400 billion dollars! That’s what Lloyd’s of London calculates as the cost of network breaches last year.
Experts agree that a strong perimeter defense is no longer enough. Threat actors can bypass firewalls and evade intrusion detection systems. Once inside, they are free to roam undetected for days, weeks or even months while they search for vulnerabilities to exploit and escalate their privileges so they can abscond with valuable data. What we need is a new strategy!
Segmentation
Savvy network engineers and security experts have used segmentation since the early 1980s to partition networks with VLANs and extensive use of ACLs (Access Control Lists). Done correctly, segmentation is a powerful way to isolate traffic and slow down or stop infiltrators. But experts say that traditional segmentation is not granular or scalable enough to keep up with today’s workflows.
Micro-segmentation
Software-defined networking (SDN) is a new paradigm that gives us the flexibility to segment networks more finely than we ever thought possible. With micro-segmentation, we can dynamically isolate individual workloads down to a single virtual machine or even an individual application, all without creating VLANs or ACLs.
Micro-segmentation has a central tenet that bucks conventional wisdom: ubiquity. Traditionally, we assigned different levels of authorization (LOA) to different applications, meaning that someone checking out a library book doesn’t need the same security as someone applying for Medicaid. That wisdom no longer holds in a world where threat actors are already on the inside and can easily escalate their privileges. Ubiquity means that you always start with the highest level of security possible and apply it to everything.
Exponentially Increasing End-Points
Segmentation is a good thing if properly applied, but micro-segmentation is more granular and dynamic, and it leverages SDN to segment east-west traffic without being tedious and error-prone. Micro-segmentation is designed to handle today’s dynamic data centers and the internet at scale. The only problem is that end-points are increasing exponentially, and threat actors use malware, phishing and every trick imaginable to gain control of them. It’s no longer just desktops and laptops that are vulnerable; BYOD smartphones and tablets are everywhere.
Hyper-segmentation
I asked Randy Cross, product manager at Avaya, to tell me about their Hyper-segmentation. He explained that it works from the edge in. Rather than creating network segments for specific applications or servers, their solution automatically creates new segments for each endpoint. Every device has its own fully isolated path to a specific application or server.
Public or private, the only thing that a user sees is their own individual traffic to that specific application. Everything else on the network is invisible to that user. If an attacker were to compromise the session, they would only see what that user sees on that completely isolated segment.
Flying First Class
Randy explained to me that hyper-segmentation was like having your own private Learjet. Rather than taking multiple hops across the country, you get on your own plane and fly direct to your destination. No one can see where you are going, and you see no one else on your way.
Image courtesy of Avaya
Every time a device attaches to the network, a profile tells the fabric how to connect it. A dedicated pathway is set up from the device to the destination application. This pathway is a fully isolated segment. When the session is done, the pathway is automatically torn down, but the profile of the device is retained. When the device reconnects from the same or a different location, a new segment is automatically created.
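As an added illustration (not Avaya’s code, and nothing about their fabric’s internals is assumed), here is a toy Python model of the lifecycle just described: a profile is enrolled once, a dedicated segment is created on each attach, torn down on detach, and a fresh segment is issued when the device reconnects from a new location. Device and application names are constructed for the example.

```python
# Toy model of the per-endpoint segment lifecycle (constructed example, not vendor code).
import itertools

class Fabric:
    """Minimal stand-in for the fabric: one isolated segment per attached device."""
    def __init__(self):
        self.profiles = {}   # device_id -> permitted application (kept across sessions)
        self.active = {}     # device_id -> (segment_id, app, location) while attached
        self._ids = itertools.count(1)

    def enroll(self, device_id, app):
        """Record the device profile: the single application it may reach."""
        self.profiles[device_id] = app

    def attach(self, device_id, location):
        """Device attaches: its profile tells the fabric how to connect it."""
        app = self.profiles.get(device_id)
        if app is None:
            raise PermissionError(f"{device_id}: no profile, refusing to connect")
        seg = (next(self._ids), app, location)   # a fresh, dedicated pathway
        self.active[device_id] = seg
        return seg

    def detach(self, device_id):
        """Session ends: tear the pathway down, keep the profile."""
        self.active.pop(device_id, None)

    def can_reach(self, device_id, target):
        """Only the profiled app, only over a live segment; all else is invisible."""
        seg = self.active.get(device_id)
        return seg is not None and target == seg[1]

def demo():
    fabric = Fabric()
    fabric.enroll("ct-scanner-01", "pacs-server")     # constructed device/app names
    fabric.enroll("nurse-tablet-07", "ehr-portal")
    first, _, _ = fabric.attach("ct-scanner-01", "radiology")
    fabric.attach("nurse-tablet-07", "ward-3")
    r = {
        "scanner_to_pacs": fabric.can_reach("ct-scanner-01", "pacs-server"),
        "scanner_to_ehr": fabric.can_reach("ct-scanner-01", "ehr-portal"),
        "scanner_to_tablet": fabric.can_reach("ct-scanner-01", "nurse-tablet-07"),
    }
    fabric.detach("ct-scanner-01")
    r["after_detach"] = fabric.can_reach("ct-scanner-01", "pacs-server")
    second, _, _ = fabric.attach("ct-scanner-01", "emergency")  # moved location
    r["fresh_segment"] = second != first
    r["profile_retained"] = fabric.can_reach("ct-scanner-01", "pacs-server")
    return r
```

Running `demo()` shows the scanner reaching only its own application, losing all reachability once detached, and coming back on a new segment with the same profile.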
Open Network Adapter (ONA)
Avaya automatically connects desktops, laptops, tablets and smartphones, but to provide total protection they created a special adapter for unique endpoints. Randy explained that a small adapter (about the size of a deck of cards) allows special devices such as medical imaging equipment to work automatically with an Open vSwitch. Once a device is fitted with an ONA, a session can be set up, torn down, and re-established automatically even when the device is moved to a new location.
Conclusion
Network breaches have become the greatest threat against our nation. Since a strong perimeter is no longer effective at keeping out cyber attackers, we need a new approach to further secure our networks. New segmentation tools and SDN give network administrators a lot of options to choose from. Micro-segmentation is a great option to better segment your data center, and hyper-segmentation provides options to isolate traffic down to the end-point. These new tools are our best bet for delivering on the promise of ‘identity as the new perimeter.’