
Microsegmentation – small networks, but great security

Local network segmentation is a cybersecurity topic that gets discussed far too little. Microsegmentation is often perceived as too technically difficult to implement. At the same time, as services move to the cloud, it is easy to assume that the organization no longer needs anything beyond an internet connection, so why is network microsegmentation still worth talking about? Above IT Oy’s ‘consigliere’ Matias Haapaniemi delved into this often overlooked topic in his latest blog post. Read on!

When a firewall alone is no longer enough

Traditionally, corporate networks have been protected by a firewall at the network edge, which acts like the strong gate of a castle: it only lets permitted traffic in and out. But what happens if an adversary somehow gets inside the castle walls? Imagine an employee who clicks a link in a phishing email and unknowingly installs malware on their computer. The attacker is now inside the network, behind the firewall. Without any internal restrictions, that malware can move freely across the entire local network, reaching servers, management interfaces and other workstations just as easily as the first victim. The situation is like an office building where only the front door is locked: once inside, every room and space is freely accessible.

What is microsegmentation?

Microsegmentation means dividing the network into smaller, isolated parts, each of which is protected separately. This creates multiple compartments and “internal doors” in the network, which limit an attacker’s lateral movement within the local network. Even if one part of the network is breached, the attacker cannot easily move to the others, so the damage can be contained to a single segment. Microsegmentation has become an important cybersecurity method for small and medium-sized businesses as well, because in modern networks a traditional firewall at the network edge alone is no longer sufficient to keep threats at bay.

Layer 2 segmentation using VLANs

Network segmentation can be implemented at different levels. Layer 2 segmentation refers to segmentation at the data link layer: devices are isolated into their own local networks at the switch and MAC address level. Using VLANs (Virtual Local Area Networks), devices physically connected to the same switch can be logically divided into separate network segments, as if they were on different switches. For example, all office printers can be placed in VLAN 10 and employees’ computers in VLAN 20. Even though they are connected to the same network device, they do not share a “local network”: broadcasts and unknown-destination traffic stay within the VLAN, and the two segments can only reach each other through a router or firewall that routes between the VLANs and permits the traffic. That inter-VLAN firewall is where the actual access rules live.
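As an added example (not code from the original post), the following Python model shows what a switch actually does with VLANs: it parses 802.1Q tags (TPID 0x8100, the 12-bit VLAN ID in the TCI), keeps a separate MAC table per VLAN, and floods unknown or broadcast frames only to ports in the same VLAN. Port numbers, MAC addresses and payloads are constructed for the demo; the rule that an access port drops tagged frames is this model’s policy, stated here so that a host cannot pick its own VLAN by tagging its frames.

```python
"""Minimal 802.1Q-aware learning switch (added illustration, not from the page)."""
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag (PCP=0, DEI=0) when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        hdr += struct.pack("!HH", TPID_8021Q, vlan)  # TCI: PCP/DEI zero, VID in low 12 bits
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, ethertype, vlan (None if untagged) and payload of a frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan, off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18  # mask off PCP/DEI, keep the 12-bit VLAN ID
    return {"dst": dst, "src": src, "ethertype": ethertype, "vlan": vlan, "payload": frame[off:]}


class VlanSwitch:
    """Ports map to an access VLAN (int, untagged hosts) or None for a tagged trunk."""

    def __init__(self, ports: Dict[int, Optional[int]]):
        self.ports = ports
        self.mac_table: Dict[Tuple[int, bytes], int] = {}  # (vlan, mac) -> port

    def receive(self, in_port: int, frame: bytes) -> Dict[int, bytes]:
        """Process one ingress frame; return {egress_port: frame as sent on that port}."""
        f = parse_frame(frame)
        pvid = self.ports[in_port]
        if pvid is None:                       # trunk: VLAN must come from the tag
            if f["vlan"] is None:
                return {}
            vlan = f["vlan"]
        else:                                  # access port: host-supplied tags are dropped (model policy)
            if f["vlan"] is not None:
                return {}
            vlan = pvid
        self.mac_table[(vlan, f["src"])] = in_port      # learn, scoped to the VLAN
        known = self.mac_table.get((vlan, f["dst"]))
        if known == in_port:
            return {}                                    # destination is behind the ingress port; filter
        if known is not None:
            targets = [known]
        else:                                            # broadcast / unknown unicast: flood within the VLAN only
            targets = [p for p, v in self.ports.items() if p != in_port and v in (vlan, None)]
        out = {}
        for p in targets:
            tag = vlan if self.ports[p] is None else None  # re-tag on trunks, untagged on access ports
            out[p] = build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], tag)
        return out


def demo() -> dict:
    """Printer on port 1 (VLAN 10), two PCs on ports 2-3 (VLAN 20), uplink trunk on port 4."""
    sw = VlanSwitch({1: 10, 2: 20, 3: 20, 4: None})
    pc_a, pc_b = b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x03"  # constructed MACs
    flood = sw.receive(2, build_frame(BROADCAST, pc_a, 0x0806, b"who-has printer?"))  # ARP-like broadcast
    sw.receive(3, build_frame(pc_a, pc_b, 0x0800, b"reply"))                          # lets the switch learn pc_b
    unicast = sw.receive(2, build_frame(pc_b, pc_a, 0x0800, b"data"))
    return {"flood_ports": sorted(flood),            # [3, 4]: port 1 (VLAN 10) never sees the broadcast
            "unicast_ports": sorted(unicast),        # [3]
            "trunk_vlan": parse_frame(flood[4])["vlan"]}  # 20: the tag the trunk carries upstream


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that nothing in VLAN 20 can even address the printer in VLAN 10 at Layer 2; the broadcast goes to the other PC and up the trunk, where the router or firewall on the other end decides whether VLAN 20 may talk to VLAN 10 at all.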

What types of VLANs should a company have?
It strongly depends on the organization, but these are a good starting point:

  • Workstation network
  • Server network
  • Management network for IT services
  • Guest network
  • IoT device network

In Cisco Meraki networks, VLAN-based microsegmentation can be taken further with Adaptive Policy, whose dynamic, group-based rules move the architecture beyond static VLAN definitions.

ZTNA products as an aid to microsegmentation

Layer 2 segmentation (VLANs) provides a good “room division” within the internal network, but restricting access per user and per device, based on who and what is connecting, is where Zero Trust Network Access (ZTNA) solutions come in. Think of ZTNA as an identity-based, encrypted overlay network in which traffic only flows when and where access has been explicitly granted. “Never trust, always verify” describes ZTNA well.

ZTNA products can abstract the local network away from the whole and allow more centralized and precise segmentation. A ZTNA rule might read “Allow Matias to connect to the Hyper-V server with RDP,” whereas the equivalent local network rule is “Allow 10.0.20.2 to connect to 10.0.10.3 on port 3389.” In ZTNA products the source IP address is not what the policy is keyed on; decisions are based on the verified identity of the user or device, typically combined with device posture. This matters for microsegmentation today because a user’s network location can be a Starbucks, a home office, a lunch restaurant, the office and a hotel, all in the same day. With traditional address-based rules it is hard to create precise restrictions for such devices; with ZTNA the location simply stops being part of the rule.
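To make the difference between the two rule styles concrete, here is an added Python example (not the post’s own code, and not any vendor’s policy engine) that evaluates the same intent twice: once as an address/port ACL keyed on 10.0.20.2, 10.0.10.3 and port 3389 as in the text, and once as an identity-based rule over a published resource. The resource name “hyperv-server”, the user names, the compliance flag and the café address 192.0.2.44 (from the RFC 5737 documentation range) are illustrative assumptions; the example also assumes the user identity and posture have already been verified by the ZTNA client and identity provider.

```python
"""Added example: the same access intent as an IP/port ACL and as an identity-based ZTNA rule."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    user: Optional[str] = None        # identity asserted by the ZTNA client (assumed verified upstream)
    device_compliant: bool = False    # posture result reported by the ZTNA agent (assumed)


@dataclass(frozen=True)
class AclRule:
    """Traditional L3 rule: allow src network -> dst network on a destination port."""
    src: str
    dst: str
    dst_port: int


def acl_allows(rules: List[AclRule], flow: Flow) -> bool:
    """First-match ACL keyed purely on addresses and port, with an implicit deny at the end."""
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and flow.dst_port == r.dst_port):
            return True
    return False


@dataclass(frozen=True)
class ZtnaRule:
    """'Allow <principal> to reach <resource> with <service>', optionally only from a compliant device."""
    principal: str
    resource: str
    service: str
    require_compliant_device: bool = True


# Published resources (illustrative): the connector maps a logical name to an internal address and ports.
RESOURCES: Dict[str, dict] = {"hyperv-server": {"ip": "10.0.10.3", "services": {"rdp": 3389}}}


def ztna_allows(rules: List[ZtnaRule], flow: Flow) -> bool:
    """Decide on identity, posture and the published service; the client's source IP plays no part."""
    if flow.user is None:
        return False                                   # unauthenticated traffic never reaches a resource
    match: Optional[Tuple[str, str]] = None
    for name, res in RESOURCES.items():
        if res["ip"] == flow.dst_ip:
            for svc, port in res["services"].items():
                if port == flow.dst_port:
                    match = (name, svc)
    if match is None:
        return False                                   # not a published service: nothing to grant
    for r in rules:
        if (r.principal == flow.user and (r.resource, r.service) == match
                and (flow.device_compliant or not r.require_compliant_device)):
            return True
    return False


ACL = [AclRule("10.0.20.2/32", "10.0.10.3/32", 3389)]
ZTNA = [ZtnaRule("matias", "hyperv-server", "rdp")]


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Constructed scenarios; each value is (acl_decision, ztna_decision)."""
    cases = {
        "matias_office":    Flow("10.0.20.2", "10.0.10.3", 3389, user="matias", device_compliant=True),
        "matias_cafe":      Flow("192.0.2.44", "10.0.10.3", 3389, user="matias", device_compliant=True),
        "intruder_on_desk": Flow("10.0.20.2", "10.0.10.3", 3389, user="mallory", device_compliant=True),
        "matias_unmanaged": Flow("10.0.20.2", "10.0.10.3", 3389, user="matias", device_compliant=False),
        "matias_smb":       Flow("10.0.20.2", "10.0.10.3", 445, user="matias", device_compliant=True),
    }
    return {name: (acl_allows(ACL, f), ztna_allows(ZTNA, f)) for name, f in cases.items()}


if __name__ == "__main__":
    for name, (acl, ztna) in compare().items():
        print(f"{name:18s} ACL={'allow' if acl else 'deny':5s} ZTNA={'allow' if ztna else 'deny'}")
```

Two rows are worth dwelling on: “matias_cafe” is denied by the ACL but allowed by ZTNA, which is the roaming case the text describes, while “intruder_on_desk” is allowed by the ACL simply because the traffic comes from the right address, and denied by ZTNA because the identity is wrong. The real engineering effort in a ZTNA deployment goes into making that identity assertion trustworthy (the client binds the user and device posture to the tunnel, and the resource side only accepts traffic from the connector); the policy evaluation itself is the easy part. Note also that devices without an agent, such as printers and IoT devices, still need the VLAN-level “room division” from the previous section.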

Do you need help or a sparring partner on how your organization should approach microsegmentation or Zero Trust architecture in general? As a network partner specializing in Cisco Meraki environments and a partner specializing in Microsoft’s security solutions, we can support your IT management needs. Contact us below and let’s talk more!
