Project 6: Network Enclaving

Enclaving, or network segmentation, is the process of making new network segments based on system role, trust relationships, and the types of data processed.

These new segments are isolated on the internal network by firewalls and are not accessible from the Internet. We then configure access using deny all, permit by exception.

This ensures that only machines with a valid business need can access the segment.

The same approach should be taken with the physical location of systems. Not all employees should have physical access to the area where these network segments reside.

To maximize your return on investment, Role-Based Access Controls (RBAC) should be applied. RBAC is a technical means of controlling data and resources that users can access based on their position in the organization.

The diagram below depicts a simple example of RBAC.

The blue arrows depict the components that users with a human resources role can access. Notice that they only have access to segments that are relevant to their job function.

They don't need access to the test network or production servers so they are denied at the firewall of those segments. The same goes for those in the developer role.

The gray arrows show that this role can access the production servers and test networks, but not the payroll servers.
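The deny-all, permit-by-exception rule and the role matrix in the diagram can be written down as a policy and checked against real traffic. The following is an added example, not code from the original article: a small Python policy evaluator with constructed enclave CIDRs, constructed (role, port) exceptions, a constructed host-to-role map, and a handful of constructed flow-log lines that mirror the diagram (HR reaches payroll, developers reach test and production, nothing else gets through). Running it against exported firewall or NetFlow records is one way to verify that the enclave firewalls actually enforce the matrix the diagram promises.

```python
from ipaddress import ip_address, ip_network

# Constructed enclave table (assumption, not from the article): each enclave's
# CIDR plus the (role, port) exceptions permitted to enter it. Every flow that
# does not match an exception is denied, which is the deny-all default.
ENCLAVES = {
    "payroll":    {"cidr": ip_network("10.10.0.0/24"),
                   "allow": {("hr", 443)}},
    "test":       {"cidr": ip_network("10.20.0.0/24"),
                   "allow": {("developer", 22), ("developer", 8080)}},
    "production": {"cidr": ip_network("10.30.0.0/24"),
                   "allow": {("developer", 22), ("developer", 443)}},
}

# Constructed role assignments. In practice this comes from the identity
# system (directory group, NAC posture), not from a hand-maintained table.
HOST_ROLES = {
    "10.0.5.11": "hr",
    "10.0.5.12": "developer",
}


def enclave_for(ip):
    """Return the enclave containing ip, or None if it lies outside every enclave."""
    addr = ip_address(ip)
    for name, spec in ENCLAVES.items():
        if addr in spec["cidr"]:
            return name
    return None


def evaluate(src_ip, dst_ip, dst_port):
    """Deny-all, permit-by-exception decision for one flow into an enclave.

    Returns (decision, reason). The only path to "permit" is an explicit
    (role, port) exception on the destination enclave; a missing role,
    an unlisted port or an unknown destination all fall through to deny.
    """
    enclave = enclave_for(dst_ip)
    if enclave is None:
        return ("deny", "destination is not a defined enclave")
    role = HOST_ROLES.get(src_ip)
    if role is None:
        return ("deny", f"source {src_ip} has no assigned role")
    if (role, dst_port) in ENCLAVES[enclave]["allow"]:
        return ("permit", f"role {role} has an exception to {enclave}:{dst_port}")
    return ("deny", f"role {role} has no exception to {enclave}:{dst_port}")


def parse_flow(line):
    """Parse a constructed 'src=... dst=... dport=...' flow line into a tuple."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def audit(lines):
    """Evaluate each flow line; return a list of (line, decision, reason)."""
    results = []
    for line in lines:
        src, dst, port = parse_flow(line)
        decision, reason = evaluate(src, dst, port)
        results.append((line, decision, reason))
    return results


# Constructed sample flows mirroring the article's diagram.
SAMPLE_FLOWS = [
    "src=10.0.5.11 dst=10.10.0.5 dport=443",   # HR -> payroll: permitted
    "src=10.0.5.11 dst=10.30.0.7 dport=443",   # HR -> production: denied
    "src=10.0.5.12 dst=10.30.0.7 dport=22",    # developer -> production: permitted
    "src=10.0.5.12 dst=10.10.0.5 dport=443",   # developer -> payroll: denied
    "src=10.0.5.12 dst=10.30.0.7 dport=3389",  # developer -> production, no exception for the port: denied
    "src=10.0.5.99 dst=10.20.0.3 dport=22",    # host with no role -> test: denied
]

if __name__ == "__main__":
    for line, decision, reason in audit(SAMPLE_FLOWS):
        print(f"{decision:6} {line}  ({reason})")
```

The design choice worth noting is that the role lookup and the enclave exception are separate tables: the firewall at each enclave only needs to know which roles and ports are excepted, while membership in a role is owned by the identity system. That keeps a change of job function (an HR user moving to development) a single identity change rather than a firewall change per segment, and it means a host with no role at all is denied everywhere by construction.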

Enclaving is a very large project and takes considerable time and money. So why do it?

Having a segmented network with properly applied controls will drastically reduce the amount of damage caused by an initial-stage compromise.

It also drastically reduces the risk of insider threat by limiting the amount of data that an insider with malicious intent could obtain.

Combined, both of these factors go a long way to creating a more easily managed and effective information security program.
