Over the past few years, the stories of security breaches at large enterprises such as Sony, Target, and Home Depot have been making headlines. Many of my clients ask how this could happen to these organizations, what with their multi-million dollar IT budgets and substantial resources. The answer is both simple and complex at the same time. Allow me to explain...
These organizations are continually balancing their investment in technology against the cost of operating it. They try to minimize the complexity of their networks wherever possible, but unfortunately, minimizing complexity often results in decreased security; in particular, it leads to a reduction in network segmentation, the practice of splitting a computer network into subnetworks for the benefits of improved performance and security.
When considering security in an ideal world, a network would be designed so that every endpoint would be its own network segment -- some security experts call this "hyper-segmentation." With traditional networking technologies, this would be good for security, but not necessarily for the business or network operations.
Traditional networking uses VLANs (Virtual Local Area Networks) and protocols such as MPLS (Multiprotocol Label Switching) to segment the network and isolate subsets of network users, services, and devices into different zones. The complexity of managing the network increases as additional zones need to be configured on each node (switch, firewall, etc.) of the network. Complexity only continues to grow as more systems are added to the network, especially with the introduction of Internet of Things (IoT) devices, such as HVAC, physical security, and other sensor-based systems.
[Figure: Traditional Networking Stack]
The result is that many enterprises with traditional networking approaches have simplified their network segmentation to reduce operational costs. This is contrary to the good practices in IT security frameworks such as ISO 27002, PCI, COBIT, and NIST, but it is often still preferred in order to reduce complexity.
To go back to my earlier examples of the security breaches at Home Depot and Target, as these cases were unravelled it became clear that the lack of network segmentation contributed significantly to the breaches. These breaches exposed millions of credit card transactions to the hackers and wound up costing these organizations hundreds of millions of dollars in lawsuits, penalties, and remediation.
Larger organizations such as these typically have multiple sites that are connected by single logical MPLS or VPN links, a common architecture that makes network segmentation challenging across sites. To enable network segmentation, multiple security zones need to be managed across these links.
The good news is that several networking vendors saw the need for network segmentation and management simplification and started working on these issues over a decade ago. The solution is generally referred to as network virtualization. Network virtualization was designed to take the per-node manual configuration, and with it most of the human error, out of segmentation, while supporting a nearly unlimited number of network segments.
There are two advanced network segmentation technologies or approaches to address these scenarios: Dynamic BGP with GRE Tunnels and Shortest Path Bridging (SPB/IEEE 802.1aq).
The first approach, dynamic BGP with GRE tunnels, adds another logical layer 3 network on top of the inter-site layer 3 network links using GRE tunnels and dynamic BGP routing. This approach is complicated, requiring a high degree of skill to manage the many protocols involved. As the scale of the enterprise and number of sites grows, managing this approach becomes increasingly complex. Therefore, BGP with GRE tunnels is feasible for smaller deployments but would not be practical to handle the requirements of enterprise network segmentation.
A better alternative is the second approach I mentioned, Shortest Path Bridging (SPB) -- something relatively unknown and representing a complete rewrite of networking technology of the past 25 years. SPB replaces the traditional networking stack of over 20 traditional networking protocols and simplifies them into one protocol in one layer. SPB can provide millions of network segments, both between and within sites. This drastically simplifies the network segmentation security problem by allowing security zones to easily span sites using SPB, over the top of service provider links such as MPLS or preferably VPLS. SPB was designed to scale to carrier networks, and it also allows enterprise networks to be deployed with multiple active paths.
[Figure: SPB Virtualizes Layer 2, Layer 3, & Multicast]
While enhancements in network virtualization were being made, it became clear that there was also a need to improve the sophistication and virtualization of firewalls to enable the network segment isolation and routing required to secure these enhanced networks. New firewall appliances have entered the marketplace based on software (instead of hardware) with significantly higher processing capacity than their predecessors. This enables enterprise networks to be segmented to support security while maintaining network performance with centralized security management.
Costs are coming down for an enterprise to deliver the improved security of hyper-segmentation, making it conducive to today's business, security, and IT operational requirements. The security breaches experienced by Home Depot and Target can be avoided, but it is going to require a shift in mindset by network architects as they need to incorporate Shortest Path Bridging (SPB) and next-generation firewalls into the network design from the ground up. For my credit card's sake, I hope the shift happens quickly.
"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.