A recent article at Network World by Zeus Kerravala highlighted the design phase as the most cost-effective point to apply an IoT security strategy. We couldn't agree more. In our previous article on Network Design, we shared how segmentation could be integrated into a traditional network. That design greatly reduces the risk of cross-contamination by isolating groups of like devices into network containers, or VLANs, and then strictly filtering inter-VLAN communication down to only what is necessary.
A networking term making the rounds right now is micro-segmentation. The design strategy it describes is not new; there have always been granular network security options such as port security or private VLANs. Port-based security has always made network management very complex, especially at large scale. However, current and emerging SDN and network orchestration toolsets are now simplifying network management across large networks. Micro-segmentation may now be a viable and effective alternative to traditional VLAN designs enforced with IP/port-based security. In environments where virtualization and cloud services have a central role, it becomes a very attractive solution.
The benefits of micro-segmentation include simplified IP network management via a flatter network topology, greater flexibility, automation, and ease of implementation. Consider building automation: no fewer than five independent control systems are the norm for newer buildings, requiring five additional VLANs and IP networks under the VLAN design model. Now multiply that by the number of building assets. A flatter network simplifies the task of integrating these systems into an existing network. It is much more flexible, as strict port plans aren't required, and network switches dynamically and automatically apply port security profiles based on the connected device's characteristics or authorization. Finally, the strategy is straightforward to overlay onto an existing network.
Combining next-generation firewalls with 802.1X port authentication and port security provides granular control over endpoint devices and what they can do on a network. Consider the following diagram:
On connection, the network switch authenticates the device via its MAC address. The directory server responds with authorization privileges and a reference to a pre-configured port profile. The port profile, once applied, only permits the device to communicate between its own port and the switch's uplink port, effectively isolating the device from all other hosts. The firewall performs DPI on all communication and permits the device to talk to its centrally located controller in the data center and/or a cloud application service. The same strategy may be applied to isolate controllers and consoles in the data center from each other and from the core network services.
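The flow above, written out as an edge-switch configuration. This is an added example, not configuration from the original article or from any product the article describes; it uses Cisco IOS-style syntax, and the RADIUS server address, shared secret, VLAN number, interface names, the ACL name used as the "port profile", and the controller address 10.20.0.10 are all constructed assumptions. The directory server is assumed to speak RADIUS and to return a VLAN plus a Filter-Id naming the profile ACL for an authorized MAC.

```text
! Constructed example: Cisco IOS-style edge-switch configuration for
! MAC-based authentication -> RADIUS "directory" -> port profile.
! Every address, name and VLAN number here is an assumption.
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! The directory server is reached over RADIUS; the secret is a placeholder.
radius server DIRECTORY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
!
! Port profile expressed as a named ACL. For an authorized MAC the directory
! returns Tunnel-Private-Group-Id = 100 (the VLAN) and
! Filter-Id = "IOT-SENSOR.in", and the switch applies this ACL inbound on
! that port. Only bootstrap services (DHCP, DNS) and the assumed data-center
! controller 10.20.0.10 are reachable; the firewall on the uplink still
! performs DPI on that allowed traffic.
ip access-list extended IOT-SENSOR
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.20.0.53 eq domain
 permit ip any host 10.20.0.10
 deny   ip any any
!
interface GigabitEthernet1/0/5
 description IoT edge port (constructed example)
 switchport mode access
 switchport access vlan 100
 ! protected port: no direct frames to other protected ports on this switch,
 ! so the device can only reach the uplink (and, through it, the firewall)
 switchport protected
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! try MAC-based auth first (headless IoT devices), 802.1X when supported
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description uplink towards firewall and data center
 switchport mode trunk
```

Two points worth noting when applying this pattern: a MAC address identifies a device but does not prove its identity, so the isolating port profile and the firewall's DPI policy, not the MAC lookup, are what actually limit what a compromised or cloned device can reach; and because the ACL and VLAN arrive from the directory, the switch port itself needs no device-specific configuration, which is the flat, self-managing edge the article describes.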
If a large-scale network already has good orchestration tools, this design shouldn't be difficult to manage. The edge switch should be mostly self-managing, and the only input required from ops would be the initial registration of a new device. It effectively allows users, network devices and IoT-type devices all to co-exist on the same network without the need to create many segmented IP networks and the management complexity that comes with them.
Micro-segmentation could be a very effective and efficient solution in the right environment.