Networking

07:00 AM
Reuven Harrison
Reuven Harrison
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Network Segmentation Key To Good Network Hygiene

Recent security breaches underscore the importance of maintaining proper network segmentation.

In light of recent security breaches, where third-party credentials have been used to access entire networks, IT organizations are turning their attention to the risks that can result from basic network segmentation errors. This serves as a good reminder to us all that practicing good network segmentation is as much a hygienic best-practice as brushing your teeth -- no one loves to do it, but regular care is essential to prevent long-term harm.

In many organizations, network segmentation has been a "set it and forget it" effort, which once done is almost immediately out of date. But network segmentation needs to be managed, and policies continuously enforced to maintain the desired network segmentation.  

Security is not the only issue addressed by proper network segmentation. The ability to contain network problems, improve performance, and reduce congestion are all key benefits that come from a well-segmented, well-maintained network.

Make no mistake: Network segmentation is very hard. Complex networks house hundreds of devices, and enterprises typically have complicated policies with hundreds of rules. At Tufin, we see customers with hundreds of firewalls, routers, and switches across their network, each on average having hundreds of rules per device. A typical enterprise therefore has to consider tens of thousands of rules when segmenting its network in order to maintain a security and compliance.

In addition, most organizations are dealing with dozens of changes a week to support new business applications, and users are demanding technologies like virtualization and cloud, each of which is a force-multiplier to this complexity and can impact the integrity of network segments.

It’s helpful to think of your network in zones, so you can visualize and manage your network segmentation, either manually or in an automated fashion. Consider the business drivers as you map out your zones, including compliance (e.g., the PCI Data Security Standard), industry or company-specific risks, third-party contractual requirements, and company-specific business processes. Once you have mapped this out, you can instantly see detailed insights on your network segmentation, such as what services are allowed between different network zones and zone sensitivity.

Enterprises have hundreds of applications serving multiple lines of business, which adds to the order of magnitude and complexity of any change, and must be factored in to any segmenting exercise.

For example, when an organization rolls out a new application that requires interaction with several other resources in the network, a visual map of how this application interacts with other resources can help ensure that only the business required communications are allowed, while other types of communication are blocked.

One company we work with has segmented its network into 40 zones, split based on risk assessments, business, and compliance requirements. Some of the key segmentations include separation of the development network from the Internet, and even the general enterprise network, so as to minimize any leakage of intellectual property.

In addition, organizations need to consider how they can be alerted on policy violations, so that changes made "out of band" can be immediately remediated, and administrators made aware of gaps between desired and actual segmentation. Organizations should consider obtaining the ability to visually validate that the desired segmentation is the same as the actual (or enforced) segmentation.

Recent breaches should have served as a wake-up call to those not closely watching their network segmenting policies, but they’re not the only reason to practice good network segmentation hygiene. Organizations should consider adopting a matrix approach to network segmentation in order to enable a clear baseline and set of rules for all ongoing changes.

Once this is established, they can consider enabling automation of these rules and policies as much as possible, in order to reduce the risk of policy violations going unnoticed for days, weeks, or months.

Reuven Harrison is CTO and co-founder of Tufin. He led all development efforts during the company's initial fast-paced growth period, and is focused on Tufin's product leadership. Reuven is responsible for the company's future vision, product innovation and market strategy. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Strategist
6/18/2014 | 11:11:55 AM
Re: pitfalls?
Thanks Orhan for explaining those nuances. The article I read made it sound more clear-cut, which is rarely the case!
OrhanErgun
50%
50%
OrhanErgun,
User Rank: Apprentice
6/18/2014 | 2:41:39 AM
Re: pitfalls?
adithsar1,

 

I am glad to hear that my comments, posts are useful. You can always ask your questions here in NC, I try to give my answer as quickly as possible.

