With this blog we answer the question, what is network segmentation? In simple terms, network segmentation is defined as the practice of dividing a larger network into several smaller subnetworks that are each isolated from one another to provide enhanced security.
Terms that you might hear in addition to network segmentation are “microsegmentation” or “micro-segmentation” – while slightly different, network segmentation and microsegmentation both focus on using high-level policy constructs to control the flow of traffic between network segments or application components based on granular security rules.
The Importance of Network Segmentation
Why has network segmentation become more important over the last few years? Well historically, security approaches have revolved around protecting the perimeter of the network with a firewall and other security tools like Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). This would often be a pair of firewalls surrounding a demilitarized zone, which provides a segregated environment between trusted and untrusted zones. However, simply zoning an entire network as ‘trusted’ creates a flat network environment that requires only a single network intrusion for an adversary to gain widespread access.
The challenge is that savvy attackers often figure out how to penetrate these firewalls or hide malware in seemingly valid network packets flowing into the enterprise. Once inside the corporate network, the attack can wreak havoc by moving laterally without restriction and gain access to valuable assets, such as customers’ personal information, corporate financial records, and highly confidential intellectual property or be in a position to take down customer services in exchange for ransom.
In a blog by CrowdStrike on lateral movement they claim the following:
“Once an attacker secures administrative privileges and gains deeper access into a network, malicious lateral movement can be very difficult to detect because it can appear to be “normal” network traffic.”
Thus, many organizations have begun to adopt a Zero Trust (coined by Forrester) strategy, which assumes nobody is trustworthy by default, even those already inside the network perimeter. Network segmentation is a key tool in implementing a Zero Trust strategy by separating out valuable data and assets into zones or segments that can be accessed only by users whose credentials can be verified. The perimeter around these network segments provides an additional layer of security to prevent or at least dramatically slow down an attacker from moving laterally inside the data center if they are able to make it past the perimeter defense. Network segmentation needs to be applied to both East-West traffic traveling inside the data center as well as North-South traffic exiting the data center.
New Approaches to Network Segmentation
Historically network segmentation was achieved via simple physical or logical constructs, both very complex endeavors which have led to a very low implementation rate of network segmentation. The physical approach focuses on deploying multiple firewalls for internal networking – very expensive and complex with thousands of firewall rules that are needed to segment internal networks. Logical segmentation was done with virtual local area networks (VLANs). The challenge with VLANs is that they are locally significant and therefore networks must often be re-architected to accommodate segmentation needs and configuration is highly manual requiring hundreds of policies/ACLs programmed onto each network switch one-by-one.
Leveraging SDN-Automated Overlays
A more modern approach to network segmentation leverages an SDN-automated network overlay. The network consists of physical switches referred to as the “underlay” as well as the network “overlay”, which is a software-based instantiation of the network consisting of VXLAN or GENEVE tunnels combined with distributed software-based switching and routing functions.
Typically, this overlay network is deployed as a fabric which means that it can be combined with software defined networking (SDN) to deliver centralized policy. What does that mean exactly? Well, instead of configuring lots of VLANs and policies on every switch one-by-one, the SDN controlled fabric now has global significance so that a VLAN or a policy can be deployed across all network switches with a single command yet with distributed enforcement. In other words, what network segmentation now becomes is something that is operationally scalable as it can be implemented with much less complexity and pain.
Implementing Modern Network Segmentation
There are two ways of building this SDN-automated overlay fabric:
- server-based tunnel termination (A.K.A. compute-based)
- switch-based tunnel termination.
Server-Based vs. Switch Based:
Effectively this is defined by where VXLAN Tunnel Endpoints (VTEPs) are hosted. In a server-based solution there is a networking stack terminating VXLAN tunnels running on each server node in the data center. The main advantage of the server-based solution is that East-West traffic segmentation and routing between segments can happen on a single host. In a switch-based overlay implementation, where tunnels are terminated on the switch, traffic that must be segmented needs to pass through the top of rack switch. However, on the other side of the equation, there are a number of significant disadvantages to server-based implementations.
Server-Based SDN Fabric Implementation
Some of the key issues with server-based SDN fabric implementations include:
- Complexity of Server Overlay: Server overlays create operational complexity on the network side as now there are two separate network operating systems (NOS) to manage the underlay and overlay. These typically operate as a ships in the night model.
- Requires Server Overlay Compute Resources: Server overlays require significant additional compute resources on every server, typically 16 GB RAM and 4-cores on every host.
- Per Host Licensing Fees: Server based solutions typically require a per host licensing fee in the thousands of dollars, so you are paying for this segmentation on every server.
- Dedicated Edge Nodes: Server overlays requires mandatory edge nodes (separate dedicated servers) acting as N-S routers/gateways to communicate with physical routers so traffic can exit the data center fabric. Each edge node needs 32 GB RAM, 8-C, 200G SSD
- Multiple SDN Controllers: Server based solutions typically need 3 SDN controllers at every So, for a multi-site datacenter with 3 locations that is 9 controllers and each controller also needs 16GB RAM and 4-cores and requires a license fee, further increasing complexity and expense, space and power consumption.
- Extending Segmentation Outside of the Data Center: A server-based solution cannot aggregate non-server-based devices such as wiring closet switches or IoT gateways or video cameras.
Switch-Based SDN Fabric Solution Implementation
Contrast this to the switch-based SDN fabric solution for network segmentation:
- Efficient Use of Hardware: A top of rack switch has to be deployed anyway for physical connectivity and comes with the built-in processing power, memory and packet processing ASIC to perform hardware-accelerated tunnel termination for VXLAN. No extra hardware is required for the switch or any of the servers.
- Minimal License Fees: A license fee might need to be paid per switch but not per server. Since there are typically 2 TOR switches per ~20 servers this is a massive cost reduction.
- Controllerless SDN: If the SDN implementation is controllerless, then there are no controllers needed at any site. In other words, at 3 sites there would be 0 controllers needed versus the 9 controllers for server-based approaches. Here is more on controllerless SDN.
- Communication with Physical Router: The top of rack switch or a border leaf switch can communicate natively to a physical router using standard underlay protocols, so no extra hardware is required for N-S traffic either.
- Extends Segmentation to Non-Server Devices: because the overlay endpoints are terminated in the switch, the switch can be deployed to aggregate non-server-based devices like wiring closet switches and IoT gateways, effectively extending the network segmentation from the data center into the campus network.
Service Providers and Multi-tenancy
Network segmentation is not just for enterprise use, but also for service providers delivering services to multiple tenants. Combining network service constructs such as distributed VRFs at layer 3 or bridge domains at layer 2 as logical functions instantiated completely in software in the overlay riding on top of VXLAN transport provides the ability to segment by tenant and then further segment the network underneath each tenant. Policies can be applied fabric wide per tenant allowing certain subnets to rout to each other and to express membership in certain groups with robust security, e.g. for a particular network service for service chaining for example. Read more: network segmentation used for multi-tenancy.
SDN and overlay fabrics create an abstraction from the underlying physical infrastructure and deploy centralized policy management with global significance but with distributed/local enforcement. This approach makes network segmentation operationally tenable and thus an essential tool to improve the security posture of enterprise and service providers. Switch-based SDN fabric implementations are a very cost-effective way to provide business-wide network segmentation while also bringing additional networking benefits including integrated network and application visibility, resource pooling, and, as aforementioned, SDN automation for all network tasks. Finally, a controllerless SDN solution used for segmentation provides the most cost-effective approach by eliminating costly controllers required at every location and can easily span multiple data center and campus locations.
To learn even more about what network segmentation is and how switch-based SDN fabrics can be used to deliver network segmentation click on our network and traffic segmentation solution or reach out to Pluribus Networks for demo.
Subscribe to our updates and be the first to hear about the latest blog posts, product announcements, thought leadership and other news and information from Pluribus Networks.
About the Author
Mike is Chief Marketing Officer of Pluribus Networks. Mike has over 20 years of marketing, product management and business development experience in the networking industry. Prior to joining Pluribus, Mike was VP of Global Marketing at Infinera, where he built a world class marketing team and helped drive revenue from $400M to over $800M. Prior to Infinera, Mike led product marketing across Cisco’s $6B service provider routing, switching and optical portfolio and launched iconic products such as the CRS and ASR routers. He has also held senior positions at Juniper Networks, Pacific Broadband and Motorola.