Kevin Taggart | January 2, 2019
This is the final post in our ongoing, deep dive series on the subject of segmentation. Each post has been written by a member of Arraya’s technical or tactical teams, focusing on a specific piece of this extremely broad, highly transformational topic.
Does your network need “more” segmentation? The answer is most likely “yes.” Even users with access to most other corporate assets usually can’t see executive compensation plans. But what protection are you providing for the rest of your company’s data? Camera and video data, physical security and building access systems all house employee personal information. These systems can and do become compromised, and they are among the last devices to be moved to the cloud and its promise of protection. With some basic filtering and segmentation, a considerable amount of this risk can be mitigated, and the same process can be replicated across a Cisco-backed wide area network. While corporate headquarters often has strong policies and procedures, remote locations often don’t have the same budget or mindset. These remote locations often generate a significant – and overlooked – risk.
Software-defined or “SD” WAN isn’t what gave us the ability to filter traffic between corporate sites. Service providers have used segmentation and network filtering for as long as they have been around. This is no simple feat: there is an entire CCIE discipline dedicated to the complexity of popping labels, VRF leaking, L3VPN and carrier-based Ethernet configuration. By choosing the right SD-WAN provider, you can get some of these features without the need for your own team of CCIEs.
Architects build today’s networks using templates and address pools instead of console cables and notepads. This allows us to keep our deployments, security, and design consistent. In case of a lost or compromised device, we can quickly revoke its certificate(s) and remove the device from the network.
There are essentially three key segmentation building blocks.
Building Block #1: Classification
This is the first stage of segmentation. On the WAN edge, admins traditionally did this with access lists matching on an IP address or a layer 4 port. This evolved to NBAR, Cisco’s technology that identifies traffic dynamically instead of relying on static lists of ports. The current Cisco NBAR2 technology can recognize over a thousand applications. Protocol packs deliver incremental, “hitless” updates that identify today’s plaintext and encrypted applications with no need for decryption.
Recently, new NBAR “groups” and “attributes” have made network admins’ lives easier. A high-level list of “traffic classes,” such as voip-telephony, real-time-interactive, network-control and bulk-data, is created and updated by default. The network administrator can additionally apply an attribute called “business-relevance.” This helps mark down or reclassify applications like Apple FaceTime, which is identified as real-time traffic but is most likely not relevant to work at your job.
Using these classification abilities, we can match traffic for guests, contractors and employees and then “tag” the traffic for appropriate filtering. Depending on the environment, the tag may be a Cisco SGT, a VRF or a DSCP value. This tag is what the filtering stage, further down the road, enforces on.
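The following IOS-XE configuration is an added example, not from the original post, showing what the classification stage above looks like in practice: NBAR2 traffic-class and business-relevance attributes are matched instead of port lists, Apple FaceTime is re-marked as business-irrelevant with an attribute map, and each class is tagged with a DSCP value that downstream filtering and queuing can act on. The class-map, policy-map, attribute-map and interface names are my own choices, not Cisco defaults.

```text
! Added example: NBAR2 attribute-based classification and DSCP marking on a
! Cisco IOS-XE WAN edge. All object names and the interface are assumptions.

! FaceTime is reported by NBAR2 as real-time-interactive. Re-map its
! business-relevance so it falls into the scavenger class instead of the
! class reserved for business video.
ip nbar attribute-map ATTR-FACETIME-IRRELEVANT
 attribute business-relevance business-irrelevant
ip nbar attribute-set facetime ATTR-FACETIME-IRRELEVANT

! Classes built from NBAR2 attributes rather than static ports.
! "match-all" requires both the traffic-class and the relevance to match.
class-map match-all CM-VOICE
 match protocol attribute traffic-class voip-telephony
 match protocol attribute business-relevance business-relevant
class-map match-all CM-REALTIME-INTERACTIVE
 match protocol attribute traffic-class real-time-interactive
 match protocol attribute business-relevance business-relevant
class-map match-all CM-NETWORK-CONTROL
 match protocol attribute traffic-class network-control
 match protocol attribute business-relevance business-relevant
class-map match-all CM-BULK-DATA
 match protocol attribute traffic-class bulk-data
 match protocol attribute business-relevance business-relevant
! Anything marked business-irrelevant, whatever its traffic-class, is scavenger.
class-map match-any CM-SCAVENGER
 match protocol attribute business-relevance business-irrelevant

! The DSCP value is the "tag" carried across the WAN (RFC 4594 markings).
policy-map PM-WAN-EDGE-MARK
 class CM-VOICE
  set dscp ef
 class CM-REALTIME-INTERACTIVE
  set dscp cs4
 class CM-NETWORK-CONTROL
  set dscp cs6
 class CM-BULK-DATA
  set dscp af11
 class CM-SCAVENGER
  set dscp cs1
 class class-default
  set dscp default

! Apply inbound on the LAN-facing interface so traffic is classified and
! tagged before it reaches the WAN transport.
interface GigabitEthernet0/0/1
 description LAN-facing
 service-policy input PM-WAN-EDGE-MARK
```

In an environment that tags with SGTs or VRFs rather than DSCP, the class-maps stay the same and only the action in the policy-map changes; the point is that the classification decision is made once, at the edge, from NBAR2 attributes that protocol packs keep current.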
Building Block #2: Filtering
The next step in the process is to determine what we want to filter and segment. Easy use cases are guests and unmanaged systems: filter or segment anything your organization can’t manage on the network. This isn’t always easy or even possible. By filtering traffic from unprotected locations, we can reduce risk and take more of a “whitelist” approach, explicitly permitting only the traffic that is required.
Just about every SD-WAN solution gives you the ability to segment and separate traffic out of the box, and “leaking” and filtering traffic between segments is possible with most of them. However, many organizations prefer to filter this traffic through traditional firewalls. This keeps security-zone filtering consistent across the organization, especially for those with existing security standards and approved methods or procedures.
Building Block #3: Validation / Reporting
The final piece of any segmentation project is validation and reporting. IT should document, validate and audit all high-level policies. Adding or editing security zones necessitates additional testing and validation to ensure conformance.
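As an added example covering both the filtering block and the validation block above (it is not configuration from the original post), here is a whitelist-style filter for a guest and unmanaged-device segment on a Cisco IOS-XE branch router, followed by the show commands used to confirm it is applied and behaving as intended. The VRF name, VLAN, addresses, resolver address and ACL name are all assumptions for the example.

```text
! Added example: segment + whitelist filter for an unmanaged guest segment,
! with the commands used to validate it. Names and addresses are assumptions.

! Segment: guest traffic lives in its own VRF, so it has no route to
! corporate prefixes unless one is deliberately leaked to it.
vrf definition GUEST
 address-family ipv4
 exit-address-family

! "vrf forwarding" must precede "ip address", or the address is removed.
interface Vlan200
 description Guest-and-unmanaged
 vrf forwarding GUEST
 ip address 10.200.0.1 255.255.255.0
 ip access-group ACL-GUEST-IN in

! Whitelist: explicitly permit what guests need; everything else is denied.
! Order matters: the DNS permit precedes the 10/8 deny on purpose.
! Remarks document intent so the policy can be audited later.
ip access-list extended ACL-GUEST-IN
 remark --- DHCP (client source is 0.0.0.0 until it has a lease) and DNS to the guest resolver only
 permit udp any eq bootpc any eq bootps
 permit udp 10.200.0.0 0.0.0.255 host 10.200.0.53 eq domain
 remark --- nothing from guests may reach private (corporate) address space
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark --- web to the Internet only
 permit tcp 10.200.0.0 0.0.0.255 any eq 80
 permit tcp 10.200.0.0 0.0.0.255 any eq 443
 remark --- explicit final deny with logging so blocked attempts show up in reports
 deny   ip any any log

! Validation / reporting: confirm the ACL is bound to the interface, watch the
! per-entry hit counters while test traffic is generated, and confirm the
! guest VRF holds no corporate routes.
show ip interface Vlan200 | include access list
show ip access-lists ACL-GUEST-IN
show ip route vrf GUEST
```

During validation, generate traffic from a test host on the guest VLAN toward a corporate address and toward the Internet, then re-run show ip access-lists: the counters on the deny entries should climb for the corporate destination while only the web permits climb for the Internet destination. Keeping that output with the change record is the documentation the validation step calls for, and the same check should be repeated whenever a zone is added or edited.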
To learn more about segmentation and its role in today’s IT landscape, reach out to our team of experts by visiting: https://www.arrayasolutions.com/contact-us/.