How a network segmentation strategy works with SD-WAN
Legacy segmentation techniques are often unwieldy. But, as enterprises contemplate network segmentation with SD-WAN, they must understand their network environments and goals.
Software-defined WAN has ushered in a new focus on network segmentation and security. All major SD-WAN vendors include some form of network segmentation in their products, touting the technique as a way to address security and path isolation.
A proper network segmentation strategy requires that companies forge a solid understanding of both their systems and goals. SD-WAN vendors have their own definitions of network segmentation, and no single supplier has a cohesive segmentation strategy that will holistically address your organization's segmentation needs. Myriad segmentation considerations are likely to arise -- from authentication and authorization to managing security roles and policies -- and research is critical.
Legacy segmentation techniques are cumbersome
Network teams have traditionally segmented networks by using a variety of tools to create path isolation for different processes. Various tag routing schemes or virtualized routing instances were common, as were security access control lists (ACLs). Almost all of these methods worked somewhere in Layer 2 through Layer 4, and most were cumbersome and labor-intensive to implement and manage.
Isolation didn't rely on identity; rather, it was based on the location implied by the IP address. That method worked in the days when one machine ran one service or one user sat at one endpoint device, but those days have passed. Now, an endpoint hosts multiple services, and services dynamically move or scale in response to myriad stimuli. Isolation based strictly on an IP address is no longer sufficient or scalable.
Security was rudimentary, based on either identity or location, and managed by ACLs that quickly became unwieldy at even minor volumes. Enforcing machine and application security was no better. Tracking who should have access to what became an exercise in futility, and mistakes in security access precedence were common. No wonder a new segmentation approach emerged.
Network segmentation and SD-WAN
At its core, network segmentation aims to keep a process from laterally traversing the network. In other words, a user's instance of a word processor has no reason to access a database on another user's system. Likewise, a front-end system programmed to access a single database has no need to talk to other systems across the network. A good segmentation strategy isolates processes to just those components and systems they need to access.
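To make the two legacy failures described earlier concrete (isolation keyed to an IP address that breaks when a service moves, and ACL precedence mistakes), and to contrast them with the least-access principle above, here is an added Python model that is not from the article or any SD-WAN vendor. The rule format, the registry mapping addresses to workload identities, and all sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source prefix, CIDR notation
    dst: str               # destination prefix, CIDR notation
    port: Optional[int]    # destination port; None matches any port

def first_match(rules, src, dst, port):
    """Classic ACL semantics: the first matching rule decides, implicit deny."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers every flow they match: the precedence mistake the text describes."""
    shadowed = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (ip_network(r.src).subnet_of(ip_network(e.src))
                    and ip_network(r.dst).subnet_of(ip_network(e.dst))
                    and (e.port is None or e.port == r.port)):
                shadowed.append(i)
                break
    return shadowed

def identity_allows(policy, registry, src, dst, port):
    """Identity-based check: resolve each address to the workload identity
    currently registered for it, then consult a policy written in identities."""
    return (registry.get(src), registry.get(dst), port) in policy

# Constructed sample: a web front end that may talk only to its database.
IP_ACL = [Rule("permit", "10.1.0.10/32", "10.2.0.20/32", 5432)]
POLICY = {("web", "db", 5432)}
REGISTRY_BEFORE = {"10.1.0.10": "web", "10.2.0.20": "db"}
# The front end is rescheduled onto another host; only the registry changes.
REGISTRY_AFTER = {"10.1.0.11": "web", "10.2.0.20": "db"}
# A permit-any rule placed first silently shadows the narrower deny below it.
MISORDERED = [Rule("permit", "10.1.0.0/24", "10.2.0.0/24", None),
              Rule("deny", "10.1.0.50/32", "10.2.0.20/32", 5432)]
```

After the move, `first_match(IP_ACL, "10.1.0.11", "10.2.0.20", 5432)` denies the legitimate flow while the stale permit for 10.1.0.10 still stands, whereas `identity_allows` keeps working without touching the policy; `shadowed_rules(MISORDERED)` flags the deny that can never take effect.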
One hurdle associated with a network segmentation strategy is sorting through the various segmentation tools offered by SD-WAN vendors. Some vendors take a more network-centric approach, relying on path isolation and segmentation at Layers 3 and 4; some take a more application-centric, Layer 7 approach; and others segment using a blend of technologies at different layers. All aim for the same thing, however, which is to establish a security barrier between system and user processes.
Security breaches occur with alarming frequency. Security controls should, therefore, be of paramount concern when choosing any SD-WAN product. It's not enough to segment the network statically. A good SD-WAN platform must audit and respond to security events in near real time, while simultaneously mitigating any damage that may result from a breach.
Other key enterprise segmentation features include the following:
- automated deployment;
- support for path isolation; and
- an access and authorization strategy -- ideally, using a dedicated secrets vault.
Moving a traditionally nonsegmented network to one built upon a highly segmented design requires significant forethought and solid knowledge of business requirements. Segmenting for the sake of doing something new is not a good reason to deploy a segmentation strategy. No single vendor has a complete network segmentation strategy. Enterprise network teams can overcome the challenge of stitching together multiple disparate products only by understanding their current network and why they want to segment it.