
Segmentation Done Right – Part 3 of 3

Segmentation is a good thing: we understand its benefits, and we also know that it needs to be done right. Doing it right means segmenting in a non-rigid manner and having a clear goal in mind, rather than deploying VLANs at random or simply lumping like-minded devices together. In this concluding part of the series, we discuss our take on flexible segmentation and how to generate policies from the observed behaviors of devices.

At Ordr we can granularly group devices by type, or even group the same type of device across an entire enterprise. For example, if you want to see all your cameras across the enterprise, we can do that. Want to see only the cameras used by the surveillance security department? Or only the cameras on the manufacturing line? We can slice and dice the device population any way that fits your business requirements.

One popular starting point that we see with some customers is segmentation by vulnerability. This entails segmenting off the most vulnerable devices in your network first. For example, think about all the cameras that ship with a default password, which is oftentimes just “password”. We can help segment these vulnerable cameras from the rest of the network so that, if they get hacked, the attacker's reach is limited. Later on, we can help a hospital segment another group of precious devices, such as CT scanners and patient monitoring devices, which are often vulnerable because they run older operating systems. Older operating systems are a concern because they are susceptible to malware, oftentimes inadvertently introduced by a healthcare worker who worked remotely, visited a bad site, and then came back to the hospital.

With the Ordr system, you can work through the device population one group at a time, based on your specific business criticality requirements. This is a very granular, configurable method, as opposed to the traditional all-or-nothing approach of VLANs. Think of it rather as a personal VLAN per device. We can help security personnel maintain good network hygiene by segmenting rogue access points, preventing devices on guest networks from accessing clinical resources, and even helping identify and remove outlier devices from incorrect segments.

With our approach, there is no need to declare a zero-trust plan for a given day and then execute to that milestone, only to realize that the business requirements have changed, the device population has grown, or the network footprint has evolved. With Ordr, you can start the segmentation journey now with a logical, device-centric approach instead of big, rigid boxes of categories. Our micro-segmentation approach is easier to execute, is flexible, and changes as your business requirements change, as equipment is moved around due to utilization adjustments, or whatever the case may be.

We add insights into understanding the behaviors of devices. Ordr intelligently maps and baselines all the traffic, so we can tell you what “normal” looks like for each device, show you the flows of traffic per device, and show how it interacts with every other device in your network. Once the baseline is established, the system reports any time a device attempts to communicate outside its defined network behavior. That deviation from the device’s normal behavior is alerted on the main dashboard as a device security incident.
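As an added illustration (not Ordr's code), the following shows the general idea of turning observed flows into per-device allow policies with an implicit deny, then flagging later flows that fall outside the learned behavior as incidents. Device names, ports and all flow records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records observed during a learning window:
# (device, peer, destination port, protocol).
BASELINE_FLOWS = [
    ("camera-01", "vms-server", 554, "tcp"),
    ("camera-01", "ntp-server", 123, "udp"),
    ("camera-02", "vms-server", 554, "tcp"),
    ("ct-scanner-01", "pacs-server", 104, "tcp"),
    ("ct-scanner-01", "ntp-server", 123, "udp"),
]

def build_baseline(flows):
    """Learn the set of (peer, port, proto) each device was seen talking to."""
    baseline = defaultdict(set)
    for device, peer, port, proto in flows:
        baseline[device].add((peer, port, proto))
    return dict(baseline)

def generate_policy(baseline):
    """Turn each device's baseline into ordered allow rules plus a final deny."""
    policy = {}
    for device, flows in baseline.items():
        rules = [{"action": "allow", "dst": peer, "port": port, "proto": proto}
                 for peer, port, proto in sorted(flows)]
        rules.append({"action": "deny", "dst": "any", "port": "any", "proto": "any"})
        policy[device] = rules
    return policy

def evaluate(policy, flow):
    """First matching rule wins; devices with no policy are denied."""
    device, peer, port, proto = flow
    for rule in policy.get(device, []):
        if (rule["dst"] in ("any", peer) and rule["port"] in ("any", port)
                and rule["proto"] in ("any", proto)):
            return rule["action"]
    return "deny"

def detect_deviations(policy, flows):
    """Return the flows that fall outside the learned baseline (incidents)."""
    return [flow for flow in flows if evaluate(policy, flow) == "deny"]

POLICY = generate_policy(build_baseline(BASELINE_FLOWS))

# Constructed later traffic: one normal flow, one camera-to-camera flow,
# and one scanner flow to an address never seen in the baseline.
NEW_FLOWS = [
    ("camera-01", "vms-server", 554, "tcp"),
    ("camera-01", "camera-02", 445, "tcp"),
    ("ct-scanner-01", "203.0.113.9", 80, "tcp"),
]
```

The baseline is only as trustworthy as the learning window, so it should be collected while the devices are known to be clean and reviewed before the generated rules are enforced.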

With Ordr, you can group and segment however you prefer; the choice is yours. You can create network segments for medical versus facilities versus contractors versus the emergency room, and even sub-segment the pharmacy if you like. Within each segment, you can selectively allow access to various groups. With granular, flexible micro-segmentation from Ordr, you can contain any potential breach and the damage it causes. Whitelist the internal flows your business needs, as flexibly as you require; blacklist with micro-segmentation, too. We give you the tools to do segmentation right and the smarts to take control.

Read Segmentation Done Right – Part 1: Great Idea and Segmentation Done Right – Part 2: Seeking A Better Way



Segmentation Done Right – Part 2 of 3

Segmentation is a good thing, and there are many use cases for segmentation done the right way. What tools, then, do we use to get started with segmentation, and are there pitfalls to avoid? The idea is simple, but one doesn’t want to design cost and complexity into the equation from the start. A flexible yet granular segmentation system with ample room to grow is what you need.

The traditional way of doing segmentation was to use the perimeter firewall—one side was trusted and safe, and on the outside was the big bad world. With many intrusions, however, even a small breach of that perimeter means the damage is difficult to contain. Take it a step further, and one can deploy multiple virtual networks, or VLANs, to further segment and create various “safety zones” inside the network, then leverage routers and Layer 3 switches to control access between the virtual segments.

Using VLANs is pretty intuitive—place all things of a particular type into the same virtual segment. But VLANs are manually intensive—each new device must be manually categorized and assigned the correct VLAN. Each new group needs its own VLAN, and a painful call to the IT desk to allocate a new VLAN across the enterprise, each with its own unique IP address space. And don’t forget the VLAN boundaries: ACL policies need to be consistently deployed at each of the routers and L3 switches to control the flow between VLANs, or else what was the reason for creating new VLANs in the first place?

Furthermore, the world of applications is dynamic, so boundaries can’t be so rigid. When one creates and deploys a new application using an Auto Scaling group, which contains a collection of Amazon EC2 instances, IP addresses are assigned dynamically, and frequently the application will need to move around various network segments. With a rigid approach to segmentation, there are too many strict routing rules to navigate, since traffic is only allowed when the endpoint is on a pre-defined list. Movement is hampered, and that permit list has to be updated manually and continuously. In today’s environment, network ports are dynamic, DHCP is dynamic, and applications are active, so we think segmentation should be flexible and smart.

Let us go back to the middle school example from last week. Students in their classrooms can further represent segmentation. Grades and different classrooms separate the children, and each class has a teacher. Typically (or in some cases hopefully), the children are expected not to interact with each other during lessons and only to interact with the teacher. Likewise, when you have a class of IoT devices, rarely do these devices need to communicate with each other. If anything, one MRI machine talking to another, or sharing a snack, should not happen.

So if this orderly communication between teacher and student makes sense in a classroom or “segment,” why do we lump similar devices such as cameras, X-ray machines, or workstations together into their respective segment, VLAN or subnet with the notion that they are protected? These devices should talk to a central master, and externally to fetch a patch once in a while, but not to each other. If one device is compromised, there goes the notion of protection via segmentation. If junior in class catches the flu, the other students in the same class are likely to get sick, too. Likewise, if a workstation is compromised and it sits in the same VLAN as other workstations, how does one contain the damage?

Traditional segmentation often places all sorts of devices of a general category into the same group/segment, and any infection of one will quickly spread to the rest. At Ordr, we segment smartly and take it further with micro-segmentation. We can group and segment things logically, and we can control the flow between the logical segments. Micro-segmentation divides networks down to the workload level and then defines specific security controls and policies for these specific segments and workloads. It’s a more granular and logical approach than physical segmentation via physical firewalls, making it easier for network and security administrators.

If a device becomes infected, we can contain the damage and not let it spill over, thus helping you regulate and protect precious assets and information. Next week we will discuss segmentation automation and how one can generate clear policies from observed behavior. Be smart, control the flow between segments, and do segmentation in an Ordr’ly way.

Read Segmentation Done Right – Part 2: Seeking a Better Way