SD-WAN Segmentation: What Are My Options?
In this article
A Google search of "SD-WAN Segmentation" returns over half a million hits on the subject. Every solution on the market has an answer to segmentation, but that answer can be different based on the vendor(s) you are evaluating. The reason for the difference is that there is a lack of standardization in the SD-WAN market, both in terminology and technologies used.
The most important thing is being able to recognize the capabilities available in a solution and determine how they map to your organization's security posture.
In the vein of "Myth Busting" we will explore why we need segmentation, segmentation options available in SD-WAN and provide some considerations when selecting the right solution for your business.
Consider a farm that is home to fields and livestock. On that farm there is no fence for the cows, no coop for the chickens and fields are a mix of corn and soybeans. Each animal and each crop requires different care and feeding as well as protection from each other. Such a farm would require constant oversight, a high-touch level of care and could be very susceptible to outbreaks. Global routing tables, complex access control lists and limited insight on device interactions lead to a similar set of problems on our enterprise networks.
Farm life without segmentation is chaos.
Agriculture has long since applied the principles of segmentation, grouping livestock and crops based on their resource requirements and needs. This allows farmers to scale more effectively as they can provide better oversight, care and feeding, and disease control on their farm. Just as developers have learned from farming (pets vs. cattle) so should enterprise network engineers. The same methodologies can be applied to ensure our networks have proper oversight, are well maintained and are protected from malicious behavior.
A well-ordered farm with segmentation.
SD-WAN segmentation options
SD-WAN segmentation options are not new, they are based on proven technologies and are commonly found in most enterprise and service provider networks. The options available in SD-WAN support two key concepts used in segmentation:
- Path Isolation
- Security Controls
Just as the farmer corrals the livestock and curates the fields (Path Isolation) so does the farmer provide the proper care and feeding to each by ensuring only the required resources are accessed (Security Controls). In networking we draw our distinctions using the Open Systems Interconnect (OSI) model. Path Isolation in the context of SD-WAN will occur at the Network Layer (Layer 3) and is often paired with technologies in the Data Link Layer (Layer 2). Security Controls generally provide permit or deny policy actions based on traffic attributes that are associated with the Network Layer (Layer 3), Transport Layer (Layer 4), Application Layer (Layer 7), or any combination of the three preceding layers.
Terms associated with Path Isolation include Virtual Routing & Forwarding (VRF) and Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN). These two technologies allow network engineers to create separate routing domains and place users and devices into domains based on their access needs and/or security requirements. An example of this would be providing path isolation for Point of Sale (POS) devices at a retail store. This means users residing in other parts of the network (e.g. accounting, sales, corporate) would not have direct access to the POS network and vice versa.
Security Controls can achieve similar results as Path Isolation, but it is being enforced at the policy level and could still allow unintended lateral movement in the network if not setup correctly. The methods available in SD-WAN include Access Control List (ACL), Zone Based Firewall (ZBFW), or Application Firewall. Policy can be crafted to provide more granular control over device interactions on your network. For example, the POS device should only be able to access a specific set of services (e.g. HTTPS, DNS) from a limited set of hosts (e.g. 203.0.113.0/24). This type of policy further restricts access to/from POS devices on a network.
Differences between Path Isolation and Security Controls.
Full functionality and availability of these segmentation methods are critical for an organization's ability to maintain or achieve a comprehensive security posture on their network. And it is critical to realize that SD-WAN solutions may implement none, some, all, or variants of the technologies described above.
In today's world, where breaches are common, security should be front of mind when selecting and integrating a solution into your enterprise network. The technologies that your organization configures and deploys on your current infrastructure are essential to maintaining your organization's security posture. When selecting an SD-WAN solution, at a minimum, its capabilities should be able to achieve the intent of your security policy. However; the cyber threats that face our networks today require use to always move the needle forward when it comes to security. The right SD-WAN solution, when it comes to segmentation, should have:
- Automated deployment of segmentation configuration
- Support path isolation
- Provide robust security controls
- Ability to audit configurations for accuracy and consistency
- Receive alerts on policy violations and provide intuitive monitoring
While some or all of these may resonate with your organization, an important first step to finding the right SD-WAN solution is writing down your security requirements. Anything you can achieve today, with existing infrastructure, should be available in some capacity on SD-WAN. If not, there may be alternative method for getting the desired result, but warrants further investigation as the alternative might represent too much of a departure from existing methods.
Many enterprises are on a similar journey to deploy SD-WAN in their environment. Additionally, these enterprises are exploring Enterprise Segmentation strategies. Finding an SD-WAN solution that can deliver on security initiatives is critical to facing today's cyber threats.
Having a common understanding of why we segment is an important first step to evaluating the capabilities of an SD-WAN solution. Path Isolation helps us corral our traffic while Security Controls focus on permitting or denying traffic based on specific matching criteria.
Recognizing that separation and enforcement are different but equally important aspects of segmentation, helps us understand why we need an SD-WAN solution that can deploy both. These segmentation techniques are complimentary and help us further realize our security goals.
Having a short list of items that are critical to your organization's segmentation story is an important tool when evaluating SD-WAN solutions. Finding the right SD-WAN solution can be challenging, but asking the right questions can shorten your search.
Feel free to connect with me if you have any questions. SD-WAN is what I do, and I'm always happy to share what I know!