Thomas Kee

Principal Engineer

Tuesday, May 8, 2018

It is hard to find a modern network that isn't labeled, tagged, or classified in some way. Segmenting network traffic and isolating your users from harm, while still offering a useful service that can be deployed and managed easily, is a daunting task.

The US government has spent vast resources developing best practices in network security for protecting the national power grid by applying segmentation and segregation. Here is what they have to say:

“Segmentation establishes security domains, or enclaves, that are typically defined as being managed by the same authority, enforcing the same policy, and having a uniform level of trust […].

The aim of network segmentation and segregation is to minimize access to sensitive information for those systems and people who don’t need it while ensuring that the organization can continue to operate effectively.”

Segments not properly segregated will be compromised when network breaches occur. This is sometimes referred to as Tootsie Pop Security, meaning “…security of most organizations is like a Tootsie Pop. Hard and crunchy on the outside, soft and chewy on the inside. One bite and you easily get to the yummy center.”

Network segmentation and resource isolation are important network security concepts, and they are the first controls most operators implement to keep a breach from propagating further. Recent innovations in networking have made the tools for segmentation even easier to implement, deploy, and manage.

Why is network segmentation creating so much buzz today?

The main change is that we now have access to more of the software that makes networks work, and to low-cost platforms to deploy it on, which lets innovation in network segmentation happen faster. For the most part, data traffic handling and network security have not kept up with innovations in Software Defined Networking (SDN), which makes this much easier.

SDN introduces the notion that the data plane and the control plane should be separated. Virtual networks have made it possible to create network segments that are completely disassociated from the underlying network equipment. Together, these two ideas give rise to Software Defined Segmentation (SDS).

Software Defined Segments are easier to use: they can be created dynamically and managed through a rich set of APIs that integrate directly into deployed services. SDS allows network elements to be classified into policy groups whose members can be identified, trusted, and authorized to establish peer connections with path assurances, including network cloaking and military-grade encryption. These software segments also let you connect administratively through APIs to monitor events and gain visibility by collecting important metrics that were previously difficult to obtain.

Critical infrastructure needs a security model with strong, built-in identity associations for connection authorization. Any network segmentation, be it nano, micro, or mondo, starts with a rock-solid, verifiable identity.

Identity-based cryptography is a key component in trusting the associations between connected devices, regardless of your network topology, and it is a necessary layer in a multi-layer network security approach.

Our unique network segmentation software can deliver a secure, private, full-mesh Ethernet VPLS service and our customers are protecting their critical assets with our platforms today.