Software-defined WAN has ushered in a new focus on network segmentation and security. All the major SD-WAN vendors include some form of network segmentation in their products, promoting the technique as a way of addressing security and path isolation.
A proper network segmentation strategy requires companies to have a solid understanding of their systems and objectives. SD-WAN vendors have their own definitions of network segmentation and no vendor has a cohesive segmentation strategy that holistically meets an organization's needs.
Numerous segmentation considerations are likely to arise, from authentication and authorization to role management and security policies, so careful research is essential to creating an efficient network segmentation strategy using SD-WAN.
Legacy segmentation techniques have always been a major challenge
Network teams have traditionally segmented networks using a variety of tools to create path isolation through different processes. Various tag routing schemes or virtualized routing instances were common, as were security access control lists (ACLs).
Almost all of these methods worked somewhere between Layer 2 and Layer 4, and most were complicated and laborious to implement and manage.
Isolation didn't depend on identity; instead, it was based on the location of an IP address. This method worked in the days when a machine ran a single service or a user sat at a single endpoint device, but those days are long gone.
We now have several services on a single endpoint, and those services move or scale dynamically in response to a myriad of triggers. Isolation based strictly on an IP address is no longer sufficient or scalable.
In addition, security was rudimentary, based on identity or location and managed by ACLs that quickly became difficult to control even at small scale.
Enforcing machine and application security was no better. Tracking who should have access to what became an exercise in futility and mistakes in security access precedence were commonplace. No wonder a new approach to segmentation emerged.
Network segmentation and SD-WAN
In essence, network segmentation aims to prevent a process from moving laterally across the network. In other words, one user's instance of a word processor has no reason to access a database on another user's system.
In the same way, a front-end system programmed to access a single database doesn't need to communicate with other systems on the network. A good segmentation strategy isolates processes only to the components and systems they need to access.
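The two points above (isolation keyed to an IP address breaks when services move or scale, and a front end should reach only its own database) can be shown side by side. The following is an added example, not code from the original article or from any SD-WAN vendor; the workload inventory, role names, addresses and port are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: each workload carries an identity tag (its role).
# IP addresses are incidental and change when a service moves or scales.
@dataclass(frozen=True)
class Workload:
    name: str
    role: str
    ip: str

# Identity-based segmentation policy: (source role, destination role, port)
# tuples that are allowed. Anything not listed is denied, so a front end
# can reach its database and nothing else.
IDENTITY_POLICY = {
    ("frontend", "db", 5432),
}

def identity_allows(src: Workload, dst: Workload, port: int) -> bool:
    """Decision keyed on who the workloads are, not where they sit."""
    return (src.role, dst.role, port) in IDENTITY_POLICY

def build_ip_acl(workloads: list) -> set:
    """Legacy approach: freeze the identity policy into an IP/port ACL at deploy time."""
    acl = set()
    for s in workloads:
        for d in workloads:
            for (src_role, dst_role, port) in IDENTITY_POLICY:
                if s.role == src_role and d.role == dst_role:
                    acl.add((s.ip, d.ip, port))
    return acl

def ip_acl_allows(acl: set, src_ip: str, dst_ip: str, port: int) -> bool:
    """Decision keyed on addresses only, as a traditional ACL would make it."""
    return (src_ip, dst_ip, port) in acl

def simulate_scale_out():
    """Return (identity decision, stale ACL decision) for two flows that occur
    after the ACL snapshot was taken: a new front-end replica reaching the
    database, and an unrelated batch job that inherited the retired replica's IP."""
    web1 = Workload("web-1", "frontend", "10.0.1.10")
    db = Workload("db-1", "db", "10.0.2.20")
    acl = build_ip_acl([web1, db])                      # ACL snapshot at deployment
    web2 = Workload("web-2", "frontend", "10.0.1.11")   # replica added later
    batch = Workload("batch-9", "batch", "10.0.1.10")   # reuses web-1's old IP
    new_replica = (identity_allows(web2, db, 5432), ip_acl_allows(acl, web2.ip, db.ip, 5432))
    stale_ip = (identity_allows(batch, db, 5432), ip_acl_allows(acl, batch.ip, db.ip, 5432))
    return new_replica, stale_ip
```

The identity policy admits the new replica and refuses the batch job, while the frozen ACL does the opposite on both counts: it blocks legitimate traffic and leaves the database reachable from a workload that was never meant to see it.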
One obstacle associated with a network segmentation strategy is sorting out the various segmentation tools offered by SD-WAN vendors.
Some vendors take a more network-centric approach, relying on isolation and path segmentation at Layers 3 and 4; some take a more application-centric approach at Layer 7; and others segment using a combination of technologies at different layers.
They all aim to achieve the same thing: establishing a security barrier between systems and users' processes.
Security incidents occur with alarming frequency these days. Security controls should therefore be a primary concern when choosing any SD-WAN product.
It's not enough to segment the network statically. A good SD-WAN platform must audit and respond to security events in near real time, while mitigating any damage that could occur in a breach.
Other segmentation features that matter to businesses include the following:
- Automated deployment;
- Support for path isolation;
- An access and authorization strategy.
Moving from a traditionally unsegmented network to one built on a highly segmented design requires significant foresight and a solid understanding of business requirements.
Segmenting for the sake of doing something new is not a good reason to implement a segmentation strategy. No supplier has a complete network segmentation strategy.
Corporate network teams can overcome the challenge of uniting several different products by first understanding their current network and why they want to segment it.
About Conversys
Conversys IT Solutions is a provider of Information and Communication Technology services and solutions operating throughout Brazil.
With a highly qualified technical and commercial team and a network of partners that includes the main global technology manufacturers, Conversys IT Solutions is able to deliver customized IT and Telecom Infrastructure solutions to clients.
We invest in our employees and partners and strive for a long-lasting relationship with our clients, because we believe that this is how we gain the skills and knowledge we need to innovate and generate value for the businesses in which we operate.