Some Things Are Inherently Safer: Stealth networks and hyper-segmentation bolster network security from the inside

When automobiles first took to the streets over a century ago, they lacked safety belts, padded dashboards and turn signals. It wasn't until the 1930s that turn signals were introduced, and safety belts weren't mandated in the U.S. until 1984. Today, cars not only feature airbags, but also connected, computerized systems and sensors to keep passengers safe. Over time, the automotive industry created safer vehicles by advancing standards that are now regarded as both common sense and commonplace. The result: an estimated 300,000 lives saved in the past 40 years.

Should our networks really be any different? Constant technological evolution should be making networks both safer and faster; however, the pace of change and the abilities of would-be hackers seem to run neck and neck. We don't have to wait decades to witness the next evolution of security threats. Today we have networking's version of the modern car's safety cell, the perimeter firewall, but we need more sophisticated systems to protect our data.

Is the traditional network the heart of the problem?

Today's networks do much more than ever before: they support countless applications, provide users with anywhere, anytime BYOD access, and connect a myriad of IoT devices. Traditional, hierarchical client-server architecture is simply not built to support these needs or to protect against the dramatically increased risk of exposure inherent in them. Network segmentation that requires individually configuring nodes on a hop-by-hop basis creates more issues as more nodes are added. IP hopping, which sends traffic from node to node until it reaches its ultimate destination, is an indirect path akin to flying from New York to Los Angeles with stops in Chicago, Denver, and San Francisco. Each hop, or stop, increases the potential for a security breach along the way. The manner in which nodes are configured today makes it possible for someone who obtains physical access to the infrastructure to discover the rest of the network via its IP addresses.

The basic principle of IP reachability can also be the means by which hackers progress an attack throughout the network. By default, nodes will communicate with one another, even as increasingly complex firewall policies and access control lists are layered onto each node. Further, the potential for human error increases every time a communication flow needs to be managed and more configuration changes need to be made.

How a new kind of network segmentation can stymie hackers

Enter a new approach to network segmentation: hyper-segmentation. Instead of node-based IP routing, hyper-segmentation uses IP Shortcut combined with Ethernet Switch Paths (ESP). Now, flying from New York to Los Angeles becomes a direct flight, and much like a direct flight, hyper-segmentation is safer because there are fewer points for the traffic to touch. Hyper-segmentation doesn't use IP addresses to route or switch application flows, so at best, hackers can only see the entry and exit points of the network. Since they can't see anything in between, you now have a stealth mode for the network that makes the core invisible.

If you look at some high-profile attacks, hackers gained entry to systems through an unrelated entry point and wreaked havoc using IP hopping. For example, at the U.S. retailer Target, hackers gained entry through an insecure HVAC system and subsequently gained visibility into the topology of the entire network, right to where the company stored customer credit card information.
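To make the contrast concrete, here is an added illustration (not code from the original post or from Avaya): a small Python reachability model over a constructed topology, comparing what a foothold on an HVAC controller can reach under flat hop-by-hop IP reachability versus per-service isolation. All node names, links and segment assignments are invented for the example.

```python
from collections import deque

# Constructed topology (illustrative, not from the post): undirected links.
LINKS = [
    ("hvac-ctrl", "core-sw1"), ("hvac-sensor", "core-sw2"),
    ("core-sw1", "core-sw2"), ("core-sw2", "pos-server"),
    ("core-sw2", "surveillance-nvr"), ("core-sw1", "guest-wifi-ap"),
    ("core-sw1", "telephony-pbx"),
]

# Constructed service membership: each endpoint sits in exactly one segment.
# Switches (not listed) carry every segment but never bridge between them.
SEGMENT = {
    "hvac-ctrl": "building", "hvac-sensor": "building",
    "pos-server": "pos", "surveillance-nvr": "surveillance",
    "guest-wifi-ap": "guest", "telephony-pbx": "voice",
}


def reachable_endpoints(start, links, segment, isolated):
    """Endpoints a foothold on `start` reaches by hop-by-hop forwarding.

    isolated=False models flat IP reachability: every link forwards for all.
    isolated=True models per-service isolation: a hop into an endpoint of
    another segment is dropped, so only same-segment endpoints are reachable.
    """
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in seen:
                continue
            if isolated and nxt in segment and segment[nxt] != segment[start]:
                continue  # different service: never bridged, even via the core
            seen.add(nxt)
            queue.append(nxt)
    return sorted(n for n in seen if n in segment and n != start)


def blast_radius(start, links=LINKS, segment=SEGMENT):
    """Same foothold, with and without isolation (the contrast the post draws)."""
    return {mode: reachable_endpoints(start, links, segment, iso)
            for mode, iso in (("flat", False), ("segmented", True))}


if __name__ == "__main__":
    for mode, hosts in blast_radius("hvac-ctrl").items():
        print(f"{mode:9s} {len(hosts)} reachable: {hosts}")
```

In the flat case the HVAC foothold reaches every other endpoint, including the point-of-sale server; with isolation it reaches only the other device in its own segment.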

The risk of a single shared network is so well known that the Nevada Gaming Control Board regulates the network architecture of casinos, typically requiring separate VLANs for different categories of services such as surveillance, point of sale, back of house, slot machines, telephony, and guest services, unless the casino gets prior approval. IP address hopping is recognized as being that much of a problem.

Hyper-segmentation reduces risk and enables network consolidation

Here's a bold statement: reducing risk while consolidating networks. It sounds counterintuitive, but that's what hyper-segmentation makes possible: complete isolation between a virtually unlimited number of network segments. HVAC, surveillance, accounting, telephony, guest Wi-Fi, and other departments, and even other companies, can all coexist on a single physical network without putting each other at risk. Hyper-segmentation reduces capital expenditures by reducing the number of firewalls, as well as the operational burden of maintaining complex access control lists.

It works so well that the Downtown Grand Hotel and Casino in Las Vegas became the first casino in the United States to gain approval from the Nevada Gaming Control Board to run a fully converged network. Using Avaya Ethernet Switches, Fabric Connect, the Identity Engines access management solution, and Aura Session Border Control, the Downtown Grand was able to build a single, secure, hyper-segmented network for all its applications and services.

Much like the sensors on vehicles today that automatically deploy airbags or engage four-wheel drive in a snowstorm, hyper-segmentation delivers much-needed safety to networks.

Isn't it time to bring our network security to the next level?