Domain 2 · 2.5 Mitigation Techniques

2.5.1 Segmentation & Isolation

11 min

Segmentation and isolation are architectural security strategies designed to partition network resources and system processes to contain threats and limit lateral movement.

Network Segmentation Dividing a large network into smaller, distinct subnets limits the "blast radius" of a malware infection or an unauthorized intrusion. - VLANs (Virtual Local Area Networks): Logically separate devices on the same physical switch to restrict broadcast domains and control traffic flow via routers or firewalls. - Air Gapping: The most extreme form of isolation where a system is physically disconnected from all other networks, including the internet. This is common in high-security environments like industrial control systems (ICS). - DMZ (Demilitarized Zone): A subnetwork that buffers the internal private network from the untrusted public internet, typically housing web, mail, and DNS servers. - Screened Subnet: A modern term for a DMZ, utilizing multiple firewalls to ensure that even if a public-facing server is compromised, the attacker cannot pivot into the core database.

Isolation Techniques Isolation focuses on separating specific processes or environments to prevent a single point of failure from compromising the entire host. - Sandboxing: Executing untrusted code or suspicious files in a restricted, virtual environment to observe behavior without risking the host OS. - Microsegmentation: Applying granular security policies at the individual workload or virtual machine level, often used in cloud environments to prevent lateral movement between servers. - Containerization: Using technologies like Docker to isolate applications from the underlying operating system and from each other, ensuring that a vulnerability in one container does not grant access to the host kernel. - Jump Servers: Providing a secure, monitored gateway for administrators to manage devices in a high-security zone (like a DMZ or internal server farm) without direct access from their local workstations.

Enhancing Resilience through Design Segmentation supports cybersecurity resilience by ensuring that if a component fails or is compromised, the rest of the architecture remains functional. - Non-persistence: Using virtual desktop infrastructure (VDI) or snapshots to revert systems to a "known-good" state after a session, effectively wiping any malware or unauthorized changes. - Redundancy: Implementing load balancers and clusters across different segments to maintain availability if one segment goes offline. - Diversity: Utilizing different vendors or hardware types across segments (defense in depth) to ensure a single exploit doesn't affect the entire network.

Quick recall - Lateral Movement: The primary action prevented by segmentation and isolation. - East-West Traffic: Traffic moving between servers in the same data center; controlled via microsegmentation. - North-South Traffic: Traffic entering or leaving the network; controlled via perimeter firewalls/DMZs. - Honeypots: Isolated decoy systems used to lure and study attackers. - Logical vs. Physical: VLANs provide logical isolation; air gaps provide physical isolation.