Segmentation Done Right – Part 3 of 3
Segmentation is a good thing and we understand the benefits and we also know that segmentation needs to be done right. Doing it right means segmenting in a non-rigid manner and having a clear goal in mind before VLANs are deployed randomly or likeminded devices are just lumped together. In our concluding series, we discuss our take on flexible segmentation and how to generate policies using the observed behaviors of devices.
At Ordr we can granularly group devices by type or even group the same type of devices across an enterprise. For example, if you want to see all your cameras across your entire enterprise we can do that. Want to see cameras only used by the surveillance security department? Or cameras just in the manufacturing line? We can slice it or dice it any way you like in ways that fit your business requirements.
One popular starting point that we see with some customers is segmentation by vulnerabilities. This process entails segmenting by the most vulnerable devices in your network. For example, think about all the cameras that come with a default password which is oftentimes just “password”. We can help segment these vulnerable cameras from the rest of the network to reduce their attack surface if they get hacked. Later on, we can help a hospital segment another group of precious devices such as CT scanners and patient monitoring devices which are often vulnerable since they run older operating systems. Older operating systems can be an issue since they can be susceptible to malware attacks, oftentimes inadvertently introduced by a healthcare worker who worked remotely, visited a bad site, and then came back to the hospital.
With the Ordr system, you can work through the device population one group at a time, based on your specific business criticality requirements. This is a very granular configurable method vs the traditional way of segmenting …the all or nothing approach of traditional VLANs. Think of it rather as a personal VLAN per device. We can help security personnel maintain good network hygiene by segmenting rogue access points, preventing devices from guest networks accessing clinical resources, and even help identify and remove outlier devices from incorrect segments.
With our approach, there is no need to declare a zero-trust day plan, and then execute to that milestone only to realize that the business requirements have changed, the device population has increased, or the network footprint evolved. With Ordr, you can start the segmentation journey now with a logical device-centric approach vs. big rigid boxes of categories. Our micro-segmentation approach is easier to execute, flexible and changes as your business requirements change, equipment is moved around due to utilization adjustments, or whatever the case may be.
We add insights into understanding the behaviors of devices. Once Ordr has baselined all the traffic, the system can report any time a device attempts to communicate outside its defined network behavior. This will be alerted on the main dashboard and as a device security incident. We can further show you the flows of traffic per device and how it interacts with every other device in your network. We can tell you what’s “normal” as we have intelligently mapped and baselined the traffic. Our system can subsequently report any time a device attempts to communicate outside its defined network behavior. This deviation from a device’s normal behavior will be alerted on the main dashboard as a device security incident.
At Ordr, you can group and segment however you prefer, the choice is yours. Whether it is creating network segments for medical vs. facilities vs. a contractor vs. the Emergency room, even subsegment the pharmacy if you like. And within each segment, you can selectively allow access by various groups. With granular flexible micro-segmentation from Ordr, you can contain any potential breaches and damage. Whitelist internal flows for your business needs flexibly. Blacklist with micro-segmentation, we do that too. We give you the tools to do segmentation right and we give you the smarts to take control.
Read Segmentation Done Right – Part 1: Great Idea and Segmentation Done Right – Part 2: Seeking A Better Way
Using VLANs is pretty intuitive—place all things of a particular type into the same virtual segment. But VLANs are manually intensive—each new device must be manually categorized and assigned the correct VLAN. Each new group needs its own VLAN and a painful call to the IT desk to allocate a new VLAN across the enterprise, each with its own unique IP address space. And don’t forget the VLAN boundaries. ACL policies need to be consistently deployed at each of the routers and L3 switches to control the flow between VLANs, or else what was the reason for creating new VLANs in the first place?
Let us go back to the middle school example from last week. Students in their classrooms can further represent segmentation. Grades and different classrooms separate children, and each class has a teacher. Typically, (or in some cases hopefully) the children are expected not to interact with each other during lessons and only interact with the teacher. Likewise, when you have a class of IoT devices, rarely do these devices need to communicate or talk to each other. If anything, one MRI machine talking to another or sharing a snack should not happen.