Network Segmentation for Public and Corporate Networks: Control Requirement 5.7.3.6

Protecting corporate IT resources from potential threats is paramount. One of the controls outlined in the CAN/DGSI 104:2021 Rev 1 2024 standard is Control Requirement 5.7.3.6. This requirement mandates that organizations segment their networks to ensure that networks provided to the public or customers are separated (and/or isolated) from the corporate networks. This blog will delve into the importance of network segmentation, the methods to achieve it, and the benefits it brings to organizational security.

Understanding Network Segmentation

Network segmentation involves dividing a computer network into smaller, distinct subnetworks, each with its own security controls. This practice helps to limit the spread of cyber threats and restricts unauthorized access to sensitive information. By isolating public or customer-facing networks from corporate networks, organizations can create a robust security barrier that protects critical assets.

Why Network Segmentation Matters

Enhanced Security: Segmentation reduces the attack surface by limiting the pathways that cyber attackers can exploit. Even if a public network is compromised, the segmentation ensures that the corporate network remains secure.

Improved Performance: By segmenting networks, organizations can optimize network performance. Traffic can be managed more efficiently, reducing congestion and improving the overall user experience.

Regulatory Compliance: Adhering to standards like CAN/DGSI 104:2021 Rev 1 2024 ensures that organizations meet regulatory requirements, avoiding potential fines and legal issues.

Containment of Threats: In the event of a cyber-attack, segmentation helps contain the threat within a specific segment, preventing it from spreading to other parts of the network.

Implementing Network Segmentation

To comply with Control Requirement 5.7.3.6 from CAN/DGSI 104, organizations must take several steps:

Assess Current Network Architecture: Evaluate the existing network infrastructure to identify areas that require segmentation. This includes understanding the flow of data and identifying critical assets that need protection.

Define Segmentation Strategy: Develop a strategy that outlines how the network will be segmented. This may involve creating separate VLANs (Virtual Local Area Networks), using firewalls to enforce segmentation, and implementing access control lists (ACLs) to restrict traffic between segments.

Implement Segmentation Controls: Deploy the necessary hardware and software to enforce segmentation. This includes configuring firewalls, routers, and switches to create and manage segments.

Monitor and Maintain: Regularly monitor network traffic to ensure that segmentation controls are effective. Conduct periodic security audits and update segmentation policies as needed to address emerging threats.

Secure Wi-Fi: Using secure Wi-Fi protocols such as WPA2 or higher is a good practice for protecting your guest network from unauthorized access and cyber threats. WPA2 (Wi-Fi Protected Access 2) employs AES (Advanced Encryption Standard) to provide robust encryption, ensuring that data transmitted over the network remains confidential and secure. For even greater security, WPA3 offers enhanced features like individualized data encryption and stronger protection against brute-force attacks.

By implementing these advanced Wi-Fi security protocols, organizations can safeguard sensitive information, maintain the integrity of their networks, and provide a secure environment for both employees and customers.

Creating Separate Wi-Fi Networks for Public Use

One practical application of network segmentation is creating separate Wi-Fi networks for public or customer use. This ensures that guests can access the internet without compromising the security of the corporate network. Here are some steps to achieve this:

Set Up a Guest Wi-Fi Network: Configure a separate SSID (Service Set Identifier) for the guest network. This network should be isolated from the corporate network to prevent unauthorized access to sensitive resources.

Use VLANs: Implement VLANs to logically separate the guest network from the corporate network. This allows for efficient management of network traffic and enhances security.

Apply Firewall Rules: Configure firewalls to control traffic between the guest and corporate networks. Only allow necessary traffic and block unauthorized access.

Implement Access Controls: Use access control lists (ACLs) to define rules that restrict traffic between the guest and corporate networks. This ensures that only authorized users and devices can access specific segments.

Monitor Network Activity: Regularly monitor the guest network for any suspicious activity. This helps to identify and address potential security threats in real-time.

Examples

To illustrate the importance and effectiveness of network segmentation, consider the following examples:

Retail Industry: A large retail chain implemented network segmentation to separate customer-facing Wi-Fi networks from corporate networks. This ensured that customer data and payment information were protected from potential breaches, while also improving the performance of both networks.

Healthcare Sector: A hospital segmented its network to isolate medical devices and patient records from administrative systems. This helped to protect sensitive patient information and ensured that critical medical devices were not exposed to cyber threats.

Educational Institutions: A university created separate Wi-Fi networks for students and faculty. This segmentation ensured that student activities did not interfere with administrative operations and protected sensitive academic records from unauthorized access.

Hospitality Industry: A hotel implemented network segmentation to provide guests with secure Wi-Fi access while keeping the hotel’s internal management systems isolated. This protected guest information and ensured smooth operation of hotel services.

Conclusion

Network segmentation is a critical component of a robust cybersecurity strategy. By implementing Control Requirement 5.7.3.6 as outlined in the CAN/DGSI 104:2021 Rev 1 2024 standard, organizations can protect their corporate networks from potential threats and ensure the security of sensitive data. Segmentation not only enhances security but also improves network performance and helps organizations meet regulatory requirements. By staying vigilant and continuously improving segmentation practices, organizations can maintain a strong defense against cyberattacks and safeguard their digital assets. Contact us today to get certified!