Network Enclaves – Enhanced Internal Network Segmentation

August 13, 2009

As the size of a Community Financial Institution grows, so will their network environment. And with larger networking environments come a greater number of risks associated with protecting sensitive Organization and customer/member information. Many IT Managers focus on protecting their internal networks from the outside. If you followed one of our Network Security Consultants for a week you would see that many efforts are not in vain. However, it is proven that a large percentage of attacks originate from the inside. In a larger sized organization where resources allow for greater segmentation, we recommend the use of a Network Enclave (sometimes referred to as a Security Enclave).

A Network Enclave is a segment of an internal network that is defined by common security policies. It is necessary when the confidentiality, integrity, or availability of a set of resources differs from those of the general computational environment. Much like a DMZ network, it is not publicly accessible. The major difference is that internal accessibility is restricted through the use of firewalls, VPN’s, VLANS, and Network Access Control. The purpose of a Network Enclave is to restrict internal access to critical computing devices even further. Other names that refer to the same idea are “internal network segregation” “asset-centric security”.

The firewall that separates the Network Enclave from the rest of the internal network incorporates a “White List” approach; all traffic is denied by default and only known/authorized traffic is allowed in. This requires that only specific traffic, on specific ports, to specific systems, is allowed, making it inaccessible to the underprivileged network user with malicious intentions. Within the Network Enclave a “Black List” approach is used; all traffic is allowed by default and only specific traffic is denied.

Segmenting your network through Network Enclaves establishes a defense in depth strategy by enforcing a principle of compartmentalization and least privilege at the network service level. The impact of a security breach can be lessened and the amount of access gained restricted.

A downside to implementing a Network Enclaved environment is the added implementation and maintenance costs; access lists must remain current, traffic must be monitored, etc. However, when comparing costs for a data breach versus securing information, we feel it may be wiser, more cost-beneficial, and less embarrassing to consider implementing additional internal controls, especially when resources allow it.

By segmenting critical data from the rest of the internal network, an organization will expend resources and allow for greater security to be applied where it is needed rather than throughout the entire organization. A few examples of when a financial institution may want to segment their network using a Network Enclave are if the institution hosts their own online banking, core banking, or business partner networks. The Network Enclave can incorporate all population sizes for any organization. Its main goal – spend money on and protect resources that matter.

On a side note, many businesses with PCI DSS compliance requirements did not develop their IT infrastructure with security in mind. Because of this they often fail the PCI assessment because they have very flat (non-partitioned) networks in which card databases are not segmented from the rest of the network. The lack of a secure Network Enclave is a serious issue regardless of PCI implications, and can be very difficult to remediate.

We have not yet found this to be an area of concern for examiners. However, if you have not yet considered segmentation as a part of your overall defense-in-depth strategy, we recommend that you do so.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: