Issue: North America I 2015
Article no.: 10
Topic: Containing security breaches with networking
Author: Ramesh Prabagaran
Title: VP, Product Management
Organisation: Viptela
PDF size: 223KB
About author
Ramesh Prabagaran is VP of Product Management at Viptela, a provider of Software-Defined WAN technology. He is a veteran of the networking industry with a deep understanding of large enterprise and Global Tier-1 service provider networks. Previously, at Juniper Networks, he brought several groundbreaking enterprise-routing products to market.
Article abstract
Using credentials stolen from a subcontractor, intruders were able to get enough access to the Target system to upload executable files, which let them find customer credit card files from a point-of-sale system that was not itself directly connected to the Internet.
If network segmentation had been in place, the attackers would only have been able to get at data and functions authorized for use by that subcontractor within the Target network. The attack would automatically have been quarantined, since the attackers could not have even seen the rest of the network.
Full Article
Most buildings have firestops, to prevent fires from spreading through the holes in the walls around utility conduits.
Likewise, ships have double bottoms and water-tight bulkheads, to confine incoming water to one compartment if there is a leak.
So why don’t enterprise networks have a similar architecture for preventing security breaches?
Of course, there is an equivalent form of protection available, called network segmentation. Typically, however, it is absent. As a result, once an intrusion occurs, attackers can move about unfettered, with full access to internal systems, unimpeded by any internal barriers.
The benefits are clear
Indeed, the lack of segmentation means that a serious breach can actually begin outside an enterprise’s network. In the case of Target Corp., the data breach of late 2013 reportedly resulted from the penetration of a Target subcontractor’s system via a phishing email. Using credentials stolen from the subcontractor, intruders were able to get enough access to the Target system to upload executable files, which let them find customer credit card files from a point-of-sale system that was not itself directly connected to the Internet. Certainly, that was data unconnected with the subcontractor, whose access was intended only for electronic billing, contract submission, and project management.
If network segmentation had been in place, the attackers would only have been able to get at data and functions authorized for use by that subcontractor within the Target network. The attack would automatically have been quarantined, since the attackers could not have even seen the rest of the network.
But even in the absence of a data breach, the benefits of segmentation can be broad. For instance, guest Wi-Fi access can be quarantined from the rest of the network, so that someone sitting in the lobby can’t access sensitive information. Bandwidth for low-priority data, such as commands to digital signs or video feeds from DVRs used for training, can be routed separately from mission-critical data.
Better yet, the network can be segmented along lines of business rather than geographically, so that the network’s architecture hinges on the organization chart rather than office locations. With line-of-business segmentation, different departments cannot access each other’s data, IT maintenance and support can occur (and be budgeted) along departmental lines—and an intrusion in one department can’t spill over into another.
Segmentation can make compliance with regulations like HIPAA and PCI-DSS easier to accomplish, and easier to document. Segmentation can also be used to wall off systems that are being tested or evaluated. If multiple tenants are using a facility, segmentation is a natural answer. And, as mentioned, subcontractors and other business partners can be integrated into the network as deeply as desired, while remaining isolated otherwise.
Perhaps best of all, BYOD users can be walled off. The rest of the enterprise can be spared the results of their mistakes and carelessness, and an infection on an employee’s home laptop is not necessarily a headache for IT or a danger to the whole enterprise.
Why segmentation across the WAN is hard
Segmentation within a single site is straightforward using either physical separation or virtual local area networks (VLANs). However, once traffic leaves the site and enters the enterprise WAN, the segmentation is lost and other methods must be used.
Traditionally, segmentation across a WAN has been maintained by using either virtual routing and forwarding (VRF), a virtual private network (VPN) or some similar arrangement where the segmentation information is carried in the data traffic. The VRF option lacks scalability, as policy enforcement becomes complex and change control becomes difficult as the system expands. VPNs, meanwhile, can be costly and complex.
Figure (“Before”): Today’s network: a single logical segment
The SD-WAN alternative
A simple, straightforward way to impose WAN-level segmentation is needed, and software-defined WAN (SD-WAN) is the best answer: it integrates routing, security, centralized policies, and network management with end-to-end segmentation. No additional mechanisms or protocols are required. Indeed, SD-WAN can be added to an existing network without modifying the devices it contains.
SD-WAN management policies can be used to control, in real time, which specific network segments can access specific locations. This can be used to prevent attacks on remote sites, or to isolate the result of an attack on a remote site. This is especially important for enterprises with multiple satellite offices (such as bank branches) that are reached through the public internet and therefore are more exposed.
Figure (“After”): SD-WAN-based network with end-to-end segments
Similar policies can be used to divert traffic from BYOD users through scrubbers before their data is allowed onto the main network. Their email, arriving unfiltered from public sites, can be automatically cleaned.
Segmentation policies can also be used to enhance performance. For instance, segments with interactive voice and video can be sent over low-latency routes. Revenue-generating traffic can be routed over circuits with high-availability service-level agreements. Guest Wi-Fi traffic, on the other hand, can be routed over the least-expensive circuits.
Finally, the SD-WAN can not only segment traffic but also communicate the segmentation information to all relevant points in the network without external mechanisms or additional protocols, an advantage that simplifies network design.
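The following is an added example, written for this edit and not code from the article or from Viptela. It models, in plain Python, the three ideas the preceding sections describe: a per-segment routing table (the role a VRF or VPN ID plays, so that a prefix outside a segment's table is invisible to hosts in that segment), a central policy that decides which segments may reach which sites and can cut a site off in real time, and per-segment path steering (high-availability circuits for revenue-generating traffic, low latency for voice, lowest cost for guest Wi-Fi). All site, segment, prefix and circuit names are constructed for the illustration; the `blast_radius` function makes the article's quarantine argument concrete by listing what a compromised host in one segment could reach, compared with the same question for an unsegmented network.

```python
"""Constructed model of segment-aware WAN policy (hypothetical topology, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample circuits. The attributes are what a central policy steers on.
CIRCUITS = {
    "mpls":      {"latency_ms": 25, "sla": "high", "cost": 3},
    "broadband": {"latency_ms": 15, "sla": "best-effort", "cost": 1},
    "lte":       {"latency_ms": 80, "sla": "best-effort", "cost": 2},
}

# One routing table per segment, as a VRF or VPN ID would provide. A prefix absent from a
# segment's table simply does not exist for hosts in that segment. (Constructed values.)
SEGMENT_ROUTES = {
    "corporate": {"10.1.0.0/16": "hq", "10.50.0.0/16": "branch-7", "10.99.0.0/16": "lab"},
    "pos":       {"10.20.0.0/16": "branch-7", "10.1.200.0/24": "hq"},  # card data and its processor
    "partner":   {"10.1.10.0/24": "hq"},                                # billing portal only
    "voice":     {"10.1.30.0/24": "hq", "10.50.30.0/24": "branch-7"},
    "guest":     {"0.0.0.0/0": "internet"},
}

# Central policy: the destination sites each segment may reach, and how its traffic is steered.
ACCESS_POLICY = {
    "corporate": {"hq", "branch-7"},      # 'lab' is routable but walled off while under test
    "pos":       {"hq", "branch-7"},
    "partner":   {"hq"},
    "voice":     {"hq", "branch-7"},
    "guest":     {"internet"},
}
PATH_POLICY = {"pos": "high-availability", "voice": "low-latency", "guest": "lowest-cost"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    site: Optional[str] = None
    circuit: Optional[str] = None


def lookup(segment: str, dst_ip: str) -> Optional[str]:
    """Longest-prefix match restricted to the segment's own table."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, site in SEGMENT_ROUTES.get(segment, {}).items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def choose_circuit(segment: str) -> str:
    """Steer the segment onto a circuit according to its path policy."""
    pref = PATH_POLICY.get(segment)
    if pref == "high-availability":
        return next(n for n, c in CIRCUITS.items() if c["sla"] == "high")
    if pref == "low-latency":
        return min(CIRCUITS, key=lambda n: CIRCUITS[n]["latency_ms"])
    if pref == "lowest-cost":
        return min(CIRCUITS, key=lambda n: CIRCUITS[n]["cost"])
    return "mpls"  # default for segments without a steering rule


def evaluate(segment: str, dst_ip: str) -> Decision:
    """Decide whether a flow from `segment` to `dst_ip` is forwarded, and over which circuit."""
    site = lookup(segment, dst_ip)
    if site is None:
        return Decision(False, f"no route to {dst_ip} in segment '{segment}'")
    if site not in ACCESS_POLICY.get(segment, set()):
        return Decision(False, f"policy denies segment '{segment}' -> site '{site}'", site)
    return Decision(True, "permitted", site, choose_circuit(segment))


def quarantine_site(site: str) -> None:
    """Real-time response: remove a site from every segment's access policy."""
    for allowed in ACCESS_POLICY.values():
        allowed.discard(site)


def blast_radius(segment: str) -> list:
    """(site, prefix) pairs a compromised host in `segment` could reach."""
    return sorted((site, prefix) for prefix, site in SEGMENT_ROUTES.get(segment, {}).items()
                  if site in ACCESS_POLICY.get(segment, set()))


def flat_blast_radius() -> list:
    """The same question for an unsegmented network: every prefix at every site."""
    return sorted({(site, prefix) for table in SEGMENT_ROUTES.values()
                   for prefix, site in table.items()})


if __name__ == "__main__":
    print(evaluate("partner", "10.20.3.7"))   # the partner segment cannot even see the POS subnet
    print(evaluate("pos", "10.20.3.7"))       # POS traffic rides the high-availability circuit
    print(blast_radius("partner"), "vs flat:", len(flat_blast_radius()), "prefixes")
```

Two layers do the containment here: the per-segment table means a stolen partner credential yields no route at all to the card-data prefix, and the central policy handles the cases where a route exists but access is still unwanted (the lab site under test, or a branch that has just been quarantined). Routing and access control stay with the segment rather than with the physical path, which is the property the article attributes to end-to-end segmentation.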
Today’s enterprises face skilled attackers who are increasingly able to penetrate or bypass perimeter defenses and breach an enterprise’s network, often without being detected for significant periods of time. No single response is adequate anymore. But if there’s a breach, the use of network segmentation can mean that fewer letters of apology have to be sent to customers after their credit card numbers are stolen.
With the Target case, that amounted to about 40 million.