An Exploration of End-to-End Network Segmentation—Part II: Native Stealth
As I’ve said before, no one provider can completely eliminate network security risks. There is, however, a proven way to reduce risk and network exposure: end-to-end segmentation, which is comprised of hyper-segmentation, native stealth, and automated elasticity. In part I of this series, I explored the concept of hyper-segmentation. In a nutshell, hyper-segmentation involves using SPB (Shortest Path Bridging–802.1aq) to quickly and easily create virtual network segments that are completely isolated from one another. This enables network security tools to perform with greater efficiency, offering businesses full transparency into network activity.
Now imagine if you could create these virtual segments on the fabric infrastructure itself, meaning the topology used to carry the traffic would be completely invisible to any IP discovery or hacking. That’s exactly what we’re going to discuss here in part II: delivering a stealth network that keeps hackers in the dark. Let’s jump right in.
The Risk of IP Hopping
If you still rely on IP hopping, it’s likely a matter of time before someone enters your network and quickly discovers your full network topology, potentially without you knowing (if someone hasn’t already). I understand it can be difficult to grasp how a method that’s been in practice for nearly 30 years can be so unsecure, but remember: just because a methodology has been around for a long time doesn’t mean it’s conducive to today’s business requirements.
The problem with IP hopping is simple: once someone successfully enters a network using any kind of automated or reasonably sophisticated tool, they can begin discovering IP hop routes. These tools, when in the wrong hands, can allow attackers to gain full visibility into an organization’s IP architecture.
This means if a hacker successfully penetrates your firewall, they will within minutes be able to see all of your network topology and devices (and you thought Halloween was scary!). With this level of transparency, attackers can effortlessly detect where video surveillance is, for example, or where patient records are stored in order to begin impacting those devices, databases, nodes or systems.
This is one of the reasons so many companies hesitate to offer guest Wi-Fi services. It’s one of the easiest and lowest-risk ways for hackers to penetrate a company’s firewall and begin gaining network visibility. Remember, RF leaks out of building/walls; sit in parking lot near a building and et voilà!
Stealth Networks: Invisible to Hackers, Invincible for Companies
If you recall in part I, we discussed the importance of provisioning the network only at the point of services where offered and where that service is consumed by the end-user or device (IoT, as an example). In provisioning only at points of services—using an IP shortcut—the rest of the network essentially becomes a transport because we make use of Ethernet Switch Paths (ESPs) instead of typical IP hopping from node to node. This eliminates hackers’ dependencies on IP routes and allows them to only see entry and exit points. Everything else becomes stealth or invisible.
Remember the above example about penetrating the firewall through a Wi-Fi network? Let’s say this happens to a company that’s implemented an end-to-end segmentation solution. The hacker may successfully connect to the company’s physical infrastructure but, because of native stealth, they will only be able to see as far as that one segment. The attackers can’t hack what they can’t see. Meanwhile, organizations gain more controlled insight into where attackers are trying to do damage.
At the end of the day, you can’t stop hackers from penetrating your network, firewall, or gaining access to your building. If they do, however, end-to-end hyper-segmentation allows you to control what hackers see with peace of mind so that your customer databases, credit card numbers, etc. are securely isolated and undiscoverable. Hence, don’t expose your customer’s credit card information (PCI), patient records or others. Isolate that critical data in a secure virtual segment and run it over that ONE converged infrastructure. No more need for a separate physical network to meet your business security needs when you implement the right solution.
We’re almost done exploring the core of end-to-end segmentation. Elasticity is the final capability that completes this network security trifecta, and I dig into it in part III next week.