Navigating the Challenges of Network Segmentation and Microsegmentation Without Disrupting Operations
Network segmentation offers many benefits for businesses. Segmentation improves security by preventing attacks from spreading across a network and infiltrating unprotected devices. In the event of an attack, segmentation ensures that malware cannot spread into other business systems. Network segmentation also reduces congestion that often results in performance drop-off. This is particularly important to resource-intensive services like power plants, factories, water treatment systems, oil rigs and other industrial environments.
Network segmentation can be especially tricky in an OT environment due to the risk of accidently impacting a production process during the segmentation process. In an IT environment, losing a device temporarily may have little business impact, but for OT environments, going offline can have enormous negative consequences. The challenges can multiply when attempting to segment an environment that features devices from multiple vendors. However, with the right tools and processes in place, it is possible to not only successfully segment your network but divide the network even further to reap the additional advantages of microsegmentation.
What is Network Segmentation?
Segmentation is an architectural approach that divides a network into multiple smaller segments or subnets, each acting as its own small network. This allows network administrators to control the flow of traffic between subnets based on granular policies. With network segmentation, businesses can prevent unauthorized users from gaining access to their most valuable industrial assets, such as human machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs). These assets are located within an organization’s operational technology (OT) or industrial control system (ICS) environments, which means it is vital to secure all locations against cyberattacks.
Segmentation can be achieved by physical separation using a firewall or router, logical separation, or both, depending on the specific instance. Virtual LANs (VLANs) are typically used to provide the basic segmentation functionality.
What is Network Microsegmentation?
Microsegmentation is a network security technique that enables security architects to further segment an environment for lateral visibility of all assets in the same broadcast domain. Granularity is achieved by logically dividing the network environment into distinct security segments down to the individual workload level. Because policies are applied to individual workloads, microsegmentation offers enhanced resistance to attacks, and if a breach does occur, limits a hacker’s ability to move between compromised applications.
What are the Differences between Network Segmentation and Microsegmentation?
Segmentation and Microsegmentation of networks vary in several key ways, including what level it affects, the amount of policy granularity that is possible, and how much visibility and control there is of network traffic.
|Perimeter level; operates across zones and subnets||Controls lateral movement across hosts|
|Coarse policies||Granular policies|
|Visibility and control of north-south traffic||Visibility and control of both north-south and east-west traffic|
Steps to Segmenting Your Network
The foundation of segmentation is a network and endpoint discovery followed by endpoint classification. It’s nearly impossible to control what you don’t know exists on your environment, which is why the first step to your journey should be identifying what you have in your environment.
FortiNACTM is Fortinet’s network access control solution that enhances the Security Fabric with visibility, control, and automated response for everything that connects to the network. It allows you to easily perform the three steps needed to start the segmentation process.
FortiNAC offers the built-in ability to discover over 3,000 unique wired, wireless, and VPN products. The FortiNAC server has all the information to identify those devices, manage those devices, and identify what’s connected to those devices. To get started with FortiNAC, you either deploy a physical virtual appliance on premise, or you can deploy that in the cloud. As long as the FortiNAC appliance has IP connectivity to your environment — your environment being your managed switches, managed wireless, VPN, firewalls, and routers — then you can see all of that infrastructure from a centralized location.
The second step after the network discovery is the endpoint discovery, using the infrastructure revealed in Step 1 to now tell us what’s plugged in. The switch environment, reading the MAC address table, is the primary mechanism for determining what’s plugged in. Using FortiNAC, it’s possible to get the MAC address, the switch, and the port. If it’s wireless, we know what SSID someone’s connecting on. At this point in the process, every endpoint device is initially identified as a “rogue device”, but the MAC and IP addresses have been identified for each endpoint.
Step three in this process is endpoint classification and profiling. Before you try to segment anything by putting it in a VLAN, you must accurately identify each device. The classification piece of this process primarily leverages active and passing profiling rules. Because OT environments typically can’t afford the risk of device failure that comes with active scanning, FortiNAC offers 21 passive methods of device profiling. In addition to passive scanning, FortiNAC can perform smart active scans — using additional information such as the IP address or vendor Organizational Unique Identifier (OUI)— that help limited the risk of overwhelming any OT device. Once all endpoints have been successfully classified, segmentation and/or microsegmentation can begin.