Segmentation Done Right Part 1 of 3
When I was in middle school standing in the cafeteria lunch line, there was always that feeling of nervousness before the spaghetti or tuna casserole(or aloo tikka masala if you are familiar with the Indian school lunch trays) hit my lunch tray with its unique thud. After the entrée, I would shuffle my feet to the left to receive my overcooked peas and carrots. Last but not least was a big scoop of extra syrupy canned peaches. Ah, the joys of being in 7th grade. The good thing about public school lunch was that at least the lunch tray was compartmentalized and my noodles only caught a little bit of that extra sugary-extra sweet peach syrup. Segmentation, what a great idea.
Contain the Damage
Reminiscing about my school noodles made me think about the benefits of network segmentation which is the division of a network into smaller more manageable groups. These zones can be separated from each other with controls in between to help control and keep zones safe and secure. If for example, there was a cyberattack and a device is compromised, the segmentation will keep the damage from spreading as the damage is confined to a specific zone or segment. Think blast radius control. Unusual lateral side to side movement is also kept in check when a network is properly segmented.
It’s Recommended
It sounds simple enough, separate the network into its own compartment to limit the spillover effect and zones can readily consist of VLAN/subnets, groups or segments, hence the name. In terms of application, one can deploy network segmentation using existing network infrastructure or even via deploying new next-generation firewalls into specific zones. The National Institute of Standards and Technology (NIST) in its framework for zero trust architecture recommends segmentation for enhanced identity governance.
Factors to Consider
Getting started with segmentation takes a little bit of thought. How big will the zones be? How many devices of similar types would be in each zone? What about the regulatory environment? The regulatory side can have a say in how things are portioned as well. For example, if your business deals with payments the PCI-DSS standard will state a clear demarcation between payment card authorization and point of sale. In hospitals, one would want to keep life-saving equipment separated from the IT devices.
So how does one begin and are segments rigid in a “set it and forget it” way? How can segments evolve as network requirements change? How is it going to adapt to changing business policies? It helps to start off the right way with a segmentation project by considering the various enterprise departments and the level of fine-grained control required. Furthermore, consider the zones of vulnerability, as plenty of exploits and attacks can occur from inside the network. Departmental segmentation can be done with firewalls but if you want to get more granular control, it very quickly amounts to deploying a large number of small hardware firewalls everywhere on the campus, which is not practical nor cost-effective.
Network segmentation by itself is a great methodology, but if your organization does not know how your applications communicate with your endpoints, then you may risk having incoherent policies at your control points, which reduces the solution’s effectiveness and usefulness of segmenting. Also, segmentation applied without precision, can even impact the day to day operations of a company, so something to consider when it comes to implementation. The other factor to consider is the growth and expansion of your network as you want a segmentation method that is scalable with your business requirements.
Slice and Dice Your Way to Segmentation
When you use a platform from Ordr, you can get as granular as you like. Beyond buildings, sites, departments, and floors, one can segment a network via business requirements and even perform grouping by device functions, even for the same class of devices. For example at a casino, we can separate all the cameras into various groups based on their function, physical surveillance cameras for regulatory compliance (watching the slot machines) vs. general use security cameras observing foot traffic. High-risk assets vs. mission-critical assets are another way to consider the segmentation process.
Segmentation similar to the lunch tray can work great when it’s done right. There is no spillover or cross-contamination and things are in a nice tidy order. Next week we will discuss the limitations and shortcomings of existing approaches and dive deeper into modern methods for segmenting the network the right way.
Read Segmentation Done Right – Part 2
First off is device control. Before we implement any security measure it helps to know exactly what we have. Hospitals with all the equipment and devices oftentimes might not really have full visibility into all their assets. Some medical systems go through mergers or divestitures and its often difficult to find all the equipment, let alone which infusion pump or MRI machine is being utilized or not.
Unpatched software and outdated operating systems can leave you vulnerable and we can tell you exactly what device needs upgrading or patching. Sometimes equipment or devices may be hiding somewhere but if it does end up being connected and starts communicating with the network, we will see it and let you know.
The boundaries for many hospital networks are now blurred and stationary perimeter firewall protecting us from all attacks is no longer the rule. Malware can be downloaded to many devices often unintentionally by remote or telecommuting workers and damage can occur when someone reconnects to the corporate network.
If there is any deviation from normal behavior, we can sound the alert. And it’s not just the changes from the daily routine that we can see, our engine can monitor how each device acts in a normal setting relative to its peer group. A thermostat talking to the finance department, that should not happen. Some traffic flow trying to disable security controls or install rootkits? We will shut it down.
There are supervisory command applications such as Telnet, FTP, SSH, SNMP, and others. As an example, SSH works by enabling secure system administration and file transfers over insecure networks. Uses encryption to secure the connection between a client and a server. All user authentication, commands, outputs, and file transfers are encrypted to protect against attacks in the network. SSH and other command applications are used to operate and debug and fix things and we can help you keep track of all these sessions.
Booth 5584, North Expo Hall
Don’t like crowds? The crush of people can certainly be overwhelming. Let’s have a quiet chat instead. You can schedule a 1:1 meeting with one of our senior executives by reaching out to your Ordr account contact, or simply drop us a note at 
Like crowds but prefer to chat over some refreshments? We’ve got you covered there as well. We’re social people, so we’ll be on hand to share a cheer and some ideas:
Likewise, if a Philips MRI machine is having an active dialogue with a site in the Netherlands, that is perfectly fine as well. However, if that same Philips machine starts talking to China where there is no physical facility owned by Philips, we know that this is a behavior violation and something is out of character. We ring the alarm. Our system is smart enough to know that certain devices can communicate with certain countries while others cannot. We bring all these policy protection and automatically program the firewalls via APIs. Ordr provides the required context of the devices that are talking to an external connection to the firewall. Devices are classified in an orderly fashion by group (manufacturer/make/model) that gets programmed into the firewall. Subsequently, the firewall is updated with all the rules of which group of devices can communicate with which specific websites and countries.