Dynamic Network Segmentation

Similar documents
Identity-Based Cyber Defense. March 2017

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Secure Industrial Automation Remote Access Connectivity. Using ewon and Talk2M Pro solutions

Virtualized Network Services SDN solution for service providers

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Virtualized Network Services SDN solution for enterprises

Simple and Secure Micro-Segmentation for Internet of Things (IoT)

Network Segmentation Through Policy Abstraction: How TrustSec Simplifies Segmentation and Improves Security Sept 2014

Cisco Network Admission Control (NAC) Solution

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Real-time Communications Security and SDN

Deployments and Network Topologies

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

CISCO IT DEPARTMENT DEPLOYS INNOVATIVE CISCO APPLICATION- ORIENTED NETWORKING SOLUTION

Upgrade Your MuleESB with Solace s Messaging Infrastructure

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

Rethinking Security: The Need For A Security Delivery Platform

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

NETWORKING 3.0. Network Only Provably Cryptographically Identifiable Devices INSTANT OVERLAY NETWORKING. Remarkably Simple

SNIA Discussion on iscsi, FCIP, and IFCP Page 1 of 7. IP storage: A review of iscsi, FCIP, ifcp

The Top Five Reasons to Deploy Software-Defined Networks and Network Functions Virtualization

SIEM: Five Requirements that Solve the Bigger Business Issues

Optimizing your network for the cloud-first world

W H I T E P A P E R : O P E N. V P N C L O U D. Implementing A Secure OpenVPN Cloud

WHITE PAPER. Applying Software-Defined Security to the Branch Office

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Next Generation Privilege Identity Management

Cisco Self Defending Network

Seven Criteria for a Sound Investment in WAN Optimization

How Cisco IT Improves Commerce User Experience by Securely Sharing Internal Business Services with Partners

Security Assessment Checklist

Introducing Avaya SDN Fx with FatPipe Networks Next Generation SD-WAN

Security Considerations for Cloud Readiness

NETWORK AND SD-VPN. Meshing legacy and Cloud Service Providers

SaaS Providers. ThousandEyes for. Summary

THALES DATA THREAT REPORT

EXTENSIBLE WIDE AREA NETWORKING

Vendor: Cisco. Exam Code: Exam Name: Cisco Sales Expert. Version: Demo

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

vshield Administration Guide

CyberP3i Course Module Series

The F5 Application Services Reference Architecture

FOR FINANCIAL SERVICES ORGANIZATIONS

NEXT GENERATION SECURITY OPERATIONS CENTER

CompTIA Network+ Study Guide Table of Contents

MITIGATE CYBER ATTACK RISK

90 % of WAN decision makers cite their

Business Strategy Theatre

SDN meets the real world part two: SDN rewrites the WAN manual

Chapter 5. Security Components and Considerations.

Firewalls for Secure Unified Communications

Accelerate Your Enterprise Private Cloud Initiative

Cisco Wide Area Application Services and Cisco Nexus Family Switches: Enable the Intelligent Data Center

SOLUTION BRIEF Enterprise WAN Agility, Simplicity and Performance with Software-Defined WAN

NETWORK OVERLAYS: AN INTRODUCTION

Exam: : VPN/Security. Ver :

Enterasys K-Series. Benefits. Product Overview. There is nothing more important than our customers. DATASHEET. Operational Efficiency.

Networking for a smarter data center: Getting it right

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Next Generation Policy & Compliance

Cisco Exam Questions & Answers

NFV and SDN what does it mean to enterprises?

PrecisionAccess Trusted Access Control

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Verizon Software Defined Perimeter (SDP).

1V0-642.exam.30q.

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Chapter 8. Network Troubleshooting. Part II

The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec

SIEM Solutions from McAfee

Simplifying your 802.1X deployment

Holistic IPv6 Transition Yanick Pouffary HP Distinguished Technologist HP IPv6 Global Leader, HP Technology Services Office of the CTO

OpenADN: A Case for Open Application Delivery Networking

Cisco ASA Next-Generation Firewall Services

Executive Summary...1 Chapter 1: Introduction...1

Cloud Security Best Practices

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Chapter 9. Firewalls

Portnox CORE. On-Premise. Technology Introduction AT A GLANCE. Solution Overview

Reviewer s guide. PureMessage for Windows/Exchange Product tour

2013 InterWorks, Page 1

Securing Your Most Sensitive Data

VNC Connect security whitepaper. Cloud versus direct with VNC Connect

Securing Your SWIFT Environment Using Micro-Segmentation

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Cisco APIC Enterprise Module Simplifies Network Operations

IP Mobility vs. Session Mobility

WHITE PAPER. ENSURING SECURITY WITH OPEN APIs. Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

PCI DSS Compliance. White Paper Parallels Remote Application Server

WHITE PAPER AUTHENTICATION YOUR WAY SECURING ACCESS IN A CHANGING WORLD

Cloud versus direct with VNC Connect

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video

Networking for a dynamic infrastructure: getting it right.

