Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/5/2015
10:45 AM
TK Keanini
TK Keanini
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Segmentation: A Fire Code For Network Security

New technologies like software-defined segmentation are making it easier to prevent a compromise from spreading by separating users and network resources into zones.

Cybersecurity panic seems to be on the rise in 2015. Hacked cars, compromised healthcare records and one of the largest breaches in U.S. history have left many people wringing their hands in anxiety.

This scenario reminds me of the reactions to the large fires of the industrial revolution and the changes that happened afterward. In 1871 a fire broke out in Chicago, America’s fastest growing city at the time. Aided by high winds, the fire jumped from building to building until roughly one third of the city was destroyed. The event received immense media attention, and large-scale fires would later affect other urban centers such as London and Boston.

At the time, many criticized the rush to industrialize or blamed the catastrophe on divine retribution for a lack of morality – sound familiar? Despite the panic, the ultimate solution to the problem was constructing buildings a little farther from each other, utilizing flame-resistant materials and implementing quick response to fires. Fire codes are meant to create an environment that limits the spread of a fire, and the concept is equally effective when applied to network security.

In many networks, there is little stopping an attacker from accessing everything once they are inside. Like a fire, they spread from area to area until nothing is left and all of the data is compromised. Network segmentation is akin to bringing your network up to code. By separating users and network resources into separate zones, it prevents a compromise from spreading. And just as the invention of automatic sprinklers and quick response systems made firefighting more effective, new technologies are making segmentation easier, smarter and more dynamic.

A new era of segmentation

In an unsegmented network, everyone can access everything. Engineers can access financial records, legal can access proprietary technology, and even third party contractors are sometimes given complete system access. While this may be convenient from an employee standpoint, it is a nightmare for security teams. All attackers have to do is subvert perimeter defenses – something they have become incredibly skilled at – and they have access to everything and the kitchen sink.

Network segmentation has been around for a long time, but many organizations have forgone implementing it because traditional methods have some key shortcomings. The main challenge of conventional network segmentation is that it is impractical to implement and maintain in large corporate environments. Traditionally, it requires the maintenance of extensive access control lists, which have to be updated across many different points of enforcement whenever a change occurs. In networks with thousands of users and multiple environments, such as the cloud and specialized IoT networks, this quickly becomes nearly impossible to manage. 

Also, traditional segmentation offers no practical way to monitor the effectiveness of policies. Identifying a misconfigured policy that allows traffic between zones that should be separated was difficult and adjusting it was time-consuming.

Software-defined segmentation has come a long way to address these issues. By abstracting access control and assigning it to user and machine identity information, instead of ever-changing IP addresses, management is much more intuitive and responsive. In addition, centralizing policy management and automatically pushing updates to all points of enforcement drastically reduces maintenance time and maintains policy integrity networkwide. Software-defined segmentation is better suited to controlling access in virtualized and cloud environments as well.

Every segment traversed is an opportunity to monitor and govern traffic. Having tools to model, validate and then segment the way in which your organization operates is the practice that will get us from the past to the future of network design and operations – the new methodology.

New segmentation needs new methodology

Even with all of the advantages of software-defined segmentation, there still exists the problem of intelligently crafting segmentation policies. Improperly designed policies can create security risk or cripple business functions by denying legitimate insiders access to critical resources.

To take full advantage of software-defined segmentation, a smart implementation and maintenance methodology is needed. Security architects can utilize the process of active segmentation to ensure proper segmentation is maintained without disruption to day-to-day business.

Like all great approaches to cybersecurity, active segmentation is a cyclical process that involves observation, orientation and adaptation to changing circumstances and environments. When used properly, active segmentation consists of:

  • Inventorying network assets and classifying them based on role or function
  • Gaining insight into user behavior and interactions on the network
  • Intelligently designing segmentation policies based on those insights
  • Enforcing the policies
  • Continuously evaluating policy effectiveness
  • Adjusting policies where necessary

One of the prerequisites of active segmentation is end-to-end network visibility. Without the ability to monitor network behavior and identify traffic patterns, crafting an effective segmentation plan is simply too difficult. You need to be able to inventory network assets and understand how users interact with them to avoid creating improper segmentation policies.

Using network visibility and monitoring tools, active segmentation provides two primary benefits:

First, administrators can model segmentation policies before implementing them. As users continue to operate normally on the network, any violation of proposed segmentation policies will trigger an alarm. This way, administrators can identify any business disruptions that might occur and adjust the model accordingly, which in turn makes the implementation of segmentation smoother.

Secondly, continuing to monitor the model allows for continuous evaluation of policy effectiveness. If a user violates intended segmentation, alerts are triggered and administrators can investigate and reconfigure the policy as necessary. New network hosts and systems can also be quickly identified and assigned the appropriate privileges. This approach ensures segmentation is properly maintained as the network grows and changes.

Bring your network up to code

As the threat landscape continues to evolve, network defenders need to give themselves as much leeway as possible. Similar to modern fire prevention, you cannot stop an event from ever happening, but the right amount of preparation can keep a small house fire from burning down the rest of the city.

Network segmentation has always been an important defensive measure, but it wasn't until recent technologies were developed that it could be effectively deployed in large enterprise networks. Software-defined segmentation facilitates adaptive segmentation in large environments, but it doesn't get rid of the guesswork. Instead of designing policies based on intuition alone, security architects should utilize active segmentation to ensure their policies are crafted intelligently, based on real-world observation and monitored for effectiveness.

Just as fire codes help prevent catastrophes, active segmentation can severely limit the reach of a breach and improve an organization’s security posture.

TK Keanini brings nearly 25 years of network and security experience to the CTO role. He is responsible for leading Lancope's evolution toward integrating security solutions with private and public cloud-based computing platforms. TK is also responsible for developing the ...
View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13757
PUBLISHED: 2020-06-01
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing exces...
CVE-2020-13758
PUBLISHED: 2020-06-01
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
CVE-2020-9291
PUBLISHED: 2020-06-01
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
CVE-2019-15709
PUBLISHED: 2020-06-01
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.
CVE-2020-13695
PUBLISHED: 2020-06-01
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.