Look above at that perfectly segmented and appointed little lunch tray. Do you have any doubt that the tater tots are protected from accidental mingling with the nuggets? Would a leaking milk container ruin the entire meal? No. That's the importance of segmentation, and it's a strategy you can use in your networks to protect against ransomware and other malicious actors.
Segmentation prevents lateral movement of network traffic. If you are still running a flat network with single VLANs designed around physical barriers or geographic markers, then now is the time to adjust your thinking and segment your network traffic.
Imagine, if you will, a safer and more efficient local network that springs up solely from you keeping your milk and tater tots in separate compartments. Segmentation allows the network administrator to specify different constraints, permissions, filtering, quality of service, and priorities for each segment. It allows a masterful conductor to weave together an environment, however transparent to the user, that is more controlled, auditable, and where traffic from one segment may or may not be allowed on another segment.
How does it work in real life? What if we created a VLAN that was solely for administrative computers in the building? We could set rules that prevent any student-designated device or BYOD from accessing (or even discovering) the administrative machines. If a ransomware attack started from a student device, there is a good chance that the spread of such an attack would be contained to the student segment. It works in the opposite direction too. If an administrator had the infection, it would be contained and instruction could continue in the classrooms.
Your guest Wi-Fi network may already be utilizing these concepts. Guests are isolated on a network segment with no access other than to the Internet and perhaps a DMZ web server. Now apply that concept across the school building and think of what you could accomplish.
Here are some suggested segmentation ideas:
- Administrator devices
- Teacher devices (further segment by grade/subject)
- Student devices (further segment by grade/hall)
- IT devices
- Security devices including cameras & panic systems
- HVAC, fire, kitchen, and plant operations
- Experimental (Alexa, IoT, robots, rogue BYOD)
In the grand scheme of things, most of the devices on your network don't need to see/talk to each other... they only need to access servers, printers, and the Internet. So why allow them to access more than they need? Does a student device need to be able to perform a port scan on your security cameras? Does a teacher need to be able to print to every printer in the building or just the one in their grade level? Do student computers need to access the projectors in other halls or grade levels?
There are more tools and configurations that have to be done to make this kind of network work so seamlessly. However, it is possible. Your floating users can switch VLANs as easily as they switch APs. A student device that moves to another classroom can suddenly see new printers, a new projector, and a shared resource, but loses access to the devices it had in the last class.
Segmentation increases efficiency and logic in the network. It's not the easiest thing to accomplish but the benefits far outweigh the initial struggle. For malicious attacks, you may just stop ransomware in its tracks and only have to recover from a small outbreak instead of a large catastrophe. Most of your school operations can continue while you recover those affected.
If your goal is security, start easy. Segment your servers from your end points and reduce the traffic flow to only those protocols and ports that are required for operations. Segment critical laptops or devices as soon as you can. Each little step you make increases your security posture and makes you more capable of fighting.
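To make the "admin VLAN that students can't reach", "why can a student device port-scan the cameras?" and "only the protocols and ports required" points concrete, here is an added example (not from the original post) that models an inter-VLAN policy as a default-deny allowlist and runs it over a handful of constructed flow records. The segment names, address ranges, allowed ports and flow records are all assumptions made up for the example; swap in your own VLAN plan. It also counts how many distinct denied destinations a single host hits, which is a simple way to spot the scanning behaviour the post mentions once the denies are being logged.

```python
"""Model of a default-deny inter-VLAN policy for a school network (illustrative, not a real ACL)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed VLAN plan; the names and ranges are assumptions for this example.
SEGMENTS = {
    "admin": ipaddress.ip_network("10.10.0.0/24"),
    "teacher": ipaddress.ip_network("10.20.0.0/24"),
    "student": ipaddress.ip_network("10.30.0.0/24"),
    "servers": ipaddress.ip_network("10.40.0.0/24"),
    "printers": ipaddress.ip_network("10.50.0.0/24"),
    "cameras": ipaddress.ip_network("10.60.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # source segment name
    dst: str              # destination segment name
    proto: str            # "tcp" or "udp"
    ports: FrozenSet[int]  # allowed destination ports; empty set means any port


# Explicit allow rules; anything not listed here is denied between segments.
# Ports chosen as plausible examples (HTTPS, SMB, LDAP, raw print, IPP), an assumption.
ALLOW: List[Rule] = [
    Rule("admin", "servers", "tcp", frozenset({443, 445, 389})),
    Rule("teacher", "servers", "tcp", frozenset({443, 445})),
    Rule("student", "servers", "tcp", frozenset({443})),
    Rule("admin", "printers", "tcp", frozenset({9100, 631})),
    Rule("teacher", "printers", "tcp", frozenset({9100, 631})),
    Rule("admin", "cameras", "tcp", frozenset({443})),   # camera management only from admin
]


def segment_of(ip: str) -> Optional[str]:
    """Return the segment an address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Default deny: traffic crosses segments only if an ALLOW rule matches."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return False                      # unknown address space is never trusted
    if src_seg == dst_seg:
        return True                       # same VLAN: the switch forwards it, no ACL involved
    return any(
        r.src == src_seg and r.dst == dst_seg and r.proto == proto
        and (not r.ports or dport in r.ports)
        for r in ALLOW
    )


Flow = Tuple[str, str, str, int]  # (src_ip, dst_ip, proto, dport)


def evaluate(flows: List[Flow]) -> List[Tuple[Flow, bool]]:
    """Pair every flow with the policy verdict."""
    return [(f, is_allowed(*f)) for f in flows]


def suspected_scanners(flows: List[Flow], threshold: int = 4) -> Set[str]:
    """Hosts whose denied flows touch at least `threshold` distinct (dst, port) pairs."""
    denied_targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for (src, dst, proto, dport), allowed in evaluate(flows):
        if not allowed:
            denied_targets[src].add((dst, dport))
    return {src for src, targets in denied_targets.items() if len(targets) >= threshold}


# Constructed flow records, as a firewall log might summarise them.
SAMPLE_FLOWS: List[Flow] = [
    ("10.30.0.15", "10.40.0.5", "tcp", 443),   # student -> web app on servers: allowed
    ("10.30.0.15", "10.10.0.7", "tcp", 445),   # student -> admin SMB: denied
    ("10.20.0.9", "10.50.0.2", "tcp", 9100),   # teacher -> printer: allowed
    ("10.10.0.7", "10.60.0.3", "tcp", 443),    # admin -> camera management: allowed
    ("10.30.0.15", "10.60.0.3", "tcp", 22),    # student probing a camera on several ports
    ("10.30.0.15", "10.60.0.3", "tcp", 80),
    ("10.30.0.15", "10.60.0.3", "tcp", 554),
    ("10.30.0.15", "10.60.0.4", "tcp", 80),
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print("ALLOW" if verdict else "DENY ", flow)
    print("hosts to look at:", sorted(suspected_scanners(SAMPLE_FLOWS)))
```

Two design points carry over to real gear: the allowlist is keyed on segment pairs, so adding a new student VLAN means adding rules, not re-auditing every existing one; and because inter-segment traffic is denied by default, every deny you log is a policy violation worth a glance, which is what makes the scan count above meaningful.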