There is no tougher job for IT professionals today than securing the campus network. Once upon a time, the Local Area Network (LAN) and campus were considered one of the easier problems for IT security pros to handle. However, times have changed, both in terms of the type of threats and the attack surface that intruders are targeting. They look for weak links that allow them to move easily throughout an environment.
Existing network segmentation approaches typically rely on switches built around VLANs, ACLs, and Network Access Control (NAC), and they fail to stop lateral movement within the campus network. The same model leans on firewalls that never see east/west traffic, so they cannot help protect against lateral movement from today’s growing attacks either. It’s a losing battle.
The good news is that modern network security and zero trust principles that leverage per-host isolation to create a “segment of one” for every device can help address these challenges. While attending this year’s RSA event in San Francisco, it became apparent that a short primer on how Nile can help was needed.
Why is isolation or a “segment of one” important?
Typically, an enterprise may have one VLAN for employees, one for guests, and one for IoT/OT devices. Any user or device within a VLAN is basically on a shared segment, which is a problem. Customers often then look to NAC solutions in an attempt to leverage user roles during the authentication process to create policies that dictate what a user or device can access. Sounds logical, right?
The issue is that even though a user or IoT device is treated as a single entity via the policy, they’re still connected to that legacy VLAN technology. It’s important to understand that simply adding more VLANs and using ACLs and NAC will not prevent one compromised device from possibly impacting others. It’s very difficult to prevent an attacker or their threat from laterally moving throughout a shared environment using this legacy model.
With the rise of the hybrid workforce, every user who connects from outside the campus can become compromised and then infect others when they return and rejoin the campus network. This has obvious implications for network vulnerability and attack vectors. The lack of security available for IoT/OT devices is another issue that amplifies the problem.
So, what is a segment of one?
It’s clear that something desperately needs to change. From my perspective, IT security organizations today need a new, simple means of addressing the critical design flaw I just outlined. It is important to eliminate and/or reduce an organization’s attack surface by isolating users and devices from one another.
In essence, a segment of one is a network with only one device that has its own security controls within a larger network. It is a technique that involves dividing a network into individual domains (or private networks) by eliminating the use of VLANs and their inherent shortcomings. While users and devices may be in the same group or role when they are connected to the network, when they start communicating, they are completely isolated. Their traffic is not directly seen by one another. Instead, their traffic is sent to a policy engine that applies security controls before allowing any communication.
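To make the difference concrete, here is a small model of lateral-movement exposure under the two designs described above. It is an added illustration, not Nile's code or a description of how the Nile service is implemented: the host inventory, roles, VLAN numbers and the policy rules are all constructed for the example. In the shared-VLAN model a compromised host can reach every peer in its VLAN directly; in the segment-of-one model no host sees a peer directly, and each flow is allowed only when a role-based rule in the (hypothetical) policy engine matches, with everything else denied.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    role: str   # "employee", "guest" or "iot"
    vlan: int   # VLAN the legacy design places the host in


# Constructed sample inventory (hypothetical, not from the article).
HOSTS = [
    Host("alice-laptop", "employee", 10),
    Host("bob-laptop", "employee", 10),
    Host("file-server", "employee", 10),
    Host("guest-phone", "guest", 20),
    Host("printer-1", "iot", 30),
    Host("camera-1", "iot", 30),
]
BY_NAME = {h.name: h for h in HOSTS}

# Hypothetical policy-engine rules: (source role, destination host name).
# Anything not listed is denied; peers never see each other directly.
POLICY = {
    ("employee", "file-server"),
    ("employee", "printer-1"),
}


def shared_vlan_reachable(src: Host) -> set[str]:
    """Legacy model: a VLAN is one shared segment, so a compromised host can
    reach every other member of its VLAN directly, regardless of role."""
    return {h.name for h in HOSTS if h is not src and h.vlan == src.vlan}


def segment_of_one_reachable(src: Host) -> set[str]:
    """Per-host isolation: each flow goes to the policy engine and is allowed
    only if a rule matches (default deny), so the reachable set depends on
    the role policy rather than on which VLAN the host happens to share."""
    return {h.name for h in HOSTS if h is not src and (src.role, h.name) in POLICY}


def lateral_exposure(compromised: str) -> dict[str, set[str]]:
    """Compare what a single compromised host could reach under each model."""
    src = BY_NAME[compromised]
    return {
        "shared_vlan": shared_vlan_reachable(src),
        "segment_of_one": segment_of_one_reachable(src),
    }


if __name__ == "__main__":
    for name in ("alice-laptop", "camera-1", "guest-phone"):
        report = lateral_exposure(name)
        print(f"{name}: shared VLAN -> {sorted(report['shared_vlan'])}, "
              f"segment of one -> {sorted(report['segment_of_one'])}")
```

Running it shows the point of the paragraph: a compromised employee laptop on a shared VLAN can reach the other employee laptop and the file server directly, while under per-host isolation it can reach only what the policy explicitly permits and never a peer laptop; a compromised IoT camera reaches the printer on its shared VLAN but nothing at all once isolated with no matching rule.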
This segmentation model is well understood within the data center and other high-priority environments, but too often, the means of implementing these policies have been overly complex for a campus or branch LAN environment.
In conjunction with VLANs, NAC is often used to plug these holes. The result is enterprises leaning on technology that is outdated, complex, and does not fully align with zero trust principles. NAC does not perform continuous authentication and authorization, requires complex integration efforts, and is challenging to manage and operate. Together, these current techniques do not deliver on the promise of a “segment of one,” and their complexity makes it nearly impossible to achieve any granular or scalable form of segmentation.
In fact, I recently spoke with a Nile customer who had spent 5600 hours attempting to achieve total device isolation and was still unable to achieve their goal! Based on an eight-hour workday, that’s almost two full years of work that they are not getting back!
How do Nile and a segment of one help?
While at RSA this year, it was clear that there was a misunderstanding of what the network should provide in terms of security. Companies are still selling bolted-on NAC solutions, and software and gateways that promise to help with eliminating lateral movement. It is my belief that the network should offer a secure foundation to combat attacks, prevent the lateral movement of malware, and work in concert with many of the value-add software solutions that I saw on the exhibit floor this year. Zero trust principles should be built into the network, not bolted on.
In Nile’s Access Service, we’ve built in complete device and user isolation by default. In essence, a segment of one for each user and device. This approach eliminates the lateral movement of malware. This is distinct from legacy solutions that allow open communication between VLANs, groups, and individual users.
In addition, we utilize the mutual authentication of devices to ensure that Nile service elements are only talking to other Nile service elements. And, built-in hardware is used to encrypt all traffic.
In fact, what works for employees and IoT devices also applies to guest users. The Nile Guest Service isolates every guest device from each other and from the enterprise network so that guests cannot propagate malware to other guests, nor can they access any internal resources.
We also share user and data context with leading security solutions via APIs, which enables our customers to further define their policies as needed. Although the out-of-band model used by legacy NAC solutions is no longer sufficient, we do support their use. Like Nile, Gartner Inc. has noted that NAC may be long in the tooth in their paper from March 2022 titled “Campus Network Security and NAC are Ripe for Market Disruption.”
Together, Nile’s security and isolation of devices and traffic delivers a modern approach to network security that mitigates threats without requiring the installation and management of individual agents on devices, or the layering on of new security solutions to plug holes and eliminate lateral movement. At the same time, Nile is dramatically reducing the operational burden on IT while still enabling high-performing connectivity.
We believe this modern approach – making all users and IoT devices a “segment of one” – will be critical in enabling IT to successfully navigate the new realities of today’s campus landscape. The competing demands on their time, combined with the ever-evolving nature of today’s threat landscape, means that this architectural transition is long overdue.