An Exploration of End-to-End Network Segmentation—Part I: Hyper-Segmentation

More than 90% of businesses say they have some sort of cybersecurity framework in place, but here’s the truth: a network security strategy will never be effective if a company’s underlying architecture isn’t what it needs to be. Traditional, hierarchical, client-server architecture is simply not built to support today’s next-generation network, or protect against the increased risk of exposure inherent in it (this is something I recently blogged about for the Huffington Post). This is like riding a horse and buggy down the freeway and expecting life-saving crash protection.

Cue the thousands of solution providers vying for market share, all selling the concept of failsafe network security. But let’s be honest: any provider that claims to offer foolproof security is only fooling you. Considering today’s rapid pace of innovation, we’ll hopefully see this day soon. Until then, not even the best provider can absolutely guarantee network security 24×7.

There are, however, a few ways to safeguard your organization with a (near) impenetrable network that significantly minimizes security risks and reduces exposure. It all comes down to the technology you use and from whom you get that technology. At Avaya, we believe companies need to take a foundational approach to network security by implementing an end-to-end segmentation solution that inherently protects from the inside out. This approach consists of three core capabilities:

  • Hyper-Segmentation: The ability to create stealth segments that span the entire network.
  • Native Stealth: The characteristic of a hyper-segment that’s invisible to hackers.
  • Automated Elasticity: Extending and retracting hyper-segment access automatically.

The way we see it (a view endorsed by many cybersecurity experts), end-to-end segmentation is the holy grail of network security today. This critical level of protection should be as simple as safety is for a driver getting behind the wheel. All companies need to do is buckle up and enjoy the ride.

At Avaya, our goal is always the same: equip business leaders with the necessary skills, knowledge and know-how to do what’s ultimately best for their organizations. For IT leaders contemplating a better way to protect their networks, I’ve put together a three-part series that pulls back the veil on our all-new end-to-end segmentation solution and its core capabilities of hyper-segmentation, stealth and elasticity.

Ready to join me? If so, let’s kick things off by exploring the incredible concept of hyper-segmentation.

Out with the Old

A classic segmentation method, in which virtual local area networks (VLANs) are created, is one that companies have been using for 20+ years. This method involves isolating segments in order to maximize quality of service, ensuring one type of traffic doesn’t impact the other. In this case, each segment carries different traffic types that require different characteristics to deliver the desired quality of experience.

For example, one segment may carry real-time voice traffic while another would carry best-effort data traffic such as web browsing. This approach sounds simple, but there’s one big problem: as organizations grow, so too must their segments. This creates high levels of complexity and increases the risk of failure, as VLANs are subject to loops created by human error and must learn about each node that physically joins the virtual network.

So, these segments must inevitably grow in order to meet evolving network and application needs. As they do, they become increasingly difficult to troubleshoot and manage, leading to greater network strain and performance issues. At this point, a company’s only resolution is to create more, smaller segments, which simply introduces more complexity into their already intricate network environments.

All the while, these network segments aren’t truly isolated from one another; rather, they’re communicating extensively when IP services are enabled. These are known as Layer 2 virtualized networks. To make matters worse, Layer 3 virtualization is also typically required when IP services need to be isolated from one another. Think of two departments or two tenants wanting to share a common networking infrastructure. At that point, the concept of VRF (Virtual Routing and Forwarding) needs to be introduced. Once again, each node participating in this Layer 3 virtualized network must be configured.

Hence, end-to-end segmentation is achieved by performing complex nodal configuration. Not very scalable when you think about it, yet it does work! Add to this other services such as multicast and you now have a fragile house of cards to deal with, as all these layers are interdependent. Because of this interdependency, the stack can (and will) collapse if just one layer is affected (think of how easy it is to knock down a house of cards with just a flick of the finger). Each layer depends on the others to keep the stack running and secure. For businesses relying on legacy architecture, this setup of multiple interdependent protocol layers can lead to tragic outcomes if even just one segment is affected.

This is exactly what happened with the infamous 2013 Target breach. An HVAC vendor, external to Target, had authorized access to service the HVAC system. As the network was statically configured using VLANs, hackers were able to get into that HVAC virtual segment. But rather than being contained there (we’ll get to that shortly), they broke out of the HVAC segment and into the segment that hosted credit card data. So you see, in this environment, the inherent lack of security at Layer 2 (e.g., the HVAC segment) negatively impacted other layers — including the mission-critical apps that resided in them. Safe to say this is not the business outcome you want.

The goal, then, is to greatly simplify the way segmentation can be achieved. I guess you could say, let’s manage less and, in doing so, better converge, sustain and control the network. Right? Well, sort of. This “less is more” approach can also lead to network complexities. Hear me out: fewer segments to manage means greater risk in terms of network performance and outages. Without a certain level of segment isolation, one misbehaving device, human error or system glitch can create instability to the entire network. In other words, you should be cautious about putting all of your eggs in one basket (one huge virtual segment).

Are there any other options? Well, MPLS was designed to deliver what many considered “true” end-to-end virtualization. However, does it really deliver what companies need? It’s true that MPLS does offer end-to-end virtualization, but it’s still based on a restrictive nodal labeling methodology with even more layers of protocols. Obviously, end users don’t notice this, as the complexity is expertly masked by providers or IT using highly sophisticated provisioning tools. These tools allow them to quickly deploy an end-to-end virtualized network while hiding all backend complexity. It’s a powerful and scalable solution, yet in the end it is built on a similar and, unfortunately, more complex foundation.

In with the New

Now I want to clarify that there’s nothing necessarily wrong with MPLS. Many large organizations still run on an MPLS model they deployed long ago. This is fine if you have the skill set and have made the investment in provisioning tools. What businesses are beginning to realize, however, is that they need to better support the dynamic changes happening not just within the data center, but where all data is consumed by mobile users and other devices. Nothing is static anymore. They must be able to add new services on the fly, make changes to existing services within minutes and build new network segments on demand across the entire enterprise. Remember, end users and IoT devices don’t sit in the data center!

You simply can’t deny that today’s business environment looks drastically different than it did 20+ years ago. So, why would we still rely on legacy segmentation methods from that period? The only way to flexibly and securely meet today’s network needs is to deploy a solution that eliminates nodal configuration and yet achieves true segmentation. Hyper-segmentation does just this by using the concept of end-to-end Virtual Services Networks (VSNs). This enables businesses to provision their networks only at specific points of service. In other words, where the service is offered and where the service is being consumed by end users or device(s). That’s it! The core becomes an automated and intelligent virtualized transport.

By eliminating nodal configuration, companies are able to drastically reduce complexity and create hundreds—even thousands—of agile and secure virtual segments that are completely isolated from one another (meaning no communication by default). This allows companies to decide if they want to establish communication between segments, versus having to prevent it. With hyper-segmentation, segments can be quickly created (and easily provisioned) without the need for time-consuming or error-prone network nodal configurations.

This result is achieved because of the technology’s ability to isolate segments by default on one secure, converged network. This transforms network protection by allowing security tools to focus on performing the specific functions they’re implemented for, versus having to serve as a barrier between segments to prevent chatter. In this way, hyper-segmentation allows companies to gain maximum transparency into how their networks are behaving in order to quickly prevent, identify and mitigate security incidents.

Remember Target? With hyper-segmentation, the hackers would have been contained to the HVAC segment (in other words, isolated there). All other segments would have been invisible (natively stealth) to them. It doesn’t matter how skilled the hackers are. You can’t hack what you can’t see.

In this new world, multilayer protocols exist only because we must maintain backwards interoperability with the legacy model, but new virtualized services can be delivered with just one protocol. No more house of cards, unless you absolutely need it!

Now if your company depends on MPLS, you may be thinking, “Where does this leave me?” Here’s my advice: leave your MPLS network environment as static as possible so you can embrace the dynamic configuration of hyper-segmentation and leverage its strength of provisioning at the point of service only. In doing so, you’ll benefit from some of the next-generation segmentation technology without having to forklift your current investment, as hyper-segments can now traverse any IP WAN solution, including IP MPLS or SD-WAN solutions from vendors such as FatPipe. In the end, it’s now up to you to decide how you want to implement end-to-end hyper-segmentation. No more dependency on the service providers to configure and extend a service (VLAN, VRF, DC interconnect, etc.) across the WAN … you now control your own destiny!

Now on to the next question: what role does native stealth play in end-to-end segmentation? Learn more in Part II next week.


Related Articles:

How Wi-Fi Location-Based Services Can Step Up Your Public Safety Game

My first job out of college was working on Sonar Systems for the U.S. Navy. Modern sonar systems passively listen in the ocean to identify targets by the sounds they make. To the Sonar System everything is a target. Targets are classified as unknown, hostile or friendly. Target classification is determined by noise signatures, behavior, heuristics, etc.

Wi-Fi location-based solutions provide similar capabilities to a sonar system. As part of normal operations, a mobile device will probe the network looking for Wireless Access Points (WAPs). Probing helps the device identify and acquire service from the WLAN. When the device is connected to the network, it continues to probe, enabling the device to roam effectively between WAPs. Essentially, Wi-Fi-enabled devices are projecting energy into the air, similar to a ship projecting sound into the ocean.

WAPs listen and respond to the probe messages as part of service delivery. Listening also provides a mechanism to track these devices. A Wi-Fi device probe message includes the Media Access Control (MAC) address of the device, a globally unique identifier. Since most devices probe the network several times a minute, it’s possible to identify the location of a device every few seconds. Therefore, a Wi-Fi location-based solution can identify the location of every wireless device in range of the WLAN.

Wi-Fi location-based services are usually discussed in the realm of suppliers trying to improve customer engagement. However, as Avaya Chief Technologist of SDA Jean Turgeon points out in his recent blog on public safety, there’s an epidemic of man-created tragedies, where people are targeted for harm by other people. Providing safety for the public when a member of the public wants to harm other members of the public is a tough task. Finding a potential antagonist in the crowd is similar to finding the potentially hostile ship in the ocean of ships. Wi-Fi Location-Based Services (WLBS) offer an additional data set that can be used to help identify potential hostiles, and help first responders identify where the friendlies are located.

WLBS uses the signals received by multiple WAPs to triangulate the location of the probing device. In the Avaya solution, performing WLBS is as simple as telling the WAPs to send distance information to an Avaya Breeze™ snap-in that performs the calculation.

Wi-Fi Location-Based Services

The triangulation process provides the ability to identify all of the targets in the WLAN ocean. The next step is to sort the targets. However, rather than classifying as friendly or hostile, the first objective is to sort out known from unknown device owners. Device ownership can be determined in a number of ways, for instance:

  • Connections to the corporate network: Employees, contractors, etc. who provide credentials to access the corporate network will have device ownership uniquely identified. Though a single employee may have multiple devices (laptop, phone, tablet) identified to their persona at one time, a device will have a single owner.
  • Device-resident apps, such as loyalty apps: Apps that provide coupons, track transaction points, etc. can be set up to identify the owner when the app connects to the network.
  • Uniquely identifiable splash page logins: Gaining access to a guest network often requires acknowledging appropriate usage parameters on a splash page. The splash page can be set up to require uniquely identifiable information, such as an email address, to gain access.

Therefore, it’s possible to have uniquely identifiable information about the owner of every device that’s connected to your WLAN. Devices that aren’t connected to the network would have unknown owners. However, if the solution maintains a historical database, it may be possible to classify a device if the MAC address has ever been associated with an owner. The current owner may not be the same as the historical one, but it’s a starting point.

Now that a mechanism to identify device owners has been established, rules for addressing unknown devices can be generated. The easiest to visualize is the guest-out-of-bounds rule. Most public buildings (civil center, library, court house, school, etc.) consist of areas that are open to the public and areas that are restricted to certain personnel.

When a non-employee’s device is detected in a restricted area, WLBS raises an alert to be processed upstream. For instance, the feed from the CCTV camera covering the area identified by WLBS could be directed to the security guard’s computer monitor. The security guard could find the closest member of the security team by looking at a dynamic floor plan display with indicators showing the location of all security personnel (based on their known devices). A message could be sent to the closest security person to go to the area and perform a credential check. As the non-employee moves through the area, their position would be updated by the WLBS solution to continue tracking the individual. The CCTV and WLBS displays could be routed to the mobile security guard to provide current situational information.
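The workflow above (WAPs report a distance to a probing MAC, a central function trilaterates the position, the owner is looked up, and the guest-out-of-bounds rule raises an alert) as an added example that is not Avaya’s code: the floor plan, restricted zone, owner table and probe reports are constructed sample data, and the locally-administered-MAC check is a caveat added here that the post does not discuss.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float]

# Constructed floor plan: access point name -> (x, y) in metres.
ACCESS_POINTS: Dict[str, Point] = {
    "ap-lobby": (0.0, 0.0),
    "ap-east": (30.0, 0.0),
    "ap-north": (0.0, 20.0),
}

# Constructed restricted zones: name -> (x_min, y_min, x_max, y_max).
RESTRICTED_ZONES = {"server-room": (20.0, 12.0, 30.0, 20.0)}

# Constructed owner table, as learned from 802.1X logins, loyalty apps or
# splash-page registrations; the persona prefix records the role.
KNOWN_OWNERS: Dict[str, str] = {
    "00:11:22:33:44:55": "employee:alice",
    "f0:18:98:aa:bb:cc": "guest:bob",
}


@dataclass(frozen=True)
class DistanceReport:
    ap: str
    mac: str
    distance_m: float


def trilaterate(reports: List[DistanceReport]) -> Optional[Point]:
    """Least-squares position from three or more AP distance reports.

    Subtracting the first circle equation (x-xi)^2 + (y-yi)^2 = di^2 from
    each other one linearises the problem to A p = b, which the 2x2 normal
    equations then solve directly.
    """
    if len(reports) < 3:
        return None
    (x0, y0), d0 = ACCESS_POINTS[reports[0].ap], reports[0].distance_m
    rows = []
    for r in reports[1:]:
        (xi, yi), di = ACCESS_POINTS[r.ap], r.distance_m
        a1, a2 = 2.0 * (x0 - xi), 2.0 * (y0 - yi)
        rows.append((a1, a2, di**2 - d0**2 - xi**2 - yi**2 + x0**2 + y0**2))
    s11 = sum(a1 * a1 for a1, _, _ in rows)
    s12 = sum(a1 * a2 for a1, a2, _ in rows)
    s22 = sum(a2 * a2 for _, a2, _ in rows)
    t1 = sum(a1 * b for a1, _, b in rows)
    t2 = sum(a2 * b for _, a2, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        return None  # collinear APs: no unique 2-D solution
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def zone_of(point: Point) -> Optional[str]:
    """Name of the restricted zone containing `point`, if any."""
    x, y = point
    for name, (x_min, y_min, x_max, y_max) in RESTRICTED_ZONES.items():
        if x_min <= x <= x_max and y_min <= y <= y_max:
            return name
    return None


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet marks a locally administered (typically
    randomised) MAC, so an owner lookup keyed on it is unreliable. This
    caveat is added here; the post treats the MAC as a fixed identifier."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def classify_owner(mac: str) -> str:
    """Owner persona for a MAC, or 'unknown' for unregistered or randomised ones."""
    mac = mac.lower()
    return "unknown" if is_locally_administered(mac) else KNOWN_OWNERS.get(mac, "unknown")


def guest_out_of_bounds(reports: List[DistanceReport]) -> Optional[dict]:
    """Alert record when a non-employee device is located inside a restricted
    zone, otherwise None. All reports must concern one MAC address."""
    macs = {r.mac.lower() for r in reports}
    if len(macs) != 1:
        raise ValueError("reports must all belong to one MAC address")
    mac = macs.pop()
    position = trilaterate(reports)
    if position is None:
        return None
    zone, owner = zone_of(position), classify_owner(mac)
    if zone is None or owner.startswith("employee:"):
        return None
    return {"mac": mac, "owner": owner, "zone": zone,
            "position": (round(position[0], 1), round(position[1], 1))}


# Constructed reports: an unregistered device at about (24, 16), inside server-room.
SAMPLE_REPORTS = [
    DistanceReport("ap-lobby", "d4:3d:7e:11:22:33", 28.84),
    DistanceReport("ap-east", "d4:3d:7e:11:22:33", 17.09),
    DistanceReport("ap-north", "d4:3d:7e:11:22:33", 24.33),
]

if __name__ == "__main__":
    print(guest_out_of_bounds(SAMPLE_REPORTS))
```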

WLBS is dependent on the person of interest having a device with an active Wi-Fi antenna. If the non-employee above is simply lost, they won’t bother to turn off their device. On the other hand, if the person intends harm, they may go to airplane mode. In this case, the security system is relying on more traditional detection methods.

WLBS also has value when looking at people at a macro level. One of the man-created tragedies is the active shooter scenario. In many disaster scenarios, the best course of action is to flee. However, in the active shooter scenario, the best course of action is often to hide. Take a school or shopping mall: people are going to hide all over the place. One of the tasks of first responders is to find where all of the friendlies are hiding without causing the friendlies to expose themselves unnecessarily. WLBS would show where all of the devices are, which provides a good indicator of where people are hiding. So as the first responders are pursuing the hostiles, they would have data to help them understand if the hostiles are heading towards friendlies. Perhaps the friendlies can be evacuated before a hostile reaches them, or the hostiles can be driven to a safer location.

WLBS provides a stealthy way to identify where people are. It isn’t a fool-proof solution. Unlike a ship in the ocean, a person can decide to be silent and thus untraceable. However, in many situations, WLBS will provide valuable information about the location and movement of people. Even if the hostile defeats Wi-Fi tracking, WLBS still provides information about the friendlies. In this case, tracking hostiles may require other technology such as CCTV. (Satellites are used to track ships also.)

The best part of a WLBS solution is that it runs on the WLAN that organizations must deploy to participate in the 21st century. Location data is available on enterprise class WAPs—it’s simply a matter of collecting and acting on the data. With Avaya’s 9100 WLAN, data analysis and workflow development is a Breeze.

As Consumer Tech Remakes the Workplace, a Thoughtful Security Strategy Is the Best Defense

I think we’d all agree the business landscape has changed dramatically over the past two decades. Think back to the last time you wrote a paper memo or sent a card inviting a colleague to a meeting. It’s been a long while.

For the most part, we’ve enthusiastically embraced this technology revolution in business, but recently it’s evolved to a point where consumer technology is now reshaping the workplace. In this blog series, we’ll discuss this phenomenon, how it’s made us more vulnerable to cyber-attacks and what measures and solutions we can employ to protect against security breaches.

Think about it. We carry multiple devices to stay connected both professionally and personally. These devices have become our modern-day Filofaxes or Franklin Planners. So much so, that we’ve blurred the lines between these two worlds—once separate and distinct. We have one calendar, one set of contacts, one laptop and, for many of us, our social networks are a mix of work and play.

So when we hear about the latest cyber-attack or hack, the question we always ask ourselves is, “Can I be affected?”

The fact is our growing dependence on consumer technology puts our companies and us at higher risk of becoming victims. We become more vulnerable with every new tech toy, gadget or app we place at our fingertips … and we’re not talking just smartphones. Look at Smart TVs (connected to the Internet), home automation devices (e.g., Nest or Hue), even the cars we drive. Everything is becoming connected, delivering real-time information to our smart devices, whenever and wherever we are.

Our demands have also extended to where we use these smart devices. We want connectivity in Starbucks, a shopping mall, a sports stadium … we want to remain in touch, irrespective of location. This presents a challenge for many, but especially for our CIOs who not only have to secure corporate information but also weigh potential exposure as a result of our hyper-connected world.

Also consider the increasing number of employees working from remote locations … the CIO, who once had total visibility of what we’re doing and using during business hours, now has only a glimpse of what’s deployed in our homes or coffee shops. And let’s not forget collaboration tools and apps that allow for real-time connectivity and electronic file sharing between anyone with internet access, from anywhere and from any device. While these capabilities have enabled us to work smarter and more efficiently, with those benefits comes the increased risk of enterprise security issues and data breaches.

For most organizations, it’s not a question of if a security breach is going to occur, it’s when it will occur. And when a company is attacked, so too are the people affiliated with it (think customers, employees, vendors and partners).

Perhaps we need to consider how hackers go about their work to understand why the decisions we make (or don’t make) today could have immediate and devastating consequences.

For starters, hackers look to identify a point of entry that will allow them to establish a command and control base. Remember, if it has a processor, memory and connectivity, it’s a target. All the examples I cited above meet these criteria.

Once they’ve established a control point, they explore their surroundings. Imagine for a moment a hacker gaining access to your home automation, then having the ability to eavesdrop on all your communications: banking services, business services, media content … potentially watching your every move. Now all your personal and business activities are compromised. It’s a frightening thought, right? But it’s one that can be proactively addressed.

There are two common methodologies for eliminating or greatly minimizing security breaches. The easiest is to say “No, you can’t do that” (seldom effective). We recommend a more thoughtful, practical, and deliberate approach that involves both active and passive security measures.

The Avaya approach is complementary to your existing security measures, not a rip-and-replace approach but one that supports your business operations. Whilst other solutions will address vulnerabilities on the devices, or only allow certain traffic to pass a specific point in the network, Avaya adds to your security posture by eliminating the ability of the hacker to move around your network at will. This is commonly referred to as lateral movement, and with the Avaya SDN Fx hyper-segmentation capability, we’re able to prevent this exploration. We have more than 16 million service identifiers to use—it’s like trying to find a needle in a haystack.

If you can’t see it, then you can’t hack it! Avaya also has the ability to run these services in stealth mode, the ability to convey these services in a manner that is quiet and careful in order not to be seen or heard.

This provides you with security that’s based upon the services you support on your network, not focused on the routes that traffic may pass through. This dynamic approach to security is elastic in nature: as the demands for your network change, the ability to expand and contract these services follows the natural rhythm of your network. (Avaya Chief Technologist for SDA Jean Turgeon wrote a three-part blog series exploring these three core pillars. Read about hyper-segmentation, native stealth and automatic elasticity.)

In addition to this, we expand our capability to the edge of the network, the access layer. Here, through the use of standards-based approaches, we’ll examine not only the device coming onto the network, the credentials it’s presenting and its location, but also its behavior on the network—its digital fingerprint.

Through years of experience in real-time apps, we’ve been able to capture, identify, quantify and then react to a whole range of activities. The same is also true for the emerging world of the IoT (Internet of Things) and the explosion in connected devices. Through the innovative use of Avaya Breeze™, we’re able to blend the worlds of infrastructure and apps, keeping a watchful eye on everything that passes through the network, and when something does catch our eye, having the ability to react, in real-time, to circumvent that anomaly.

The Avaya capability plugs the gaps that so many hackers exploit, and through our use of innovative technologies, we allow the network infrastructure to support the business in a dynamic, elastic, and secure manner, giving business the agility to use what it needs, when it wants to, and where it wants to use it.

Changing the Lagging Face of Public Safety with Smart Networking Solutions (Part 4)

In part I of this series, Avaya Vice President and Chief Technologist for Software-Defined Architecture Jean Turgeon opened up a much-needed conversation about the current state of public safety and E911. My colleagues Mark Fletcher and Markus Bornheim followed up with pieces on E911 response times, lack of location data and the technology available to solve these issues. Today, we’ll explore specific solutions that can change the game for public safety and emergency services.

I recently went for my annual physical and had a conversation with the resident doctor about how technology is being used within the healthcare industry. After a few minutes, she made a comment that resonated with me, “I can’t believe in today’s digital age, we still use phones to make and confirm appointments.” You may be wondering what this has to do with public safety. Well, not surprisingly, this resident doctor (who is also a millennial) uses her smart device and data channels to interact with the world, and expects to use it for communicating with Emergency Services.

Given our world is moving rapidly toward more mobile-based smart devices and away from fixed phones, the big question everyone should ask themselves is, “What happens when I contact Emergency Services (911, 999, 112, etc.)?” Today, about 80% of calls coming into Emergency Services are from mobile or smart devices, yet the sad reality is Emergency Services doesn’t have the ability to interact with its citizens using data channels. It’s voice channels only, which in 2016 is unacceptable!

Many PSAPs (Public Safety Answering Points) are doing upgrades and modernization, but without the proper infrastructure and data networks much of it could be worthless. It’s time to start thinking about enabling robust end-to-end data networks within Emergency Services. These new data networks can be used for inter-networked agencies, allowing for overflow and interflow in order to handle mass call incidents and interact with smart devices or citizens.

Today only voice and telephones are used to interact with citizens as carriers are only providing a voice-based network to support calls to Emergency Services. PSAPs have no means to interact using data channels and apps like email, SMS, Web Services and more.

From a data perspective within many PSAPs today, you’ll find dispatchers and call takers likely having two separate systems on their desks, or a single system running a self-contained VDI (virtual desktop) software environment creating a virtual system. The main reason for keeping these two systems separate is the use of legacy architectures and the need for physical segregation of the systems and their respective data. One system (physical or virtual) is used for Emergency Services and is based on voice networks. A separate system (physical or virtual) uses a data network for internal communications like email, Internet, database access and more.

Now imagine a dispatcher speaking over the voice network to a citizen. If the dispatcher wants to interact with this person using the data network, they can’t because that system is strictly for internal use. The only channel they have available to interact with the citizen is voice on a dedicated network. The dispatcher (or call taker) can’t perform simple tasks like sending an SMS or email, or sharing a Web link or video showing the citizen how they might help themselves. So while they do have an internal system connected to a data network where they can browse the web, send emails and lookup information—it’s not on the PSAP Internet.

Moving forward, maintaining physical segregation of these networks through virtual services can be easy if leveraging technology like Avaya’s all-new end-to-end segmentation solution #EverywherePerimeter and its core capabilities of hyper-segmentation, stealth and elasticity (Jean Turgeon recently kicked off a three-part blog series that dives into each pillar. Read part I and part II). This new, all-standards-based networking architecture can help address these issues and provide the level of support and security required in a simple, yet secure fashion to bring technology to the PSAP.

ESINets are starting to be developed in parts of the U.S. as separate, parallel data networks within the PSAP, but this means potentially adding more costs, duplicating equipment/networks and adding complexity through firewalls and network administration. Additionally, changes, adds and moves incur long lead times, because ensuring there’s no disruption to network services requires long maintenance windows.

The ESINet, an IP based core network, still has security challenges because IP is the No. 1 hacked networking protocol in the world. Using Avaya stealth networking architecture to construct the ESINet allows you to build a single physical core data networking infrastructure for a greenfield network or to integrate with existing networks. With fabric, this network would be secure and invisible to IP hacking as the use of IP in the core isn’t required.

Using SPB (Shortest Path Bridging, the IEEE 802.1aq standard), once the Avaya core is built, multiple traditional core network infrastructures are no longer needed. As Avaya uses a mesh-based architecture, full redundancy is achieved. Avaya’s hyper-segmentation technology can be used to create new VSNs (Virtual Service Networks). These VSNs are similar to virtual independent wires or networks. Since IP is not used in the core, the VSNs can’t see one another, which means data can’t move from one VSN to another, keeping them secure.

If required, the data networking administrator could create IP based shortcuts between VSNs, if they choose to allow data to flow between specific virtual networks. Administrators may want to do this for a migration or in the case of call overflow scenarios, such as a mass call event. Once the ESINet core is built, we can essentially leverage this secure environment and dynamically create separate networks as needed. As an example, multiple virtual networks running over this single core can also provide services like:

  • Internal Secure Data Network
  • Video Network
  • Local PSAP Network
  • Regional Network
  • District Network
  • Even a Voice Network being carried over the Data Network

Each of these services can be protected at the perimeter using a firewall for an extra layer of security and would all look and operate like independent networks.
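As an added reachability model, not Avaya’s or any vendor’s code, of the default-isolation argument from the first post’s Target discussion and of the inter-VSN shortcuts described above: a routed-VLAN policy fails open (segments reach each other unless an ACL denies it), while a VSN policy fails closed (nothing crosses unless a shortcut is provisioned). Segment names, host names and rules are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class SegmentedNetwork:
    """Two-posture reachability policy over named segments.

    default_allow=True models routed VLANs: any two segments can talk unless
    an ACL pair in `exceptions` denies it. default_allow=False models VSNs:
    segments are isolated unless a shortcut pair in `exceptions` allows it.
    """
    default_allow: bool
    host_segment: Dict[str, str]  # host -> segment it is attached to
    exceptions: Set[FrozenSet[str]] = field(default_factory=set)

    def segments_connected(self, a: str, b: str) -> bool:
        """Whether segments a and b may exchange traffic under this policy."""
        if a == b:
            return True  # intra-segment traffic is not filtered in this model
        pair = frozenset((a, b))
        if self.default_allow:
            return pair not in self.exceptions  # fail open: an ACL must deny
        return pair in self.exceptions          # fail closed: a shortcut must allow

    def can_reach(self, src_host: str, dst_host: str) -> bool:
        """Host-level view of the same policy."""
        return self.segments_connected(self.host_segment[src_host], self.host_segment[dst_host])

    def exposure(self, segment: str) -> Set[str]:
        """Other segments reachable from `segment`: its lateral-movement surface."""
        return {s for s in set(self.host_segment.values()) - {segment}
                if self.segments_connected(segment, s)}

    def audit(self, sensitive: str, untrusted: List[str]) -> List[Tuple[str, str]]:
        """(untrusted, sensitive) pairs where the intended isolation is violated."""
        return [(u, sensitive) for u in untrusted if sensitive in self.exposure(u)]


# Constructed retail scenario in the shape of the Target breach: three segments,
# a vendor-serviced HVAC controller and a cardholder-data database.
RETAIL_HOSTS = {"hvac-ctl": "hvac", "pos-db": "cardholder", "hr-pc": "corp"}

# Routed VLANs: an ACL was written for hvac<->corp, but hvac<->cardholder was forgotten.
LEGACY = SegmentedNetwork(True, RETAIL_HOSTS, {frozenset(("hvac", "corp"))})

# Same hosts as hyper-segments: no shortcut provisioned, so nothing crosses by default.
HYPER = SegmentedNetwork(False, RETAIL_HOSTS)

# Constructed PSAP scenario: a single overflow shortcut between the local and
# regional VSNs; the internal data VSN stays isolated from both.
PSAP_HOSTS = {"calltaker-1": "local-psap", "regional-1": "regional", "mail": "internal-data"}
PSAP = SegmentedNetwork(False, PSAP_HOSTS, {frozenset(("local-psap", "regional"))})

if __name__ == "__main__":
    print("legacy hvac exposure:", LEGACY.exposure("hvac"))            # {'cardholder'}
    print("hyper hvac exposure:", HYPER.exposure("hvac"))              # set()
    print("psap local-psap exposure:", PSAP.exposure("local-psap"))    # {'regional'}
```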

This provides PSAP operators with the two separate secure networks they need, saving tremendous amounts of money and complexity in the backend. All of this together makes it less scary to staff who may not be networking savvy. Leveraging Avaya Fabric Extend or SD-WAN (wide area networking) solutions provides the benefit of using a single Avaya Fabric to extend beyond just a local agency. You can leverage these services to extend beyond a local data center or campus network to other locations around the globe with the look and feel of a single fabric.