The reluctance to take on a massive segmentation project is understandable. To start, planning for such a project requires organizations to know and understand every asset communicating on each of their networks. Next, they have to determine which boundaries or zones make sense based on business and/or compliance needs. Only then can the actual work of implementing VLANs begin. The potential for misconfiguring a VLAN during implementation is high given the complexity of today's network architectures, especially in cloud or virtual environments where the user organization does not own, and often cannot alter, the infrastructure on which the network is administered. This parallels the problems with implementing firewalls in modern data centers: according to Security Metrics, approximately 52% of firewalls were configured improperly in 2017, exposing organizations to a high risk of exploitation.
Unfortunately, configuration isn't the only problem organizations encounter when trying to segment the network with VLANs and secure the segments with firewalls. Both VLANs and firewalls traditionally decide on the basis of network addresses (IP addresses, MAC addresses, ports, VLAN tags) whether hosts, servers, or applications may communicate. In modern networking environments, though (especially virtual and cloud networks), where traffic is coming from or going to is not sufficient to determine whether that traffic should be allowed into a segment. Additionally, addresses can be tampered with (e.g., ARP spoofing or MAC address spoofing), so an attacker who has already gained a foothold inside a segment can impersonate a permitted host, and address-based controls will pass the malicious traffic as if it were legitimate.
Unbundling the operational nightmare
From a governance perspective, setting up and managing VLANs and firewalls in a modern network is an operational nightmare. Addresses change constantly, users do not consistently use one device from one location, and critical business applications are added to the network at (seemingly) the speed of light. All of this equates to ongoing manual policy definition, review, change, and exception handling. Furthermore, the aforementioned business-critical applications cannot withstand the downtime associated with changing segments and adding permissions. And if there is one thing network admins can be sure of, it's that both the network and the applications that communicate on it will change. Even with automation, the amount of work required to implement segmentation and manage firewall rules is enormous, and it is a main contributing factor in the abandonment of segmentation projects, which leaves the network flat and exposed to threats.
Here at Edgewise, we're firm believers in segmentation. What we can't get behind, however, is the complexity and operational overhead attached to creating segments based on the ephemeral network information associated with cloud and virtual networking. Our technology allows organizations to achieve secure zoning based on the cryptographic identity of the applications and services communicating, rather than on network addresses and infrastructure. Using application identity as the control point for decision making means that the environment can change (as networks are wont to do) and protection remains. Further, Edgewise decreases the implementation and management burden of network segmentation/microsegmentation with machine-learned policies that can be automatically applied and which automatically adapt even when network constructs change. No more manual rule creation, tuning, or exception handling, yet the same level of assurance that the organization will meet security, compliance, and audit requirements.
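The two failure modes described above (an address-based rule that still matches after the source address is spoofed, and an address-based rule that breaks when a legitimate workload moves) can be shown side by side with a small policy-decision model. This is an added illustration, not Edgewise's code or product logic: the rule tables, IP addresses, workload names and keys are all constructed, and an HMAC over the flow tuple stands in for the workload certificate and handshake that a real identity-based control (for example, mutual TLS) would use.

```python
"""Address-based vs identity-based segmentation decisions (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed address-based rule, as a VLAN ACL or stateful firewall holds it:
# keyed on (source IP, destination IP, destination port).
ADDRESS_RULES = {
    ("10.1.1.10", "10.1.2.20", 5432): "allow",   # web-frontend -> postgres
}

# Constructed identity-based rule for the same relationship: keyed on *who* is
# talking, not on *where* the packets come from.
IDENTITY_RULES = {
    ("web-frontend", "postgres", 5432): "allow",
}

# Per-workload secrets (assumption: stand-ins for the private key behind a
# workload certificate). Only the genuine workload holds its key, so spoofing
# an address does not let an attacker produce a valid proof of identity.
WORKLOAD_KEYS = {
    "web-frontend": b"constructed-frontend-key",
    "postgres": b"constructed-postgres-key",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    claimed_identity: str   # identity the client asserts
    proof: bytes            # HMAC over the flow tuple made with the client's key


def flow_tuple(src_ip: str, dst_ip: str, dst_port: int) -> bytes:
    return f"{src_ip}|{dst_ip}|{dst_port}".encode()


def prove_flow(key: bytes, src_ip: str, dst_ip: str, dst_port: int) -> bytes:
    """Client side: bind the workload's key to this specific connection.
    A real handshake also binds a fresh nonce/session so a captured proof
    cannot be replayed; that is omitted here to stay in the standard library."""
    return hmac.new(key, flow_tuple(src_ip, dst_ip, dst_port), hashlib.sha256).digest()


def address_decision(flow: Flow) -> str:
    """VLAN/firewall style: trust the packet header and look up the rule."""
    return ADDRESS_RULES.get((flow.src_ip, flow.dst_ip, flow.dst_port), "deny")


def identity_decision(flow: Flow, server_identity: str = "postgres") -> str:
    """Identity style: verify the claimed identity first, then look up the rule.
    server_identity is what the enforcement point knows itself to be."""
    key = WORKLOAD_KEYS.get(flow.claimed_identity)
    if key is None:
        return "deny"                                   # unknown workload
    expected = prove_flow(key, flow.src_ip, flow.dst_ip, flow.dst_port)
    if not hmac.compare_digest(expected, flow.proof):
        return "deny"                                   # identity not proven
    return IDENTITY_RULES.get(
        (flow.claimed_identity, server_identity, flow.dst_port), "deny")


def scenarios() -> dict:
    """Three constructed flows; returns (address decision, identity decision)."""
    fk = WORKLOAD_KEYS["web-frontend"]
    # 1. Genuine frontend at the address the ACL expects.
    legit = Flow("10.1.1.10", "10.1.2.20", 5432, "web-frontend",
                 prove_flow(fk, "10.1.1.10", "10.1.2.20", 5432))
    # 2. Attacker inside the segment spoofs the frontend's source IP (ARP/MAC
    #    spoofing gets the packets delivered) but does not hold the frontend key.
    spoofed = Flow("10.1.1.10", "10.1.2.20", 5432, "web-frontend",
                   prove_flow(b"attacker-guess", "10.1.1.10", "10.1.2.20", 5432))
    # 3. Genuine frontend rescheduled to a new address after a deploy/autoscale;
    #    nobody updated the ACL.
    moved = Flow("10.1.5.7", "10.1.2.20", 5432, "web-frontend",
                 prove_flow(fk, "10.1.5.7", "10.1.2.20", 5432))
    return {
        "legit": (address_decision(legit), identity_decision(legit)),
        "spoofed": (address_decision(spoofed), identity_decision(spoofed)),
        "moved": (address_decision(moved), identity_decision(moved)),
    }


if __name__ == "__main__":
    for name, (addr, ident) in scenarios().items():
        print(f"{name:8s} address-based={addr:5s} identity-based={ident}")
```

The spoofed flow is allowed by the address rule and denied by the identity rule; the moved flow is the mirror image, denied by the stale address rule and allowed by the identity rule because the workload's key, not its address, is what the policy is written against. The one place the model is weaker than a real deployment is replay: because the proof covers only the flow tuple, a captured proof could be reused, which is why production identity-based controls bind the identity to a live handshake rather than to a static token.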