Every company has employees who handle large volumes of external e-mail. HR officers, PR managers, and salespeople are a few common examples. In addition to their regular mail, they receive a lot of spam, phishing messages, and malicious attachments. Moreover, the nature of their work requires them to open unverified attachments and click links in unfamiliar e-mails. Information security professionals typically isolate such departments from critically important nodes in the corporate network. But in companies with no dedicated IT security, they pose a major risk to all staff.
One of the most effective ways to safeguard company units that work with critical information against the risk of infection is to segment the corporate network into several autonomous subnets.
Ideally, all potentially dangerous departments should be physically isolated. To do this, you need to install several routers and use them to split the corporate network into separate subnets. However, this solution has a few major drawbacks. First, additional equipment means extra costs; and second, modifying an existing network infrastructure is always a pain for system administrators.
A simpler alternative is to use a virtual LAN (VLAN) to set up several logical networks on top of one physical network, without replacing any hardware. VLANs are configured in software on the existing switches, which means that even the cabling can stay in place.
Most commonly, VLAN technology is used to combine computers connected to different physical routers (for example, machines located in different offices) into a single subnet. That move also brings security advantages, not only preventing unauthorized access from one subnet to the devices in the others but also simplifying security policy management, letting administrators apply policies to an entire subnet at once.
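The isolation described above comes from a small tag in each Ethernet frame (IEEE 802.1Q) plus the rule that a switch only forwards a frame to ports belonging to the same VLAN. The following Python model is an added example written for this article; it is not code from the original post or from any vendor. It builds and parses 802.1Q-tagged frames and simulates a toy switch whose ports are all access ports, each assigned to one VLAN. The port names, VLAN numbers and MAC addresses are constructed for the demonstration, and the "drop a tagged frame whose VLAN does not match the access port" rule is a simplification of real switch behaviour.

```python
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q tag

# Constructed sample MAC addresses (locally administered, not real devices)
MAC_HR_PC = bytes.fromhex("020000000001")
MAC_HR_PC2 = bytes.fromhex("020000000002")
MAC_FIN_PC = bytes.fromhex("020000000003")
MAC_FIN_SRV = bytes.fromhex("020000000004")
MAC_BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan_id is not None:
        if not (0 <= vlan_id <= 4095 and 0 <= pcp <= 7):
            raise ValueError("VLAN ID must be 0..4095 and PCP 0..7")
        tci = (pcp << 13) | vlan_id          # TCI = PCP(3) | DEI(1, left clear) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse dst/src MACs, an optional 802.1Q tag, the EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    vlan_id = pcp = None
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("frame too short for an 802.1Q tag")
        tci = struct.unpack_from("!H", frame, 14)[0]
        pcp, vlan_id = tci >> 13, tci & 0x0FFF
        offset = 16
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


class AccessSwitch:
    """Toy learning switch: every port is an access port that belongs to one VLAN."""

    def __init__(self, port_vlans: Dict[str, int]):
        self.port_vlans = dict(port_vlans)
        # Forwarding table is keyed per VLAN, so a MAC learned in VLAN 10
        # is never used to deliver a frame inside VLAN 20.
        self.mac_table: Dict[Tuple[int, bytes], str] = {}

    def forward(self, ingress: str, frame: bytes) -> List[str]:
        """Return the list of egress ports for a frame received on `ingress`."""
        if ingress not in self.port_vlans:
            raise KeyError(f"unknown port {ingress}")
        vlan = self.port_vlans[ingress]
        hdr = parse_frame(frame)
        # Simplification: a tagged frame on an access port is accepted only if the
        # tag matches the port's own VLAN; anything else is dropped.
        if hdr["vlan_id"] is not None and hdr["vlan_id"] != vlan:
            return []
        self.mac_table[(vlan, hdr["src"])] = ingress
        known = self.mac_table.get((vlan, hdr["dst"]))
        if known is not None:
            return [] if known == ingress else [known]
        # Unknown unicast or broadcast: flood, but only within the ingress VLAN
        return [p for p, v in self.port_vlans.items() if v == vlan and p != ingress]


def demo() -> Dict[str, List[str]]:
    """HR machines sit in VLAN 10, finance in VLAN 20; show where frames end up."""
    sw = AccessSwitch({"p1": 10, "p2": 10, "p3": 20, "p4": 20})
    results = {}
    arp = build_frame(MAC_BROADCAST, MAC_HR_PC, 0x0806, b"\x00" * 28)
    results["hr_broadcast"] = sw.forward("p1", arp)            # reaches p2 only
    fin_hello = build_frame(MAC_BROADCAST, MAC_FIN_SRV, 0x0806, b"\x00" * 28)
    results["fin_broadcast"] = sw.forward("p4", fin_hello)     # reaches p3 only
    fin_reply = build_frame(MAC_FIN_SRV, MAC_FIN_PC, 0x0800, b"\x45" + b"\x00" * 19)
    results["fin_unicast"] = sw.forward("p3", fin_reply)       # learned: p4
    hr_to_fin = build_frame(MAC_FIN_SRV, MAC_HR_PC, 0x0800, b"\x45" + b"\x00" * 19)
    results["hr_to_finance"] = sw.forward("p1", hr_to_fin)     # flooded in VLAN 10 only
    spoofed = build_frame(MAC_BROADCAST, MAC_HR_PC, 0x0806, b"\x00" * 28, vlan_id=20)
    results["hr_tagged_as_finance"] = sw.forward("p1", spoofed)  # dropped
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:22s} -> {ports}")
```

The last two cases are the point of the model: a frame from the HR VLAN addressed to the finance server is never delivered to a finance port, even with the correct destination MAC, and a frame that carries someone else's VLAN tag on an access port is simply discarded. What the model also makes visible is the limit of the technique: the separation holds at layer 2 only, so wherever a router or layer-3 switch joins the VLANs, the access rules on that device decide which traffic may cross between them.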
To get the most out of your VLAN, you need professional-grade network equipment. That said, the technology is now supported by some home routers too, such as Keenetic.
Not a silver bullet
A VLAN is no panacea. It helps minimize the chances of infection spreading to critical nodes, but it does not provide special protection for the departments inside the “risk zone.” So to be on the safe side, it’s never a bad idea to:
- Train employees in information security skills, and remind them regularly to be wary of suspicious e-mails.
- Regularly update software on workstations, networks, and other devices so that cybercriminals cannot penetrate your infrastructure through known vulnerabilities.
- Use reliable security solutions on workstations and servers that can detect and neutralize malicious programs and resources.