Automated Network Segmentation is a Security Service Away

Network segmentation is a practice as old as Ethernet. Though it originally served to limit broadcast domains, as the number of connected devices and environments grew, segmentation became a staple security practice as well. However, with some organizations adding or removing hundreds to thousands of devices daily, the feasibility and the technical “how-to” became challenging. With this in mind, device auto-classification is fast becoming a decision criterion for organizations choosing their infrastructure.

This is the process by which a new device (such as an IP camera) is added, sensors automatically detect it, run heuristics against its traffic, and determine what type of device it is, also noting the manufacturer and the software version it is running. From there, it is a simple lookup and network assignment process to ensure the device lands in a camera-only network segment. There are few degrees of separation between what network operations logically needs and what security and security-context services already possess today.

Context is Key for Network Security

Knowing who is at your door before you open it is a good security practice in the physical world. This has driven the rise in physical security cameras and other cool technology innovations to help people better protect themselves and their property. This same idea applies to networking and network security—it has always been understood that visibility is critical. After all, you generally cannot stop a threat you cannot see or do not know exists. It starts with knowing what is connected, where and how it should behave. To help with this, there has been a rise in discovery and identification technologies over the last several years. There are many approaches, but in short, the technology identifies a device or application, including such details as manufacturer, device model (if applicable) and other pertinent details through analysis of packets and network context. Now, what if you were able to automatically correlate this device context with a prescriptive network segment assignment based on the type of device or traffic? The benefits could be considerable, wouldn’t you say?

Segmentation is a Best Practice, But…

Network segmentation has long been a best practice for network architectures. It aids in traffic experience management, security by segmentation and more. While manually assigning devices to specific segments was the approach used for years (VLAN management, anyone?), the task has often been a laborious one. Not to mention the hassle if the organization changes the policy or the segments in which the devices reside; the administrative effort to accommodate these changes is considerable, as it is manual in many cases. What if, instead, the context and insights already captured for the purposes of network security were applied to network operations and, in so doing, eased the network and security operations teams’ burden (or at least reduced the mind-numbing role of device segment assignment)?

With an accurate discovery and asset database coupled with device context awareness, an organization could readily assign a device via a network location policy or a network security policy, depending on which team owns policy for the network locations. Whether by VLANs, microsegmentation or another logical network mapping approach, isolating devices or technologies serves many purposes. Asset discovery and inventory tool vendors provide the map and context identification, while others provide the specifics of device and application identification. From there, either by way of a script or via a built-in management policy engine, organizations can take advantage of automatic assignment according to their own needs and requirements.

Automated Hygiene Processes = Secure Outcomes

So, the benefits of this approach become apparent at this point. For security, network segmentation reduces an organization’s potential attack surface by limiting which devices can communicate with one another (e.g., cameras really should not be trying to connect to a file server). This makes it easier to spot anomalous behavior and, ideally, allows more aggressive network policies to be applied that are ‘just sufficient’ for the technology to work (i.e., limiting the open ports permitted for a specific segment to just those required, which inhibits the use of remote access toolkits).
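The three steps the post describes (classify a discovered device from vendor and observed services, look up its segment, then enforce a just-sufficient port policy for that segment) fit together as one small script. The following is an added example written for this article; it is not code from the author or from any product. The OUI table, classification heuristics, VLAN numbers and flow records are all constructed sample data, and a real deployment would take the device records from its discovery tool and the OUI mapping from the IEEE registry.

```python
"""Device auto-classification -> segment assignment -> flow policy check.

Added illustration, not from the original post. Every table below is
constructed sample data; vendor names and VLAN ids are placeholders.
"""
from dataclasses import dataclass, field

# Constructed OUI table: first three MAC octets -> vendor name.
OUI_VENDORS = {
    "00:11:22": "ExampleCam Inc",
    "AA:BB:CC": "ExamplePrint Co",
    "DE:AD:BE": "ExampleServer Ltd",
}

# Constructed heuristics: (device class, vendor substring or None,
# listening ports the sensor must have observed on the device).
# Rules are evaluated in order; the first match wins.
CLASS_RULES = [
    ("ip-camera",   "ExampleCam",   {554}),   # RTSP video streaming
    ("printer",     "ExamplePrint", {9100}),  # raw print port
    ("file-server", None,           {445}),   # SMB, any vendor
]

# Segment policy: which VLAN a class lands in and the only destination
# ports that segment may reach ("just sufficient" outbound policy).
# Unknown devices go to a quarantine VLAN that may reach nothing.
SEGMENT_POLICY = {
    "ip-camera":   {"vlan": 110, "allowed_dst_ports": {554, 123}},       # RTSP, NTP
    "printer":     {"vlan": 120, "allowed_dst_ports": {9100, 631, 123}}, # raw, IPP, NTP
    "file-server": {"vlan": 200, "allowed_dst_ports": {445, 389, 123}},  # SMB, LDAP, NTP
    "unknown":     {"vlan": 999, "allowed_dst_ports": set()},            # quarantine
}


@dataclass
class DiscoveredDevice:
    """One record as a discovery sensor might report it (constructed)."""
    mac: str
    ip: str
    observed_ports: set = field(default_factory=set)  # ports seen listening


def vendor_from_mac(mac: str) -> str:
    """Map the MAC's OUI prefix to a vendor name, or 'unknown'."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")


def classify(dev: DiscoveredDevice) -> str:
    """Return the device class from vendor plus observed services."""
    vendor = vendor_from_mac(dev.mac)
    for cls, vendor_hint, required_ports in CLASS_RULES:
        if vendor_hint and vendor_hint not in vendor:
            continue
        if required_ports <= dev.observed_ports:
            return cls
    return "unknown"


def assign_segment(dev: DiscoveredDevice) -> dict:
    """Look up the segment for the device's class (the 'simple lookup' step)."""
    cls = classify(dev)
    return {"mac": dev.mac, "ip": dev.ip, "class": cls,
            "vlan": SEGMENT_POLICY[cls]["vlan"]}


def flow_permitted(src_class: str, dst_port: int) -> bool:
    """True if the source segment's just-sufficient policy allows the port."""
    return dst_port in SEGMENT_POLICY[src_class]["allowed_dst_ports"]


def find_violations(devices: list, flows: list) -> list:
    """Return flows (src_ip, dst_ip, dst_port) the segment policy would block.

    Sources that were never discovered are treated as 'unknown' (quarantine),
    so their traffic is flagged by default rather than silently allowed.
    """
    class_by_ip = {d.ip: classify(d) for d in devices}
    return [f for f in flows
            if not flow_permitted(class_by_ip.get(f[0], "unknown"), f[2])]


if __name__ == "__main__":
    cam = DiscoveredDevice("00:11:22:33:44:55", "10.1.1.10", {554, 80})
    srv = DiscoveredDevice("DE:AD:BE:EF:00:01", "10.2.2.20", {445, 22})
    for d in (cam, srv):
        print(assign_segment(d))
    # Constructed flows: camera -> file server on SMB should be flagged,
    # camera -> NTP should pass.
    flows = [("10.1.1.10", "10.2.2.20", 445), ("10.1.1.10", "10.0.0.5", 123)]
    print("violations:", find_violations([cam, srv], flows))
```

The ordering of `CLASS_RULES` matters: a camera that also happens to expose SMB still classifies as a camera because the more specific rule is checked first, and anything that matches nothing lands in the quarantine VLAN with an empty allow set, which is the default-deny posture the post's "just sufficient" policy implies.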

However, for those who love manual segmentation by way of VLANs and device configurations, there will always be the command line interface (CLI). Much to the chagrin of colleagues, I, too, refuse to give up mechanical keyboards.

Mike Spanbauer

Mike Spanbauer is a Senior Director and Technology Evangelist for Juniper Networks. Mike’s work and expertise in network and security advisory, consulting, and product strategy over the last 25 years provides a breadth of perspective across network and security execution, as well as approaches to solve for operational and governance needs that organizations face. He most recently served as Vice President of Research Strategy for NSS Labs, driving the enterprise research and consulting practice for NSS’ global clients. Prior to that, Mike held leadership roles at Current Analysis and HP in research, strategy, and competitive intelligence.
