layer E" Figure 7.31: lllustration of network virtualization Module 07 Page 737 Certified Cybersecurity Technician Copyright © by ECG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.