4 Ways to Segregate a Network – Enterprise IT Infrastructure
Do you need to segregate? Most situations in which you need to segregate are related to the security of your network. The main reason for segregation is to limit the access that a group of users or devices has to the network. This ensures that information is not shared freely and that any damage done by malware or a virus is contained.
Most organisations these days separate their payment systems from the rest of the network infrastructure for PCI DSS compliance. Modern networks are able to host multiple organisations on the same server while maintaining a firewall between them at every level.
Segregation is considered important, especially given the havoc recently caused by ransomware such as Petya and WannaCry. Segregation can protect you even if your initial defences against a ransomware attack are breached, because network segmentation lets you detect the malware easily and block it before it spreads across the network fabric. This way, you can contain the outbreak to a single host, or a specific group of hosts, before having to intervene manually.
How do you segregate?
If you have two separate organisations or corporate units using the same network infrastructure, then you should consider segregating them.
There are 4 ways to segregate a network within an enterprise IT infrastructure, and we discuss each of them here. Which method is most suitable for your requirements will depend on the current state of your virtual and hardware infrastructure. It is important to choose the right method from the very start.
#1: The Big Firewall – In this method, the servers and endpoints are first readdressed and then placed behind many different interfaces, one interface per service type, on a large firewall system such as the Palo Alto Networks 5000 series. The firewall is trunked into the core network over 10 Gigabit Ethernet (10GbE), which effectively turns the core into a layer-2 device.
This method works well if you want to segregate critical network functions. Another advantage is that you don't have to learn any new technology. However, it offers limited flexibility for day-to-day use: for a large organisation it means changing the IP addressing quite often, which can be an issue.
#2: VMware NSX (Network Virtualisation) – VMware NSX turns a VMware environment into a far more flexible networking platform, adding firewalling, NAT and load balancing. These functions are exposed through the VMware vSphere interface.
This method is best suited to segregating network applications. You can insert a Palo Alto Networks virtual firewall into the NSX environment, which gives you better threat protection between the various divisions of the virtual machine estate, for both east-west and north-south traffic.
#3: Cisco Application-Centric Infrastructure – Cisco Application-Centric Infrastructure (ACI) uses Cisco hardware switches together with a special type of Cisco Nexus 1000V virtual switch for VMware vSphere. This method is very much like the VMware NSX one and gives you very similar capabilities, but it requires an upgrade of the switches in use. Its advantage is that it handles physical servers very well.
#4: Cisco TrustSec – TrustSec offers dynamic endpoint identification and uses Security Group Tags (SGTs) for classification, controlled from the Cisco Identity Services Engine (ISE). The method builds a matrix of permitted SGT-to-SGT communication on ISE, which enforces the security policy.
Using TrustSec is one of the most effective ways to segregate a network, because it identifies users at the edge of the network and ensures that the security policy is followed consistently across the whole system.
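To make the SGT-to-SGT matrix concrete, here is an added example (not from the article, and not Cisco's own code) that models a TrustSec-style policy: endpoints are classified to tags from their attributes, and a source-tag by destination-tag matrix decides whether a flow is permitted, with everything not listed denied. The tag numbers, attribute names and sample endpoints are all constructed for the illustration.

```python
# Toy model of TrustSec-style segmentation (constructed example, not a real
# ISE API): classify endpoints to Security Group Tags, then look up the
# source/destination tag pair in a matrix that defaults to deny.

# Hypothetical SGT numbers; a real deployment assigns its own.
EMPLOYEE, CONTRACTOR, PAYMENT_SERVER, CORP_SERVER, QUARANTINE = 10, 20, 30, 40, 255


def classify(endpoint: dict) -> int:
    """Map an endpoint's identity/posture attributes to an SGT.

    First matching rule wins. Non-compliant posture is checked first so a
    previously trusted host is re-tagged as soon as its state changes, and
    anything that matches no rule lands in QUARANTINE.
    """
    if endpoint.get("posture") == "noncompliant":
        return QUARANTINE
    if endpoint.get("role") == "pci-server":
        return PAYMENT_SERVER
    if endpoint.get("role") == "server":
        return CORP_SERVER
    if endpoint.get("user_group") == "employees" and endpoint.get("device") == "managed":
        return EMPLOYEE
    if endpoint.get("user_group") == "contractors":
        return CONTRACTOR
    return QUARANTINE


# SGT-to-SGT matrix: only the listed (source, destination) cells permit
# traffic. Absent cells, including anything involving QUARANTINE, are denied,
# which is what confines an infected host to itself.
MATRIX = {
    (EMPLOYEE, CORP_SERVER): "permit",
    (CONTRACTOR, CORP_SERVER): "permit",
    (EMPLOYEE, PAYMENT_SERVER): "permit",  # only managed employee devices reach PCI scope
    (CORP_SERVER, CORP_SERVER): "permit",
}


def decide(src: dict, dst: dict) -> str:
    """Return 'permit' or 'deny' for a flow between two endpoints."""
    return MATRIX.get((classify(src), classify(dst)), "deny")


if __name__ == "__main__":
    laptop = {"user_group": "employees", "device": "managed"}
    pci = {"role": "pci-server"}
    print(decide(laptop, pci))                                  # permit
    print(decide({"user_group": "contractors"}, pci))           # deny
    print(decide(dict(laptop, posture="noncompliant"), {"role": "server"}))  # deny
```

Because the decision is keyed on the tag rather than the IP address, the same policy applies wherever the endpoint connects, which is the property the article credits TrustSec with.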
Finding – and Mastering – The Right Solution
As explained above, VMware NSX and Cisco ACI allow for much better server-centric segregation, but they still leave you with the problem of segmenting the rest of the organisation. The Big Firewall method can segregate your servers into silos, but this becomes an issue if you want a more dynamic environment.
TrustSec is not as secure or robust as NSX in the data centre, but it is the best approach for extending segregation to both user and endpoint security, and so it seems the best approach for a complete end-to-end solution for segmenting the network.
The main thing to remember when considering segregation of your servers, however, is that the planning and implementation have to be done correctly; otherwise you risk bringing the entire network down.