SD-WAN Makes An Excellent Segmentation Tool

The topic of segmentation is currently red hot.  Different vendors are using various terms such as micro, hyper and nano-segmentation.  Whatever the name, the goal is the same: to create private “zones” that can protect the things in the segment from things that reside in other ones.  In some ways segmentation flips the entire networking model.  The IP protocol was designed to let everything talk to everything, which is why the Internet works the way it does.  However, it also lets bad guys see everything inside a company network.  Segmentation works on the premise that nothing can see anything else unless explicitly allowed.

In actuality, network segmentation has been around for decades, and segments were created through the use of virtual LANs (VLANs) and access control lists (ACLs).  These technologies were very powerful but required hours and hours of manual programming and often had to be done on a device-by-device basis through a cryptic command line interface.  Even small changes to a network could take months to implement.  Also, IT is becoming increasingly dynamic and distributed so any new technology must support this shift.  Traditional networks were not agile whatsoever.

Segmentation: The Big Leap Forward

Segmentation these days is a big leap forward in networking, creating a model where a highly agile overlay network can be deployed and managed over the top of a physical network.  Segmentation allows organizations to create policies that put all IoT devices in one segment, or all guest users in a dedicated zone.  If a new IoT device is added or moved, the policy in the overlay stays attached to the endpoint and no reprogramming of the network is required.

Despite the power of segmentation, a gap currently exists in the market.  All previous segmentation tools have been focused on the data center, where there has been an explosion in the amount of East-West traffic, and the gap I referred to is with respect to the wide area network (WAN).  There isn’t really a solution that extends the concept of segments across the WAN, but the need is just as great.

In a data center, historically all security was deployed in the core.  All traffic that went into a data center passed through the core and then came back out.  Hence the term “North-South” traffic.  As traffic patterns have shifted, deploying security in the core is no longer sufficient since not all traffic passes through the core.

Similarly, with a legacy WAN, all security was deployed in the central “hub”.  Traffic flowed down the spokes and passed through the hub to ensure it was clean.  WAN traffic patterns have shifted as much as, or more than, those of the data center due to the rise of cloud computing, collaboration, and mobility.  There’s far more direct-to-Internet and peer-to-peer traffic, meaning the traffic no longer passes through the hub, making it a security risk.

Enabling WAN-Based Segmentation

SD-WAN can enable WAN-based segmentation.  Most SD-WAN solutions operate as an overlay to the underlying physical topology, which makes them ideal for extending the concept of segmentation out of the data center, across the WAN, and into branch offices.  A good example would be if a retailer created a guest network for its customers.  Anyone who signs on as a guest would be dropped into that particular overlay and have access to basic services like Internet browsing, social media, and the store’s mobile application.  The store could use the same network for point-of-sale, inventory management, and other functions but would not have to worry that a breach of the point-of-sale network would spread laterally to the other systems.
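The retailer scenario above can be expressed as a default-deny policy between segments, plus an audit that catches allow rules which chain into a lateral path between zones that must stay isolated. This is an added example, not code from the article or from any SD-WAN product; the segment names, endpoint names, and services are constructed for illustration.

```python
from collections import deque

# Constructed sample policy for the retailer scenario (assumed names).
# Anything not listed here is denied.
ALLOW = {
    ("guest", "internet"): {"tcp/80", "tcp/443"},
    ("guest", "store-app"): {"tcp/443"},
    ("pos", "payment-gateway"): {"tcp/443"},
    ("inventory", "erp"): {"tcp/8443"},
}

# Segment membership follows the endpoint identity, not its IP or site,
# so moving a device does not change which rules apply to it.
ENDPOINTS = {"till-07": "pos", "scanner-12": "inventory", "visitor-phone": "guest"}


def is_allowed(src_endpoint, dst_segment, service, allow=ALLOW, endpoints=ENDPOINTS):
    """Default deny: an unknown endpoint or a missing rule means no access."""
    segment = endpoints.get(src_endpoint)
    if segment is None:
        return False
    return service in allow.get((segment, dst_segment), set())


def reachable_segments(start, allow=ALLOW):
    """Segments reachable from `start` through any chain of allow rules."""
    seen, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        for src, dst in allow:
            if src == current and dst != start and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def lateral_violations(isolated_pairs, allow=ALLOW):
    """Pairs that must stay isolated but are reachable, directly or via a hop."""
    return [(s, d) for s, d in isolated_pairs if d in reachable_segments(s, allow)]


if __name__ == "__main__":
    must_isolate = [("pos", "inventory"), ("guest", "pos")]
    print(lateral_violations(must_isolate))  # clean policy
    # Policy drift: a shared management zone quietly bridges two segments.
    drifted = {**ALLOW, ("pos", "mgmt"): {"tcp/22"}, ("mgmt", "inventory"): {"tcp/22"}}
    print(lateral_violations(must_isolate, drifted))
```

Running the audit on every policy change flags a bridge between zones before it is pushed to the overlay.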

There are literally hundreds of use cases across almost every vertical for SD-WAN based segmentation, including student networks at schools, IoT in healthcare, and fleet management and transportation.  Every organization has critical systems or endpoints that, if breached, would have a disastrous impact.  Segmentation ensures these critical assets are protected and hidden from the rest of the network.

SD-WAN can be a complete segmentation solution as it includes centralized control, policy-based networking, and granular visibility tools to help network managers understand what to segment.  It’s worth noting that the centralized control includes the setting and management of policies across all overlay networks, ensuring consistency of policy compliance.  This is one of the biggest strengths of SD-WAN compared to the manual, box-by-box nature of legacy networks.  Lastly, the automation capabilities ensure that as the environment changes, the zones and devices in them remain in place.

Segmentation is certainly gaining momentum as companies rethink their security strategies.  My advice is to move ahead with deployments but don’t forget about the WAN.  Leverage the flexibility and agility of an SD-WAN to protect the organization’s most precious assets no matter where they might be located.

About the author
Zeus Kerravala
Zeus Kerravala is the founder and principal analyst with ZK Research. He provides a mix of tactical advice to help his clients in the current business climate and long-term strategic advice. Kerravala provides research and advice to the following constituents: end-user IT and network managers; vendors of IT hardware, software, and services; and the financial community looking to invest in the companies that he covers.