If we agree that there are no silver bullets in security management, then we must accept the need for a multilayered approach to both our network underlay and our overlays. Network segmentation acts as the first line of defense in mitigating network breaches.

Let’s take a moment and examine current uses of network segmentation and segregation:

  • Helps limit the propagation of threats and breaches.
  • Helps isolate workloads.
  • Makes it easier for compliance and audits such as PCI-DSS and HIPAA.

However, segmentation is a broad term and not really new. We’ve had the ability to segment our network traffic for years using ACLs and VLANs.

Firewalls or ACLs are used to manage device access on your network, and are still important tools (for blacklisting and whitelisting) in a “trust no one” policy. One issue is that iptables still drives much of the firewalling and routing in projects like OpenStack, and is still the most predominant way of applying segmentation. But I have never heard anyone say it is easy to work with, and it is even harder to debug when something goes wrong.

Virtual local area networks (VLANs) have been around for decades now, and are still a useful way to segment networks (unless you want to give everyone their own). However, VLANs are limited in certain areas: they are unable to protect privileged information, and they require many man-hours to set up and manage.

Another industry buzz-term is ‘defense-in-depth’. This is simply the idea of creating a multilayered approach to improve security, and it is considered industry best practice. However, while adding more security layers can help minimize breaches, business operations will be hampered without flexible network management. To prevent this, network segmentation and segregation tools should provide:

  • A centralized controller making it easier to apply and manage policies.
  • End-to-end encryption with identity-based segmentation over an existing network, without affecting any elements in the path.
  • Segmentation that allows operators to create policies based on location, network topologies (peer to peer vs. hub and spoke), bandwidth allocation, or various packet transformations services (video transcoding or threat signature scanning).

A new approach to network segmentation

Tempered Networks offers a way of segmenting your network down to the device or service level. We refer to this as micro-segmentation, which consists of these components:

Virtual private LAN service (VPLS) adds encryption to your network segment while concealing the data traffic. Furthermore, VPLS makes it possible for endpoints to create virtual network connections over the physical network between geographically disparate sites, making it appear as if all members and services are on the same network segment (regardless of location). These encrypted segments are further partitioned by a host of new tunneling protocols that wrap a UDP packet around our L2 frame, so we can break the 4K VLAN labeling barrier and allow finer-grained partitions. This new form of network segmentation is called tunneling or overlays.
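To make the "UDP packet around our L2 frame" idea concrete, here is an added example (not code from the original post or from Tempered Networks) that builds an 802.1Q-tagged frame, shows the 12-bit VLAN ID field refusing a segment number above 4094, and then encapsulates the same frame behind a 24-bit segment identifier. The post does not name a specific tunneling protocol, so the example assumes a VXLAN-style header (RFC 7348) as the overlay format.

```python
import struct

ETHERTYPE_8021Q = 0x8100
VLAN_ID_BITS = 12        # 802.1Q VLAN ID is 12 bits: 4096 values, the "4K barrier"
SEGMENT_ID_BITS = 24     # overlay segment ID; VXLAN's VNI is 24 bits (RFC 7348)
VXLAN_UDP_PORT = 4789    # IANA-assigned UDP port for VXLAN (the outer UDP packet)
VXLAN_FLAG_VNI_VALID = 0x08


def segment_capacity(bits: int) -> int:
    """Number of distinct segment identifiers a field of `bits` bits can carry."""
    return 1 << bits


def tag_frame_8021q(dst: bytes, src: bytes, vlan_id: int, ethertype: int, payload: bytes) -> bytes:
    """Build an 802.1Q-tagged Ethernet frame; VLAN IDs 0 and 4095 are reserved by the standard."""
    if not 1 <= vlan_id <= (1 << VLAN_ID_BITS) - 2:
        raise ValueError(f"VLAN ID {vlan_id} does not fit the 12-bit 802.1Q tag")
    tci = vlan_id  # PCP and DEI bits left at zero for this illustration
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def encapsulate_overlay(inner_frame: bytes, segment_id: int) -> bytes:
    """Wrap a complete L2 frame in the UDP payload of a VXLAN-style overlay header.

    Header layout: flags (1 byte, I bit set), 3 reserved bytes, 24-bit segment ID, 1 reserved byte.
    The outer UDP/IP headers would be added by the socket or tunnel endpoint.
    """
    if not 0 <= segment_id < segment_capacity(SEGMENT_ID_BITS):
        raise ValueError(f"segment ID {segment_id} does not fit a 24-bit VNI")
    header = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", segment_id << 8)
    return header + inner_frame


def decapsulate_overlay(udp_payload: bytes) -> tuple[int, bytes]:
    """Reverse of encapsulate_overlay: return (segment_id, inner L2 frame)."""
    flags, _reserved, vni_field = struct.unpack("!B3sI", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("overlay header without a valid segment ID flag")
    return vni_field >> 8, udp_payload[8:]


if __name__ == "__main__":
    # Constructed sample addresses and payload, not captured traffic.
    frame = tag_frame_8021q(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 100, 0x0800, b"hello")
    wrapped = encapsulate_overlay(frame, 5000)  # 5000 cannot be expressed as a VLAN ID
    print(decapsulate_overlay(wrapped)[0], segment_capacity(12), segment_capacity(24))
```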

Software-defined segmentation (SDS) is a software-defined networking (SDN) tool used to segment network elements. These elements can be identified and trusted, and therefore authorized to establish peer connections with path assurances, which include network cloaking and military-grade encryption. These software segments allow you to dynamically manage your network using APIs, enabling greater control and visibility.

Moving forward

All these tools are still needed to create a multilayered security approach to network segmentation. The challenge is finding the right balance in terms of cost, control and security, and Tempered Networks can help.


Wednesday, February 10, 2016 By Thomas Kee