
Believed to have first appeared in the 12th century, bulkheads are inner walls within the hull of a ship. One of the key purposes of these inner walls is to segment the hull and contain flooding in the event of damage. Just as a ship's hull uses segmentation to protect from leaks, networks can use segmentation to protect against the spread of attacks.

To fully understand the capabilities of AGS, you must first understand this concept of network segmentation.

At its core, network segmentation is a security technique that divides a network into smaller, distinct sub-networks. In essence, it breaks the network into zones that typically consist of multiple devices and the applications they host. This separation of zones can be achieved through firewalls, Access Control Lists (ACLs), or Virtual Local Area Networks (VLANs) that control how traffic flows between the different zones. This is beneficial because it allows network teams to deliver unique security controls and services to each sub-network, and it limits the potential impact of a compromise to a single zone.

AGS, on the other hand, takes a microsegmentation approach and uses a software-based solution that does not rely on the underlying network or cloud infrastructure. Instead, AGS creates a software-based segmentation overlay that works across both on-prem data centers and cloud environments. With AGS, segmentation can be applied not only to devices but also to the individual applications and processes running on those servers and workstations.

AGS architecture


The foundation of AGS is the centralized management server, which can be deployed either on-prem or as SaaS. This server collects detailed information about an organization's IT infrastructure through a mix of aggregator servers, network-based L4 data collectors and virtual private cloud (VPC) flow logs. As this information is streamed into the management server, relevant context is added to it through a flexible and automated labeling process.

The aggregator servers collect network logs from the agents, de-duplicate them and forward them to the management server, and manage policy updates for individual agents. Aggregators also load-balance agents, which is what lets the solution scale globally.

The agent is a process-level, host-based firewall that is installed on servers to control East/West traffic and on endpoints to complement the EDR solution. Agents receive control commands, report collected network logs, and enforce the segmentation policies provided by the aggregator servers. AGS agents support a broad range of legacy and modern Windows and Linux operating systems and can be installed on bare-metal and on-prem servers, in containers, or on cloud instances in Azure, AWS and GCP.

The agent has four main functions:

  • Visibility: The first and most important function. This enables administrators to understand how systems are communicating with each other, which in turn allows them to create effective segmentation policies.
  • Enforcement: Since the agent is a process-level, host-based firewall, it makes the decision to allow or block each connection based on the policies applied to it.
  • Insight: This functionality allows administrators to query the agent for information such as current patch level, critical vulnerabilities, and whether EDR is installed.
  • Deception: If the agent detects anomalous behavior, it can dynamically redirect the attacker to a Guardicore-hosted honeypot.

How does Akamai Guardicore Segmentation (AGS) work?

Segmentation starts with deploying a lightweight agent on servers and endpoints that can be either on-prem or in the cloud. After the agents have been deployed, AGS will organically build a map of your network so you can visualize the environment.

After you have a visualization of the environment, the next step is to organize it with labels. Labels are metadata that stay with the asset and are used to organize the environment into logical groupings such as geographical areas, business units, applications and roles. Labels can be applied in several ways: manually, dynamically, by machine learning, or through integration with a Configuration Management Database (CMDB) or cloud environment. Labels are very important because they organize systems and flows in a way that exposes dependencies, and because enforcement policies are written in terms of labels rather than individual IP addresses or hostnames.

Now that labels have been applied to workloads, the final step is to create the enforcement policies that actually segment the environment. AGS uses a combination of full visibility and context-driven policy settings to create segmentation that disrupts the attack chain in its earliest phases. Policies can be created from built-in templates or written manually. An example of creating an enforcement policy is using the "Ring Fence an Application" template to quickly allow-list the observed inbound and outbound flows for a specific application and block everything else to or from it. Once your enforcement policies are in place, your environment is segmented.
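The three steps above (observe flows, label assets, derive a ring-fence policy from the labels) can be modeled in a few dozen lines. The following is an added example written for this article; it is not AGS code and does not use any AGS API. The inventory, labels, observed flows and process names are all constructed for the illustration. It generalizes the "Ring Fence an Application" idea slightly: peers inside the fenced application are pinned to their tier (role) label as well as the application label, so that a web tier cannot reach the database tier directly just because both carry the same application label.

```python
"""Label-based ring-fence policy model (illustrative, not AGS's implementation)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Asset:
    name: str
    labels: FrozenSet[str]          # e.g. {"app:payments", "role:web", "env:prod"}

@dataclass(frozen=True)
class Flow:
    src: str                        # asset that initiated the connection
    dst: str                        # asset that accepted it
    dst_port: int
    process: str                    # listening process on dst, as a host agent reports it

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    src_sel: FrozenSet[str]         # all labels must be present; empty set = any asset
    dst_sel: FrozenSet[str]
    dst_port: Optional[int] = None  # None = any port
    process: Optional[str] = None   # None = any process

ANY: FrozenSet[str] = frozenset()

# Constructed inventory: hostnames and labels are made up for this example.
INVENTORY = {
    "web-01":   Asset("web-01",   frozenset({"app:payments", "role:web", "env:prod"})),
    "api-01":   Asset("api-01",   frozenset({"app:payments", "role:api", "env:prod"})),
    "db-01":    Asset("db-01",    frozenset({"app:payments", "role:db",  "env:prod"})),
    "ad-01":    Asset("ad-01",    frozenset({"app:directory", "role:dc", "env:prod"})),
    "hr-01":    Asset("hr-01",    frozenset({"app:hr", "role:web", "env:prod"})),
    "laptop-7": Asset("laptop-7", frozenset({"app:workstation", "role:endpoint"})),
}

# Constructed baseline: the flows the visibility phase saw before enforcement.
OBSERVED = [
    Flow("web-01", "api-01", 8443, "java"),
    Flow("api-01", "db-01", 5432, "postgres"),
    Flow("api-01", "ad-01", 636, "lsass.exe"),   # LDAPS to the domain controller
]

def has_labels(asset_name: str, required: FrozenSet[str]) -> bool:
    return required <= INVENTORY[asset_name].labels

def matches(rule: Rule, flow: Flow) -> bool:
    return (has_labels(flow.src, rule.src_sel)
            and has_labels(flow.dst, rule.dst_sel)
            and rule.dst_port in (None, flow.dst_port)
            and rule.process in (None, flow.process))

def selector(asset_name: str, app_label: str) -> FrozenSet[str]:
    """Describe an asset by labels, never by name or IP.
    Inside the fence: app + tier, so tiers stay separated. Outside: the peer's app label."""
    labels = INVENTORY[asset_name].labels
    if app_label in labels:
        role = next(l for l in labels if l.startswith("role:"))
        return frozenset({app_label, role})
    return frozenset({next(l for l in labels if l.startswith("app:"))})

def ring_fence(app_label: str, observed: List[Flow]) -> List[Rule]:
    """Allow every observed flow touching the app, pinned to port and process,
    then block all other traffic into or out of the app."""
    allows: List[Rule] = []
    for f in observed:
        if not (has_labels(f.src, {app_label}) or has_labels(f.dst, {app_label})):
            continue
        r = Rule("allow", selector(f.src, app_label), selector(f.dst, app_label),
                 f.dst_port, f.process)
        if r not in allows:
            allows.append(r)
    blocks = [Rule("block", ANY, frozenset({app_label})),
              Rule("block", frozenset({app_label}), ANY)]
    return allows + blocks

def decide(rules: List[Rule], flow: Flow, default: str = "allow") -> str:
    """First matching rule wins. `default` models assets no policy touches yet."""
    for r in rules:
        if matches(r, flow):
            return r.action
    return default

if __name__ == "__main__":
    policy = ring_fence("app:payments", OBSERVED)
    for r in policy:
        print(r)
    # Lateral movement from an endpoint straight to the database is blocked,
    # and so is the right port reached by the wrong process (e.g. a dropped tool).
    print(decide(policy, Flow("laptop-7", "db-01", 5432, "postgres")))
    print(decide(policy, Flow("api-01", "db-01", 5432, "nc")))
```

Two properties are worth noting. The policy never mentions a hostname or address, so a new `db-02` that inherits the `app:payments` and `role:db` labels (from a CMDB or cloud tag) is covered without editing a rule. And because rules carry the listening process, an attacker who lands on `api-01` and starts a different binary on the same port is still blocked, which is the distinction between a process-level host firewall and a port-based ACL.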

Key capabilities of AGS

Visibility: Map application dependencies and flows down to the user and process level, in near real time or historically. On top of this, AGS provides flexible labeling, customizable maps of your network, automated application discovery and integrations with existing CMDBs.

Fast Time to Policy: Flexible labeling and AI-powered segmentation allows the implementation of granular policies based on process, user identity and FQDN in a few clicks using templates.

Broad Platform Support: AGS covers both modern and legacy operating systems across bare-metal servers, virtual machines, containers, OT/IoT and cloud instances.

Flexible Asset Labeling: Ability to add rich context with an unrestricted labeling hierarchy and simple integration with orchestration tools and configuration management databases.

Security Focused: AGS's goal is not just to provide segmentation but to give organizations a better overall security posture. It achieves this by providing advanced security capabilities such as ransomware mitigation, threat intelligence firewall, network scan detection, incident response services, detection technology, etc.

Zero Trust

In recent years many organizations have begun to adopt the Zero Trust strategy which stemmed from the inherent weaknesses of assumed trust in the network. Zero Trust is an IT security framework that is meant to enable secure access to applications and services based on defined access control policies whether a user is inside or outside an organization's network. The big idea of Zero Trust is that nobody is trusted implicitly.

AGS helps organizations achieve Zero Trust by:

  • Reducing attack surface: Zero Trust mitigates the risks associated with the increase in attack surface caused by the adoption of cloud computing and remote working.
  • Limiting access to sensitive data: Zero Trust components positively authenticate and authorize users and their devices to reach approved applications and information.
  • Assessing risks continuously: Unlike legacy architectures, a Zero Trust solution can dynamically assess the security risk of users, devices, and services to mitigate risks that may occur post-authentication.

Through its software-based segmentation, AGS is a major factor in reducing an organization's attack surface. By defining micro-perimeters close to the data sources, AGS can prevent the east/west lateral movement that attackers rely on to spread through a network, effectively limiting the blast radius of a breach. Since AGS can put perimeters around both devices and applications, it can also limit access to your most sensitive data wherever it resides, because enforcement policies govern which applications, devices and external destinations are allowed to connect to it.

Conclusion

Akamai Guardicore Segmentation is a software-based segmentation solution that provides simple, fast and intuitive ways to enforce Zero Trust principles in the network. Using a mix of agent-based sensors, network-based data collectors and virtual private cloud flow logs to map your network, this segmentation solution works across data centers, multicloud environments and endpoints to deliver a central UI of all an organization's assets and infrastructure. Through the use of precise segmentation policies, comprehensive visuals of activity within an IT network and network security alerts, Akamai Guardicore Segmentation enables you to prevent malicious lateral movement within your network.
