How to Avoid These Five Common, but Costly Micro-Segmentation Mistakes - Part 2

Erik Giesa

Mistake #2: ACLs–A set of rules that are made to be broken
There’s an old saying that confidently declares, “Rules are made to be broken.” It’s mostly attributed to American five-star general and hero of WW II, Douglas MacArthur. In the right context, it’s meant to be a motivational message, trying to inspire people to think outside the box and not be afraid to chart their own course. When misinterpreted, especially when referring to solutions for network security, the old adage can be devastating.

Consider the concept of an access control list (ACL). It’s basically a list of rules that decide which users and system processes can have access to which areas of your network. Using an ever-increasing number of ACLs seems like a workable course of action on the surface, but after further investigation, you’ll realize they have no place in your organization as a solution to micro-segmentation needs.

In this case, hackers and others around the world with malicious intent view ACLs as the very symbol of a rule that’s made to be broken. Cyber criminals will make it their mission to find every loophole that a flawed enforcement model leaves in an ACL, and to use it to break into your network.

Micro-Segmentation Mistake #2: ACLs

The biggest problem with using ACLs for micro-segmentation is that their base enforcement attribute is the IP and/or MAC address of the endpoint: an insecure and inherently flawed identifier, because an address carries no proof of who is actually behind it. It’s the same fundamental flaw that exists with common TCP/IP networking, and it’s just not an acceptable level of risk for any organization to assume.

ACLs also involve an unfortunate abundance of cascading dependencies: the meaning of each rule depends on the rules evaluated before it, so a single insertion can silently change what later rules do. Keeping that straight requires a high level of constant care and the expertise of a highly skilled engineer. This amounts to an even higher level of complexity than what’s involved with VLAN applications.

At their worst, ACLs form a misguided attempt at micro-segmentation that can amount to thousands of firewalls, many more switches and routers, and tens of thousands of new rules to maintain. That’s way too much complexity for any IT or OT team to handle.
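To make the two problems above concrete, here is a small added example (not code from Tempered Networks or from this post) of how a typical first-match ACL is evaluated and how a rule can be silently shadowed by an earlier one. The ruleset, addresses and ports are constructed for illustration; note that the match logic only ever sees the addresses written on the packet, which is exactly the weakness the section describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network, CIDR notation
    dst: str              # destination network, CIDR notation
    port: Optional[int]   # destination port, None means any port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and (outer.port is None or outer.port == inner.port))


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, port: int,
             default: str = "deny") -> str:
    """First-match evaluation. The decision rests solely on the packet's
    addresses; nothing here verifies which device actually sent it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if s in _net(rule.src) and d in _net(rule.dst) and rule.port in (None, port):
            return rule.action
    return default


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match (the 'cascading dependency' trap)."""
    return [i for i, rule in enumerate(acl)
            if any(_covers(earlier, rule) for earlier in acl[:i])]


# Constructed sample ruleset: app segment 10.1.0.0/16, database segment 10.9.0.0/24
ACL = [
    Rule("permit", "10.1.0.0/16", "10.9.0.10/32", 443),   # app servers to the DB API
    Rule("deny",   "10.1.0.0/16", "10.9.0.0/24",  None),  # block all else into the DB segment
    Rule("permit", "10.1.5.0/24", "10.9.0.20/32", 5432),  # intended exception, but shadowed by rule 1
    Rule("permit", "0.0.0.0/0",   "10.9.0.0/24",  22),    # broad management rule
]

if __name__ == "__main__":
    print(evaluate(ACL, "10.1.5.7", "10.9.0.20", 5432))   # "deny": rule 2 never fires
    print(shadowed_rules(ACL))                           # [2]
```

Running `shadowed_rules` over a real ruleset is one way a defender can audit for rules that exist on paper but never take effect.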

A Well-Tempered Solution

Who needs tens of thousands of rules when you can have real hardened WAN and LAN micro-segmentation via whitelisted devices, across a private overlay network that’s invisible to hackers? A well-Tempered solution to micro-segmentation eliminates the inherent flaw of address-defined networking by granting access according to identity, not address. Not only does this provide unprecedented security to your networks, but it also provides unlimited mobility.

With network security that’s unbound by the chains of TCP/IP, you’re free to move devices or entire networks anywhere they’re needed without worrying about hackers taking advantage of a weakened perimeter.

Contact us at Tempered Networks to fully customize a state-of-the-art micro-segmentation solution that provides ironclad security and limitless mobility for all your devices and networks. Let the rule-makers and rule-breakers continue fighting while you continue networking.