The Network is Key to Securing the Everywhere Perimeter

In light of surging ransomware cases and recent high-profile cyberattacks like those on SolarWinds, Colonial Pipeline, and meat supplier JBS, enterprise security teams may fall into the trap of thinking, “more defenses are better.” They implement an arsenal of point solutions, hoping their bases will be covered. The reality is, an organization can spend as much as it can afford and add as many tools as it wants to its portfolio, but if the underlying network infrastructure is not secure, these tools may not make a difference.

The way businesses often approach network security hasn’t kept pace with the demands of the increasingly distributed workforce or attacker sophistication. In the past, the hard edges of the traditional firewall were enough to protect an organization against outside access. But with today’s highly distributed workforce and the proliferation of IoT and personal devices, the traditional perimeter is obsolete. It’s nearly impossible to identify a rigid perimeter, with connections spanning the campus edge, user devices, IoT devices and both public and private clouds.

Sufficiently defending an “everywhere perimeter” calls for fundamentally new capabilities within today’s security model. Organizations must find new ways to tackle the increasingly tedious task of securely onboarding thousands of devices, servers, users and applications to the network while ensuring safe transport of data, protection of customer data and compliance with regulations.

The network is the key to securing the everywhere perimeter. Here are three ways to turn your network into your greatest cybersecurity asset.

Segment Networks to Protect Critical Systems

It’s important for organizations to take a holistic approach to protecting critical systems and data, which starts with the ability to isolate traffic belonging to different applications. Effective network segmentation enables an organization to deliver separate virtual networks, each tuned to meet specific requirements. The ability to separate mission-critical applications and protect confidential data is especially necessary as the attack surface expands across the distributed enterprise.

With hyper-segmentation, organizations can establish borders to defend against unauthorized lateral movement, reduce their attack profile, deliver highly effective breach isolation, improve the effectiveness of anomaly scanning and greatly bolster the value of specialist security appliances.

Outsmart Hackers with Stealth Networking

Hyper-segmentation should be combined with an Ethernet-based fabric. Traditional, IP-based fabric is a mainstay in the enterprise, but it’s vulnerable to attackers who can easily invade and move laterally across the network once they’re in. By contrast, an Ethernet-based fabric doesn’t use IP underlays, limiting the visibility of the network and reducing attack opportunities.

Making the network “dark” to potential attackers who would otherwise penetrate and move laterally is known as “stealth networking.” What hackers cannot see, they can’t attack. Additionally, this method of using Provider Backbone Bridging (PBB, or MAC-in-MAC) over Ethernet has proven to offer absolute network segmentation, which has been validated by several penetration testbeds over numerous years. As a result, a compromise is contained within the given hyper-segment, or virtual service network (VSN), and there’s no possibility of “hopping” between VSNs.
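To make the isolation property described above concrete, here is an added illustration (not code from the article or from Extreme Networks) of how an 802.1ah MAC-in-MAC header carries a customer frame: the backbone forwards on backbone MACs and B-VID only, the 24-bit I-SID names the VSN, and an edge bridge releases the inner frame only to ports bound to that same I-SID. The MAC addresses, I-SID values and the simplified I-TAG (flag bits zeroed) are constructed assumptions; the PBB/SPB control plane is not modelled.

```python
import struct

# 802.1ah (Provider Backbone Bridging, "MAC-in-MAC") header constants
ETH_P_8021AD = 0x88A8   # B-TAG TPID: backbone VLAN tag
ETH_P_8021AH = 0x88E7   # I-TAG TPID: service instance tag carrying the 24-bit I-SID
PBB_HDR_LEN = 22        # B-DA(6) + B-SA(6) + B-TAG(4) + I-TAG(6)

def pbb_encapsulate(customer_frame: bytes, b_da: bytes, b_sa: bytes,
                    b_vid: int, isid: int) -> bytes:
    """Wrap a whole customer frame (C-DA, C-SA, EtherType, payload) in a backbone
    header. The backbone forwards on B-DA/B-VID; the I-SID identifies the VSN."""
    if not (0 < isid < 1 << 24):
        raise ValueError("I-SID must fit in 24 bits")
    b_tag = struct.pack("!HH", ETH_P_8021AD, b_vid & 0x0FFF)
    # I-TAG TCI: PCP/DEI/UCA/reserved bits left at zero (assumption), low 24 bits = I-SID
    i_tag = struct.pack("!HI", ETH_P_8021AH, isid)
    return b_da + b_sa + b_tag + i_tag + customer_frame

def pbb_decapsulate(frame: bytes):
    """Parse the backbone header; returns (b_da, b_sa, b_vid, isid, customer_frame)."""
    if len(frame) < PBB_HDR_LEN:
        raise ValueError("frame too short for a PBB header")
    b_da, b_sa = frame[:6], frame[6:12]
    b_tpid, b_tci = struct.unpack("!HH", frame[12:16])
    i_tpid, i_tci = struct.unpack("!HI", frame[16:22])
    if b_tpid != ETH_P_8021AD or i_tpid != ETH_P_8021AH:
        raise ValueError("not a PBB frame")
    return b_da, b_sa, b_tci & 0x0FFF, i_tci & 0x00FFFFFF, frame[PBB_HDR_LEN:]

def beb_deliver(frame: bytes, port_isid: int):
    """Backbone edge bridge egress: the customer frame is released only to a port
    bound to the same I-SID; any other VSN never sees it (returns None)."""
    _, _, _, isid, customer = pbb_decapsulate(frame)
    return customer if isid == port_isid else None

# Constructed sample: one customer frame (C-DA, C-SA, IPv4 EtherType, dummy payload)
C_DA = bytes.fromhex("02000000aa01")
C_SA = bytes.fromhex("02000000aa02")
SAMPLE_CUSTOMER_FRAME = C_DA + C_SA + bytes.fromhex("0800") + b"\x45" + b"\x00" * 19
B_DA = bytes.fromhex("02000000bb01")   # backbone MACs (constructed)
B_SA = bytes.fromhex("02000000bb02")

def demo(isid_finance: int = 1000, isid_iot: int = 2000):
    """Encapsulate into the 'finance' VSN and show which edge ports may decapsulate."""
    bb = pbb_encapsulate(SAMPLE_CUSTOMER_FRAME, B_DA, B_SA, b_vid=4051, isid=isid_finance)
    return {
        "backbone_sees_customer_mac": C_DA in bb[:PBB_HDR_LEN],  # backbone header hides it
        "finance_port": beb_deliver(bb, isid_finance) == SAMPLE_CUSTOMER_FRAME,
        "iot_port": beb_deliver(bb, isid_iot),                   # different VSN: dropped
    }
```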

Ensure Network Elasticity

Network elasticity is a critical enabler in securing the everywhere perimeter. An elastic hyper-segment automatically stretches services to the edge, only as required and only for the duration of a specific application session. As workplaces start to move to a hybrid work model—where employees split their time between home or remote work and the office—users are constantly connecting and disconnecting from the enterprise network. Network elasticity allows services to extend and retract based on current needs.

As applications terminate or endpoint devices disconnect, the redundant networking services retract from the edge. By deleting a network configuration that isn’t required anymore, back door entry points to the network are eliminated, helping prevent hackers from infiltrating.

Defense Starts with Your Foundation

With the high volume of sophisticated attacks enterprises are facing and IT environments complicated by the shift to a distributed workforce, it’s easy to be pessimistic about enterprise cybersecurity. But there’s no reason to be defeatist. Contrary to what many security vendors will try to tell you, strong cybersecurity isn’t entirely dependent on the latest bells and whistles, more tools or more platforms. Though it feels like new security categories emerge every month (XDR, SOAR, IDS, UEBA, etc.), remember that effective security starts at the foundation: your network. By ensuring your network is protected, you’re setting up your enterprise for success and security.

Ed Koehler

Ed Koehler is a Distinguished Principal Security Engineer in the Office of the CTO at Extreme Networks. He has been in the communications and networking industry for 20+ years. Ten of those years he spent as a Senior Technology Architect for R&D within the CTO division of Nortel. His areas of specialty are IPv6, multicast, digital identity and network security, as well as voice and video communications and data science. He has several patents in these areas. Ed joined Extreme (via Avaya) in August of 2010 as a Senior Data Solutions Architect specializing in virtualized data centers and associated technologies, including compute and storage. Currently, he is serving in this role at the global geography level as a Distinguished Principal Engineer. He is an IEEE member and was instrumental in the development of some of the core technology used in IEEE 802.1aq “Shortest Path Bridging.”