There is a new kind of disaster currently striking all our agencies: cyber disaster. Unlike natural disasters, man-made disasters are avoidable, and, as with other man-made disasters, we need to find a way to prevent them. People often think of security as just the tools used to protect the network, but it is no longer about that. It is about protecting our agencies, organizations, corporations, and our very way of life.
For years, people have relied on segmentation as one of the most important security measures. Traffic is segmented based on the nature of the data, the type of traffic, source and destination, and other attributes. The idea is that if someone gains access to your network, segmentation creates a dead end: the attacker can see the segment they landed in but not the rest of the network. Experts say traditional segmentation is not granular enough, and isolating traffic by hand is a time-consuming and error-prone process. Organizations historically have segmented North-South traffic (between the inside of the network and the outside, or between zones at the perimeter). More recently, network admins have begun segmenting East-West traffic (between hosts inside the data center) as well. But with the growth of BYOD and IoT and the spread of distributed servers, IT security has not been able to keep up.
A traditional perimeter is no longer adequate, and even defense-in-depth as commonly practiced is not stopping intrusions. Many experts feel that micro-segmentation is a new strategy we should employ. In my last CTOvision article I gave an overview of micro-segmentation and what a number of vendors are doing in the space. Micro-segmentation typically leverages SDN and automation to enforce East-West segmentation, ultimately making the network more secure.
Following that article, many readers asked how data center segmentation was going to deal with the threat of exponentially increasing endpoints. Not only has our attack surface increased, but many of the devices we used to expect to be outside our network are now inside our perimeter. When devices are compromised inside our network, the number of threat vectors multiplies.
Avaya is the company that is synonymous with telephony. After spinning off from Lucent Technologies (itself a spin-off of AT&T), Avaya became the experts in SIP, Internet telephony, unified communications and collaboration (UCC) and all things VoIP. After the demise of Nortel, Avaya acquired Nortel's enterprise solutions division, making it one of the leaders in the telephony space.
Avaya is not the first company you think of when it comes to networking, but it is a big supporter of OpenFlow and software defined networking (SDN). Its SDN Fx solution is a testament to that. SDN Fx is the underlying technology that supports Hyper-segmentation, Native Stealth and Automatic Elasticity, all of which provide enterprises with more speed, flexibility and security.
Avaya contacted me about how their Hyper-segmentation solution not only protected the data center, but addressed the 'endpoint' problem, providing an end-to-end solution for threat protection. Hyper-segmentation? That seemed like just a marketing term to me. What was next, I thought, nano-segmentation? Avaya's media relations manager Peter Collins arranged an interview for me so I could understand exactly what hyper-segmentation is, and how it can make networks more secure.
I spoke with Randy Cross, Senior Director of Fabrics & Infrastructure at Avaya. He started by explaining to me that Hyper-segmentation was not meant to replace existing security solutions like traditional firewalls, next-generation firewalls, IDS/IPS, anti-virus or anti-malware solutions. He further explained that Hyper-segmentation was significantly different from other solutions in that it works from the edge in. Rather than creating specific segments for specific applications or servers, the solution automatically creates a new segment for every device or endpoint. Each endpoint has its own fully isolated path to a specific application on a server.
Public or private, the only thing a user sees is their own individual traffic to that specific application. There are no ACLs to set up and no firewall rules to configure; the fabric handles it all. Everything else on the network is invisible to that user. If an attacker were to compromise the session, they would only see what that user sees on that completely isolated segment.
Your own toll free lane
Randy explained to me that it was like driving on the freeway. When you get on the on-ramp, you are surrounded by all the other cars in the four lanes of traffic. Everybody may be headed to a different destination, but everyone can see each other. Furthermore, there is nothing preventing you from changing your destination and getting off at a different exit.
With hyper-segmentation, you get on the on-ramp to a dedicated toll road, where you are the only car on the road. Your isolated road leads directly to your destination, with no off-ramps. No one can see you, and you can’t see anyone else. But more importantly you can’t get off at any other destination than your own.
How it works
Looking at the diagram, we see that every time a device connects to the network, its profile tells the fabric how to connect it. A pathway is then set up from the device to the destination application. This pathway is a fully isolated segment. When the session is done, the pathway is automatically torn down, but the profile of the device is retained. When the device reconnects, from the same or a different location, a new segment is automatically created.
Open Network Adapter (ONA)
Auto Fabric Connect is great for desktops, laptops, tablets and phones, but what about unusual endpoints like medical imaging equipment, video devices, or specialty printers? Randy explained that to have a secure network, you must protect 100% of your devices. "This is why we built the ONA. It is not required for normal devices," he said. "The ONA is a small adapter about the size of a deck of cards that is enabled with an Open vSwitch." He explained that the ONA allows these special devices to act just like regular network devices and connect automatically to the fabric with their own isolated path. Once they are fitted with the adapter, their session can be set up, torn down, and re-established automatically, even if the device is moved to a new location.
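To make the connect, tear-down and reconnect sequence above concrete, here is a small model written for this article; it is not Avaya code, and the profile format, the service-identifier (I-SID) range, the device names and the switch-port labels are all assumptions made for the example. It captures three properties from the description: every endpoint gets its own segment to exactly one application, the segment goes away at session end while the profile persists, and an endpoint (compromised or not) sees no peers on its segment. A traditional shared-VLAN lookup is included for contrast.

```python
"""Toy model of per-endpoint segmentation (added illustration, not vendor code).

Assumptions: profiles are a simple device-id -> allowed-application map,
each session gets a fresh 802.1aq-style service identifier (I-SID) from a
private block, and an unprofiled device is refused rather than dropped
into a default VLAN.
"""
from dataclasses import dataclass, field
from itertools import count


@dataclass(frozen=True)
class Profile:
    """What the fabric knows about a device before it attaches."""
    device_id: str
    app: str  # the single destination application this endpoint may reach


@dataclass
class Session:
    isid: int       # assumed: service identifier unique to this session
    app: str
    location: str   # access switch/port the device attached from (assumed label)


@dataclass
class Fabric:
    profiles: dict[str, Profile]
    sessions: dict[str, Session] = field(default_factory=dict)
    # assumption: per-session I-SIDs are drawn from a private block
    _isid_seq: count = field(default_factory=lambda: count(start=10_000_000))

    def connect(self, device_id: str, location: str) -> Session:
        """Device attaches: consult its profile, build a dedicated path."""
        profile = self.profiles.get(device_id)
        if profile is None:
            raise PermissionError(f"no profile for {device_id}; refusing to attach")
        session = Session(next(self._isid_seq), profile.app, location)
        self.sessions[device_id] = session
        return session

    def disconnect(self, device_id: str) -> None:
        """Session ends: the path is torn down, the profile is retained."""
        self.sessions.pop(device_id, None)

    def can_reach(self, device_id: str, target: str) -> bool:
        """Only the application named in the profile is reachable."""
        session = self.sessions.get(device_id)
        return session is not None and session.app == target

    def visible_peers(self, device_id: str) -> set[str]:
        """Other endpoints on this device's segment. Because every session
        has its own I-SID this is always empty; compare shared_vlan_peers."""
        session = self.sessions.get(device_id)
        if session is None:
            return set()
        return {d for d, s in self.sessions.items()
                if s.isid == session.isid and d != device_id}


def shared_vlan_peers(vlan_members: dict[str, int], device_id: str) -> set[str]:
    """Traditional model for contrast: everyone on the same VLAN is a
    visible neighbour (the four-lane freeway in the analogy)."""
    vlan = vlan_members[device_id]
    return {d for d, v in vlan_members.items() if v == vlan and d != device_id}


def build_demo_fabric() -> Fabric:
    """Constructed sample profiles for a hospital-style network."""
    profiles = [
        Profile("mri-01", "pacs"),          # imaging device -> PACS server
        Profile("laptop-ann", "ehr-web"),   # clinician laptop -> EHR front end
        Profile("printer-7", "print-spool"),
    ]
    return Fabric({p.device_id: p for p in profiles})


def demo() -> dict:
    """Walk one device through attach, isolation checks, tear-down, reconnect."""
    fabric = build_demo_fabric()
    first = fabric.connect("mri-01", "radiology-sw1/port3")
    fabric.connect("laptop-ann", "ward4-sw2/port12")
    result = {
        "reaches_own_app": fabric.can_reach("mri-01", "pacs"),
        "reaches_other_app": fabric.can_reach("mri-01", "ehr-web"),
        "peers_on_fabric": fabric.visible_peers("mri-01"),
        "peers_on_shared_vlan": shared_vlan_peers(
            {"mri-01": 10, "laptop-ann": 10, "printer-7": 10}, "mri-01"),
    }
    fabric.disconnect("mri-01")
    result["reaches_after_teardown"] = fabric.can_reach("mri-01", "pacs")
    second = fabric.connect("mri-01", "ed-sw5/port1")   # same device, new location
    result["new_isid_on_reconnect"] = second.isid != first.isid
    result["same_app_on_reconnect"] = second.app == first.app
    try:
        fabric.connect("rogue-laptop", "lobby-sw1/port2")
        result["unprofiled_refused"] = False
    except PermissionError:
        result["unprofiled_refused"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast worth noticing is between `visible_peers`, which is empty because no two sessions ever share a service identifier, and `shared_vlan_peers`, where every member of VLAN 10 is a neighbour. The `can_reach` check also shows the limit of the approach: the endpoint still has full access to the one application its profile names, so that application's own controls are not made redundant.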
Hyper-segmentation is not just about easily creating network segments; it is about segmenting every endpoint's path to its destination.
Benefits of Hyper-segmentation
The clear driver for hyper-segmentation is security. When a network segment is infiltrated, the attacker is at a dead end: the segment leads to one application and nothing else. The attacker still has whatever access that endpoint has to its one destination application, which is why Hyper-segmentation is positioned alongside existing controls rather than in place of them. But hyper-segmentation provides other benefits: speed and flexibility. Avaya uses SDN and OpenFlow as a means to an end. Its Fabric Connect provides a simple, ubiquitous layer 2 network in which every device can connect to its destination effortlessly. Fabric Connect, Avaya's implementation of IEEE 802.1aq Shortest Path Bridging (SPB), runs a single IS-IS control plane and can reduce or eliminate the need for other layer 2/3 protocols inside the fabric, such as Spanning Tree, RIP, OSPF, BGP or even MPLS, reducing overhead on the network.
On a practical level, agencies don't have to build out separate networks with VLAN tagging, domain stitching or MPLS. The Fabric Connect control plane allows a hyper-segment to extend from every device to its destination (app/server) in the data center.
Hyper-segmentation has one other benefit: it makes existing security tools more effective. When a hyper-segment is breached, the suspect traffic is confined to a single endpoint's path, so security tools can identify the rogue software or intruder quickly instead of sifting through thousands of other flows or terabytes of mixed data.
Cyber-attacks have become the greatest threat against our nation. We need every tool we can muster to make our defenses strong. Segmentation has worked for years. Now Avaya has taken this strategy to the next level by segmenting every endpoint. To me, Hyper-segmentation delivers on the promise of identity as the new perimeter.
- Hyper-segmentation – How to Avoid Cyber Disasters - November 2, 2016