How to Segment a Network?
Enterprise internal networks are used to flat and open; an internal host can access almost all the other hosts on the network. With increasing security control and performance requirements, the modern environment breaks them into small groups or zones based on different business needs or functional criteria and enforces rules to limit access between them. This is called Network Segmentation.
A successful Network Segmentation can significantly improve network performance, reduce cyber-attack risk and protect critical assets. It usually involves switching (Layer 2), routing (Layer 3), and firewall (Layer 4) configuration. Typically it needs to go through 3 steps.
- Initial Design – Define business requirements, identify device, data, application, user and traffic flow.
- Implementation and Deployment – divide network into small parts by creating VLANs, assigning different IP subnets, restricting inter-segment access using firewall rules.
- Ongoing operation, monitoring and maintenance – Ensure it meets all the requirements, and adopt any changes necessary in a prompt fashion, and monitor any abnormal activities.
Network Segmentation Key Challenges and Considerations
Network Segmentation could be challenging and complex. Many road blockers are preventing a successful network segmentation rollout. Here are a few typical obstacles people need to overcome in each phase.
1. Network Design
- inaccurate device inventory and fingerprinting, which leads to missing devices and incorrect grouping.
- incomplete application and traffic flow identification, which leads to traffic blocking
- insufficient user behavior analysis and information gathering
2. Implementation and Deployment
- manual work and human mistake can easily cause misconfiguration and network outages, which may interrupt mission critical business operations
3. Ongoing operation, monitoring and maintenance
- constant network changes may introduce human error
- inadvertent monitoring may overlook critical network events or incidents
Watch Cisco explanatory video about Network Segmentation.
How to Simplify and Automate Network Segmentation?
Armis brings Network Segmentation to a brand new era by greatly simplifying and automating the entire process.
Armis can provide customers with a comprehensive and accurate asset inventory list, including traditional managed devices and unmanaged IoT devices. Each device is identified with detailed information such as make, model, OS, service, the application running, IP connection, traffic flow, user information, etc. This can significantly expedite the design phase.
Leveraging 3rd party tool integration (Network Access Control, firewall, etc.), Armis can automate the change needed to accomplish the network segmentation on the infrastructure, such as switch port configuration, firewall rule, VLAN assignment, etc.
Armis can also monitor the environment and alert any anomaly and malicious activities. Armis can kick off any Security orchestration workflows automatically to enforce or adopt any changes. No human intervention is required.