An Exploration of End-to-End Network Segmentation—Part I: Hyper-Segmentation
More than 90% of businesses say they have some sort of cybersecurity framework in place, but here’s the truth: a network security strategy will never be effective if a company’s underlying architecture isn’t what it needs to be. Traditional, hierarchical, client-server architecture is simply not built to support today’s next-generation network, or protect against the increased risk of exposure inherent in it (this is something I recently blogged about for the Huffington Post). This is like riding a horse and buggy down the freeway and expecting life-saving crash protection.
Cue the thousands of solution providers vying for market share, all selling the concept of failsafe network security. But let’s be honest: any provider that claims to offer foolproof security is only fooling you. Perhaps today’s rapid pace of innovation will get us there one day. Until then, not even the best provider can guarantee network security 24×7.
There are, however, ways to safeguard your organization with a network that significantly reduces security risk and limits exposure when something does get in. It comes down to the technology you use and from whom you get it. At Avaya, we believe companies need to take a foundational approach to network security by implementing an end-to-end segmentation solution that protects from the inside out. This approach consists of three core capabilities:
The ability to create hyper-segments that span the entire network (hyper-segmentation).
The characteristic of a hyper-segment that is invisible to anyone outside it, hackers included (stealth).
The ability to extend and retract hyper-segment access automatically (elasticity).
The way we see it, endorsed by many cyber security experts, end-to-end segmentation is the holy grail of network security today. This critical level of protection should be as simple as safety is for a driver getting behind the wheel. All companies need to do is buckle up and enjoy the ride.
At Avaya, our goal is always the same: equip business leaders with the necessary skills, knowledge and know-how to do what’s ultimately best for their organizations. For IT leaders contemplating a better way to protect their networks, I’ve put together a three-part series that pulls back the veil on our all-new end-to-end segmentation solution and its core capabilities of hyper-segmentation, stealth and elasticity.
Ready to join me? If so, let’s kick things off by exploring the incredible concept of hyper-segmentation.
Out with the Old
A classic segmentation method, creating virtual local area networks (VLANs), is one that companies have been using for 20+ years. Each VLAN is a separate Layer 2 broadcast domain, and the original motivation was largely quality of service: keeping one type of traffic from degrading another by giving each traffic type a segment with the characteristics it needs to deliver the desired quality of experience.
For example, one segment may carry real-time voice traffic while another carries best-effort data traffic such as web browsing. This sounds simple, but there is one big problem: as organizations grow, so must their segments. Every switch along a VLAN’s path has to be configured to carry it, and the VLAN has to learn the address of every node that physically joins it, so a human error on any one hop can either break the span or, on a redundant link, create a forwarding loop that spanning tree has to catch. Complexity and risk of failure grow with the VLAN.
So, these segments must inevitably grow to meet evolving network and application needs. As they do, they become harder to troubleshoot and manage, leading to greater network strain and performance issues. At that point, a company’s only remedy is to create more, smaller segments, which adds still more complexity to an already intricate environment.
All the while, these network segments are not truly isolated from one another. A VLAN is Layer 2 virtualization; once each VLAN gets an IP interface on a shared router, the segments route to one another by default, and keeping them apart becomes a matter of access lists. When the IP services themselves need to be isolated, say two departments or two tenants sharing a common infrastructure, Layer 3 virtualization is required as well, which means introducing VRFs (Virtual Routing and Forwarding instances). Once again, each node participating in the Layer 3 virtualized network must be configured.
Hence, end-to-end segmentation is achieved through complex nodal configuration. Not very scalable when you think about it, yet it does work. Add other services such as multicast and you have a fragile house of cards, because all these layers are interdependent: each depends on the one below it to keep the stack running and secure, so a fault in one layer can bring down the rest (think of how little it takes to knock down a house of cards). For businesses relying on legacy architecture, this stack of interdependent protocol layers can lead to tragic outcomes if even one segment is affected.
This is exactly what happened in the infamous 2013 Target breach. An HVAC vendor, external to Target, had authorized access to service the HVAC system, and the attackers got in using credentials stolen from that vendor. As the network was statically configured using VLANs, they landed in the HVAC segment. But rather than being contained there (we’ll get to that shortly), they moved out of the HVAC segment and into the segment that hosts credit card data. In this environment nothing enforced isolation between the HVAC segment and the others, so a weakness in one low-value Layer 2 segment exposed the mission-critical applications that lived in the rest. Safe to say this is not the business outcome you want.
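The “every hop must be configured” point above is the kind of thing you can actually audit. The following is an added example, not code from the original post: given a constructed switch topology with the VLANs allowed on each trunk and the switches that have hosts in each VLAN, it reports VLANs whose members are split into islands by a trunk that was never updated, and VLANs whose topology contains a physical loop and therefore depends on spanning tree. Switch names, VLAN numbers and the trunk lists are all invented for the illustration.

```python
"""Audit per-hop VLAN configuration on a Layer 2 topology.

Added example, not code from the original post. The topology, trunk
allowed-VLAN lists and VLAN membership below are constructed. The audit
reports VLANs whose member switches are not all joined by trunks that
carry the VLAN (a missed hop in the nodal configuration) and VLANs whose
topology contains a physical loop (a redundant path that depends on
spanning tree to stay up).
"""
from collections import defaultdict

# Constructed topology: (switch_a, switch_b, VLANs allowed on the trunk between them)
TRUNKS = [
    ("access1", "dist1", {10, 20, 30}),
    ("access2", "dist1", {10, 30}),       # VLAN 20 was never added to this trunk
    ("dist1", "core1", {10, 20, 30}),
    ("dist1", "core2", {10, 20, 30}),
    ("core1", "core2", {10, 20}),         # second path for VLANs 10 and 20: a loop
    ("core2", "access3", {20, 30}),
]

# Constructed membership: switches that have access ports (hosts) in each VLAN
MEMBERS = {
    10: {"access1", "access2"},
    20: {"access1", "access2", "access3"},
    30: {"access1", "access3"},
}


def vlan_graph(vlan, trunks):
    """Adjacency between switches joined by trunks that allow `vlan`."""
    adj = defaultdict(set)
    for a, b, allowed in trunks:
        if vlan in allowed:
            adj[a].add(b)
            adj[b].add(a)
    return dict(adj)


def components(adj, nodes):
    """Connected components of the graph, covering every node in `nodes`."""
    seen, comps = set(), []
    for start in nodes:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(adj.get(n, set()) - comp)
        seen |= comp
        comps.append(comp)
    return comps


def has_cycle(adj):
    """True if the undirected graph has a cycle: a component with at least
    as many edges as nodes cannot be a tree."""
    for comp in components(adj, list(adj)):
        edges = sum(len(adj.get(n, ())) for n in comp) // 2
        if edges >= len(comp):
            return True
    return False


def audit(trunks, members):
    """Per VLAN: is the span broken (members in separate islands), which
    member switches sit in each island, and does the VLAN contain a loop."""
    report = {}
    for vlan, hosts in members.items():
        adj = vlan_graph(vlan, trunks)
        comps = components(adj, sorted(set(adj) | hosts))
        islands = sorted(sorted(c & hosts) for c in comps if c & hosts)
        report[vlan] = {
            "broken": len(islands) > 1,
            "islands": islands,
            "loop": has_cycle(adj),
        }
    return report


if __name__ == "__main__":
    for vlan, r in sorted(audit(TRUNKS, MEMBERS).items()):
        status = []
        if r["broken"]:
            status.append("BROKEN span, islands=%s" % r["islands"])
        if r["loop"]:
            status.append("LOOP (needs spanning tree)")
        print(vlan, "; ".join(status) or "ok")
```

On the constructed topology VLAN 20 comes out both broken (access2 is cut off because one trunk was never updated) and looped (the dist1/core1/core2 triangle), VLAN 10 is looped but intact, and VLAN 30 is clean. The inputs would normally come from the running configuration of each switch, which is exactly the per-node dependency the post is describing.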
The goal, then, is to greatly simplify how segmentation is achieved. You could say: manage less and, in doing so, better converge, sustain and control the network. Right? Well, sort of. This “less is more” approach has its own risks. Hear me out: fewer, larger segments means greater exposure in terms of network performance and outages. Without a certain level of isolation, one misbehaving device, human error or system glitch can destabilize the entire network. In other words, be cautious about putting all of your eggs in one basket (one huge virtual segment).
Are there any other options? MPLS was designed to deliver what many consider “true” end-to-end virtualization. But does it really deliver what companies need? MPLS does offer end-to-end virtualization, but it is still based on a restrictive per-node labeling model with even more layers of protocols (label distribution, the routing protocol beneath it and the VPN signaling on top). End users don’t notice, because this complexity is expertly masked by providers or IT using highly sophisticated provisioning tools that deploy an end-to-end virtualized network while hiding the back-end work. It is a powerful and scalable solution, yet in the end built on a similar and unfortunately more complex foundation.
In with the New
Now I want to clarify that there’s nothing necessarily wrong with MPLS. Many large organizations still run on an MPLS model they deployed long ago. This is fine if you have the skill set and have made the investment in provisioning tools. What businesses are beginning to realize, however, is that they need to better support the dynamic changes happening not just within the data center, but where all data is consumed by mobile users and other devices. Nothing is static anymore. They must be able to add new services on the fly, make changes to existing services within minutes and build new network segments on demand across the entire enterprise. Remember, end users and IoT devices don’t sit in the data center!
You can’t deny that today’s business environment looks drastically different than it did 20+ years ago. So why still rely on segmentation methods from that period? The only way to flexibly and securely meet today’s network needs is to deploy a solution that eliminates nodal configuration and yet achieves true segmentation. Hyper-segmentation does just that using end-to-end Virtual Services Networks (VSNs); Avaya’s implementation is built on Shortest Path Bridging (IEEE 802.1aq), where each VSN is identified by a service identifier (I-SID). Businesses provision the network only at the specific points of service: where the service is offered and where it is consumed by end users or devices. That’s it! The core becomes an automated, intelligent virtualized transport that carries the service without per-hop configuration.
By eliminating nodal configuration, companies drastically reduce complexity and can create hundreds, even thousands, of agile and secure virtual segments that are completely isolated from one another by default (no communication unless you establish it). Isolation becomes the default and communication the exception: companies decide whether to establish communication between segments, versus having to prevent it after the fact. With hyper-segmentation, segments can be quickly created and easily provisioned without time-consuming, error-prone nodal configuration.
This result comes from the technology’s ability to isolate segments by default on one secure, converged network. It transforms network protection by letting security tools focus on the specific functions they were implemented for, versus serving as the barrier between segments to prevent chatter. Hyper-segmentation thus gives companies better visibility into how their networks are behaving, so they can more quickly prevent, identify and mitigate security incidents.
Remember Target? With hyper-segmentation, the hackers would have been contained to the HVAC segment (isolated there). All other segments would have been invisible (natively stealth) to them. It doesn’t matter how skilled the hacker is: you can’t hack what you can’t see. The caveat is that containment only holds if the vendor’s access is provisioned into the HVAC segment and nothing else; a host or credential that is valid in more than one segment is still a bridge between them, so the point of service is where the scoping has to be done carefully.
In this new world, multilayer protocols exist only because we must maintain backward interoperability with the legacy model; new virtualized services can be delivered with just one protocol. No more house of cards, unless you absolutely need it!
Now if your company depends on MPLS, you may be thinking, “Where does this leave me?” Here’s my advice: leave your MPLS network as static as possible so you can embrace the dynamic configuration of hyper-segmentation and leverage its strength of provisioning at the point of service only. In doing so, you benefit from next-generation segmentation without forklifting your current investment, as hyper-segments can now traverse any IP WAN, including IP MPLS or SD-WAN solutions from vendors such as FatPipe. In the end, it’s up to you to decide how you want to implement end-to-end hyper-segmentation. No more dependency on service providers to configure and extend a service (VLAN, VRF, DC interconnect, etc.) across the WAN; you now control your own destiny!
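“Isolated by default, communication only where you establish it” is a property you should verify from traffic rather than take from a design document. The following is an added example, not code from the original post or from Avaya: it maps constructed IP prefixes to segments, keeps an explicit allow-list of the only cross-segment conversations that are supposed to exist, and flags any flow record that crosses a boundary without a matching entry. The segment names, prefixes and the NetFlow-style records (including the HVAC-to-card-database flow, which is invented to mirror the Target story, not taken from any real capture) are all constructed.

```python
"""Flag cross-segment flows that no explicit policy permits.

Added example, not code from the original post. The segment map, the
allow-list and the flow records are constructed. Segment isolation is
treated as the default: a flow is acceptable only if both ends are in the
same segment or an explicit (src_segment, dst_segment, dst_port) entry
permits it. Everything else, including flows touching an unknown endpoint,
is reported.
"""
import ipaddress

# Constructed segment map: segment name -> prefixes that belong to it
SEGMENTS = {
    "HVAC": ["10.50.0.0/16"],
    "POS": ["10.10.0.0/16"],
    "CARD-DB": ["10.20.5.0/24"],
    "MGMT": ["10.0.0.0/24"],
}

# Constructed allow-list. Anything not listed here is denied by default.
ALLOW = {
    ("POS", "CARD-DB", 443),   # point-of-sale may talk to the card database over TLS
    ("MGMT", "HVAC", 22),      # management jump host may SSH into HVAC controllers
}

# Constructed flow records (NetFlow-style text): src dst proto dport bytes
FLOWS = """\
10.10.3.7 10.20.5.10 tcp 443 18322
10.0.0.5 10.50.1.9 tcp 22 4120
10.50.1.9 10.20.5.10 tcp 445 90211
10.50.1.9 10.50.1.10 tcp 502 800
10.10.3.7 10.50.1.9 tcp 80 300
192.168.99.4 10.20.5.10 tcp 443 120
"""


def build_lookup(segments):
    """List of (network, segment) sorted longest-prefix-first so a more
    specific prefix wins over a broader one."""
    nets = [(ipaddress.ip_network(p), name)
            for name, prefixes in segments.items() for p in prefixes]
    nets.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return nets


def segment_of(ip, lookup):
    """Segment an address belongs to, or None if it matches no prefix."""
    addr = ipaddress.ip_address(ip)
    for net, name in lookup:
        if addr in net:
            return name
    return None


def parse_flows(text):
    """Yield one dict per non-empty flow line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split()
        yield {"src": src, "dst": dst, "proto": proto,
               "dport": int(dport), "bytes": int(nbytes)}


def audit_flows(flows, segments, allow):
    """Return every flow that crosses a segment boundary without an allow
    entry. Unknown endpoints (segment None) never count as 'same segment'."""
    lookup = build_lookup(segments)
    violations = []
    for f in flows:
        s, d = segment_of(f["src"], lookup), segment_of(f["dst"], lookup)
        if s is not None and s == d:
            continue                      # intra-segment traffic is expected
        if (s, d, f["dport"]) in allow:
            continue                      # explicitly permitted crossing
        violations.append({**f, "src_seg": s, "dst_seg": d})
    return violations


if __name__ == "__main__":
    for v in audit_flows(parse_flows(FLOWS), SEGMENTS, ALLOW):
        print("VIOLATION %s(%s) -> %s(%s) %s/%d %d bytes" % (
            v["src"], v["src_seg"], v["dst"], v["dst_seg"],
            v["proto"], v["dport"], v["bytes"]))
```

On the constructed records the HVAC-to-CARD-DB flow on port 445, the POS-to-HVAC flow and the flow from an address outside every known segment are reported; the two allow-listed conversations and the HVAC-internal Modbus flow are not. Whether the isolation is enforced by VSNs or by VLANs and access lists, this is the same check, and on a network that really is isolated by default the report should stay empty.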
Now on to the next question: what role does native stealth play in end-to-end segmentation? Learn more in Part II next week.