Apr 23, 2014

Network Segmentation Testing:
An Overview and How To Guide

In today’s Whiteboard Wednesday, Chris Kirsch, Senior Product Marketing Manager, will talk about the importance of network segmentation.

Network segmentation is the act of splitting a computer network into subnetworks, each being a network segment, which increases security and can also boost performance. It is a security best practice that is recommended (but not required) by PCI DSS and it makes the top 20 list of critical security controls suggested by SANS.

Network segmentation will not keep an attacker from breaching your network, however it does limit a breach to one part of your network. Organizations who hold credit card information, financial information, research and development information, and any intellectual property on their network should properly segment off this data from the main network.

Watch this week’s video to learn why and how you can test your network segmentation using tools like Metasploit.

Read Video Transcript

Hello and welcome to this week's whiteboard Wednesday. My name is Chris Kirsch and I'm the product marketing manager for Metasploit here at Rapid7. Today, I want to talk about why you should be doing network segmentation testing.

But before we jump in to that, let's talk about what network segmentation is why it make sense. So network segmentation means chopping up the network in to smaller parts, each segmented by a firewall or some other networking device that keeps one part separate from the other one and controls what information can flow from one part to the other.

So think about a submarine. In a submarine, one of the things you're worried about is that you might have a leak and that as a result of that, the boat will get flooded and you'll drown. Not a good thing. So how can you mitigate that? Well, apart from building a stronger boat, you can build indoors inside the submarine to contain a leak to one compartment. So you can close all of the other doors if you have a leak in one compartment, the rest of the boat will be fine. So same idea with network segmentation, you contain the breach to one part of the network.

So if your web server gets breached and that web segment gets breached, that doesn't affect maybe your credit card data, your research development team, etc, etc. So because it's such a good idea, it's actually recommended by the SANS Top 20 critical security controls especially #13, that talks about network segmentation testing. So if you follow the CSC as part of the internal policy, you probably already have that in place and a lot of companies do. So why should you test the network segmentation? Well, pretty much in a nutshell, Murphy's Law, right. If something goes wrong, it will go wrong.

Let's say, you're putting new brakes on your car. Before, you wouldn't carry on driving your car without testing that the brakes work first. So it's just a common sense practice. So actually, the SANS Top 20 tell you in subsection 10 of #13 to test that the network segmentation is working as designed. Now PCI also has an angle on network segmentation. They don't require you to segment your network but a lot of companies do segment the network to limit the scope of the part of the network that has to be compliant with PCI.

In other words, if you're processing credit card data and you can segment the part off that contains the credit card data and the rest of the network doesn't contain the credit card data, you only have to bring that part under compliance. Now PCI version 3 requirement 11.3.4 is a new requirement that actually introduces the need and the requirement to conduct network segmentation testing to ensure that this is working fine. The reason why they introduce that is because they saw a lot of breaches where companies were compliant that have network segmentation in place but they never actually tested it and it turned out not to be operational or effective, hence the new control.

So how can you test that? Well, there are a couple of different methods. You can, for example, take penetration testing tool like Metasploit to run a manual test. That means you assume that the attacker is either on the internet or in the internal corporate network and you're trying to get to the cardholder data in a different segment so you can test if you can jump from the network that you are in, the segment that you are in into another segment. That's one way. It's very labor intensive. It's probably very good and very in depth.

Another way to do that either as a complimentary thing or to prepare for that or just to do a very quick test much easier way is to take a copy of Metasploit Pro and use a new meta module that we brought out for segmentation and firewall testing. So essentially what you do is you have the firewall here that you want to test. You have Metasploit in one side and you set up a target server on the other side. Then you use this new meta module to effectively run a port scan and there are some ports here open on that firewall and the target server will tell you what gets through.

Now once you have that report, you compare that with what you expect it to be open on the firewall. We can then say, is my network segmentation operational and effective? So if you'd like to try that out, that's in Metasploit Pro version 4.9, the current version. You can download a Metasploit Pro trial. It's free on Metasploit.com and Rapid7.com and that was it for today. I hope to see you next Wednesday.

Free Metasploit Pro Trial

Test your network segmentation today

Download Now
Whiteboard Wednesdays Logo

Subscribe to our weekly
Whiteboard Wednesday videos