Network Segmentation: A Critical Component for Any Information Security Program

by David Stone

What is Network Segmentation?

In a traditional, flat network, all network-attached devices sit on the same local area network (LAN). Network segmentation divides that LAN into multiple subnets or segments, either virtually (through software) or by physical separation. Each segment contains a subset of the network devices, and the segmentation management software monitors and controls the communication between segments.

What are the Benefits?

  • Improved Security: traffic between network segments can be isolated, filtered, or blocked outright
  • Access Control: allow users to only access specific network resources
  • Activity Monitoring: opportunity to log events, monitor allowed and denied internal connections, and detect suspicious behavior
  • Improved Performance: with fewer hosts per segment, local traffic is minimized
  • Containment: when a network issue occurs, its effect is limited to a specific segment
  • Limited Visibility: malicious actors, internal or external, can only see the network assets on their own segment; if they cannot see an asset, they cannot attack it
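
The control and monitoring benefits above, as an added illustration (not code from this article or from Cisco ISE): segments are modelled as subnets, inter-segment traffic is denied unless on an allow-list, and denied cross-segment attempts are tallied per source segment as a monitoring view. All segment names, address ranges and flows are constructed.

```python
# Added illustration; not code from the article or Cisco ISE. All values constructed.
import ipaddress
from collections import Counter

# Constructed segments: each holds a subset of the hosts on the former flat network.
SEGMENTS = {
    "clinical":   ipaddress.ip_network("10.10.0.0/24"),
    "guest-wifi": ipaddress.ip_network("10.20.0.0/24"),
    "servers":    ipaddress.ip_network("10.30.0.0/24"),
}

# Allow-list of permitted inter-segment flows (src, dst, dst_port). Anything not
# listed is denied, so a host can only reach its own segment by default.
ALLOWED = {
    ("clinical", "servers", 443),
}

def segment_of(ip):
    """Return the segment name containing ip, or None if the host is unsegmented."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def decide(src_ip, dst_ip, dst_port):
    """Allow traffic within a segment; between segments only if on the allow-list."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny"            # unknown hosts get no access at all
    if src == dst:
        return "allow"           # local traffic stays local to the segment
    return "allow" if (src, dst, dst_port) in ALLOWED else "deny"

def denied_cross_segment(flows):
    """Count denied attempts per source segment: the activity-monitoring view."""
    counts = Counter()
    for src_ip, dst_ip, port in flows:
        if decide(src_ip, dst_ip, port) == "deny":
            counts[segment_of(src_ip) or "unknown"] += 1
    return dict(counts)

# Constructed sample flows: a guest device probing other segments stands out.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.30.0.10", 443),   # clinical -> servers, permitted
    ("10.10.0.5", "10.10.0.9", 445),    # within clinical, permitted
    ("10.20.0.7", "10.30.0.10", 443),   # guest -> servers, denied
    ("10.20.0.7", "10.30.0.10", 22),    # guest -> servers, denied
    ("10.20.0.7", "10.10.0.5", 3389),   # guest -> clinical, denied
]
```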

Network Segmentation: A Use Case

Let’s look at how network segmentation management software can reduce the impact of unauthorized access to an organization’s data network, using a deployment of the Cisco Identity Services Engine (ISE) to enable segmentation. Divurgent recently completed this work for a major not-for-profit health system, geographically dispersed across the Eastern United States, with annual revenue of $3B+:

Scope: deploy ISE on all data network management devices in the enterprise.

Objectives:

  • Upgrade network management devices as needed to support use of the Cisco ISE technology
  • Develop and implement processes and procedures to support the ISE environment
  • Define a strategy and architecture to expand the number of network segments

Deliverables

  • ISE monitors and controls all access to the organization’s data network
  • ISE deployment by the numbers:
    • Over 500 network switches were upgraded
    • ISE was deployed on over 1,700 network switches
    • Over 27,000 devices were authorized through ISE for access to the data network
    • Over 56,000 wired ports are being managed through the ISE technology
    • ISE support processes were defined and implemented
    • An architecture for expanding the number of segments was defined


Following the deployment, multiple segments were defined and planned for future implementation. To learn more about this project and Divurgent’s capabilities in this space, feel free to email me at David.stone@divurgent.com or visit www.divurgent.com/services/identity-service-engine.
