Part One: Mistaking VLANs for Micro-Segmentation Solutions

 

Why do bad things happen to good segmentation projects?

We see it all the time; companies start with the noble notion to successfully implement hardened LAN and WAN micro-segmentation for their devices, networks, or environments. It really shouldn’t be all that much to ask. After all, micro-segmentation is what helps a CIO or CISO sleep at night. It lets us rest peacefully knowing that the networks we’re responsible for are tightly secured, yet still highly accessible to the right users.

Most micro-segmentation projects start with positive vibes filling the air of conference rooms and remote locations, spanning company-wide. Everybody’s onboard with the goal of making their networks more secure and easier to connect. Then, two nefarious criminals to IT productivity everywhere begin to rear their ugly heads: cost and complexity. Suddenly, those vibes aren’t quite as positive anymore.

When bad things happen to good segmentation projects, it’s usually because cost and complexity become insurmountable. Thankfully, however, they’re no longer necessary evils, yet we’ve discovered that IT professionals across the industry still make some frighteningly common, but costly mistakes that need to be reconsidered.

Welcome to Part One of a five-blog series detailing these mistakes and how to avoid them. This first discussion examines the mistake of using VLANs for micro-segmentation, and how to avoid it.

Mistake #1: Using VLANs as a Segmentation Solution

Don’t incorrectly associate Virtual Local Area Networks (VLANs) for a simple form of micro-segmentation. Sure, VLAN hopping exploits like Double Tagging and Switch Spoofing can be prevented with some simple changes to default switch settings, but it’s also one more thing for a potentially already overworked administration to forget.

Even when an especially sharp administrator does make the necessary adjustments, these changes tend to impose limitations on particularly useful network functions like trunking. Furthermore, if settings aren’t applied correctly, new unforeseen attack vectors can open up.

Some administrators may be okay with assuming that level of risk and network limitations, but that’s when an even larger problem presents itself, which is effectively managing a VLAN at scale.

Certainly, a limited number of VLANs can be created on a few switches simply enough to implement some level of segmentation. The problem arises when VLANs need to be created and maintained for hundreds or thousands of distributed physical and virtual switches. That creates a complexity that no administrator wants to deal with or is even capable of implementing.

How to Avoid This Mistake

Avoiding this mistake really comes down to one easy-to-follow instruction:

Don’t use VLAN dependencies as an integral aspect of your segmentation project.

If the proposed solution involves VLANs to enforce access control or requires overly sophisticated interfaces or modifications to existing infrastructure, it’s best to seek a less complex, more cost-effective solution.

Proposing a VLAN based micro-segmentation project is most likely doomed for failure. The idea has merit, but ultimately the added complexity, associated cost, and potential risks involved add up to a low probability for success.

A Well-Tempered Solution

Why deal with the pitfalls of using VLANs for micro-segmentation when a vastly superior option is already available.

Simple, secure, and fast micro-segmentation can be obtained by any organization, and it doesn’t need to be cost-prohibitive either. Contact us at Tempered Networks to fully customize a micro-segmentation project for your organization right down to the device level.

We can implement an Identity Defined Networking (IDN) solution, powered by the revolutionary Host Identity Protocol (HIP) that secures devices based on identity, not addresses, so locations become irrelevant, which gives administrators a level of mobility and flexibility that’s unavailable anywhere else. Bad things no longer need to happen to good segmentation projects.

Continue reading...

0 Comments
Friday, February 9, 2018 By Erik Giesa