We make hybrid cloud deliver the business outcomes you require

Cisco Prime for Enterprise Innovative Network Management

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Making Enterprise Branches Agile and Efficient with Software-defined WAN (SD-WAN)

Transcription:

Dynamic Network Segmentation Innovative network security protection to stop cyber attacks and meet compliance. 1

Isolate and flexibly segment your networks Introduction As organizational structures and technology infrastructures grow larger and more complex, the main tool used to manage the growing complexity is segmentation: breaking down a business, a process, or a technical problem into manageable units. Segmentation is everywhere: organizational departmental structures and hierarchies; company group/subsidiary structures; profit/cost centres for financial control purposes and so on. Within the information technology realm segmentation is so pervasive it s easy not to notice: user ID groups; directories such as Microsoft Active Directory; the Domain Name System; local area networking; relational databases- all of these depend on breaking down a technical administration task or architecture into manageable units. It seems logical that as an organization implements a segmented business structure that the IT infrastructure supporting the organization should follow a similar segmented design. In fact this seems so obvious as to be unworthy of highlighting, however the challenges of doing just this are at the root of some of the greatest strategic challenges an organization will face. For example: Within mulitple banks it is possible to access branch office systems including ATMs from any employee s system. The banks understand the problem, however the inherent difficulties of segmenting off those systems have left those organizations with trying to manage the risks resulting from this flat network architecture. An organization that divested a subsidiary business ran millions of dollars and hundreds of man-days over budget trying to split off the subsidiary s network while still providing access to certain centralized company resources. These difficulties almost halted the divestiture. 2

It initially seems unrealistic to claim that in today s day and age an apparently simple task such as segmentation is sufficiently difficult that an organization s strategic business and operational imperatives are affected, however that is precisely the situation that affects today s enterprises. Here are a few reasons why: The tools and technologies to allow well-segmented infrastructures to be built have themselves become extremely complex. The tools and technologies are inflexible and labor intensive to reconfigure, and lack the level of agility required by an enterprise. The tools and technologies, on top of being complex, force the organization to define a segmentation architecture in terms of network addresses, whereas the business views this requirement in terms of business rules: who is supposed to have access to what. The problem might be termed Orthogonally complex. Current segmentation technologies require that the design, configuration, and implementation be correctly aligned both up and down the network stack, and within each component across every hop in the path between endpoints. APPLICATION PRESENTATION. User account management. Access controls, permission, ACL s. Application Firewalls. Dynamic UI customization. XML firewalls. WAN optimization SESSION. Application gateways, proxy servers. SSL / TLS offload devices TRANSPORT. Load balancers. QoS management NETWORK. Routers and subnet structure. Firewalling DATA LINK. LAN bridging and switching. VLAN PHYSICAL. Physical plant and cabling. Data centre. HVAC services and other environmental 3

As a result many organizations have effectively given up on the problem of segmentation, and have instead designed their enterprise networks from a utility standpoint, where the only role of the network is to be available and to provide end-to-end connectivity. They have deployed so-called flat networks. Nonetheless this is not what they wish to deploy. They have gone this route because of the insurmountable challenges of designing networks to mirror organizational structures, and dynamically adapting that design in response to changing business requirements. This picture illustrates the problem: on the right is the organization s desired view of the world, whereas on the left is what the IT infrastructure typically looks like, isolated islands of resources. What is needed is a solution that allows the infrastructure to be simply constructed, as in the left-hand side of the picture, whilst allowing the view on the right-hand side to be overlaid on this flat network to unlock the greater operational efficiency, strategic alignment, and security that a segmented architecture can deliver. 4

