Network vs. Security Segmentation

The need for segmentation as security strategy has evolved quite a bit. From the early days of networks to the complex data center and cloud environments of today, the approach organizations take to segmentation hasnt kept pace. Anyone trying to use traditional segmentation approaches to address new security challenges will quickly discover it falls short of meeting both expectations and security requirements.

However, this hasnt stopped vendors and some organizations from trying to fit the proverbial square networking peg into the round security hole. Spoiler alert: it just wont fit.

What you really need is Security Segmentation.

In this post, Ill explore the difference between network and security segmentation, concentrating on the data center and how network segmentation has been misdirected to address security requirements.

GROUND CONTROL FORMAJORAPPLICATIONS

When I first got into networking, a segment was a strand of RG-58 COAX. Am I dating myself? Yes.

As my career progressed, I worked at Xylan, a pioneer in "emerging VLAN technology. At the time, the challenge was about interworking any-media (Token Ring, FDDI, ATM, Ethernet) to any-media and extending VLANs not primarily for the sake of security, but rather for reducing broadcast domains to maintain network performance and allow networks to scale. There were no layer 3 switches, and the most expensive elements in the network were the software-based routers.Basically, a segment had evolved to being a logical (not physical) broadcast domain, and it pretty much remained that way until VLANs became intermingled with security.

Today, despite how much money an organization spends on "detection technologies, most organizations believe that a breach of some form is inevitable.

Faced with the inevitability of a breach, the only realistic protection is to build more walls around critical applications or"control the terrain so that bad actors cant move around freely inside your data center and cloud.

Controlling the terrain requires a new form of segmentation.

This is something that I refer to asSecurity Segmentation, whereby an organization must filter traffic to prevent a bad actor from being able to move laterally (east/west) within a data center.This is far better than "retro segmentation through the network, which requires new IPs, new VLANs, and new equipment.

CAN OR SHOULD? IT'SA BIG DEAL

Security Segmentation is not aboutpacket forwardingas it pertains to layer 2 and layer 3 networking. Security Segmentation is aboutpacket filtering enforcing what should and shouldnt be allowed between two points on the network.

I always say that this is the difference betweencan (packet forwarding)andshould (packet filtering). All of the protocols and work that has been done on layer 2 and layer 3 networking has been about reliable packet delivery.

• Layer 2/3 networkingcan find a path to forward a packet between two locations, if one exists.
• Layer 2/3 networking doesnt know whether itshould forward the packet.It wasnt built to work that way.

In fact, asking a layer 2/3 device to figure out what should happen is like asking Ron Burgundy not to read every word on a teleprompter.

Security Segmentation, on the other hand, understands whatshould happen, and enacts packet filters to ensure what shouldnt happen never does, like the spread of a breach.

In fact, reliable packet delivery something we have worked on for 30 years and security segmentation are like first cousins: they are related, but they shouldnt get married.

KISS: YOU WANNA KEEP IT SIMPLE STUPID(AND FILTER EVERY DAY)

One of the things that brought the need for Security Segmentation to the forefront was the emergence of what I like to call the "firewall on a stick problem. Ten years ago, we didnt see a lot of traffic being tromboned to a firewall (or firewalls) in data centers because it created traffic overhead, configuration complexity, and scale issues.However, over time, theres been an increase in those "firewall on a stick designs.

PROTIP: Any time you see a technology on a stick, be weary. It's going to get in the way.

In the enterprise, Software-Defined Networking (SDN) vendors are trying to attack the complexity of the firewall on a stick by creating an overlay of networks that will funnel packets through a distributed set of firewalls. SDN relies on underlays, overlays, and tunneling to make it work. This has created a whole new level of complexity that we can save for another post. But suffice it to say, attacking complexity with more complexity is not a winning proposition.

Complexity is the enemy of a lot of things, and security is one of them.

Unlike SDN, Security Segmentation (A.K.A. packet filtering) relies on the KISS principle of networking: Keep It Simple Stupid. Make something too complex and the probability of error increases as does the likelihood that people look for ways to cut corners the last thing that you want as part of your security strategy.Simplicity, on the other hand, has a better chance of yielding reliability and reliability is critical in security.