Network segmentation - know your onions

26 July 2017

I've already written a bit about segregating enterprise networks, and about the new technologies that are making this easier and more effective. As Ideal's solution architect for networks it's something I get asked about a lot, so I thought it might be helpful to look at this from the customer point of view. You can probably boil it down to three questions: Do I need to segregate?, What do I need to segregate? and How do I segregate?

Do I need to segregate?

There are plenty of use cases for doing so, and most of them centre around security - limiting the access that a group of users or devices have to systems or information, or restricting the damage that can be done by rogue software. It's pretty much standard practice now to separate off payment systems for PCI DSS compliance, for example. A more extreme scenario I've mentioned before would be a campus environment shared by two unrelated organisations - modern networks give us the power to host both on the same infrastructure and put a virtual firebreak between them at every level.

Something that's particularly under the spotlight in the light of WannaCry is the use of additional measures to help defeat ransomware attacks. Even if your initial defences are compromised, malware propagation traffic can be specifically picked out and blocked as it traverses the segregated network fabric. This can effectively contain the outbreak to a single host, or group of hosts, before any manual intervention has taken place. You can see how this works below, or find more detail in Cisco's backgrounder.

 

Segmented_attack_containment.png

 

What do I need to segregate?

Knowing why you're segregating leads you to this. If you are trying to get two completely separate organisations to work on the same infrastructure, you need to segregate everything. If you're just segregating off one or more applications in your datacentre, it might be as simple as reconfiguring your virtual network environment, or introducing some additional firewalls or controls to it. For most the need will fall somewhere between these extremes.

How do I segregate?

As I see it, there are probably four effective ways to segregate all or some network services in the typical enterprise IT estate. Which one makes the most sense depends on the answers to the above two questions, but also on considerations such as what the current hardware and virtual infrastructure is: if you're starting in the wrong place, not everything is going to be on the table.

1) The Big Firewall. Servers and endpoints are re-addressed and put behind lots of different interfaces (one for each service type) on a powerful firewall such as the Palo Alto Networks 5000 series. The firewall is trunked to your core network with 10 Gigabit Ethernet (10GbE) or similar, and the core becomes a layer-2 device.

This approach is fine to segregate major network functions, and it could avoid the need to learn any new technology, but it really limits your day-to-day flexibility. For most organisations it would probably mean changing a great deal of IP addressing.

2) VMware NSX (network virtualisation). Essentially NSX transforms your VMware environment into a flexible networking machine, with firewall, load-balancing, NAT and other functions available via the VMware vSphere interface.

Again this is suited to segregating network applications. The Palo Alto Networks virtual firewall can also be inserted into an NSX environment, adding more threat-protection functionality between (east-west) and into (north-south) the virtual machines. My colleague Daren Vallyon is the expert here; he's just successfully qualified Ideal for the VMware Network Virtualisation competency.

3) Cisco Application-Centric Infrastructure. ACI uses specific Cisco hardware switches and a special version of the Cisco Nexus 1000V virtual switch for VMware vSphere.

This approach is similar to using VMware NSX and it provides similar capabilities, but it does require a whole new interface. Also, for many enterprises this might require switch upgrades, but it does have the benefit of dealing with physical servers quite well.

4) Cisco TrustSec. TrustSec provides dynamic endpoint identification and classification using Security Group Tags (SGTs), controlled with the Cisco Identity Services Engine (ISE). A matrix of permitted SGT-to-SGT communication is built on ISE, then pushed down to the core switches which enforce the security policy.

This is an incredibly powerful approach: you can use TrustSec to identify any user at the edge of the network, then enforce security policy throughout. Supported Cisco switches are a requirement, though: edge switches such as the Catalyst 3750 and core switches such as the Catalyst 6500 range will support SGT enforcement. To extend segregation into the VMware environment you again need the Nexus 1000V virtual switch, with VMware Enterprise Plus licensing as a prerequisite.

Finding - and mastering - the right solution

To summarise the four options, VMware NSX and Cisco ACI both lend themselves to server-centric segregation, which still leaves the challenge of segmenting the campus. On the other hand, the Big Firewall option means carving up your servers or network into silos to some extent, which could be a problem if you're trying to build a dynamic environment. Using TrustSec is perhaps not as robust and powerful as NSX in the data centre, but it's really the only way to extend segregation into user and endpoint security. As such, it's the only one to offer an end-to-end solution for segregating the network.

In practice we're not usually talking about these technologies in isolation. To meet our customers' data centre requirements we'd typically explore a solution in NSX, whereas TrustSec would be the ideal across the campus.

Of course, the challenge with any form of segregation is that you're putting something in the way of all your network services. Whatever the approach, you need to plan and implement it carefully, or you risk taking them all down.

 

Need further advice? Why not get in touch. We've got the relevant Cisco, Palo Alto Networks, VMware and other competencies to design and implement effective network segregation using any of the above approaches. More importantly, we've the experience and insight to know which will best meet your business needs.


Header image: Paolo Trabattoni/Flickr, Creative Commons