In June 2019, NASA’s Office of Inspector General released a detailed review of an April 2018 security incident at NASA’s Jet Propulsion Laboratory (JPL). The incident, in which attackers compromised mission systems and reached systems supporting the Deep Space Network (DSN) radio antennas, stemmed from multiple security weaknesses. In particular, JPL lacked network segmentation: an unauthorized device attached to the network gave the attackers a foothold from which they could move deeper into the environment.
Network segmentation is an essential security control that reduces the attack surface and limits a hacker’s ability to move through the environment. But while most IT pros recognize the importance of segmentation, relatively few know how to implement it effectively. They may carve out a VLAN for guest access or Internet of Things (IoT) devices, but such coarse-grained segmentation isn’t adequate protection against today’s threats.
Micro-segmentation enables more fine-grained isolation of particular systems and devices, while application-level segmentation isolates individual workloads. The “zero trust” model extends segmentation further, applying perimeter-style controls to users and devices already inside the network rather than trusting them because of where they sit. All of these subtypes are valuable, but segmentation is difficult to get right in highly dynamic environments with ever-increasing numbers of users and devices.
Segmentation is traditionally implemented with firewalls, which can create performance problems when the firewall is pushed deeper inside the network. Firewalls designed to sit at the edge of the network and handle Internet traffic can become overwhelmed by internal network traffic moving at multi-gigabit speeds. The problem becomes more pronounced when inspecting encrypted traffic, a CPU-intensive process that can quickly cripple even a next-generation firewall (NGFW).
Internal segmentation firewalls (ISFWs) deliver the wire-speed performance needed for network segmentation, along with greater visibility and protection. While perimeter firewalls are focused on external, Internet-borne threats, ISFWs have application-level visibility into data packets and the ability to identify malicious applications, data and activity within the network. ISFWs also have a greater “span of control” than perimeter devices, capable of protecting various types of IT assets in different parts of the network and integrating with other security tools.
Best-in-class ISFWs also incorporate intent-based segmentation features. Many IT pros conflate intent-based networking (IBN) with software-defined networking (SDN), and the two do share a basic concept: both abstract control of the network from the hardware and use centralized controllers to manage devices. However, IBN has a business focus while SDN retains a device focus. IBN uses automation, orchestration, advanced analytics and machine learning to control the network based on desired business outcomes.
Intent-based segmentation automatically applies segmentation techniques to meet business objectives. Administrators define use cases such as isolating critical assets, securing cloud resources or meeting regulatory requirements, and intent-based segmentation translates them into the appropriate segmentation policies. In addition, intent-based segmentation takes IT and security requirements into account, enabling workloads to reach the resources they need while isolating and protecting those resources from everything else.
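To make the contrast between coarse VLAN segmentation and intent-based, default-deny segmentation concrete, here is a small policy engine written for this article. It is an added illustration, not code from the original page or from any vendor’s ISFW product. Asset names, tags, intents and the sample flows are all hypothetical and constructed for the demo; in practice the tags would come from an asset inventory or CMDB. Intents are stated as outcomes (“only hardened admin hosts reach critical assets”), compiled into explicit allow tuples, and everything else is denied. An unregistered device plugged into the right VLAN is allowed by the VLAN-only model but denied by the intent model, and the reachability helper shows the blast radius a compromised host would have under the compiled policy.

```python
# Hypothetical intent-based segmentation engine (added example, not from the
# article or any product). Asset names, tags, intents and flows are constructed.
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    vlan: str               # coarse-grained segment the device sits in
    tags: FrozenSet[str]    # what the asset *is*; intents are written against tags


@dataclass(frozen=True)
class Intent:
    description: str
    src_tag: str            # workloads carrying this tag ...
    dst_tag: str            # ... may reach assets carrying this tag ...
    ports: FrozenSet[int]   # ... on these ports only


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


class IntentPolicy:
    """Compiles intents into explicit (src, dst, port) allow tuples.
    Anything that no intent produces is denied (default deny)."""

    def __init__(self, assets: List[Asset], intents: List[Intent]) -> None:
        self.assets: Dict[str, Asset] = {a.name: a for a in assets}
        self.rules: Set[Tuple[str, str, int]] = set()
        for it in intents:
            srcs = [a for a in assets if it.src_tag in a.tags]
            dsts = [a for a in assets if it.dst_tag in a.tags]
            for s in srcs:
                for d in dsts:
                    if s.name != d.name:
                        self.rules.update((s.name, d.name, p) for p in it.ports)

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        """Zero-trust decision: network location grants nothing; only an
        identified asset whose flow matches a compiled intent is allowed."""
        if flow.src not in self.assets:
            return ("deny", "unregistered source device")
        if flow.dst not in self.assets:
            return ("deny", "unknown destination")
        if (flow.src, flow.dst, flow.port) in self.rules:
            return ("allow", "permitted by intent")
        return ("deny", "no intent permits this flow")

    def reachable(self, start: str) -> Set[str]:
        """Transitive closure of allowed flows from `start`: the blast radius
        if that host is compromised. Unregistered devices reach nothing."""
        seen: Set[str] = set()
        todo = deque([start])
        while todo:
            cur = todo.popleft()
            for (s, d, _port) in self.rules:
                if s == cur and d not in seen:
                    seen.add(d)
                    todo.append(d)
        return seen


def coarse_vlan_decision(assets: List[Asset], src_vlan: str, dst_name: str) -> str:
    """The VLAN-only model: anything inside a VLAN may talk to anything else
    in it. `src_vlan` is the VLAN the source is plugged into, known asset or not."""
    dst = next((a for a in assets if a.name == dst_name), None)
    return "allow" if dst is not None and dst.vlan == src_vlan else "deny"


# Constructed inventory and intents for the demo (hypothetical names).
ASSETS = [
    Asset("mission-ctrl", "mission", frozenset({"critical", "mission"})),
    Asset("dsn-gateway",  "mission", frozenset({"critical", "antenna"})),
    Asset("ops-jump",     "ops",     frozenset({"ops-admin"})),
    Asset("web-portal",   "dmz",     frozenset({"web"})),
    Asset("app-server",   "app",     frozenset({"app"})),
    Asset("cloud-db",     "cloud",   frozenset({"cloud", "database"})),
]
INTENTS = [
    Intent("Only hardened admin hosts reach critical assets", "ops-admin", "critical", frozenset({22})),
    Intent("Public web tier may call the app tier", "web", "app", frozenset({8443})),
    Intent("App tier may query cloud databases", "app", "database", frozenset({5432})),
]
POLICY = IntentPolicy(ASSETS, INTENTS)


def rogue_device_demo() -> Dict[str, str]:
    """An unregistered device plugged into the mission VLAN tries SSH to
    mission-ctrl: allowed by VLAN-only segmentation, denied by intent."""
    rogue = Flow("rogue-device", "mission-ctrl", 22)
    return {
        "flat_vlan": coarse_vlan_decision(ASSETS, "mission", rogue.dst),
        "intent": POLICY.evaluate(rogue)[0],
    }


if __name__ == "__main__":
    print(rogue_device_demo())
    for name in ("web-portal", "ops-jump", "rogue-device"):
        print(f"blast radius from {name}: {sorted(POLICY.reachable(name))}")
```

Two design points worth noting. Compiling intents to explicit tuples means the policy is auditable: the set of allowed flows can be diffed after every inventory change, which is how a controller would detect that a new workload silently widened access to a critical asset. And because the default is deny, a device that never made it into the inventory, like the unauthorized machine at JPL, has no path at all, regardless of which switch port it lands on.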
The NASA Jet Propulsion Laboratory learned the hard way about the risks of a flat, open network. Intent-based segmentation and internal segmentation firewalls provide the visibility and intelligence to minimize the attack surface and protect critical assets. The ability to interact with other security tools is critical to intent-based segmentation: it provides the context needed to detect and respond to threats effectively and to adapt segmentation policies dynamically as conditions change. Let Technologent provide you with the expert guidance your company needs to protect its resources.