 

 
OrhanErgun
50%
50%
OrhanErgun,
User Rank: Apprentice
6/18/2014 | 2:40:07 AM
Re: pitfalls?
Marcia,

 

Quick answer is maybe :). Let me explain in this way. If you need segmentation at the layer 3 for very small scale , VRF-Lite might be an option. But Service Providers commonly enable MPLS in their backbone.( Even up to aggregation - access with Seamless MPLS ). And over MPLS they give layer 2 and layer 3 VPN services.

 

If you are using VRF without MPLS , without Multi Protocol BGP , then it is called Vrf-Lite. You don't need them. But even enterprises might have MPLS in their backbone , and even historically it invented for the perfomance , nowadays performance is not a main concern , companies use MPLS mostly for VPN , also some cases for traffic engineering.

aditshar1
50%
50%
aditshar1,
User Rank: Apprentice
6/18/2014 | 2:31:37 AM
Re: pitfalls?
Thank You @Orhan for such explainatory answer, I have been assigned with new project in my company wherein entire network is running on static route defination, no OSPF no ISIS and now i have to plan in order to move them in dynamic routing, i will come back with some queries and also not to miss everytime i read your response/ comment i save that for my future referance.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Strategist
6/17/2014 | 3:30:36 PM
Re: pitfalls?
Sounds like it's something of a delicate balance getting the right amount of segmentation then.
ReuvenHarrison
50%
50%
ReuvenHarrison,
User Rank: Apprentice
6/17/2014 | 3:01:24 PM
Re: pitfalls?

Failure to update is the biggest one we see by far. Another common mistake is "over segmentation". This makes maintenance very hard, and leads to segmentation becoming something which disrupts the business, rather than being a business enabler. 
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Strategist
6/17/2014 | 2:50:08 PM
Re: pitfalls?
Thanks for this insight Orhan. I read that VRF-Lite is used more in enterprise networks, while VRF is used in service provider MPLS networks. Is that accurate?
OrhanErgun
50%
50%
OrhanErgun,
User Rank: Apprentice
6/17/2014 | 6:45:42 AM
Re: pitfalls?
aditshar1,

Quick answer is yes. Vrf gives you a segmentation and security.

Let me explain it a bit more in detail. VRF stands for virtual routing and forwarding, and you can think it as router in router. We use it for layer 3 virtualization.

Consider vlans. Vlan actually gives you an abstractian , you virtualize your physical infrastucture. But this is within the layer 2 flooding domain.

So if you will route the packets you use VRF since it is layer3.

Use cases might be within ISP,to separate their customer networks. Within enterprise separate application or tenant so on.

Even small enterprise for example , you can put your all data traffic into one VRF and guest wireless access into a different VRF and they will not by default reach to each other.


But since you segment the VRF within the same device , they use common resources. So for the service provider example, within the same router , if there is noisy neighbor , you will be affected.


But there is also device level virtualization mechanisms such as VDC Virtual device context. You allocate CPU and memory to each context and assign tenants/application so on to context so you will not have this problem.

 

You asked VRF-Lite particularly and I explained VRF briefly , they are the same  but for the VRF-lite you should keep in mind that , it is not scalable. In order to separate and virtualize networks end to end , you need to touch to many routers, switches so on. More scalable way of doing this is MPLS L3 VPN which use VRF as overlaying virtualization tools and create Multi Protocol BGP session between edge PEs over VRF.

 

HTH.
aditshar1
50%
50%
aditshar1,
User Rank: Apprentice
6/17/2014 | 5:23:50 AM
Re: pitfalls?
VRF sounds good option here, but can VRF Lite introduction to subnetwork/ intranetwork add more security.
rubyliu
50%
50%
rubyliu,
User Rank: Apprentice
6/17/2014 | 5:09:41 AM
Re: pitfalls?
The principle is simple.  Keep the network clean and it will have fewer problems.  When problems do occur, they will be easier to spot and simpler to fix because there will be fewer negative interactions between network subsystems.  If you don't keep things clean, interactions between otherwise minor problems can create a larger problem.  http://www.fiberstore.com/
Page 1 / 2   >   >>
Cartoon
White Papers
Register for Network Computing Newsletters
Current Issue
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Video
Slideshows
Twitter Feed