As computer crime evolves, so must computer networking. Network security approaches are due for a major revamp—so say goodbye to network segmentation and hello to microsegmentation. Digital barriers slow hackers down and improve network security.
It isn’t enough to put up a ring of iron around your network to protect it from outside intruders if you don’t protect critical assets on the inside, too. Installing walls between different parts of the internal network stops hackers from jumping from system to system if they gain access. This concept is known as segmentation, and security professionals have practised it for decades.
In the past, companies have segmented networks by configuring their switches, routers, and firewalls into virtual LANs (VLANs). This method cordons off sensitive areas, such as human resources databases or computers used by the finance team. It can also compartmentalize public-facing systems within a company, such as wireless networks for visitors, or create a demilitarized zone where sensitive data shouldn’t go.
A lack of segmentation can prove devastating to your network’s security. When the US Office of Personnel Management was hacked in 2015, losing the personal data of nearly 22 million people, the US Congress quickly ordered an investigation. When the report finally came out, it found that attackers had easily navigated the network because it hadn’t been properly segmented.
Direct traffic in all directions
Segmentation has been around for a long time as a concept, but corporate network traffic has become more complicated in the interim. Traffic travelling between the data centre and external users is known as north-south traffic, whereas traffic travelling within the data centre or between data centres is known as east-west traffic.
East-west traffic has grown exponentially since segmentation was introduced, especially as the data centre environment has been virtualized and more servers and applications have appeared. According to Cisco’s Global Cloud Index, east-west packets will represent 86 percent of total data centre traffic by 2020. This is the traffic in which attackers hide as they silently jump from one computer to another, infecting your machines.
The sheer volume of different IP addresses and rules companies must maintain inside those firewalls and routers is overwhelming. And altering them to cope with changing network configurations and business conditions is prohibitively difficult. Microsegmentation offers a new way to partition different systems and maintain network security in an increasingly complex environment. Instead of configuring broad network segments in hardware, microsegmentation abstracts this configuration into software. It’s a function of software-defined networking (SDN), in which key aspects of network control are moved away from networking hardware and managed from a central point.
Microsegmentation also enables administrators to make those network segments smaller, moving their boundaries closer to the systems they protect, which is good for network security. Far more network segments can now exist, protecting internal assets in a more granular manner. It effectively turns every virtual machine running on a network into its own individual segment, protecting it with its own firewall.
The other advantage is that microsegmentation can make decisions based on flexible parameters. A system may choose to block access to an asset based on the source of incoming traffic, its type, its content, or even a mixture of all these factors. This makes it possible to configure complex access policies reflecting network security rules specific to an organization.
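To make the difference concrete, here is an added illustration (not code from the article or any vendor) that models both approaches as policy functions over a small constructed inventory: a VLAN-style model where hosts inside one VLAN talk freely and an ACL governs inter-VLAN flows, and a microsegmented model where each workload only accepts flows its label-based rules explicitly allow. The blast_radius helper then counts how many hops a foothold on web-1 needs to reach each other workload under each policy; the workload names, VLAN numbers, ports and rules are all assumptions made up for the example.

```python
from collections import deque

# Constructed inventory (not a real network): vlan = coarse segment, role = workload label,
# listens = ports the workload actually has open.
WORKLOADS = {
    "web-1": {"vlan": 10, "role": "web", "listens": {("tcp", 443), ("tcp", 22)}},
    "app-1": {"vlan": 10, "role": "app", "listens": {("tcp", 8080), ("tcp", 22)}},
    "db-1":  {"vlan": 20, "role": "db",  "listens": {("tcp", 5432), ("tcp", 22)}},
    "hr-1":  {"vlan": 20, "role": "hr",  "listens": {("tcp", 445), ("tcp", 22)}},
}

# VLAN-style model: no barrier inside a VLAN; a firewall ACL applies between VLANs.
VLAN_ACL = {(10, 20): {("tcp", 5432)}}   # the app tier's VLAN may reach the database VLAN

# Microsegmentation model: per-workload allow rules keyed on labels; anything else is denied.
MICRO_RULES = {("web", "app"): {("tcp", 8080)}, ("app", "db"): {("tcp", 5432)}}


def vlan_allows(src, dst, proto, port):
    s, d = WORKLOADS[src]["vlan"], WORKLOADS[dst]["vlan"]
    if s == d:
        return True                      # same segment: the switch forwards it unfiltered
    return (proto, port) in VLAN_ACL.get((s, d), set())


def micro_allows(src, dst, proto, port):
    key = (WORKLOADS[src]["role"], WORKLOADS[dst]["role"])
    return (proto, port) in MICRO_RULES.get(key, set())   # default deny


def blast_radius(start, allows):
    """Map each workload reachable from a foothold on `start` to the hops needed,
    moving only over ports the target listens on and the policy permits (BFS)."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for name, info in WORKLOADS.items():
            if name in hops:
                continue
            if any(allows(cur, name, proto, port) for proto, port in info["listens"]):
                hops[name] = hops[cur] + 1
                queue.append(name)
    del hops[start]
    return hops


if __name__ == "__main__":
    for label, policy in (("VLAN", vlan_allows), ("microsegmentation", micro_allows)):
        print(label, blast_radius("web-1", policy))
```

Under the VLAN model a compromised web server reaches the database and the HR host directly or in two hops; under the microsegmented policy the database is only reachable after a second compromise of app-1, and the HR host is unreachable.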
Wear hackers down
All of this makes it far more difficult for attackers to ply their trade. In a typical intrusion, an attacker will first gain access to a system by infecting an endpoint with malware or stealing a user’s account data. From there, they will silently explore each segment of the network, looking for ports that have been left open and using them to jump from one segment to another.
In hacker parlance, this is known as moving laterally through the network. In an unsegmented network, lateral movement is laughably easy. In a network using broad VLAN-style segmentation, it’s more difficult but still doable—given enough time. Because attackers often silently sit on networks for weeks or even months, they eventually traverse the network to the target.
In a microsegmented network, every new service or application represents another challenge. It throws up another barrier for hackers and forces them to spend more time and effort trying to pick their way through the network infrastructure, making the cost of compromise far higher. Modern computing environments are a battlefield on which attackers and defenders constantly fight.
This is not a binary conflict where a clear winner will emerge—it’s a constant tussle. Defenders must use every tool and technique in their arsenals to bolster network security. Microsegmentation, with its innate ability to slow attackers to a crawl, is a powerful weapon in this fight.