Network Segmentation can be Complex, but the Basics are Simple. So what’s the best way to Implement Network Segmentation?
Cloud computing, the consumerization of IT, mobilization, and the explosion of applications are driving us all to use technology in new ways. These trends and innovations make business more competitive, increase productivity and create new global market opportunities. They’ve also dramatically changed the modern enterprise network, pushing the boundaries with regard to throughput and speed. But while network infrastructure continues to evolve to meet the demands of these new requirements, security infrastructure to deliver safe and controlled services has not evolved at the same rate.
Security teams are consistently forced to make trade-offs between what they can and cannot achieve when it comes to monitoring and control over new network services. With little to no visibility and input into new services being delivered, network security becomes, by default, an afterthought. If security continues to be relegated to the position of a bolt-on technology to networking this negative trend will only continue. Network segmentation can provide security teams with the foundation required to protect dynamically changing network infrastructure and services.
Network segmentation can be complex, but the basics are straightforward. Simply put, it is the process of logically grouping network assets, resources, and applications together into compartmentalized areas that have no trust of each other.
When looking to introduce network segmentation there are some key requirements to take into consideration:
• Gain visibility of traffic, users and assets
• Protect communications and resources on both inbound and outbound requests
• Implement granular controls on traffic, users and assets
• Set a default deny policy on all inter-segment connections
So what is the best way to implement network segmentation to more securely deliver new services?
Any approach of network segmentation should follow the following four steps and focus on only a single segment at a time. Begin with areas that are simpler to segment away from the wider network, such as development or test areas. Pick the lowest hanging fruit first and learn lessons on the way to the more complex areas.
Step 1) Gain Visibility
If you don’t understand the traffic profile for a proposed segment with regard to inbound and outbound communications, then any access controls you implement will fail. You must understand how the network you want to segment is actually used. Expect to find a disconnect between what you may believe is occurring and what, in fact, is occurring.
Step 2) Protect Communications and Resources on Both Inbound and Outbound Requests
Security is your primary goal. If you have no ability to exert protection of resources within a segment your goal will not be met. Simple access controls between segments is not enough, you need the ability to rapidly remediate any detected threat.
Step 3) Implement Granular Controls on Traffic, Users and Assets
All data entering and leaving a segment should be controlled. You have already implemented protection (in the previous step), so you know that any communication that enters or leaves the segment has had a level of security protection applied to it. Now you can implement your organization’s communication policy with granular access controls. Even though you should have a good level of understanding of the communications that take place with the segment from the outside (achieved in step 1), these controls should be implemented in a two-step process: detective controls, followed by preventative controls. By beginning with a default-allow control you can establish a baseline for identifying and investigating unexpected traffic.
Step 4) Set a Default Deny on all Inter-Segment Communications
Now that you’ve achieved visibility, communications are protected, and you’ve implemented an access policy in a default-allow state, it’s time for the last step. Move to a default-deny security posture for all inter-segment traffic. Only when a default-deny policy is in place is the segment successfully separated from the rest of the network and able to operate as its own logical unit.
Implementing the first few segments in a large network will be a daunting task, but the long-term reward of limiting the scope of a compromise by compartmentalizing each segment and putting controls in place is well worth it.
Technology innovations that drive business value will continue to push network scope, scale and performance. We need to be prepared with an approach to security that gives us the visibility, understanding and control to protect our modern, dynamic networks.
