WHITE PAPER

The Business Case for Network Segmentation
Modern network segmentation to reduce risk and cost

Abstract

Modern network segmentation, also known as microsegmentation, offers a new way of managing and securing your network, offering tremendous benefits in terms of data protection, simpler compliance, and IT agility. ExtraHop provides the visibility needed to implement this new technology and realize the benefits to your organization. This white paper explains how microsegmentation for your applications and datacenter network (not including campus and BYOD segmentation) equips your IT organization to significantly reduce both risk and cost.


Executive Summary

New virtual networking technology enables organizations to automatically break their network into “mini-networks” and ensure that only approved communications are taking place on the network. If you stop to think about it, enterprise IT should have had this ability a long time ago, but virtual networking technology is just now catching up to technology for server virtualization.

Remember the days when IT staff had to go around racking physical servers every time new server capacity was required? Then, they would have to painstakingly ensure the software configurations were correct and patches were up to date. Server virtualization abstracted much of that work so that today, an admin can spin up a new virtual machine with the push of a button and know that all the correct configurations are in place.

With software-defined networking (SDN) technology, networking has the same potential for automation and control as is seen today with server virtualization. The benefits for security, compliance, and efficiency are tremendous. Instead of allowing every computer in the network to talk to others, enterprise IT organizations can precisely define and enforce which communications are allowed within these microsegments.

The Evolution of Network Segmentation

In the early days, organizations had flat networks where all devices could connect to one another. The first network segmentation efforts used firewalls and switches to impose some level of control on which communications were allowed, but these were static, coarse-grained controls based on IP addresses. Software-defined networking (SDN) makes new network segmentation approaches possible, so that organizations can create policies to automatically control what types of communications are allowed based on the type of function a computer serves, its unique identifier, and what data it handles.

[Figure: Flat network with no controls; segmented network with coarse, static controls; segmented network with software-defined controls]


The Business Case for Network Segmentation

In simple terms, network segmentation offers the ability to define and enforce which communications are allowed. New SDN technology makes network segmentation much easier to manage and automate so that it provides significant business benefits, including improved security, simpler compliance reporting, and greater IT efficiency and agility.

Stronger Security Defenses

Once an attacker compromises a computer inside your network, they will conduct reconnaissance, looking for valuable assets or probing for weaknesses so that they can extend their reach. With microsegmentation that defines how computers can connect to one another, IT organizations can make it much more difficult for attackers to move from one area of the network to another. In addition, because microsegmentation creates barriers between blocks of the network, it is more difficult for attackers to get valuable data out of the environment.

Simpler PCI and HIPAA Compliance

One of the simplest ways to reduce your regulatory compliance burden is to reduce the scope. Regulations including PCI and HIPAA require companies to prove that they are handling sensitive data securely. Without network segmentation, you must prove that your entire IT environment meets the required standards. However, by segmenting your network, you can keep that sensitive data where you can prescribe which users and computers have access to it and also where you have adequate monitoring in place. This reduces the risk of a data breach, non-compliant activity that could incur penalties, and the scope and cost of regular compliance assessments.

Efficiency and Agility

Just as server virtualization enabled systems teams to deploy and manage compute resources much more efficiently, new software-defined networking technologies promise to bring more automation and standardization to networking. Networking teams can focus on defining and monitoring policies instead of spending time configuring systems. Together, server and network virtualization enable what is dubbed the software-defined datacenter, where teams can deploy resources quickly while adhering to policies.

Technologies Required for Modern Network Segmentation

Two types of technology are required to make microsegmentation a reality for your organization:

• A software-defined networking (SDN) platform, such as Cisco ACI, VMware NSX, or Big Switch Big Cloud Fabric. These technologies enable you to orchestrate network provisioning and management according to policy.

• Application discovery and monitoring technology to discover existing networks and applications in your environment, map out the dependencies, and provide ongoing visibility. These goals are best achieved with passive, network-based observation of application communications.


Methodology for Network Segmentation

ExtraHop can help to discover, evaluate, and identify gaps in your current network infrastructure. This technology will automatically discover existing networks and applications in your environment and map out the dependencies. With this unbiased, real-time view of the communications taking place in your environment, you can create a network segmentation design that can be implemented with minimal disruption while also achieving the project’s goals. After implementation, this technology will provide ongoing visibility for security event detection, simpler compliance reporting, and application performance troubleshooting.

Planning Phase

The Planning Phase of the Network Segmentation begins with a whiteboard session to gain a better understanding of where your organization stands today with regard to network segmentation requirements. You should aim to determine the current state of segmentation on your network and review strategies for limiting network access through segmentation.

Design Phase

The Design Phase begins by mapping out the real-time application dependencies and communications using ExtraHop. This unbiased assessment of your environment provides a complete and continuously updated view of how systems are currently connecting, including the protocols and services in use. Equipped with this information, your organization can create policies that take into account how the applications and services in your environment actually operate.

 

Application activity maps reveal hidden dependencies and activity that you need to know about when planning network segmentation.


Implementation Phase

During the Implementation Phase, the continuous visibility from ExtraHop helps to ensure that network services continue to function as planned. After the implementation is complete, the ExtraHop deployment can help your teams validate that traffic is properly segmented and that applications continue to perform well.

Operate Phase

Network segmentation is not a technology you purchase, but only one aspect of a new way of managing networks and security. How your organization adjusts operations to take advantage of new network segmentation technology will determine the success of the project.

The Operate Phase is where the visibility from ExtraHop plays a key role. While SDN platforms such as Cisco ACI or VMware NSX enable microsegmentation, you still need visibility into the actual application communications on the network to proactively address performance issues, detect suspicious activity, and provide reports for compliance purposes.

With ExtraHop, your teams can create custom dashboards and reporting that reflect your policies:

• Encryption - Ensure that traffic is encrypted inside sensitive network segments, and that it uses sufficiently strong ciphers.

• Data movement - Identify communications that cross boundaries that should be kept separate, such as test and production environments.

• Protocols - Detect application communications that are insecure or otherwise not compliant with policy, such as unencrypted file transfer protocol (FTP) or telnet.

• Access - Monitor logins by user to see who is accessing sensitive files and applications. ExtraHop provides reporting on which user accounts have accessed sensitive data, which makes compliance reporting much simpler.

• Data breach - See when data leaves your environment—even surreptitiously. ExtraHop provides the transaction details that allow your teams to differentiate between legitimate and malicious data transfers.
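The policies in the list above, expressed as checks over constructed flow records, as an added example that is not part of this white paper or of ExtraHop's product: the segment membership table, the allowed-flow table, the host addresses and the cipher suite names are all assumptions, and the weak-suite test reads the hash at the end of an IANA cipher suite name, where a bare SHA means SHA-1.

```python
# Added example, not ExtraHop's code; segments, IPs, ports and suites are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

SEGMENTS = {"10.1.0.10": "prod-db", "10.1.0.20": "prod-app",      # host -> segment (constructed)
            "10.2.0.10": "test-app", "10.3.0.5": "corp-clients"}
SENSITIVE = {"prod-db"}                       # segments that must only carry encrypted traffic
ALLOWED = {("prod-app", "prod-db", 5432),     # (source segment, destination segment, dst port)
           ("corp-clients", "prod-app", 443)}
CLEARTEXT_PORTS = {21: "FTP", 23: "telnet"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    cipher: Optional[str] = None   # negotiated TLS cipher suite, None when the flow is not TLS
    bytes_out: int = 0             # bytes sent from src to dst

def segment_of(ip: str) -> str:
    return SEGMENTS.get(ip, "external")   # anything outside the design counts as external

def weak_suite(cipher: str) -> bool:
    # IANA suite names end in the MAC/PRF hash; a bare "_SHA" means SHA-1.
    return cipher.endswith(("_MD5", "_SHA"))

def check_flow(f: Flow) -> list:
    findings = []
    src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
    if src_seg != dst_seg and (src_seg, dst_seg, f.dport) not in ALLOWED:
        kind = "data leaving environment" if dst_seg == "external" else "cross-segment flow not in policy"
        findings.append(f"{kind}: {src_seg} -> {dst_seg}:{f.dport} ({f.bytes_out} bytes)")
    if f.dport in CLEARTEXT_PORTS and f.cipher is None:
        findings.append(f"cleartext {CLEARTEXT_PORTS[f.dport]} on port {f.dport}")
    if f.cipher is None and (src_seg in SENSITIVE or dst_seg in SENSITIVE):
        findings.append("unencrypted traffic touching a sensitive segment")
    elif f.cipher and weak_suite(f.cipher):
        findings.append(f"weak cipher suite {f.cipher}")
    return findings

def audit(flows: list) -> dict:
    # Map flow index -> findings, keeping only the flows that violate policy.
    results = {i: check_flow(f) for i, f in enumerate(flows)}
    return {i: r for i, r in results.items() if r}

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    Flow("10.1.0.20", "10.1.0.10", 5432, "TLS_AES_256_GCM_SHA384"),         # allowed, strong
    Flow("10.2.0.10", "10.1.0.10", 5432, "TLS_AES_256_GCM_SHA384"),         # test -> prod DB
    Flow("10.3.0.5", "10.1.0.20", 21),                                       # FTP, not in policy
    Flow("10.3.0.5", "10.1.0.20", 443, "TLS_RSA_WITH_AES_128_CBC_SHA"),      # allowed, but SHA-1
    Flow("10.1.0.10", "203.0.113.9", 443, "TLS_AES_128_GCM_SHA256", 52_000_000),  # DB egress
]
```

Running `audit(SAMPLE_FLOWS)` flags every record except the first; each finding names the policy bullet it maps to, so the same structure can feed a dashboard or a report.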

 

 

You can create dashboards to monitor non-compliant activity, such as sessions negotiating cipher suites that rely on the insecure MD5 or SHA-1 hashes, as shown here.

 


Conclusion

As you prioritize your organization’s IT initiatives, put network segmentation at the top of the list. This technology not only dramatically reduces risk, but also saves money by simplifying compliance tasks and making network services easier to provision and manage. ExtraHop’s visibility supports network segmentation projects by showing you how applications function, ensuring performance during changes, and providing ongoing monitoring for security and operations.

   

 

About ExtraHop

ExtraHop makes real-time data-driven IT operations possible. By harnessing the power of wire data in real time, network, application, security, and business teams make faster, more accurate decisions that optimize performance and minimize risk. Hundreds of organizations, including Fortune 500 companies such as Sony, Lockheed Martin, Microsoft, Adobe, and Google, start with ExtraHop to discover, observe, analyze, and intelligently act on all data in flight on-premises and in the cloud.

ExtraHop Networks, Inc., 520 Pike Street, Suite 1700, Seattle, WA 98101 USA, www.extrahop.com