IT Baseline Protection Manual
T 3.29 Lack of, or unsuitable, segmentation
Local networks can be segmented physically by active network components, or logically by means of an appropriate VLAN configuration. The IT systems connected to the network are thereby distributed among several segments. This not only improves load distribution within the network, but also facilitates administration.
However, the following specific threats can arise here:
Loss of availability
The higher the number of IT systems within a layer-2 segment, the greater the network load in this segment. This can severely impair the availability of the network segment or even cause an overload situation or a breakdown. In the case of CSMA/CD-based network access protocols (e.g. Ethernet) this also results in more frequent collisions, which reduce the available bandwidth. Segmentation can also be unsuitable if systems that exchange large amounts of data with each other are separated by active layer-2 or layer-3 network components, so that their communication generates high network traffic across those components.
Insufficient protection of confidentiality
To ensure that confidential data is protected, the number of users with access to it should be restricted to a minimum. Consequently, the size of broadcast domains should be kept as small as possible. However, if the segments have been configured inadequately, unauthorised users may be able to view and examine confidential data while it is being transmitted.
Examples:
Two IT systems which exchange high amounts of data are separated by a router. This might result in unsuitable segmentation, as data needs to be transmitted via the router, which is relatively slow.
Two IT systems that frequently exchange passwords and other sensitive information are separated by a bridge. This means that the network traffic could be monitored in both segments. Restricting the network traffic between the two IT systems to a single segment would protect the confidentiality of the data to a greater extent.
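The two threats above (oversized broadcast domains and heavy traffic forced across a segment boundary on the availability side, sensitive traffic observable in more than one segment on the confidentiality side) can be checked against an inventory. The following is an added example, not part of the manual: a small Python audit over a constructed host-to-VLAN inventory and constructed flow records. The host names, VLAN ids, byte counts, the policy limit of four hosts per segment and the "heavy traffic" threshold are all assumptions chosen for illustration.

```python
"""Audit a constructed network inventory for the segmentation threats of T 3.29:
oversized broadcast domains, heavy traffic crossing a segment boundary, and
sensitive traffic that traverses more than one segment."""
from collections import Counter

# Constructed example inventory: host name -> layer-2 segment (VLAN id).
# Hypothetical data, not taken from the manual.
HOSTS = {
    "db1": 10, "app1": 10,
    "app2": 20,
    "ws1": 30, "ws2": 30, "ws3": 30, "ws4": 30, "ws5": 30,
    "auth1": 40,
}

# Constructed flow records: (source, destination, bytes per day, carries sensitive data)
FLOWS = [
    ("app2", "db1", 5_000_000_000, False),   # bulk traffic forced through the router between VLAN 20 and 10
    ("app1", "db1", 4_000_000_000, False),   # bulk traffic kept inside VLAN 10: not a finding
    ("ws1", "auth1", 20_000_000, True),      # password exchange visible in VLAN 30 and VLAN 40
    ("ws2", "ws3", 1_000, False),            # negligible, same segment
    ("printer9", "ws4", 500, False),         # host missing from the inventory
]

MAX_HOSTS_PER_SEGMENT = 4            # assumed policy limit for one broadcast domain
HEAVY_BYTES_PER_DAY = 1_000_000_000  # assumed threshold for "high" traffic


def oversized_segments(hosts, limit=MAX_HOSTS_PER_SEGMENT):
    """Segments whose broadcast domain holds more hosts than the policy limit."""
    counts = Counter(hosts.values())
    return {seg: n for seg, n in sorted(counts.items()) if n > limit}


def unknown_hosts(hosts, flows):
    """Hosts seen in flow records but absent from the inventory. Their segment is
    unknown, so nothing can be said about where their traffic is observable."""
    return sorted({h for s, d, _, _ in flows for h in (s, d) if h not in hosts})


def heavy_cross_segment_flows(hosts, flows, threshold=HEAVY_BYTES_PER_DAY):
    """Host pairs that exchange heavy traffic across a segment boundary (availability
    threat: the traffic must pass an active component instead of staying in one segment)."""
    return [(s, d, b) for s, d, b, _ in flows
            if s in hosts and d in hosts and hosts[s] != hosts[d] and b >= threshold]


def sensitive_cross_segment_flows(hosts, flows):
    """Sensitive flows whose endpoints sit in different segments (confidentiality
    threat: the data can be monitored in every segment it crosses)."""
    return [(s, d) for s, d, _, sensitive in flows
            if sensitive and s in hosts and d in hosts and hosts[s] != hosts[d]]


def audit(hosts, flows):
    """Collect all findings in one dictionary."""
    return {
        "oversized_segments": oversized_segments(hosts),
        "heavy_cross_segment": heavy_cross_segment_flows(hosts, flows),
        "sensitive_cross_segment": sensitive_cross_segment_flows(hosts, flows),
        "unknown_hosts": unknown_hosts(hosts, flows),
    }


if __name__ == "__main__":
    for name, finding in audit(HOSTS, FLOWS).items():
        print(f"{name}: {finding}")
```

Each finding maps to a remedy named in the text: an oversized segment is split, a heavy cross-segment pair is moved into one segment, and a sensitive cross-segment pair is either moved into one segment or its traffic is encrypted. Hosts missing from the inventory are reported separately rather than silently treated as safe.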