This is so funny… you just can’t make this stuff up! The other day my “smart” refrigerator was talking to my laptop trying to figure out my calendar, so it could remind me that we’re out of something on the third shelf. It somehow got into a loop, and was cross-talking with my streaming audio on my home system interface with Google. That slowed down the network so that my video streaming on my “smart television” was sluggish; and both the movie in my daughter’s room and the football game in the den were almost unwatchable. Oh well, welcome to the Internet of Things, and to the complicated networks competing for bandwidth!
By way of this example, you can readily see that there isn’t going to be much work done from home on my Internet connection if the network is “flat,” with any and all devices talking without any prioritization. This type of network design has no physical or logical segmentation and no prioritization, and it points out the impact that the Internet of Things (IoT) is having on our private and public networks! It’s not just on our home networks either; it’s everywhere, including our customers’ data centers and remote locations!
Segmentation is the division of the physical and logical network connections in a computing and storage environment. If done properly, it allows the devices and applications that need to “talk” with each other to do so securely, and without impact to the other applications or devices that also need their own network security and prioritization. In today’s networks, segmentation is best accomplished with software-defined environments (SDN), but it may still be done in the traditional way, with lots of firewalls and “closed” circuits that are not open Internet connections. There are many ways to accomplish the types of segmentation that your company needs, with or without SDN.
I’m sure you’ve all heard of segmentation; it’s been around since local area networks and wide area networks came into being. Here are a few of the types that are most common, as described by several of the business partners with whom I work on the subject.
- Physical or Environmental Level – Traditional segmentation uses network elements, such as firewalls, private circuits, physical division of computing systems, and isolation to specific ports on the network with limited access.
- Locational Level – This is segmentation based on having everything for a computing environment in one physical location, such as a cloud or data center, with limited access through a specific port on a firewall.
- Application Level – Also known in the security world as “ring-fencing,” this type of segmentation involves firewalls, routers, or switches with specific configurations of virtual local area networks (VLANs), and is defined to separate application data flows, even within the same platform or device.
- Tier or Tiered Level – This type separates the tiers of an application. Perhaps it has a web interface, a database, and an application set of programs; tiering the access to each layer can deter any “bad guys” from going from one tier to another.
- Workload Level – Also known as micro-segmentation, a very fine-grained segmentation is most useful to protect high-value assets where restricting attacker movements is particularly important; it is accomplished via policy-based software definitions and enforced by ensuring all ports in the network only work through these policy definitions.
- Process and Service Level – Also known as nano-segmentation, it is even more fine-grained than those mentioned above, and is the common way in which segmentation is accomplished in container applications and subsystems.
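To make the tiered and workload-level items concrete, here is an added example (not from the original article or from any vendor product) of a default-deny flow policy for a three-tier application, checked against flow records. The subnets, ports, tier names and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan for a three-tier application (assumption).
TIERS = {
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "app": ipaddress.ip_network("10.10.2.0/24"),
    "db": ipaddress.ip_network("10.10.3.0/24"),
}

# Default-deny allow-list of (source tier, destination tier, TCP port).
# "internet" stands for any address outside the three tiers.
ALLOWED = {
    ("internet", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
}

def tier_of(addr):
    """Map an IP address to its tier name, or 'internet' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in TIERS.items():
        if ip in net:
            return name
    return "internet"

def evaluate(flow):
    """Return (verdict, reason) for a (src_ip, dst_ip, dst_port) flow."""
    src, dst, port = flow
    key = (tier_of(src), tier_of(dst), port)
    label = f"{key[0]}->{key[1]}:{port}"
    if key in ALLOWED:
        return "allow", label
    # Anything not explicitly listed is denied, including same-tier traffic.
    return "deny", label + " not allow-listed"

def violations(flows):
    """Flows the policy would block, each paired with the reason."""
    results = [(f, evaluate(f)) for f in flows]
    return [(f, reason) for f, (verdict, reason) in results if verdict == "deny"]

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.10.1.20", 443),   # client to web tier
    ("10.10.1.20", "10.10.2.15", 8443),   # web to app tier
    ("10.10.2.15", "10.10.3.5", 5432),    # app to database tier
    ("10.10.1.20", "10.10.3.5", 5432),    # web straight to database, skipping app
    ("10.10.2.15", "10.10.2.16", 22),     # app host to app host (same tier)
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print("DENY", flow, reason)
```

Because same-tier traffic is not on the allow-list, the last sample flow is denied as well, which is the behavior workload-level (micro-segmentation) policies add on top of tiering.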
There are more segmentation types being coined by specific vendors and applications, and to all of us out there, it may seem a bit complicated. Segmentation can even be embedded into applications so that they are platform independent, and end-user isolation to specific users, on specific systems, is often done.
Frequently, we’re not sure which type works best in our business, or with the size of computing systems we have in place. Many of us also have stringent audit requirements from either internal or external auditors. But, with the complex environments in which we find ourselves these days, along with the ominous security threats we read about daily, we know we need something to ensure that we are protected.
Mainline has a great security and network practice, with network platforms and services to help our customers find the right type of segmentation to match their requirements. If you’d like more information on our team and services, check us out at this website. We’ll be able to help “white board” your issues, and to find the right solution and level of segmentation for your business.