Network vs. Security Segmentation
The need for segmentation as security strategy has evolved quite a bit. From the early days of networks to the complex data center and cloud environments of today, the approach organizations take to segmentation hasn't kept pace. Anyone trying to use traditional segmentation approaches to address new security challenges will quickly discover it falls short of meeting both expectations and security requirements.
However, this hasn't stopped vendors and some organizations from trying to fit the proverbial square networking peg into the round security hole. Spoiler alert: it just won't fit.
What you really need is Security Segmentation.
In this post, I'll explore the difference between network and security segmentation, concentrating on the data center and how network segmentation has been misdirected to address security requirements.
Ground control for major applications
When I first got‚ 'into' networking, a segment was a strand of RG-58 COAX. Am I dating myself? Yes.
As my career progressed, I worked at Xylan, a pioneer in "emerging" VLAN technology. At the time, the challenge was about interworking any-media (Token Ring, FDDI, ATM, Ethernet) to any-media and extending VLANs - not primarily for the sake of security, but rather for reducing broadcast domains - to maintain network performance and allow networks to scale. There were no layer 3 switches, and the most expensive elements in the network were the software-based routers. Basically, a segment had evolved to being a logical (not physical) broadcast domain, and it pretty much remained that way until VLANs became intermingled with security.
Today, despite how much money an organization spends on ‚" detection‚" technologies, most organizations believe that a breach of some form is inevitable.
Faced with the inevitability of a breach, the only realistic protection is to build more walls around critical applications - or "control the terrain" so that bad actors can't move around freely inside your data center and cloud.
Controlling the terrain requires a new form of segmentation.
This is something that I refer to as Security Segmentation, whereby an organization must filter traffic to prevent a bad actor from being able to move laterally (east/west) within a data center. This is far better than "retro segmentation" through the network, which requires new IPs, new VLANs, and new equipment.
Can or should? It's a big deal
Security Segmentation is not about packet forwarding as it pertains to layer 2 and layer 3 networking. Security Segmentation is about packet filtering – enforcing what should and shouldn't be allowed between two points on the network.
I always say that this is the difference between can (packet forwarding) and should (packet filtering). All of the protocols and work that has been done on layer 2 and layer 3 networking has been about reliable packet delivery.
- Layer 2/3 networking can find a path to forward a packet between two locations, if one exists.
- Layer 2/3 networking doesn't know whether it should forward the packet. It wasn't built to work that way.
In fact, asking a layer 2/3 device to figure out what should happen is like asking Ron Burgundy not to read every word on a teleprompter.
Security Segmentation, on the other hand, understands what should happen, and enacts packet filters to ensure what shouldn't happen never does, like the spread of a breach.
In fact, reliable packet delivery - something we have worked on for 30 years - and security segmentation are like first cousins: they are related, but they shouldn't get married.
KISS: You want to keep it simple, stupid (and filter everyday)
One of the things that brought the need for Security Segmentation to the forefront was the emergence of what I like to call the "firewall on a stick" problem. Ten years ago, we didn't see a lot of traffic being tromboned to a firewall (or firewalls) in data centers because it created traffic overhead, configuration complexity, and scale issues. However, over time, there's been an increase in those "firewall on a stick" designs.
PROTIP: Any time you see a technology on a stick, be weary. It's going to get in the way.
In the enterprise, Software-Defined Networking (SDN) vendors are trying to attack the complexity of the firewall on a stick by creating an overlay of networks that will funnel packets through a distributed set of firewalls. SDN relies on underlays, overlays, and tunneling to make it work. This has created a whole new level of complexity that we can save for another post. But suffice it to say, attacking complexity with more complexity is not a winning proposition.
Complexity is the enemy of a lot of things, and security is one of them.
Unlike SDN, Security Segmentation (A.K.A. packet filtering) relies on the KISS principle of networking: Keep It Simple Stupid. Make something too complex and the probability of error increases as does the likelihood that people look for ways to cut corners - the last thing that you want as part of your security strategy. Simplicity, on the other hand, has a better chance of yielding reliability and reliability is critical in security.