Limiting interactions among hosts on your network can keep malware from running rampant

Twice in recent weeks, I’ve been onsite at a company where a sizable division of the organization has been hit by a fast-roving computer worm. All that prevented the worm from quickly spreading across the enterprise was the company’s isolated security zones. These scenarios served only to strengthen my belief that establishing isolated security zones is among the few strategies that reap a return on the investment of planning, resources, and money.

In one of the instances, a foreign subsidiary of the company I was visiting had been infected with the Conficker worm. Nearly every computer at the particular location was compromised. Outside the location, however, only eight additional machines were infected.

At the other company, I discovered that the vast majority of the network traffic was malicious. If you’re looking for malware to experiment with, this place was your dream. Still, even within the same VLAN segment, no one was infected. Even though the company had hundreds of bug-spewing workstations, none of them could talk to anyone else or even each other. While the network was the dirtiest I’ve ever come across, 99 percent of its production systems remained unaffected.

Isolating security zones (known as Server and Domain Isolation at Microsoft) isn’t a new concept by any measurement. Firewalls and the traditional three-legged domains (Internet, DMZ, and intranet) have been around at least since the 1970s, and I bet some readers could remember earlier instances. Although not yet completely abandoned, the traditional firewall segmentation concept is quickly becoming an old way of thinking about network security.

Most of these traditional boundaries have so many ingress exceptions — VPNs, wireless networks, trusted partners, home users, open management ports — that it’s hard to say which is the rule: the firewall ACL or the exceptions. More and more, companies are beginning to think of their networks as permeable. They assume their bastion network boundary is compromised and that the intruder is already inside — because it’s often true. But this doesn’t mean that you should give up on the idea of security boundaries. Quite the opposite — you should take the staid model of an N-legged firewall and extend it to your workstations.

In a nutshell, most workstations don’t need to talk to most other workstations. Most servers don’t need to talk to most other servers (although there are plenty of legitimate connections made server to server). Most workstations in your enterprise don’t need to talk to every server in your enterprise, and vice versa — so don’t let them.

Figure out which hosts in your network and enterprise should talk to each other, and forbid the rest by default. If you can accomplish this type of security zone isolation, you can provide an incredible amount of bang-for-the-buck protection.

There are many ways to accomplish this, but each of them starts out by determining acceptable use policy and defaults, then mapping what should be allowed. You must create a reliable, fast way for people to request additional legitimate access when they need to expand past the current segmentation. Then use the different technologies available to you to separate security zones. As a general rule of thumb, I try to use the dumbest (and, therefore, often the fastest) technologies and devices first. For example, a packet router’s ACL is normally far more efficient and faster at blocking and allowing traffic than a firewall — which often has a lot more rules and is often involved in session-oriented, application-layer inspection.

Here are the devices and technologies I normally work with, in order of preference:

1. Router
2. VLANs
3. IPSec
4. Firewall
5. NAC/NAP
6. Application proxy
7. Application authentication
8. Air gap

You can probably think of others that I missed, but you get the idea. Security zone isolation is a lot of work, at least initially, but it can easily stop one bad end-user or a weak branch office from compromising the whole network.

This story, “Isolated security zones yield stronger network protection,” was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com.
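As an added illustration of the default-deny zone mapping described above (this is example code, not from the article or InfoWorld), here is a small Python model: constructed zone subnets and an allow list of the flows the business needs, a function that renders that list as stateless router ACL lines (the "dumb and fast" layer), and a check over constructed flow records that counts denied peer-to-peer connections per source, which is what a worm like the one described looks like from the segmentation boundary.

```python
import ipaddress

# Constructed zone map (hypothetical subnets, not taken from the article).
ZONES = {name: ipaddress.ip_network(net) for name, net in {
    "workstations": "10.10.0.0/16", "file-servers": "10.20.1.0/24",
    "domain-controllers": "10.20.2.0/24", "branch-office": "10.30.0.0/16"}.items()}

# The flows the business actually needs: (source zone, destination zone, TCP port).
# Anything not listed, including workstation-to-workstation, is denied by default.
ALLOWED = {
    ("workstations", "file-servers", 445),
    ("workstations", "domain-controllers", 88),
    ("workstations", "domain-controllers", 389),
    ("branch-office", "domain-controllers", 88),
    ("branch-office", "domain-controllers", 389),
}

# Constructed flow records (src, dst, dst port): one legitimate SMB session to the
# file server, then an infected workstation probing ten neighbours on 445.
SAMPLE_FLOWS = [("10.10.5.7", "10.20.1.10", 445)] + [
    ("10.10.5.7", f"10.10.5.{n}", 445) for n in range(20, 30)]

def zone_of(ip):
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def is_allowed(src, dst, port):
    """Default deny: a flow passes only if its zone pair and port are on the allow list."""
    return (zone_of(src), zone_of(dst), port) in ALLOWED

def to_router_acl():
    """Render the allow list as stateless router ACL lines (Cisco-style wildcard masks)
    ending in the default deny: the 'dumb and fast' layer the article reaches for first."""
    lines = []
    for s, d, port in sorted(ALLOWED):
        sn, dn = ZONES[s], ZONES[d]
        lines.append(f"permit tcp {sn.network_address} {sn.hostmask} "
                     f"{dn.network_address} {dn.hostmask} eq {port}")
    lines.append("deny ip any any")
    return lines

def blocked_fanout(flows):
    """Per source host, count the distinct peers it tried to reach over denied flows.
    One workstation probing many neighbours on 445 is the worm pattern the zones
    are there to contain, so a spike in this count is worth alerting on."""
    peers = {}
    for src, dst, port in flows:
        if not is_allowed(src, dst, port):
            peers.setdefault(src, set()).add(dst)
    return {src: len(p) for src, p in peers.items()}
```

Feeding real flow logs (for example from the router's ACL deny counters) into `blocked_fanout` turns the same policy that blocks the worm into a detection signal for it.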