New: ESG Technical Validation: One-Click Segmentation. Download now!
 
 

Network Segmentation Issues and Opportunities

Data centers today are sprawling, highly complex, interconnected behemoths. In a large enterprise, managing just one, on-premises data center could prove challenging, but the reality is that most organizations have to contend with multi-environment data centers comprised of internal on-premises, virtual, and cloud. Wherever the network is hosted, the fact remains that organizations must implement segmentation to manage security, compliance, performance, and more. Virtual local area networks (VLANs) were invented for this purpose—to separate subnets and create distinct zones within networks that help achieve the above manageability goals. However, using VLANs to segment a network is a big operational task and can result in negative consequences if the segments are not configured properly or if adequate security controls do not accompany each segment.

The divider and the protector

Using VLANs to organize and/or cordon off parts of the network comes with some major benefits. For one thing, networking teams can achieve logical separation of the network without investing in new hardware (if the data center is on-premises) or spinning up new hosts. With fewer hosts per subnet to manage, network performance and monitoring improves. Plus, a VLAN is an opportunistic place to attach network- or host-based firewalls. Doing so means network and security teams can control what traffic flows in, out, and between zones on the network, which is useful for protecting against compromise as well as meeting compliance and audit mandates. The one-two punch of a VLAN with a firewall provides demonstrable attention to data segregation and gives organizations a better chance of limiting the blast radius when a network compromise occurs. For instance, a corporation’s guest network traffic should almost never have reason to access the finance department’s data, or HIPAA data shouldn’t be accessible by marketing applications. Setting up a VLAN creates the mandatory boundaries between collections of sensitive network data/applications/traffic, and attaching a firewall means data/apps/traffic are protected from extra-segment threats.

For years organizations have been using VLANs and overlaying firewalls as a way to organize and secure networks. It’s still a solid approach to controlling north-south/inside vs. outside traffic flow. Nonetheless, the VLAN+firewall method is accompanied by some major drawbacks that have resulted in organizations abandoning major network segmentation or microsegmentation projects, or simply leaving an “any to any” policy set due to the complexity of maintaining rules in a dynamic environment. Lack of segmentation and overly permissive controls, in turn, have facilitated some of the noisiest network compromises to-date including Target, Equifax, Anthem, etc. These and other attacks could have been prevented from propagating if properly secured network segmentation had been in place.


Download our free eBook, Achieving Zero Trust Security  in your Cloud, today!


The reluctance to take on a massive segmentation project is to be expected. To start, planning for such a project requires organizations to know and understand all of the assets communicating on each of their networks. Next, they have to determine what boundaries or zones make sense based on business and/or compliance needs. Then they have to begin the actual work of implementing VLANs. The potential for misconfiguring a VLAN during implementation is high due to the complexity of today’s network architectures, especially those in cloud or virtual environments where the user organization does not own and often cannot alter the infrastructure on which the network is administered. This runs parallel to the problems with implementing firewalls in modern data centers. According to Security Metrics, approximately 52% of firewalls were configured improperly in 2017, exposing organizations to a high risk of exploit.

Unfortunately, configurations aren’t the only problem organizations encounter when trying to segment the network with VLANs and secure the segments with firewalls. Both VLANS and firewalls traditionally use address-based network paths to facilitate communication between hosts, servers, or applications. In modern networking environments, though (especially virtual and cloud networks), where network traffic is coming from or going to cannot adequately determine whether that traffic should be allowed into a segment. Additionally, the possibility of address tampering (e.g., address resolution protocol attacks, MAC attacks) could result in malicious activity on traffic that is already inside a segment.

Unbundling the operational nightmare

From a governance perspective, setting up and managing VLANs and firewalls in a modern network is an operational nightmare. Addresses change constantly, users don’t use one device from one location consistently, critical business applications are added to the network (seemingly) at the speed of light… All of this equates to ongoing manual policy definition, review, change, and exception handling. Furthermore, the aforementioned business-critical applications cannot withstand the downtime associated with changing segments and adding permissions. And if there is one thing network admins can be sure of, it’s that both the network and the applications that communicate on it will change. Even with automation, the amount of work required to implement segmentation and manage firewall rules is enormous—and a main contributing factor to abandoning segmentation projects which leave the network flat and exposed to threats.

Here at Edgewise, we’re firm believers in segmentation. What we can’t get behind, however, is the complexity and operational overhead attached to creating segments based on the ephemeral network information associated with cloud and virtual networking. Our technology allows organizations to achieve securing zoning based on the cryptographic identity of applications and services communicating rather than network infrastructure. Using application identity as the control point for decision making means that the environment can change (as networks are wont to do) and protection remains. Further, Edgewise decreases the implementation and management burden of network segmentation/microsegmentation with machine-learned policies that can be automatically applied and which automatically adapt even when network constructs change. No more manual rule creation, tuning, or exception handling, yet the same level of assurance that the organization will meet security, compliance, and audit requirements.

 

Katherine Teitler, Director of Content

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.