Transport Access Control (TAC) BlackRidge s patented TAC technology delivers a unique solution to segmentation problems faced by today s enterprises. TAC is uniquely positioned to address this fundamental problem for the following reasons: INTEROPERABILITY AND COMPATIBILITY TAC works with standard TCP/IP applications and network infrastructure. Needless to say TCP/ IP is the foundation of today s enterprise networks, the Internet, and cloud service provider infrastructures. TAC is transparent to network infrastructure and applications. It interoperates with all presently installed and future network infrastructures; therefore the solution is an incremental deployment for the enterprise. CLARITY AND SIMPLICITY TAC allows policy to be defined in terms of Identities and applications that should be segmented. It is far more logical, consistent, and simple to segment the IT infrastructure by concentrating on who needs access to what, and under what circumstances, than to try and define segmentation in terms of network addressing alone. As previously discussed network addressing does not correlate at all with the actual Identities and applications that the enterprise infrastructure supports. It is precisely because of this disconnect in terms of the business view of organizational requirements vs. the technical capabilities that the flat network syndrome exists. AGILITY TAC can be dynamically reconfigured, which allows the infrastructure to adapt to changing business requirements rapidly, without any re-engineering of the network infrastructure. SECURITY Segmentation is a key security control, which is used to assure regulators, auditors, and internal security departments that access to systems is managed on an as needed basis. In its purest form of physically separate networks, it is obvious that users and applications on one segment have no knowledge or awareness of users and applications on the other. This prevention of Unauthorized Awareness is a fundamental security principle. TAC is unique in providing the same principle of Unauthorized Awareness over a flat network using a policy defined and enforced entirely in terms of Identities (i.e. what actually matters) instead of irrelevant concepts like network addresses. The basis for TAC is a technique called First Packet Authentication, which works by embedding a token within the first packet of a TCP/IP session request. The TAC token is associated with an Identity, allowing an Identity-based security policy to be applied to the first packet of a connection, thereby controlling visibility and accessibility of network resources. It is the concept of Identity-based First Packet Authentication that gives rise to the segmentation effect of TAC. 5

PERFORMANCE TAC is extremely lightweight, with a processing load that is considerably less than would be incurred for other typical network devices such as firewalls and Intrusion Prevention Systems (IPS). TAC is therefore very suitable for high-performance networks, and the underlying architecture is very scalable, capable of handling tens of millions of identities. A Dynamic Virtual Network Segmentation solution based on TAC is shown in the following diagram: Valid Identities centrally controlled by a physical or virtual BlackRidge Eclipse gateway. VALID IDENTITIES VALID IDENTITIES 1 2 3 4 5 6 1 2 3 4 5 6 Unique TAC keys associated with each machine or user identity. TAC idendities Each client system and/or user is issued with an Identity Key. This key can be derived from existing key material in an identity management system or directory, if the enterprise already has one. The TAC identities in the above example are labelled 1-6. Next the Identities are recognized as valid by one or more TAC gateways that comprise a TAC Community. In the diagram there are red and blue TAC Communities. TAC Identities 1-3 are valid on blue and 4-6 are valid on red. Even though this network is flat, i.e. there is no actual segregation and everything that is considered red or blue is connected to the same network, blue users cannot see the existence of red resources and vice-versa. An important point is that this segmentation policy has been defined at the edges of the network, i.e. at the endpoints and the application servers themselves, with the details of the network that connects the two omitted because it is unimportant. Since TAC interoperates over standard TCP/IP the network architecture between the users and the applications is irrelevant. 6

Also note that because the segmentation policy has been defined in terms of the Identities that require access. It does not matter where the user is connected to the network- they could be in an office, hot-desking, or coming in remotely via a VPN, or perhaps on the Internet. Nonetheless the red/blue segmentation concept will still hold because the policy has been defined and is enforced in terms of Identity instead of by network address. This is a far more logical, simple, and consistent way to implement segmentation, and is far more powerful and flexible than other approaches available today. When business requirements change the solution can dynamically reconfigure. For example if identities 3 and 4 need access to both red and blue TAC Communities it is simple to make the required changes: Identity keys 3 and 4 can be made valid on the appropriate TAC gateways. Similarly, 2 could be dynamically made valid on red instead of blue. These changes are shown in the following diagram: Valid identities centrally controlled by the BlackRidge gateways VALID IDENTITIES 1 4 3 VALID IDENTITIES 4 5 6 3 2 1 2 3 4 5 6 Unique TAC keys associated with each machine or user identity. TAC idendities Defining the policy at the edges of the network, close to the users and applications concerned, and defining that policy in terms of Identity is simple and logical. The policy can be dynamically changed. Because the controls are enforced on the first packet of TCP/IP connections Unauthorized Awareness of applications is prevented, and therefore the BlackRidge solution provides the security benefits of network segmentation in a simple, dynamic, and efficient manner. The TAC solution can be deployed using a physical or virtual network appliances and TAC client drivers. 7

Summary As the main architectural tool to manage organizational and infrastructure complexity, segmentation is pervasive. Today s tools for network segmentation are complex to architect, implement, and manage, and do not readily support dynamic change. In a sense IT infrastructure imposes a high level of friction in strategic business environments that require a high rate of change, and a regulatory environment that benefits from robust segmentation between organizational groups in order to simplify compliance. Transport Access Control is a unique, patented technology that applies an Identity-based security policy to the first packet of a TCP/IP connection. This ability to control the visibility of, and access to network resources provides the benefits of segmented networks without the cost, complexity, management overhead, and inflexibility associated with today s network segmentation techniques. For more information please contact info@blackridge.us or visit us online at blackridge.us. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback