Path to agentless segmentation through WAN connectivity evolution
In the early 1990s, organizations spent millions on point-to-point wide-area connections. These point connections were expensive and only served as single connection access between two locations. Once organizations moved their workforce globally, point-to-point connections became obsolete and quickly were replaced by carrier-based frame relay clouds.
MCI, AT&T, UUNET and other carriers offer frame relay as means to mesh corporate locations together through a virtual cloud. This cloud configuration was unique to this specific organization, They were not used for public access. The frame relay network requires a DSU/CSU controller for connectivity and a router, i.e.: the Cisco 2500 device to handle the layer 3 routing between the locations. Each external interface facing the frame relay network needed to be on the same subnet mask and IP network at layer 3. Routing between the remote locations back to the corporate data center became a reality through the hub and spoke architecture. In time, some locations actually designed a fully mesh frame relay, allowing for remote offices to bypass the hub data center and communicate directly with other remote locations. Frame relay proved to be a cost- savings compared to point-to-point circuits. While the frame mesh proved to be cost-effective and easy to maintain, the topology lacked several capabilities needed once organizations began moving applications and services to the Internet.
From Frame to MPLS to SD-WAN Progression
By 2009, WAN networks needed to become more application, content-aware, and much more involved in the security posture of the organization. Applications thanks to the growth of the Internet became faster and more critical to the organization. Companies became nearly 100% dependent on applications running into the corporate data center and on the company’s Internet site for productivity, product delivery, and marketing. Legacy frame-relay solved the mesh connectivity issue, however, this topology did very little in traffic shaping, quality of service, or becoming security-aware of changing traffic patterns. Companies began to spend more money on caching technology, QoS applications, and traffic shaping tools to optimize their networks. While most of these technologies delivered some level of value for the cost, these components only compensated for the lack of evolution in the WAN architecture available.
Evolution of MPLS
With the rollout of MPLS (multi-protocol label switching), WAN networks offered high levels of traffic shaping, QoS, and the ability to make routing decisions based on the labeling or tagging of traffic. Multi-protocol Label Switching is a routing technique in telecommunications networks connected directly from one node to another based on labels, rather than network addresses.
With MPLS, organization WAN networks could tag specific traffic for a specific location within their network while restricting specific ports and protocols. This capability helped leave off unnecessary traffic while using the capacity for mission-critical applications. MPLS also allowed the organization to scale up capacity based on the need for a specific location or application. Along with greater application awareness, MPLS also re-routed traffic to a secondary location if a primary site went down. MPLS delivered traffic faster than previous frame relay networks. MPLS also functioned at layer 2 or layer 3 routing modes.
Creating Micro-Segments within VLAN
Once companies phased out their legacy frame relay with MPLS, companies now can meet their new challenges including replication of databases, delivery of video quality communications, and the need to deliver faster access from remote locations. IT departments began to see security as a critical next step in the WAN topology evolution. With the speed of data arriving faster than in previous topologies, IT personnel realized the need to organize the users in VLAN provided a much-needed security and network control layer. By segmenting users and systems into VLANS, network architects could leverage access control lists and firewall rules to prevent users from entering the secured areas within the corporate network.
Security architects continue to leverage the VLAN segment to isolate users and applications. While VLANs served the immediate requirement for segmentation, this new architecture did very little in providing protection within the containment zones. FBI continues to report that 87% of security breaches happen from within the organization. Organizations realized the finding in the FBI became all too real within their networks. Users were crossing into sensitive VLANs and accessing data outside of their permissions profile. The VLAN segment strategy in time became complex and unmanageable.
This challenging issue also affected WAN network connectivity. MPLS offered a level of segmentation both at layer 2 and layer3. However, this configuration often was very complex and challenging to maintain with frequent changes.
SD-WAN - A Next Step in the Introduction to WAN Security, Mesh, and Optimization
There have been significant changes in wide-area networks over the past few years, none more important than software-defined WAN or SD-WAN, which is changing how network pros think about optimizing the use of connectivity that is as varied as Multi-protocol Label Switching (MPLS), frame relay and even DSL.
SD-WAN uses a unified control system to securely and intelligently direct traffic across the WAN and directly to trusted SaaS and IaaS providers. This increases application performance and delivers a high-quality user experience.
SD-WAN model is designed to support applications hosted in on-premises data centers, public or private clouds, along with connectivity to SaaS services.
SD-WAN addresses current IT challenges. This fresh capability to network connectivity can lower operational costs and improve resource allocation for multi-site deployments. Network administrators can use capacity more efficiently and can help ensure high levels of performance for critical applications, including increasing security or data privacy.
Not the Perfect Solution
Though SD-WAN has many benefits, there are also key limitations. Extending the SD-WAN to the cloud requires installing an SD-WAN in or near the cloud provider’s data center, a complicated if not impossible task. Mobile users are ignored by SD-WAN. Managed microsegment and fluid changes to the WAN topology when security containment is needed, also is a challenge with SD-WAN deployments.
Complexity of Agent-based Micro-segmentation
Micro-segmentation provides greater capabilities by compartmentalizing applications, enabling service tiers, and applying specific workloads and policies within these protective zones.
Many embedded security functions within SD-WAN rely on Layer 3 network controls and don’t provide the robust cloud security functions required in a modern IT environment. Instead, many security solutions for SD-WAN-enabled appliances are only concerned with the speed of the applications less about traffic intelligence and security.
One of the primary benefits of micro-segmentation is it can apply security protocols to traffic that is already within your network, moving east-west between internal servers. The network segmentation approach is limited and focuses more on north-south traffic with little visibility into east, west traffic.
With micro-segmentation, the “impactful zones” of a breach can be limited to the zone that gets breached. Because all data gets inspected and filtered before it may exit the segment, lateral movement is blocked, leaving other applications unimpacted.
The primary advantage of micro-segmentation is to reduce the attack surface by minimizing the possibilities for lateral movement in the event of a security breach. With traditional networking technologies, this is very hard to accomplish.
Many micro-segmentation capabilities function well enough to provide the needed protection within the segment when ransomware, most of these deployments require a client agent along with complex policy-based routes. These complexities in setup and management also more often result in security breaches. Most security systems over time are misconfigured and often cannot stop and project attack surfaces. These attack surfaces become a launchpad for further attacks within the organization.
SD-WAN specifically does provide a level of network and access segmentation for assets in the data center and cloud. However, SD-WAN does not provide blocking of an outbreak within the segment itself. SD-WAN does not provide containment of ransomware within a VLAN or micro-segmentation area of the network.
Beyond the corporate networks: IOT/OT/ICS security and containment
Micro-segmentation also has a place within the client’s IoT/OT/ICS segments. Many hospitals, retail stores, industrial 4.0 factories, and robotic-driven warehouses also require micro-segmentation. These specialized devices run on a closed-loop operating system and network. Rarely do these control devices communicate with internal IT corporate systems. Most networking engineers will build out a physically different network for these specialized workloads. With the network enablement of these devices, these specialized units are moving rapidly to communicate with IoT cloud providers and 3rd party monitoring systems. With the increase in public connectivity, these devices do not have memory or platform space to load an agent for security and segmentation. Leveraging agentless micro-segmentation, the devices will compartmentalize by device type and business functional while containing any security breach within their respective containment zone. Agentless micro-segmentation also allows for segmentation of a flat network by leveraging the “secured ringfence zone” within the existing flat network for better containment and compartmentalization of the OT devices without the need to load an agent on the device.
Agentless approach to microsegment, containment, and compartmentalization of corporate assets and security outbreaks.
Despite an organization’s best attempts, sometimes human errors can cause a ransomware breach. Under the circumstances, most IT organizations resort to shutting down networking infrastructure in order to protect against ransomware, resulting in business productivity loss. In contrast, Airgap’s patented Ransomware Kill Switch™ is a surgical incident response to ransomware attacks and stops the spread of ransomware without loss of business productivity.
Agentless microsegment Airgap delivered this new and revolutionary strategy in a three-pronged approach:
Confining known and unknown threats
Ensuring allowed communication inside of an organization while monitoring all transactions for behavioral anomalies.
Enforcing multi-factor authenticated access for all high-value assets–regardless of a modern or legacy architecture.
Agentless segmentation by Airgap merged the compartmentalization strategy by supporting all cloud, SAAS, and internal network connectivity requirements under one system. The concept of a global proxy platform allows for universal and agentless policy routing and access control based on the user’s multi-factor authentication credentials. The user will only need to authenticate one-time into the Airgap management portal in order to all available policy routes. The user will restrict to their respective protection zone based on their credential permissions.
Airgap’s Zero Trust IsolationTM platform has been built by industry experts over the past three years. The patented solution can often be deployed within minutes, and most customers gain immediate benefit.
About Airgap Networks
Security experts know that network segmentation is the best defense against evolving cyber threats. However, available segmentation solutions either require agents to be installed everywhere or upgrade networking hardware with proprietary implementations. Airgap is the only vendor that offers agentless network segmentation and autonomous policy controls through a patented and innovative approach that enables isolation at every layer and down to every device. All this means malware is immediately blocked from traversing the network, even within the same VLAN or same subnet - unique protection not offered by any other solution.
Additionally, a typical organization takes hours or days to detect and respond to ransomware attacks and often resorts to a draconian approach of shutting down the entire network during a cyber event resulting in operational impact. Therefore, Airgap built a specialized ransomware kill switch that surgically stops ransomware propagation without operational impact.
Finally, enterprises often enable direct access to high-value assets over vulnerable protocols such as Windows RDP. Airgap’s identity-based access control provides strong Zero-Trust safeguards as the layer of protection to secure high-value assets against cyber threats.
Airgap’s patented solution is custom designed to reduce the enterprise attack surface and protect high-value assets in Manufacturing, Healthcare, Retail, and Critical Infrastructure verticals where a compromise of the core operational system can disrupt mission-critical processes. Airgap Security Platform is the easiest to implement and manage and it is currently deployed across many large multinational customers.