Micro-Segmentation & Zero Trust
Zero trust network access (ZTNA) is a network security approach in which every user, device, and workload is considered untrusted by default, regardless of its location on the network. Also sometimes referred to as "perimeterless security," ZTNA requires every transaction between entities on the network to be independently authenticated, authorized, and encrypted.
Moving from more traditional security models to zero trust can be a daunting task. This is especially true for larger enterprises leveraging often complex combinations of network infrastructures, including on-premises applications and services, cloud-based services, and remote and distributed workforces.
Traditionally, networks have employed network segmentation to improve manageability as well as deploy and manage security services and policies between segments. Making these segments progressively smaller and designing micro-segments as part of the network is an ideal intermediary step for an enterprise seeking to migrate to a fully zero trust security model.
In this article, we’ll discuss segmentation, micro-segmentation, how the latter benefits the zero trust approach, and some of the challenges and best practices associated with this methodology.
Summary of Key Micro-Segmentation Concepts in Zero Trust
The following table summarizes the key concepts involved in micro-segmentation and its relation to the zero-trust security model.
Network Segmentation Design Principles
What is Network Segmentation?
Network segmentation is a design principle that has been used extensively for decades in the networking world. Separating large enterprise networks into smaller, more manageable segments is vital to ensuring ease of manageability and administration. It’s also important for employing security measures tailored to each individual segment.
The protocols and structures used to implement networks have been designed with segmentation as part of their operation. For example, the fundamental architecture of the IPv4 protocol is based on the ability to segment networks into subnets using the subnet mask. Similarly, IPv6 maintains this capability as a core component of its design. Virtual local area networks (VLANs) are used to segment networks at Layer 2, delivering smaller broadcast domains within which IPv4 and IPv6 subnets can operate.
In addition to other benefits, this approach to network design is of utmost importance for implementing security measures, offering greater flexibility in the application of security policies for each individual network segment. Indeed, security measures are typically employed at the border of each individual segment.
A well-known example of the segmentation principle that is often employed at the network edge is the demilitarized zone (DMZ), which seeks to use network segmentation to partition internet-facing services into a separate subnet. The following diagram shows an example of a DMZ:
Servers found in the DMZ must be reachable by users on the internet through the WAN router. Conversely, the hosts found within the LAN should not be accessible from the internet. The DMZ segment and the LAN segment have two different security policies that the firewall is able to employ individually for each segment.
Segmentation is crucial for employing security policies on traffic moving from one segment to another, thus safeguarding both the DMZ and the LAN against attacks from the internet. However, it does nothing for traffic that stays inside a segment: two hosts in the same subnet talk to each other directly, without ever crossing the firewall, so an attacker or malicious process that has gained a foothold inside the DMZ or the LAN can move laterally within that segment unchecked.
One way to mitigate against such attack vectors is to employ micro-segmentation.
What is Micro-Segmentation?
As its name suggests, micro-segmentation is achieved by creating smaller network segments. Doing so means that you are increasing the number of segments for any given network while simultaneously decreasing the size of each segment so that there are fewer devices within each.
The benefits of such an approach include the following:
Using IPv4, we can make smaller segments by subnetting our networks. Using a /27 subnet mask, for example, will deliver a network segment with 30 usable IPv4 addresses; /28 will give us 14; and /29 will give us six usable host addresses, thus limiting the number of hosts within each subnet to a small number.
How small can these segments be made? Taken to the extreme, you can create network segments with /30 subnets, where each segment contains only two hosts: the end device and the default gateway. Each end device then exists within its own subnet or segment.
You may have noticed that a /30 subnet actually provides four IP addresses. This is true; however, as with all IPv4 subnets, the first and last addresses are reserved for the network address and the broadcast address respectively, so there are only two usable host addresses in such a subnet.
Having said that, it is possible to use a /31 subnet for point-to-point links. Such a subnet has only two addresses, which under normal circumstances would be the network and broadcast addresses, leaving no usable host address. However, as described in RFC 3021, both addresses of a /31 may be used as host addresses on a point-to-point link; any device that supports the feature will operate normally in such a configuration.
IPv6 can be configured in the same manner using the corresponding prefix lengths: a /127 on a point-to-point link gives exactly two usable addresses (RFC 6164), and a /128 addresses a single host. Note that IPv6 has no broadcast address, so the IPv4 rule of reserving the last address of a subnet does not apply.
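The subnet arithmetic above, including the /31 and /127 exceptions, is easy to get wrong by hand. The following Python script is an added example (not code from the original article) that computes usable host counts for a prefix and carves a block into per-device micro-segments, handing out the first usable address as the gateway. It uses only the standard library `ipaddress` module; the 10.0.0.0/24 and 2001:db8::/126 blocks are constructed sample input.

```python
import ipaddress


def usable_hosts(net):
    """Number of addresses a host can actually be assigned inside `net`.

    The textbook rule (all addresses minus the network and broadcast addresses)
    has exceptions: an IPv4 /31 point-to-point link (RFC 3021) and an IPv6 /127
    inter-router link (RFC 6164) use both addresses; /32 and /128 are single-host
    routes. IPv6 has no broadcast address, but the all-zeros interface identifier
    is the subnet-router anycast address (RFC 4291), so one address is still
    reserved on an ordinary IPv6 prefix.
    """
    n = ipaddress.ip_network(net, strict=False)
    if n.prefixlen == n.max_prefixlen:        # /32 or /128
        return 1
    if n.prefixlen == n.max_prefixlen - 1:    # /31 or /127
        return 2
    reserved = 2 if n.version == 4 else 1
    return n.num_addresses - reserved


def usable_addresses(net):
    """Usable addresses of a small segment, in order; the first one is the gateway."""
    n = ipaddress.ip_network(net, strict=False)
    count = usable_hosts(net)
    if count > 1 << 16:
        raise ValueError(f"{n} is too large to enumerate; use usable_hosts()")
    if n.prefixlen == n.max_prefixlen:
        return [n.network_address]
    if n.prefixlen == n.max_prefixlen - 1:
        return [n.network_address, n.broadcast_address]   # both usable on a /31 or /127
    first = n.network_address + 1                          # skip the network address
    return [first + i for i in range(count)]


def carve(block, new_prefix):
    """Split `block` into micro-segments of length `new_prefix` and hand out addresses.

    Returns (segment, gateway, [host addresses]) per segment; the gateway takes the
    first usable address, every remaining usable address is available to an end device.
    """
    parent = ipaddress.ip_network(block, strict=True)
    if new_prefix >= parent.max_prefixlen:
        raise ValueError("a segment needs at least two addresses: gateway and host")
    plan = []
    for seg in parent.subnets(new_prefix=new_prefix):
        addrs = usable_addresses(seg)
        plan.append((seg, addrs[0], addrs[1:]))
    return plan


if __name__ == "__main__":
    for p in (27, 28, 29, 30, 31, 32):
        print(f"/{p}: {usable_hosts(f'10.0.0.0/{p}')} usable host address(es)")
    # One end device per /30 (or per /31 where the gear supports RFC 3021).
    for seg, gw, hosts in carve("10.0.0.0/24", 30)[:3]:
        print(seg, "gateway", gw, "host", hosts)
    for seg, gw, hosts in carve("10.0.0.0/24", 31)[:3]:
        print(seg, "gateway", gw, "host", hosts)
```

Carving a /24 into /30 segments yields 64 single-device segments; using /31 doubles that to 128, which is the practical ceiling of address-based micro-segmentation and the point at which it stops scaling and the workload-centric approach described below takes over.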
Micro-Segmentation in the Context of ZTNA
Micro-segmentation goes beyond merely creating smaller subnets. While it does involve dividing a network into smaller, isolated segments, its primary focus is on creating security policies for individual workloads, applications, or services. This involves implementing strict access controls and limiting communication between workloads to only those connections that are explicitly allowed.
In essence, micro-segmentation moves segmentation up the stack. Instead of segmenting subnets, which operate at the network layer (Layer 3) of the OSI model, we begin segmenting workloads, which operate at the application layer. A workload can be defined as any computational task, process, or service that runs on a computer or a group of computers within a network; the unit of policy becomes the identity of that workload rather than the address of the host it happens to run on.
These micro-segments can be configured and managed using additional network mechanisms that can define and enforce much more granular security policies. This level of control provides enhanced security and adaptability across various environments, including on-premises, cloud, and hybrid infrastructures.
Technologies like SDN (software-defined networking) and NFV (network function virtualization) facilitate the creation of these types of micro-segments based on specific applications, services, or workloads. Container orchestration platforms can also contribute to micro-segmentation by isolating particular services and applications.
Implementing micro-segmentation of this kind in a traditional network doesn’t achieve the same level of security as ZTNA, but it does come several steps closer to the final destination, which is a fully ZTNA-enabled network.
Best Practices for Implementing Micro-Segmentation
Using Network-Centric Tools
NFV and SDN are two complementary technologies that can significantly aid in the implementation of micro-segmentation. They provide the flexibility, control, and automation required for automatically and dynamically creating and managing security policies.
NFV decouples network functions from dedicated hardware appliances and implements them as virtualized software components. This allows for greater flexibility, scalability, and cost efficiency in managing network functions. In the context of micro-segmentation, NFV can help in various ways:
Similarly, SDN separates the control plane (which is responsible for making decisions about how traffic is treated) from the data plane (which is responsible for forwarding traffic), enabling centralized and programmable control of the network. This allows for more dynamic, flexible, and efficient network management. In the context of micro-segmentation, SDN can help by doing the following:
By leveraging NFV and SDN technologies, organizations can more effectively implement micro-segmentation, creating dynamic security policies that adapt to their specific needs and ensuring a higher level of protection for their workloads, applications, and services.
Application-Based Tools
Container orchestration platforms also take part in micro-segmentation, providing mechanisms to implement it within containerized environments. Kubernetes is an example of such a platform; in this section, we'll use it to show how micro-segmentation can be achieved within an orchestration platform.
Kubernetes manages the deployment, scaling, and operation of containerized applications, which are grouped into units called “pods.” Micro-segmentation in Kubernetes focuses on controlling and isolating network traffic among these pods using various methods and approaches, including the following:
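The workload-level allow-listing described in the previous section ("limit communication between workloads to only those connections that are explicitly allowed") is exactly what a Kubernetes NetworkPolicy expresses. The following Python script is an added example, not code from the original article or from Kubernetes itself: it holds three constructed policies in the same shape as their YAML manifests (a namespace-wide default deny for ingress, plus two explicit allows) and evaluates the ingress rules against a constructed pod inventory to show which pod-to-pod flows would be admitted. The namespaces, pod names, labels and ports are invented for illustration; the evaluation logic follows the NetworkPolicy API semantics (an empty podSelector selects every pod, a pod becomes isolated once any policy selects it, rules are additive, and a podSelector peer without a namespaceSelector is scoped to the policy's own namespace).

```python
"""Offline evaluation of Kubernetes NetworkPolicy ingress semantics (constructed example)."""

# Constructed namespace labels, used only for namespaceSelector matching.
NAMESPACES = {
    "shop":  {"team": "retail"},
    "other": {"team": "ops"},
}

# Constructed pod inventory: "namespace/name" -> namespace and labels.
PODS = {
    "shop/frontend":  {"namespace": "shop",  "labels": {"app": "frontend"}},
    "shop/api":       {"namespace": "shop",  "labels": {"app": "api"}},
    "shop/db":        {"namespace": "shop",  "labels": {"app": "db"}},
    "other/frontend": {"namespace": "other", "labels": {"app": "frontend"}},
}

# Policies as the manifests look once parsed (apiVersion/kind omitted).
POLICIES = [
    # 1. Isolate every pod in "shop" for ingress: an empty podSelector selects all
    #    pods, and having no ingress rules means nothing is allowed in.
    {"metadata": {"name": "default-deny-ingress", "namespace": "shop"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # 2. Only the frontend may reach the API, and only on 8080/TCP.
    {"metadata": {"name": "allow-frontend-to-api", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "api"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                           "ports": [{"protocol": "TCP", "port": 8080}]}]}},
    # 3. Only the API may reach the database, and only on 5432/TCP.
    {"metadata": {"name": "allow-api-to-db", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                           "ports": [{"protocol": "TCP", "port": 5432}]}]}},
]


def selects(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present on the
    object. An empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src, namespaces):
    """One entry of an ingress rule's `from` list. A podSelector alone is scoped to
    the policy's own namespace; a namespaceSelector alone matches any pod in a
    selected namespace; both together are ANDed. ipBlock peers are not modelled."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    if ns_sel is not None:
        if not selects(ns_sel, namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return pod_sel is None or selects(pod_sel, src["labels"])


def port_matches(ports, port, protocol):
    """A rule with no `ports` list allows every port and protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(policies, pods, src_name, dst_name, port, protocol="TCP",
                    namespaces=NAMESPACES):
    """True if traffic from pod src_name to pod dst_name on port/protocol passes the
    ingress side of `policies`. Egress rules on the source are not evaluated here."""
    src, dst = pods[src_name], pods[dst_name]
    # Policies in the destination's namespace that select it for Ingress
    # (policyTypes defaults to include Ingress when omitted).
    applicable = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selects(p["spec"].get("podSelector", {}), dst["labels"])
    ]
    if not applicable:
        return True   # not isolated: no policy selects the pod, so everything gets in
    # Isolated: admitted only if some rule of some applicable policy matches.
    # Rules are additive; NetworkPolicy has no deny rule.
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            src_ok = (not peers) or any(
                peer_matches(peer, p["metadata"]["namespace"], src, namespaces) for peer in peers)
            if src_ok and port_matches(rule.get("ports"), port, protocol):
                return True
    return False


if __name__ == "__main__":
    for s, d, port in [("shop/frontend", "shop/api", 8080), ("shop/frontend", "shop/db", 5432),
                       ("shop/api", "shop/db", 5432), ("other/frontend", "shop/api", 8080)]:
        verdict = "ALLOW" if ingress_allowed(POLICIES, PODS, s, d, port) else "DENY"
        print(f"{s} -> {d}:{port}/TCP {verdict}")
```

Two practical caveats follow from the semantics the script encodes. First, the default-deny policy only covers `Ingress`; until a matching `Egress` policy exists, a compromised pod can still initiate connections anywhere, so a complete micro-segmentation baseline denies both directions. Second, NetworkPolicy objects are enforced by the cluster's CNI plugin, not by Kubernetes itself; on a CNI that does not implement them, the API server accepts the manifests and they silently have no effect, so every policy should be verified with a test connection from a pod that is supposed to be blocked.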
Micro-Segmentation Challenges
As is the case with all types of technologies, implementing micro-segmentation is not without its challenges. Some of the most significant that you may face include concerns in the following areas:
Remember that we are approaching micro-segmentation as an intermediary step to reaching a fully ZTNA-enabled network security implementation. As such, micro-segmentation is a single, albeit significant, step in the migration and transition process. Moving from a traditional network architecture to an intermediate micro-segmented model can be complex and disruptive if not done correctly, and it may require significant changes to the network configuration and operational processes as well as staff training and adaptation.
To address these challenges, organizations should carefully plan their micro-segmentation and ZTNA migration strategies, invest in the necessary tools and technologies, and involve experts with the required skills and experience. Additionally, ongoing monitoring, management, and periodic reviews of the micro-segmentation implementation can help ensure that it continues to meet the organization’s security and performance goals.
ZTNA Beyond Micro-Segmentation
Micro-segmentation serves as an intermediary step between traditional network security and ZTNA by introducing granular access controls and enhanced security measures that go beyond traditional perimeter-based defenses. While not as comprehensive as ZTNA, micro-segmentation does bring us closer to realizing a fully ZTNA network. However, it is essential to note that it does not entirely cover the ZTNA principles.
To achieve true ZTNA, organizations need to further extend security policies and access controls, considering user roles and authentication, device posture, and continuous evaluation of trust, among other factors. Cyberight's ZTMesh solution offers a streamlined ZTNA approach to achieve this as part of an incremental deployment strategy, allowing for the phasing out of potentially complex micro-segmentation strategies.
Nonetheless, micro-segmentation serves as a valuable stepping stone toward implementing ZTNA by introducing more robust and detailed security measures within the network.
Last Thoughts on Micro-Segmentation Zero Trust
Micro-segmentation is a crucial component of a migration strategy to achieve fully realized ZTNA. By dividing the network into smaller, isolated segments based on individual workloads, services, or applications, micro-segmentation enhances security and control through strict access and communication restrictions. Technologies such as SDN, NFV, and container orchestration platforms like Kubernetes enable the implementation of granular security policies, providing a foundation for ZTNA. This approach of isolating and securing every node and individual workload paves the way towards a ZTNA reality, wherein all network transactions are authenticated and encrypted, further bolstering the network’s security posture.
This article was originally published at: https://cyberight.com/zero-trust-pillars/micro-segmentation-zero-trust