One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1360595
Publication date 2019-09-25 13:00:00 (viewed: 2019-09-25 15:06:46)
Title Undivided we fall: decoupling network segmentation from micro-segmentation in the software defined perimeter
Text
Introduction
As of today, no laws or regulations, not even the latest versions of PCI-DSS, HIPAA, and HITECH, make network segmentation or micro-segmentation compulsory for compliance. By leaving network segmentation discretionary, even when transmitting, processing, or storing regulated data, the number of breaches will continue to rise as companies err on the side of doing less with more.

The purpose of this article is not to explain the contemporary need for network segmentation and micro-segmentation. Instead, it attempts to clarify the distinction between the two, to reframe the widely used narrative that the two concepts are one and the same.

History
In March of 2017, I wrote my first article on network segmentation, titled "A Project Management Approach to Designing, Implementing, and Operationalizing Network Isolation and Micro-Segmentation". In the two years since that article was published, flat networks still seem to be a problem endemic to every industry, even among entities operating in regulated environments such as the payment card industry (PCI) or healthcare, where we've seen connected biomedical devices accessible from a hospital's guest wireless network. Similarly, as of PCI-DSS version 3.2, network segmentation is still not compulsory for merchants to comply with PCI. However, if network segmentation is not implemented, the entire network is brought into scope of the PCI assessment, which can add significant time and cost for the entity to pass its annual QSA audit and earn its Report on Compliance (ROC).

While it is widely understood what network segmentation is, micro-segmentation keeps being conflated with network segmentation, when in fact they describe two completely separate concepts that are not mutually exclusive: you can have both network segmentation and micro-segmentation, so they are not one and the same.

I present examples of separate implementations showing why conflating the two concepts can be costly or introduce pivoting potential in a breach, especially in conflict areas when connecting forward operating bases (FOBs) to classified networks.

What is network segmentation?
[Figure 1. Segmentation versus Micro-Segmentation. Source: Alissa Knight]
Network segmentation can be easily described as taking one large flat network and, using firewall rules or VLAN access control lists (VACLs), defining rules that permit or deny the directionality of traffic between hosts.

What is micro-segmentation?
Micro-segmentation is the concept of network segmentation at a much smaller scale, where nodes within the same VLAN are isolated into a sort of enclave. Micro-segmentation is akin to a client VPN where two hosts communicate with one another and the rest of the hosts within the same network are unable to talk to or see those hosts. When network segmentation is implemented, the default route of the VLAN is set to a firewall, or VACLs are used to control which hosts they can communicate with outside the VLAN. With micro-segmentation, isolation of hosts can happen between hosts in different VLANs or within an enclave in the same VLAN.

The business case for micro-segmentation
Your first question might be when micro-segmentation should be applied and what the business case is for such a scenario. Here, I provide t
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.