Traditionally, the foundation of enterprise network security has been a perimeter firewall behind an organization’s Internet gateway, or a pair of firewalls enclosing a demilitarized zone (DMZ), which offers an isolated environment between a completely trusted enterprise network and an untrusted external network. However, merely characterizing the entire enterprise network as ‘trusted’ and treating it as ‘flat’ (i.e. as a single segment) creates an environment in which an attacker needs only a single successful network attack to achieve broad access across the whole enterprise. A flat network also permits an attacker to move among network devices and applications with minimal impediment and little likelihood of exposure.
Traditional flat network architectures have become a danger to organizations confronting present-day security threats, a problem further exacerbated by the increase in telecommuting and BYOD. Attackers increasingly use “social engineering”, in which users are manipulated into revealing confidential information, and various other electronic communication scams (“phishing”) to breach the enterprise network.
In light of this, it is critical for organizations to segment enterprise networks and partition confidential information, computing systems and enterprise applications from the environments users rely on to access untrusted services such as email and web-based applications.
Network Segmentation Implementation Approaches
The common way to implement network segmentation has been to use network devices such as firewalls and switches to limit traffic between network zones. For example, access control lists (ACLs) can be configured on network firewalls to specifically delineate the types of traffic permitted to pass between hosts or users in different network zones, as well as to list specific traffic types, hosts, and users that are expressly prohibited.
A virtual local area network (VLAN) is a Layer 2 (L2) technology built into network switches that enables partitioning and isolation within a computer network. Network segmentation using VLANs creates a collection of isolated networks within the enterprise network, with each VLAN being a separate broadcast domain. When correctly designed, VLAN-based network segmentation substantially restricts unauthorized access to network resources, as users can only reach the applications, servers and other network resources needed to perform their daily tasks.
Security Benefits of Network Segmentation
Network segmentation consists of dividing the enterprise network into specific segments created by categorizing common user or device types. As a result, segmentation significantly reduces attack surfaces, as network access is limited to those IT resources required by each user or device category to perform its job functions.
Network segmentation limits the spread of malware or malicious actors if or when a PC or server is compromised. With network segmentation, the cyber attacker is confined to a restricted part of the network, diminishing the prospects of accessing sensitive information or resources. Network segmentation is a major element of an enterprise’s cybersecurity defense architecture and requires collaboration among IT and business leadership in order to be adopted end-to-end across an organization.
Network segmentation can enable notable improvements in enterprise vulnerability posture, as it significantly decreases the risks and impact of network attacks. Specifically, by undertaking the practical step of deploying network segmentation, enterprises can diminish business disruption and gain advantages such as contained exposure following an attack and reduced productivity loss, remediation costs, and damage to corporate image from actual loss of financial and personal identification data.
As part of a comprehensive security architecture, network segmentation enables enterprises not only to survive attacks but also to curtail or even thwart them, which, taken together, permits a speedy return to business as usual.
Micro-segmentation Overview and Challenges
While the focus of network segmentation is on policy-based security between network zones, micro-segmentation secures traffic between applications and services in the same network zone. Micro-segmentation is a fine-grained approach and is particularly relevant to multi-tenant environments where multiple applications can be running on a single physical server instance.
Service- or application-based micro-segmentation is often applied through the configuration of software firewalls and software-defined networks, such as the overlay networks used by hypervisors and container orchestrators. Similar to network segmentation, micro-segmentation is based on security policies which only permit service-to-service communication where there is a clear-cut intent to allow such traffic.
Micro-segmentation can be utilized in cloud-based environments using containers, virtual machines, microservices, and serverless architectures and, thus, appeals in particular to security-conscious companies that deliver cloud-based services.
While there is a clear understanding of the benefits of micro-segmentation, unfortunately, deployment of this capability is typically fraught with difficulty. Specifically, without deep visibility into intra-enterprise network traffic, efforts to implement micro-segmentation are only marginally successful. IT managers often run the risk of over-segmentation, or of under-segmentation that leaves the network flat with too few zones. In the extreme case of over-segmentation you are building a fence around every car rather than around the car park, making security more difficult to manage while providing no real value. IT staff trying to address this requirement must rely on manual analysis, traffic collection, and mapping processes. Most such efforts lack workflow-level visibility and essential contextual data. The capability to map out application workflows at a fine-grained level is necessary to identify logical groupings of applications for micro-segmentation purposes.
Furthermore, manual approaches to gaining workflow-level visibility do not effectively limit attack surfaces in dynamic hybrid cloud infrastructures where VM- and container-based workloads are communicating and often migrating across micro-segments. Automatic workload scaling is one of the key capabilities of the hybrid cloud landscape. Additionally, built-in intelligence to apply policies to workloads as they dynamically start and stop is vital. Effective micro-segmentation must strike a balance between application protection and business agility, delivering strong security without disrupting business-critical applications.
Network Segmentation/Micro-Segmentation Using Niagara Networks Packet Brokers
Network Packet Brokers (NPBs) from Niagara Networks provide full visibility into traffic flows within enterprise and cloud data centers for bare-metal, VM-based, and containerized workflows. Niagara Networks’ solution enhances segmented networks with complementary monitoring and security, allowing in-line and out-of-band tools such as network firewalls, intrusion detection, and APM systems to be directly connected to the visibility platform, which forwards the aggregated flows to these tools on a policy basis.
Niagara Networks’ NPB systems can use the IPFIX or NetFlow protocols to export network flow information to security and performance monitoring “flow collector” systems, which can monitor network access policies for compliance and detect any unauthorized transactions occurring between the segments of the network.
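As an added illustration of both the zone ACL policy described above and the compliance check a flow collector can run over exported NetFlow/IPFIX records (example code, not Niagara Networks’ software; the segment CIDRs, the allowlist, the export format and the flow records are all constructed assumptions), the following script flags every inter-segment flow that has no explicit allow rule, including flows from addresses outside any known segment:

```python
import ipaddress
from collections import namedtuple
# Constructed example segments; the CIDRs are assumptions, not from any real deployment.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "web": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}
# Default-deny allowlist of intended inter-segment traffic: (src, dst, proto, dst_port).
ALLOW = {
    ("users", "web", "tcp", 443),
    ("web", "db", "tcp", 5432),
    ("mgmt", "web", "tcp", 22),
    ("mgmt", "db", "tcp", 22),
}
Flow = namedtuple("Flow", "src dst proto dport packets")

def segment_of(ip):
    """Map an address to its segment; anything outside every segment is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "unknown")

def parse_flow(line):
    """Parse one record of the constructed export format: src,dst,proto,dport,packets."""
    src, dst, proto, dport, packets = line.strip().split(",")
    return Flow(src, dst, proto.lower(), int(dport), int(packets))

def audit(lines):
    """Return (src_segment, dst_segment, flow) for each cross-segment flow not in ALLOW."""
    violations = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        s, d = segment_of(f.src), segment_of(f.dst)
        if s == d and s != "unknown":
            continue  # intra-segment traffic is outside the zone ACL's scope
        if (s, d, f.proto, f.dport) not in ALLOW:
            violations.append((s, d, f))
    return violations

# Constructed flow records (not real collector output): src,dst,proto,dport,packets
SAMPLE = """10.10.4.21,10.20.0.5,tcp,443,120
10.20.0.5,10.30.0.9,tcp,5432,88
10.10.4.21,10.30.0.9,tcp,5432,3
10.10.7.3,10.20.0.5,tcp,22,9
192.0.2.44,10.30.0.9,tcp,5432,1
10.10.4.21,10.10.4.22,tcp,445,40"""
```

Calling `audit(SAMPLE.splitlines())` returns the flows that cross a segment boundary without an allow rule; each is a candidate alert for the flow collector, while the intra-segment SMB flow on the last line is left to micro-segmentation policy.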
Niagara NPBs also enable dynamic network visibility into virtualized network infrastructure required for planning and deploying network micro-segmentation. Virtual TAPs monitoring east-west traffic between VMs as well as containers running on one or more physical servers in the data center or public cloud services seamlessly forward traffic to Niagara NPBs.
Deploying Niagara NPBs provides visibility into security issues within hybrid cloud networks, enabling deeper analysis through selective forwarding of such network traffic to specific monitoring, performance management and security tools.
Moreover, Niagara’s NPBs can be used as robust, high-performance, low-latency L2, L3 and L4 ACL enforcement points, cost-effectively segmenting your network.
If you want to learn more about maximizing visibility to enable optimum network segmentation for your enterprise and hybrid cloud networks, speak with our network visibility consultants.