Reuven Harrison

Network Segmentation Key To Good Network Hygiene

Recent security breaches underscore the importance of maintaining proper network segmentation.

In light of recent security breaches, where third-party credentials have been used to access entire networks, IT organizations are turning their attention to the risks that can result from basic network segmentation errors. This serves as a good reminder to us all that practicing good network segmentation is as much a hygienic best-practice as brushing your teeth -- no one loves to do it, but regular care is essential to prevent long-term harm.

In many organizations, network segmentation has been a "set it and forget it" effort, which once done is almost immediately out of date. But network segmentation needs to be managed, with policies continuously enforced to maintain the desired state.

Security is not the only issue addressed by proper network segmentation. Containing network problems, improving performance, and reducing congestion are all key benefits that come from a well-segmented, well-maintained network.

Make no mistake: Network segmentation is very hard. Complex networks house hundreds of devices, and enterprises typically have complicated policies with hundreds of rules. At Tufin, we see customers with hundreds of firewalls, routers, and switches across their network, each on average having hundreds of rules per device. A typical enterprise therefore has to consider tens of thousands of rules when segmenting its network in order to maintain security and compliance.

In addition, most organizations are dealing with dozens of changes a week to support new business applications, and users are demanding technologies like virtualization and cloud, each of which is a force-multiplier to this complexity and can impact the integrity of network segments.

It’s helpful to think of your network in zones, so you can visualize and manage your network segmentation, either manually or in an automated fashion. Consider the business drivers as you map out your zones, including compliance (e.g., the PCI Data Security Standard), industry- or company-specific risks, third-party contractual requirements, and company-specific business processes. Once you have mapped this out, you can instantly see detailed insights on your network segmentation, such as which services are allowed between different network zones and how sensitive each zone is.

Enterprises have hundreds of applications serving multiple lines of business, which adds an order of magnitude to the complexity of any change, and must be factored into any segmenting exercise.

For example, when an organization rolls out a new application that requires interaction with several other resources in the network, a visual map of how this application interacts with other resources can help ensure that only the business-required communications are allowed, while other types of communication are blocked.

One company we work with has segmented its network into 40 zones, split based on risk assessments, business, and compliance requirements. Some of the key segmentations include separation of the development network from the Internet, and even the general enterprise network, so as to minimize any leakage of intellectual property.

In addition, organizations need to consider how they can be alerted on policy violations, so that changes made "out of band" can be immediately remediated, and administrators made aware of gaps between desired and actual segmentation. Organizations should consider obtaining the ability to visually validate that the desired segmentation is the same as the actual (or enforced) segmentation.

Recent breaches should have served as a wake-up call to those not closely watching their network segmenting policies, but they’re not the only reason to practice good network segmentation hygiene. Organizations should consider adopting a matrix approach to network segmentation in order to enable a clear baseline and set of rules for all ongoing changes.

Once this is established, they can consider enabling automation of these rules and policies as much as possible, in order to reduce the risk of policy violations going unnoticed for days, weeks, or months.
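One way to automate the matrix approach described above: encode the desired zone matrix, map the enforced rules to zones, and diff the two so that out-of-band changes surface as violations and unenforced desired flows surface as gaps. This is an added illustration, not the author's or Tufin's code; the zone names, services and rules are constructed.

```python
from dataclasses import dataclass

# Desired segmentation matrix: (src_zone, dst_zone) -> services allowed.
# A zone pair absent from the matrix means "no traffic allowed".
# Zone names and services are constructed for this example.
MATRIX = {
    ("corp", "dmz"): {"tcp/443"},
    ("dmz", "cardholder"): {"tcp/5432"},
    ("corp", "internet"): {"tcp/80", "tcp/443"},
}

@dataclass(frozen=True)
class Rule:
    """One enforced rule, already mapped from addresses to zones."""
    name: str
    src_zone: str
    dst_zone: str
    service: str  # "proto/port" or "any"
    action: str   # "allow" or "deny"

def find_violations(rules, matrix=MATRIX):
    """Allow rules permitting traffic the matrix does not (actual wider than desired)."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        allowed = matrix.get((r.src_zone, r.dst_zone), set())
        # "any" is always wider than an explicit service list
        if r.service == "any" or r.service not in allowed:
            violations.append((r.name, f"{r.src_zone}->{r.dst_zone}", r.service))
    return violations

def find_unimplemented(rules, matrix=MATRIX):
    """Desired flows that no allow rule permits (desired wider than actual)."""
    missing = []
    for (src, dst), services in matrix.items():
        for svc in sorted(services):
            if not any(r.action == "allow" and (r.src_zone, r.dst_zone) == (src, dst)
                       and r.service in (svc, "any") for r in rules):
                missing.append((f"{src}->{dst}", svc))
    return missing

# Constructed "actual" ruleset, as exported from a device and mapped to zones.
ACTUAL_RULES = [
    Rule("r1", "corp", "dmz", "tcp/443", "allow"),
    Rule("r2", "dmz", "cardholder", "tcp/5432", "allow"),
    Rule("r3", "vendor", "cardholder", "any", "allow"),  # out-of-band change
    Rule("r4", "corp", "internet", "tcp/443", "allow"),
    Rule("r5", "corp", "internet", "tcp/22", "allow"),
]
```

Against the sample ruleset, `find_violations` flags r3 (a third-party zone reaching cardholder data with any service) and r5, while `find_unimplemented` reports the corp->internet tcp/80 flow the matrix permits but nothing enforces.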

Reuven Harrison is CTO and co-founder of Tufin. He led all development efforts during the company's initial fast-paced growth period, and is focused on Tufin's product leadership. Reuven is responsible for the company's future vision, product innovation and market strategy.
User Rank: Moderator
6/17/2014 | 1:34:16 AM
Re: pitfalls?


Let me give an example. When you segment your network, and even segment your configuration, the overall network might be more complex from the management point of view, due to more configuration and protocol usage.

But on the other hand, you simplify individual tenant configuration. For example, you can configure a VRF (virtual routing and forwarding instance) for each application/network/tenant and put them into the VRF. Now managing the individual policy is much easier. This is modularity, and we also call it vertical layering. Can problems still occur? Yes, they can. For this I want to point out my early NC article.
User Rank: Strategist
6/16/2014 | 3:06:06 PM
Reuven, can you comment on what types of mistakes organizations tend to make with network segmentation, other than failing to continuously update it?
User Rank: Strategist
6/16/2014 | 12:00:23 PM
Target breach
Our sister site, Dark Reading, provided some discussion of the Target breach, network segmentation, and PCI compliance. Seems a little strange that the PCI DSS doesn't require network segmentation, but then again, there's a lot about PCI that's strange.