This project was created to publish the best practices for segmentation of the corporate network of any company. In general, the schemes in this project are suitable for any company.
Graphic diagrams are available on the Release page
The schema sources are located in the repository
Elements used in network diagrams:
Crossing the border of the rectangle means crossing the firewall.
Basic segmentation that protects against basic targeted attacks by making it harder for an attacker to advance through the network. Basic isolation of the production environment from the corporate one.
By default, the corporate network should be considered potentially compromised. Potentially compromised workstations of ordinary employees, as well as workstations of administrators, have basic and administrative access to the production network.
Because of this, the compromise of any workstation can theoretically lead to the following attack vector. An attacker compromises a workstation in the corporate network. The attacker then either escalates privileges in the corporate network or immediately attacks the production network with the rights already obtained.
Install the maximum number of information protection tools, monitor suspicious events in real time, and respond immediately.
OR!
Segmentation according to level 2 requirements
More network segments in the corporate network.
Full duplication of the main supporting infrastructure for the production network, such as:
- mail relays;
- time servers;
- other services, if available.
Safer software development. It is recommended to implement DevSecOps at least at Level 1 of the DSOMM, which requires a separate secrets store for passwords, tokens, cryptographic keys, logins, etc., and additional servers for SAST, DAST, fuzzing, SCA and other DevSecOps tools.
In case of problems in the supporting infrastructure in the corporate segment, this will not affect the production environment.
It is a little harder for an attacker to compromise a production environment.
Or you can implement at least Level 2 of the SLSA.
As a result, this leads to the following problems:
- increasing the cost of ownership and the cost of final services to customers;
- high complexity of maintenance.
The company's management (CEO) understands the role of cybersecurity in the life of the company. Information security risk becomes one of the company's operational risks. Depending on the size of the company, the minimum size of an information security unit is 15-20 employees.
Implementing security services such as:
- security operation center (SIEM, IRP, SOAR, SGRC);
- data leak prevention;
- phishing protection;
- sandbox;
- intrusion prevention system;
- vulnerability scanner;
- endpoint and ATP protection;
- web application firewall;
- backup server.
High costs of information security tools and information security specialists.
Each production and corporate service has its own networks: Tier I, Tier II, Tier III.
The production environment is accessed from isolated computers. This type of segmentation is called an air gap; it is close to the protection applied to state secrets. Each isolated computer does not have:
- incoming access from anywhere except remote corporate laptops via VPN;
- outgoing access to the corporate network:
  - no access to the mail service - spear phishing is not possible;
  - no access to internal sites and services - it is impossible to download a trojan from a compromised corporate network.
🔥The only way to compromise an isolated computer is to compromise the production environment. As a result, a successful compromise of a corporate computer, even by phishing, will not give an attacker access to the production environment.
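The difference between the basic level and the air gap can be checked mechanically by modelling each firewall border as an allowed (source, destination) flow and asking which segments a compromised corporate workstation can reach. The following is an added example, not part of this project; the segment names and the rule sets are constructed to mirror the diagrams described above (corporate workstations with access to production versus isolated computers reachable only from VPN laptops).

```python
from collections import deque

# Constructed model of the diagrams: each pair is a flow the firewall allows.
# Crossing a rectangle border means crossing the firewall, so any pair not
# listed is blocked. Segment names are assumptions, not the project's own.
BASIC_SEGMENTATION = {
    ("internet", "corporate_workstations"),    # phishing mail reaches employees
    ("corporate_workstations", "mail_service"),
    ("corporate_workstations", "internal_sites"),
    ("corporate_workstations", "production"),  # basic/admin access to production
    ("admin_workstations", "production"),
    ("vpn_laptops", "corporate_workstations"),
}

AIR_GAP_SEGMENTATION = {
    ("internet", "corporate_workstations"),
    ("corporate_workstations", "mail_service"),
    ("corporate_workstations", "internal_sites"),
    ("vpn_laptops", "isolated_computers"),     # the only permitted inbound path
    ("isolated_computers", "production"),      # no outbound to corporate network
}

def reachable(rules, start):
    """Every segment an attacker holding `start` can reach over allowed flows."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for s, d in rules:
            if s == src and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen

def paths_to(rules, start, target):
    """Simple paths from `start` to `target`, to show which rule creates exposure."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            paths.append(path)
            continue
        for s, d in rules:
            if s == path[-1] and d not in path:
                stack.append(path + [d])
    return paths

def production_exposed(rules, compromised="corporate_workstations"):
    """True if a compromise of `compromised` can pivot into production."""
    return "production" in reachable(rules, compromised)

if __name__ == "__main__":
    for name, rules in (("basic", BASIC_SEGMENTATION), ("air gap", AIR_GAP_SEGMENTATION)):
        print(name, "exposed:", production_exposed(rules),
              paths_to(rules, "corporate_workstations", "production"))
```

Feeding the real firewall policy into the rule set turns this into a regression check that the production segment stays unreachable from the corporate network after every rule change.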
Implement other possible security services, such as:
- privileged access management;
- internal phishing training server;
- compliance server (configuration assessment).
Implementing security services such as:
- privileged access management;
- internal phishing training server;
- compliance server (configuration assessment);
- strong protection of your production environment from spear phishing.
🔥Now the attacker will not be able to attack the production network, because a potentially compromised workstation in the corporate network no longer has network access to production. Related problems:
- separate workstations for access to the production network - yes, now you will have 2 computers on your desktop;
- other LDAP catalog or Domain controller for production network;
- firewall analyzer, network equipment analyzer;
- netflow analyzer.
Now you will have 2 computers on your desktop if you need access to production network. It hurts 😀
Please subscribe - this is free support for the project
- Submit your pull request;
- Create issue;
- Start discussion.