Segmentation Automation Overview and Security in Your Access Network
Security, Security, Security!!!! Some say, “It is not if, but when” you will experience devices infected with malware such as ransomware or bitcoin mining. Opening a file in an email or a link on the web that the Next Generation Firewall (NGFW) or Antivirus (AV) has not detected could infect your machine; the malware then attempts to move laterally within your network, looking for valuable data and high-profile servers to attack. This means it can encrypt all your files for ransom or steal intellectual property.
The best way to lock this down is to dynamically segment your network and utilize your internal segmentation firewall policies to allow only what is required between segments and servers. It is important to have the ability to dynamically shut down switch ports or filter Command and Control (C&C) streams on infected machines while alerting the Security Operations Center (SOC) when something abnormal occurs.
There are also additional, pertinent security tools to consider for a full layered solution. Email security, NGFW, AV, User and Entity Behavior Analytics (UEBA), Security Information and Event Management (SIEM), and Network Access Control (NAC) are just a few.
In the past, segmentation was used to manage broadcast domains such as Virtual LANs (VLANs), or to manage QoS for VoIP, and used VLAN Access Control Lists/Access Control Lists (VACLs/ACLs) to restrict traffic to and from segments in your network. This legacy design required all manual configuration and was difficult to manage and modify. LAN segments were still implemented with multiple device types, such as PCs, printers, IoT devices, etc., in one VLAN to keep broadcast traffic at a manageable level. Using dedicated VLANs for voice and video keeps other broadcast traffic away and allows for the ability to apply or trust a QoS tag or DSCP value.
Today’s world has changed. Segmentation is used more for network security than to isolate broadcast domains. Added to segmentation is the concept of not allowing anyone or anything on your network unless it has been authenticated in some fashion, known as a zero trust model. With the explosion of IoT and BYOD devices, security has become increasingly important. IoT devices are typically headless and not necessarily built with security in mind. Some IoT devices run old, unpatched operating systems and need a different security profile applied to them, compared to enterprise-managed computers that can run updated antivirus and are continuously patched. BYOD (bring your own device) endpoints might not have the latest antivirus or patches for the operating system. Therefore, it is appropriate to either not allow them on your network, or to assign them to an isolated segment. Examples are a segment that only permits access to the internet, or a quarantine VLAN where updates can be applied before allowing network access.
First you need to know what device is connecting – is it a PC, Mac, iPhone, IoT video camera, door lock, medical device (such as an MRI), infusion pump, etc.? It is unlikely every device is known, so a device profiling technique needs to be engaged. Things like DHCP fingerprinting, Nmap, and cloud sourcing are some ways to help identify unknown devices on your network. These are typically part of a Network Access Control (NAC) solution. After pinpointing the device, you can then assign it to a segment with the appropriate security policy, enabling specific behaviors on the network.
Knowing if these devices have the correct updates and antivirus requires the ability to do a posture assessment on every endpoint (PC, Mac, iPad, etc.). It is better to know that the latest AV updates are running, the latest VPN software is loaded, and the latest OS patches are installed. Remediation can be made available to fix any items that need updating, if desired.
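The profiling and posture steps above, as an added example that is not part of the original article or any vendor's NAC product: it parses the option field of a DHCP Discover, matches the parameter request list (option 55) against a small constructed fingerprint table, and then places the endpoint in a segment using the zero trust rules the article describes (unknown devices get internet only, headless IoT is isolated, managed devices that fail or have not reported posture go to quarantine). The fingerprint values and segment names are assumptions made for the example.

```python
from typing import Dict, Optional, Tuple

# Constructed fingerprint table keyed by DHCP option 55 (parameter request
# list). Vendor NAC products ship far larger, continuously updated tables.
FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows-pc",
    (1, 3, 6, 15, 119, 252): "apple-mac",
    (1, 3, 6, 12, 15, 28, 42): "ip-camera",
}
HEADLESS = {"ip-camera"}  # classes that cannot run a posture agent

def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area of a DHCP message (bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option terminates the list
            break
        if code == 0:            # Pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify(payload: bytes) -> str:
    """DHCP fingerprinting: match the parameter request list against the table."""
    prl = tuple(parse_dhcp_options(payload).get(55, b""))
    return FINGERPRINTS.get(prl, "unknown")

def assign_segment(device_class: str, posture_ok: Optional[bool]) -> str:
    """Zero trust placement: nothing reaches the corporate segment unverified."""
    if device_class == "unknown":
        return "guest-internet-only"   # unprofiled: internet access only
    if device_class in HEADLESS:
        return "iot-isolated"          # cannot be patched or run AV: fence it off
    if posture_ok is not True:
        return "quarantine"            # AV/patch check failed or not yet reported
    return "corporate"

def decide(payload: bytes, posture_ok: Optional[bool]) -> Tuple[str, str]:
    cls = classify(payload)
    return cls, assign_segment(cls, posture_ok)

# Constructed DHCP Discover option fields: option 53 (type=1), option 55, end.
WINDOWS_DISCOVER = bytes([53, 1, 1, 55, 14, 1, 3, 6, 15, 31, 33, 43, 44, 46, 47,
                          119, 121, 249, 252, 255])
CAMERA_DISCOVER = bytes([53, 1, 1, 55, 7, 1, 3, 6, 12, 15, 28, 42, 255])
```

In a real deployment the segment name would be pushed to the switch port (for example as a VLAN or policy assignment via RADIUS) by the NAC, and a change in posture would trigger a re-evaluation.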
Let’s look at a few manufacturers’ options:
Cisco Software-Defined Access (SDA) is the latest campus segmentation – securing and automating everything attached to the LAN, WAN, and WLAN. Cisco requires its latest switching and wireless products as the base of this technology, i.e. the Catalyst 9000 series switches and wireless controllers. Along with the network equipment, you will need Identity Services Engine (ISE, the NAC), DNA Center (management), and Firepower firewalls. SD-Access uses the concept of tagging packets with scalable group tags, which are typically derived from AD or LDAP groups, and applying policy to those tags. Essentially the concept of VLANs is gone and this software-defined network is the new fabric.
HPE/Aruba Per User Tunneled Node for Dynamic Segmentation
Aruba leverages its existing security access products, including the wireless controller and ClearPass (NAC), for secure access. Using the same concept as its wireless solution, each user is tunneled back to a centralized controller where policy can be applied, and ClearPass is used for 802.1X authentication. This solution makes sense when you already have an existing Aruba switch and wireless network.
To learn more, visit: https://www.arubanetworks.com/assets/so/SO_Dynamic-Segmentation.pdf
Extreme Networks Fabric with Policy
Extreme Networks uses a more open strategy with a couple of unique ingredients. Extreme Networks’ core infrastructure is based on industry-standard Shortest Path Bridging (SPB), which is a highly secure segmentation capability with over 16 million VLANs available natively. In conjunction with the core SPB fabric, the edge switches have policy available on every port, allowing for “firewall-like” security at the edge. This includes blocking, rate limiting, etc. Policy and VLANs can be applied dynamically via their network management and NAC platform, known as Extreme Management Center (XMC). Another unique feature, which secures critical IoT devices that can’t be secured or patched themselves, is the Defender Adapter.
To learn more, visit: https://www.extremenetworks.com/solution/security/
These are just a few ways that network vendors are enabling segmentation with their products. Keep in mind, there are many ways to segment and secure your wired and wireless network that may be more or less automated depending on your requirements and budget.
For more information, connect with your Nth Account Manager or call 800.548.1883.