
ISO 27001 Network Segmentation Overview

Under ISO 27001, network segmentation, otherwise known as network segregation, consists of splitting the network into sub-networks (or subnets) for security, performance or usability purposes.

From a security perspective, this ensures that services and data can be protected commensurate with their sensitivity or value to the business, and that attackers cannot access everything should a breach occur. It also provides effective defence in depth, placing additional obstacles in the way of an attacker trying to reach certain types of data.

To understand this better, let’s take the example of a flat network. A flat network is a network that is not split into different subnets, that is, a network where all servers are accessible by everyone on the network. The network may have been designed in this way historically to allow all users to access all services, to minimise business disruption and to reduce costs in terms of additional switches, firewalls and routers.

In reality, this means that any user, whether authorised or not, can access all information on the network, and that a single compromised account can have a major impact. Think of it as everyone sitting on the same broadcast domain: everyone can receive any message and access any information or service – it’s all open. So how does network segmentation work? How is it achievable? And what will the impacts be on the business?

Network segmentation, as the name suggests, refers to cutting the network into segments, or security zones. The most common security zone people are aware of is the De-Militarized Zone (DMZ), which is often associated with public services, e.g. web servers. DMZs are commonly implemented on the public (Internet) facing edge of an organisation’s network and contain servers that are accessible to outside users, isolating these from the internal network.

The benefit of this is that this group of servers can be maintained outside the core internal network, reducing the risk to more sensitive servers inside the network. This is achieved by locating this group of servers between two firewalls, one facing the internal network and another facing the external, public Internet (two interfaces of the same firewall can be used in some instances). The externally facing firewall should be configured to only allow through authorised protocols, e.g. HTTPS to specific servers, with the internal firewall more tightly configured. The principle is that malicious attackers may be able to compromise servers residing in the DMZ, but sensitive data residing on the back end database is located in the internal network and remains secure, i.e. the application server resides in the DMZ and communicates with the DB within the corporate LAN only once authorised and approved.

As this diagram shows, the DMZ is located between two firewalls that restrict permitted protocols. The DMZ contains the Internet facing application server, which communicates with the back end database contained in the secure zone on the internal network.

The above provides an example of how network firewalls are used to restrict traffic to and from a lower security domain contained in a DMZ. Network segregation can also be achieved through the use of Virtual Local Area Networks (VLANs) configured on switches. Using VLANs allows the organisation to identify services and restrict access based on groups of authorized individuals.

An example may be segregating business functions into separate VLANs, e.g. HR, who are then only able to access specific resources. Separate VLANs are configured on the switch and, provided the switch and VLANs are configured appropriately, users can only access resources on the VLAN they reside on. By ensuring that groups of servers containing highly sensitive data are only accessible from a set number of VLANs, organisations are able to reduce the impact that a compromise may have.

Under ISO 27001, the network segmentation controls describe establishing security domains based on access type, e.g. public, desktop, server, along with organisational units. ISO 27001 suggests this can be either logical or physical, i.e. entirely separate physical domains. Due to cost implications, organisations often opt to implement a logically segmented network, whereby VLANs and firewalls with access control lists are used to restrict access.

For example, multiple VLANs may exist hosting different services that are ranked in accordance with their sensitivity, e.g. card holder data, personal data, etc. Access across VLANs can be permitted but must pass through a firewall that restricts the protocols allowed.

ISO 27001 network segmentation also considers wireless networks, and ensuring their segregation from the core internal network. This means ensuring that guest wireless networks cannot be used to jump to the core network and access all types of information. Usually, organisations ensure these are physically separate – but this should be verified and tested to confirm there are no routes that would allow an attacker to connect to the public, open wireless network and access sensitive data on the core.
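As an added illustration (not part of the original article), the following Python models the zones described above as a default-deny allow-list and evaluates flows through it: Internet to the DMZ application server over HTTPS, the application server to the back end database, an HR VLAN to a server in the secure zone, and guest wireless to the core. All zone names, addresses and ports are constructed assumptions; the exposure helper supports the kind of route check the wireless paragraph calls for.

```python
# Added example: a small default-deny policy evaluator for the DMZ / VLAN /
# guest wireless layout described in the article. Zone names, subnets, hosts
# and ports are constructed for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone layout: each security zone is a subnet or VLAN.
ZONES = {
    "internet":   ip_network("0.0.0.0/0"),
    "dmz":        ip_network("203.0.113.0/24"),   # Internet facing application servers
    "secure":     ip_network("10.10.0.0/24"),     # back end database VLAN
    "hr_vlan":    ip_network("10.20.0.0/24"),     # HR desktops
    "guest_wifi": ip_network("192.168.50.0/24"),  # open guest wireless
}

def zone_of(addr: str) -> Optional[str]:
    """Map an address to the most specific zone containing it (longest prefix wins)."""
    ip = ip_address(addr)
    best = None
    for name, net in ZONES.items():
        if ip in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int                      # destination TCP port
    dst_host: Optional[str] = None # pin the rule to a single server where possible

# The allow-list; any flow that matches no rule is denied (default deny).
RULES = [
    Rule("internet", "dmz", 443, dst_host="203.0.113.10"),  # external firewall: HTTPS to the app server only
    Rule("dmz", "secure", 5432, dst_host="10.10.0.5"),       # internal firewall: app server to the DB only
    Rule("hr_vlan", "secure", 443, dst_host="10.10.0.20"),   # HR VLAN to the HR system in the secure zone
]

def is_allowed(src: str, dst: str, port: int) -> bool:
    """Evaluate one flow against the allow-list; first match wins, otherwise deny."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False
    return any(r.src_zone == sz and r.dst_zone == dz and r.port == port
               and (r.dst_host is None or r.dst_host == dst) for r in RULES)

def exposure(src_zone: str) -> List[Tuple[str, Optional[str], int]]:
    """Everything a zone may reach; an empty list for guest_wifi is the expected result."""
    return [(r.dst_zone, r.dst_host, r.port) for r in RULES if r.src_zone == src_zone]
```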

Achieving effective network segmentation can support a myriad of compliance requirements, and is mandated for PCI-DSS. With the upcoming introduction of GDPR, organisations processing sensitive personal information should be looking to separate the servers containing this data and to ensure that personal data is not at risk.
