Organizations with small environments that lack justification for advanced network segmentation SHALL implement a Three Dumb Routers architecture to segregate high-risk devices from internal resources.
Control Type: Technical
Control Function: Preventive
Description: Implementing VLAN segmentation can be difficult for smaller businesses with limited IT and cybersecurity budgets. Managed switches and enterprise-grade routers are expensive, and the cost is hard to justify to senior management when the business network comprises only ten or so devices. This leaves a gap: segmentation is still necessary for the network, but VLANs are disproportionate to the network in question.
By far the most prevalent network security risk in small business environments is the use of Internet of Things (IoT) devices. Even a business with just five computers, a file server, and a few printers is likely to run a handful of IoT devices for tasks around the workplace: IP security cameras, smart thermostats, and smart light switches are common in small business facilities. As IoT capabilities expand and become more accessible, their use in businesses of all sizes will continue to grow. The problem is that IoT devices are frequently insecure by design and by neglect. Infrequent or absent firmware patches, unnecessary open ports and services, and poorly secured web interfaces still plague the IoT sphere, hence the standing joke in the security community that the "S" in IoT stands for security.
Three Dumb Routers is a network segmentation strategy geared towards isolating IoT devices in smaller home and office networks, and it can be implemented with just three consumer-grade routers. The first router connects directly to the ISP line, usually via a modem; this is the border router. One LAN port on the border router connects to the WAN port of a second router, the IoT router. Every IoT device on the network connects to this router specifically, confining those devices to a dedicated network segment. Another LAN port on the border router connects to the WAN port of a third router, the internal router. Company workstations, mobile devices, printers, file shares, and servers connect to the internal router, placing them in their own dedicated segment. The isolation comes from the inner routers' NAT and stateful firewalls: each inner router allows connections initiated from its own LAN outward and drops unsolicited connections arriving on its WAN port. A compromised IoT device therefore cannot initiate a connection to anything behind the internal router, and the internal LAN cannot reach the IoT devices either unless a port is deliberately forwarded on the IoT router. Two cautions follow. The border router's LAN, the segment between the three routers, should carry nothing but the two inner routers' WAN ports, because every IoT device can reach it; for the same reason, WAN-side (remote) administration must be disabled on both inner routers. And the inbound path the design relies on must stay closed: no port forwards on the internal router, and UPnP disabled on all three routers. Smaller businesses that lack the justification for macro- and micro-segmentation strategies should use the Three Dumb Routers approach as a more accessible method of segmenting their network.
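To make the isolation property concrete, the following is an added example, not part of this control or any vendor's firmware: it models each of the three routers as a stateful NAT and computes which segment can open a connection to which. The segment names, the "middle" label for the border router's LAN, and the port numbers are assumptions chosen for illustration.

```python
"""Reachability model of a Three Dumb Routers deployment.

Added example, not part of the original control text. Each consumer router is
modelled as a stateful NAT: hosts on its LAN side may open connections toward
its WAN side, but nothing on the WAN side may open a connection into its LAN
unless a TCP port has been forwarded. Segment names and the port numbers are
illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Router:
    name: str
    wan: str                      # segment the WAN port sits on
    lan: str                      # segment created on the LAN side
    port_forwards: Set[int] = field(default_factory=set)  # forwarded TCP ports


# The border router fronts the ISP; both inner routers plug their WAN ports
# into the border router's LAN, called "middle" here (an assumed name).
TOPOLOGY: List[Router] = [
    Router("border", wan="internet", lan="middle"),
    Router("iot", wan="middle", lan="iot_lan"),
    Router("internal", wan="middle", lan="internal_lan"),
]

SEGMENTS = ["internet", "middle", "iot_lan", "internal_lan"]


def can_connect(src: str, dst: str, port: int = 443,
                routers: List[Router] = TOPOLOGY) -> bool:
    """True if a host on segment `src` can open a TCP connection on `port` to a
    host on segment `dst`. Crossing a router LAN->WAN is always allowed
    (outbound NAT); crossing WAN->LAN needs a port forward for `port`."""
    seen = {src}
    frontier = [src]
    while frontier:
        seg = frontier.pop()
        if seg == dst:
            return True
        for r in routers:
            nxt = None
            if r.lan == seg:
                nxt = r.wan                      # outbound through the router
            elif r.wan == seg and port in r.port_forwards:
                nxt = r.lan                      # inbound only via a forward
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return False


def with_port_forward(router_name: str, port: int,
                      routers: List[Router] = TOPOLOGY) -> List[Router]:
    """Copy of `routers` with `port` forwarded on the named router."""
    return [
        Router(r.name, r.wan, r.lan,
               set(r.port_forwards) | ({port} if r.name == router_name else set()))
        for r in routers
    ]


def isolation_report(port: int = 443,
                     routers: List[Router] = TOPOLOGY) -> Dict[Tuple[str, str], bool]:
    """Which segment can open a connection to which, for every ordered pair."""
    return {(s, d): can_connect(s, d, port, routers)
            for s in SEGMENTS for d in SEGMENTS if s != d}


def iot_isolated_from_internal(routers: List[Router] = TOPOLOGY) -> bool:
    """The property the control is after: IoT devices cannot reach the
    internal LAN on any of a few representative ports."""
    return not any(can_connect("iot_lan", "internal_lan", p, routers)
                   for p in (22, 80, 443, 445, 3389))


if __name__ == "__main__":
    for (s, d), ok in sorted(isolation_report().items()):
        print(f"{s:>12} -> {d:<12} {'allowed' if ok else 'blocked'}")
    # Forwarding a camera's web UI on the IoT router lets the office reach the
    # camera, but still does not let the camera reach the office.
    fwd = with_port_forward("iot", 80)
    print("office -> camera UI:", can_connect("internal_lan", "iot_lan", 80, fwd))
    print("IoT still isolated:", iot_isolated_from_internal(fwd))
```

Running it prints the allow/block matrix: both inner LANs reach the internet, neither inner LAN reaches the other, nothing inbound from the internet reaches either, and the IoT LAN does reach the middle segment, which is why that segment must hold nothing but the inner routers' WAN ports. Forwarding port 80 on the IoT router opens the office-to-camera direction only; forwarding anything on the internal router breaks the property the control exists to enforce.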

