Segmenting LANs to Minimize Lateral Movement
Unfortunately, many organizations operate with a flat network topology – with all their endpoints connected into a common switch fabric. This topology compromises protection by enabling easy lateral movement or propagation of network attacks within the Local Area Network since the firewall has no visibility or control over the traffic through the switch.
A best practice is to segment the LAN into smaller subnets using zones or VLANs and then connect these through the firewall, so that anti-malware and IPS protection can be applied to traffic between segments and threats attempting to move laterally across the network can be identified and blocked.
Whether you use zones or VLANs depends on your network segmentation strategy and scope, but both offer similar security capabilities by providing the option to apply suitable security and control over traffic movement between segments. Zones are ideal for smaller segmentation strategies or networks with unmanaged switches. VLANs are the preferred method for segmenting internal networks in most cases and offer the ultimate in flexibility and scalability, but require the use (and configuration) of managed Layer 3 switches.
While it’s a best practice to segment your network, there’s no “best” way to segment a network. You can segment your network by user type (internal, contractors, guests), by department (sales, marketing, engineering), by service, device or role type (VoIP, Wi-Fi, IoT, computers, servers), or any combination that makes sense for your network architecture. But generally, you will want to segment less trusted and more vulnerable parts of your network from the rest, and also break large networks into smaller segments, all with the aim of reducing the risk of threat penetration and propagation.
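The following added example (not part of the original text, and not any vendor's product code) models the segmentation described above as a small policy engine. It assumes a constructed addressing plan of four VLAN-backed segments (servers, users, IoT, guests, all under an assumed 10.10.0.0/16) and a firewall that sits between them with a default-deny forward policy and an explicit allow list; it also renders that policy as an nftables ruleset for a Linux router with VLAN sub-interfaces named vlan10, vlan20 and so on (assumed names). Evaluating the same flows against a flat network shows the point made earlier: with one broadcast domain, traffic between any two hosts never reaches the firewall, so no inspection or blocking can occur.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample segmentation: one /24 per VLAN (assumed addresses, not from the page).
SEGMENTS = {
    "servers": ipaddress.ip_network("10.10.10.0/24"),  # VLAN 10
    "users":   ipaddress.ip_network("10.10.20.0/24"),  # VLAN 20
    "iot":     ipaddress.ip_network("10.10.30.0/24"),  # VLAN 30
    "guests":  ipaddress.ip_network("10.10.40.0/24"),  # VLAN 40
}
VLAN_ID = {"servers": 10, "users": 20, "iot": 30, "guests": 40}

# A flat network for comparison: every host is in the same switched segment.
FLAT = {"lan": ipaddress.ip_network("10.10.0.0/16")}


@dataclass(frozen=True)
class Rule:
    src: str          # source segment name
    dst: str          # destination segment name
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    inspect: tuple    # security features applied to the allowed flow, e.g. ("ips", "av")


# Explicit inter-segment allow list. Anything not listed is denied by the default policy,
# so guests and IoT devices cannot initiate connections into the user or server segments.
POLICY = [
    Rule("users", "servers", "tcp", 443, ("ips", "av")),
    Rule("users", "servers", "tcp", 445, ("ips", "av")),
    Rule("iot", "servers", "tcp", 8883, ("ips",)),
]


def segment_of(segments, ip):
    """Map an IP address to the segment (VLAN/zone) whose subnet contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    return None


def evaluate(segments, policy, src_ip, dst_ip, proto, dport):
    """Return (verdict, detail) for a flow.

    'intra-segment' means the switch forwards the packet locally and the firewall is
    never in the path, so no rule (and no IPS or anti-malware scanning) can apply.
    """
    src, dst = segment_of(segments, src_ip), segment_of(segments, dst_ip)
    if src is None or dst is None:
        return ("deny", "address outside every known segment")
    if src == dst:
        return ("intra-segment", f"{src}: switched locally, not inspected")
    for rule in policy:
        if (rule.src, rule.dst, rule.proto, rule.dport) == (src, dst, proto, dport):
            return ("allow", f"{src}->{dst} {proto}/{dport} inspected by {','.join(rule.inspect)}")
    return ("deny", f"no rule permits {src}->{dst} {proto}/{dport}")


def to_nftables(policy):
    """Render the allow list as an nftables forward chain with a drop default policy.

    Interface names vlanNN are assumed 802.1Q sub-interfaces on the router/firewall.
    Return traffic is admitted via conntrack so rules only need the initiating direction.
    """
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for rule in policy:
        lines.append(
            f"    iifname vlan{VLAN_ID[rule.src]} oifname vlan{VLAN_ID[rule.dst]} "
            f"{rule.proto} dport {rule.dport} accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    flows = [
        ("10.10.20.5", "10.10.10.5", "tcp", 443),   # user -> server HTTPS
        ("10.10.40.7", "10.10.10.5", "tcp", 445),   # guest -> server SMB
        ("10.10.30.9", "10.10.20.5", "tcp", 22),    # IoT -> user workstation
    ]
    for flow in flows:
        print("segmented:", evaluate(SEGMENTS, POLICY, *flow))
        print("flat:     ", evaluate(FLAT, POLICY, *flow))
    print(to_nftables(POLICY))
```

Running the script prints each flow's verdict under both topologies: the segmented design allows only the listed user-to-server services and denies guest-to-server SMB and IoT-to-workstation SSH, while the flat network reports every one of them as intra-segment, i.e. invisible to the firewall. The rendered nftables chain is the same policy expressed for a Linux-based inter-VLAN router.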