Why you should be thinking about network microsegmentation today
Good to know: effective security through network microsegmentation
What is network microsegmentation?
Microsegmentation is a method of dividing a network into small, isolated areas (segments or zones) in order to restrict access to specific resources. In network security terms, microsegmentation means that traffic between the different parts of the network is strictly controlled by firewalls at the zone boundaries, with active services such as IDS enabled, so that a threat cannot spread laterally inside the network either.
Fine-tuning communication from clients to servers:
Microsegmentation enables granular control over access to resources. You define exactly which users or systems are allowed to reach which data or applications.
Although many companies use firewalls to secure the transition to the Internet, they forget that devices are now carried past those firewalls every day by their own employees (in the truest sense of the word). The technical communication paths to the servers are often in the same network. Even in large organizations, there is frequently no separation between the individual servers.
Zone concept
Network architects draw up communication tables that show which server application communicates with users or with other applications, and how. In concrete terms, this is the principle of minimum communication: each network zone that talks to another network zone is routed through a firewall that inspects the traffic.
For example, an application server only needs to communicate with an MS SQL database server on port 1433. The connection is always initiated in one direction, from the application server to the database server. From a network architecture point of view, there is therefore no need to allow any further connections between these two servers.
In this case, two zones are created: "DB" as the database server zone and "APP" as the application server zone. The two VLANs in which the servers are located are then separated by a zone firewall. This ensures, already at network level, that attack scenarios between these two servers other than SQL-specific ones are not possible.
Where do you start?
Every company now runs many business applications, often well over 100. When network administrators think about configuring the firewalls and VLANs for all of them, some will feel queasy. Templates are the way to success!
Network architects must provide clear templates that their firewall admins can use as a guide. Configuring first and testing afterwards to see whether the result matches what was intended is not the right approach either: given the sheer number of connections, misconfigurations are practically guaranteed.
Progressing step by step is the path to success here. The example described above is already an advanced expansion stage of microsegmentation. You can also start by zoning the following networks:
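The zone concept and the template idea above, as an added example that is not part of the original article: a communication table is modelled as data, a proposed connection is checked against it with default deny, and the table is rendered as the vendor-neutral rule lines a firewall admin would receive as the template. Zone names, subnets and the second rule are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed sample addressing (an assumption): one VLAN per zone, with the
# zone firewall routing between them.
ZONES = {
    "APP": ip_network("10.10.20.0/24"),
    "DB": ip_network("10.10.30.0/24"),
    "CLIENTS": ip_network("10.20.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone that initiates the connection
    dst_zone: str   # zone that answers
    proto: str
    dport: int
    comment: str

# The communication table: only documented, one-directional flows are listed.
# Everything else is denied, including the reverse direction DB -> APP.
COMM_TABLE = [
    Rule("APP", "DB", "tcp", 1433, "application server -> MS SQL"),
    Rule("CLIENTS", "APP", "tcp", 443, "users -> application front end"),
]

def zone_of(ip):
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def evaluate(src_ip, dst_ip, proto, dport):
    """Decide whether a connection *initiated* by src_ip may be established."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return ("deny", "address outside every defined zone")
    if src == dst:
        # Same VLAN: the zone firewall never sees this; separating individual
        # servers within a zone is the later expansion stage the article mentions.
        return ("allow", f"intra-zone traffic inside {src}, not inspected")
    for r in COMM_TABLE:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return ("allow", r.comment)
    return ("deny", f"no entry {src} -> {dst} {proto}/{dport}: default deny")

def render_template():
    """Vendor-neutral rule lines handed to the firewall admin as the template."""
    lines = [f"{r.src_zone} -> {r.dst_zone} {r.proto}/{r.dport} allow  # {r.comment}"
             for r in COMM_TABLE]
    return lines + ["any -> any deny  # default deny between zones"]
```

Checking a new application's communication plan against such a table before the change is submitted catches the typical mistake of requesting the reverse direction "just in case".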
- Guests
- Clients
- Printer
- Telephones
- Server
- Storage
- IoT devices
If you secure each of these networks with only the basic connections it needs, you have already achieved a lot.
Note that it is not enough to create VLANs and control access with access control lists. The Next Generation Firewall services that inspect the "East-West" traffic between these segments are an essential component.
How far should you take it?
The clear message here is: the further you go, the more secure you are. However, classic firewall management quickly reaches its limits. In the data center in particular, software-defined networking is used for this.
How do I avoid misconfigurations?
The network microsegmentation process should also be viewed from an organizational perspective. We strongly recommend using a change management tool together with a Change Advisory Board (CAB). When a new application is brought into the company, a solution architect should draw up a communication plan for that software. This plan is then submitted as a change, which the CAB reviews following at least the four-eyes principle. It is equally important to verify the configuration of the firewalls, servers and clients after the change has been implemented.
What does this mean for my IT staff?
The effort required for microsegmentation should not be underestimated. The additional security work consumes resources in every area of the IT department. With several hundred applications, the use of DevOps concepts and Software Defined Networking (SDN) is essential, which means the classic firewall admin needs additional training. We recommend getting to grips with SDN today so that nobody falls by the wayside.
What does microsegmentation mean from a cost perspective?
In addition to higher costs for configuration and monitoring, there are license costs and computing power to consider. Because of the high bandwidths available internally, controlling internal traffic is far more cost-intensive than controlling traffic between the local network and the Internet. If you have more than 10 Gbit/s between your server clusters and clients, for example (a perfectly normal internal throughput), most firewalls already cost several thousand euros per year. In larger networks with several hundred lines connected to the data centers, the firewall license costs can quickly rise to between 500,000 and 1.2 million euros per year. Software firewalls such as pfSense can possibly reduce these costs, although the computing power of the underlying hosts must then be planned carefully.
What this looks like for one of my customers (a personal report).
At the beginning of 2023, my consulting team and I were commissioned by one of our customers to create a network segmentation concept to increase security, fulfill the guidelines of the BSI Compendium 2023 and achieve cloud readiness. The network had over 700 locations, 14 virtual layers, more than 50,000 end devices and 15,000 users. Not an easy task in this context. The question arises: where do you even start? After almost 12 workshops with all kinds of IT managers, sometimes together in a room with 15 people, we gradually gained an overview. Our goal was to develop a template concept that could be used for each of the locations and for each application. An almost 100-page report and a "CEO-friendly" presentation were the result, which my team put together in six months of intensive work. We estimated that the microsegmentation for this network would take between 4 and 7 years to implement. I can only advise everyone: get started now.
Conclusion:
Microsegmentation is a discipline that professionalizes the work of IT across all areas. Companies must reckon with significantly higher costs for network operations, as many new types of cost are added. In return, however, they gain significantly more protection against the various attack methods that attackers use today to steal one of our most valuable assets: our data.
Author: Manuel Wagner, CEO CosH Consulting GmbH, January 2024

