In Part 4 of this series, I talked about the importance of host-based firewalls to protect against lateral movement between hosts co-located on the same network. Though that was a great improvement, there are still some critical design issues with our network architecture:
There is only one internal subnet (green network) where all devices live. Servers, workstations, printers, smart phones…everything is connected to the same network. Our network is completely “flat” making it more difficult to manage and secure.
Segmentation is the process of breaking down a network into smaller zones or subnets. This approach provides many benefits including:
- Greater management and troubleshooting capabilities for network related issues.
- Better performance by reducing the amount of local traffic.
- Improved security by providing more visibility into traffic flowing across subnets and allowing architects to apply different security controls based on the devices connected to each zone.
Today, we are going to segment our network by creating a Demilitarized Zone (DMZ) that will contain all devices that should be accessible from the internet, such as our web server. This will allow us to separate devices that are more likely to get compromised from the rest of the network.
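To make the segmentation goal concrete, here is an added example (mine, not code from the original post) that models the three zones this design produces, internet, DMZ and the internal green network, as a default-deny inter-zone policy and then runs constructed flow records through it. The subnets (192.168.1.0/24 for the green network, 192.168.100.0/24 for the DMZ), the allowed ports and the sample flows are assumptions chosen for illustration; the point it demonstrates is that a web server in the DMZ that gets compromised has no permitted path back into the internal zone.

```python
import ipaddress

# Constructed, hypothetical addressing for a three-zone design.
# These subnets are assumptions for the example, not the series' real ones.
ZONES = {
    "internal": ipaddress.ip_network("192.168.1.0/24"),   # the green network
    "dmz": ipaddress.ip_network("192.168.100.0/24"),      # internet-facing servers
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside a known zone is the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Inter-zone policy: (src_zone, dst_zone) -> allowed TCP ports.
# A missing key means deny, so the default for every zone pair is deny.
POLICY = {
    ("internet", "dmz"): {80, 443},        # public web traffic reaches only the DMZ
    ("internal", "dmz"): {22, 80, 443},    # admins manage DMZ hosts from inside
    ("internal", "internet"): {80, 443},
    ("dmz", "internet"): {80, 443},        # e.g. package updates
    # Deliberately absent: ("dmz", "internal") and ("internet", "internal").
    # A compromised DMZ host therefore has no allowed path into the green network.
}


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Decide a single inter-zone flow; intra-zone traffic is left to the host firewall (Part 4)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True
    return port in POLICY.get((src_zone, dst_zone), set())


def blocked_flows(log_lines):
    """Parse constructed 'src dst port' records and return the flows the policy denies."""
    denied = []
    for line in log_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            denied.append((zone_of(src), src, zone_of(dst), dst, int(port)))
    return denied


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    "203.0.113.7 192.168.100.10 443",    # internet -> DMZ web server: allowed
    "203.0.113.7 192.168.1.20 445",      # internet -> internal host: denied
    "192.168.100.10 192.168.1.20 445",   # DMZ web server -> internal host: denied
    "192.168.1.20 192.168.100.10 22",    # internal admin -> DMZ over SSH: allowed
    "192.168.100.10 192.168.100.11 80",  # DMZ -> DMZ: host firewall decides
]

if __name__ == "__main__":
    for flow in blocked_flows(SAMPLE_FLOWS):
        print("DENY", flow)
```

Every denied flow from the DMZ toward the internal zone is exactly the kind of event worth alerting on once the DMZ exists: it should never happen in normal operation, so a single occurrence is a strong signal that a DMZ host is misbehaving.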