For many years, city planners built elevated highways. It was their way of bypassing congested surface arteries without digging up neighborhoods. But over time, the planners found that elevated highways didn’t improve conditions — they instead made them worse.
Virtual networks (VLANs) and outdated micro-segmentation strategies are like elevated highways, as they’ve created more problems for network engineers. Complicated overlays make networks difficult to manage and lack the fabric-wide security that’s needed to protect critical data.
Hypersegmentation redefines the process of segmenting and securing network traffic, making it a better solution for protecting a network from cyberattacks. Instead of overlaying inefficient tunneling technologies, it uses an intelligent, simplified, software-defined approach to network segmentation. Hypersegmentation applies intelligent, dynamic encryption to each session and authenticates the session as it moves within and between networks. Administrators apply universal route policies to sessions passing through firewalls to other networks and can enforce rate and bandwidth constraints on each session.
Traditional network segmentation is zone-based: users are placed into trusted and untrusted zones, with many security layers inside each network or subnetwork. Crossing between zones means passing through a firewall, which requires an explicit policy to allow the IP traffic through. The firewalls control the so-called “north/south” movement of traffic into and out of a zone, while “any-to-any” communication is allowed within a segment.
Outfitting a network with hypersegmentation begins by defining all the services, resources, and devices the network supports. Administrators grant access to these services to tenants; a tenant is a collection of users and their devices that share common policies. Services are the specific applications the network delivers and to which tenants have access. The umbrella under which tenants and services exist, together with security properties such as authentication and encryption keys, is known as an authority, or administrative domain.
For example, CRM users can access the applications they need from any location, but they’re restricted from accessing other applications that share the network. Since hypersegmentation uses virtual routers, the implementation cost is much lower. It’s also far more secure.
As opposed to overlaying technology, hypersegmentation creates a new, virtual street map that makes it easy to apply security policies on an application basis. This is made possible by software-defined network (SDN) technology that segments networks based on how users access them while ignoring the actual physical location or endpoint type. This top-down design ensures resources are provided only to the users who need them. For instance, a sales manager may be a member of the sales tenant and have access to the CRM service, but not the ERP service, while all users may be members of the enterprise tenant with access to the voice services.
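The authority/tenant/service model just described, as an added Python illustration that is not the page's or any vendor's code: access is decided per session, deny-by-default, from the tenants a user belongs to and the tenants a service admits. The authority, tenant, user and service names are constructed.

```python
"""Toy model of the authority / tenant / service access model: each
session gets a deny-by-default decision, in contrast to the any-to-any
traffic allowed inside a traditional zone. Added illustration only;
all names below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    allowed_tenants: set          # tenants granted access to this service


@dataclass
class Authority:
    """Administrative domain that holds the tenants and services."""
    name: str
    tenants: dict = field(default_factory=dict)    # tenant -> set(users)
    services: dict = field(default_factory=dict)   # name -> Service

    def add_tenant(self, tenant, users):
        self.tenants[tenant] = set(users)

    def add_service(self, name, allowed_tenants):
        self.services[name] = Service(name, set(allowed_tenants))

    def tenants_of(self, user):
        # A user may belong to several tenants (e.g. sales and enterprise).
        return {t for t, members in self.tenants.items() if user in members}

    def decide(self, user, service_name):
        """Return (allowed, reason). A session is allowed only when the
        user belongs to a tenant the service explicitly admits."""
        service = self.services.get(service_name)
        if service is None:
            return False, "unknown service"
        matching = self.tenants_of(user) & service.allowed_tenants
        if matching:
            return True, "via tenant " + sorted(matching)[0]
        return False, "no tenant grants access"


def build_example():
    """Constructed authority: sales manager alice reaches CRM and voice
    but not ERP; every user is in the enterprise tenant for voice."""
    auth = Authority("corp.example")
    auth.add_tenant("enterprise", ["alice", "bob", "carol"])
    auth.add_tenant("sales", ["alice"])
    auth.add_tenant("finance", ["bob"])
    auth.add_service("crm", ["sales"])
    auth.add_service("erp", ["finance"])
    auth.add_service("voice", ["enterprise"])
    return auth
```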
Maintaining and protecting old technology is often more expensive, not to mention more time-consuming, than buying something new. That’s what city planners realized when they started building elevated highways. It’s also true for overlay networks. Hypersegmentation provides a better way forward, driving the cost, complexity, and hassle out of network design and bringing better security with it.