How network segmentation strategies work with SD-WAN


Software-defined WANs (SD-WANs) have sparked a renewed interest in network segmentation and security. All major SD-WAN vendors offer some form of network segmentation in their products and tout the technology as a solution for security and path isolation.

The right network segmentation strategy requires an enterprise to have a good understanding of its systems and goals. While SD-WAN vendors have their own definitions of network segmentation, no single vendor has a comprehensive segmentation strategy that fully addresses your enterprise's segmentation needs. There are many segmentation considerations to weigh, from authentication and authorization to managing security roles and policies, so you have to dig deep.

Traditional segmentation technology is cumbersome

Traditionally, when network teams perform network segmentation, they use a variety of tools to create path isolation for different processes. You often see various tag-based routing schemes or virtualized routing instances, as well as security access control lists (ACLs). Almost all of these methods operate somewhere between Layer 2 and Layer 4, and most are cumbersome and labor-intensive to deploy and manage.

In the past, isolation did not rely on identity; it was based on location, expressed as IP addresses. This approach worked when one machine ran one service or one user sat in front of one endpoint device, but those days are over. Now we have multiple services on one endpoint, and services can be moved or scaled dynamically to handle a variety of situations. Strict isolation based on IP addresses is no longer sufficient or scalable.

Security was once simple: it was based on identity or location and managed with ACLs, which quickly became cumbersome even at low volumes. Enforcing host and application security was no better. Tracking who should have access to what became an exercise in futility, and mistakes in prioritizing secure access were common. This is where new segmentation approaches come in.

Network Segmentation and SD-WAN

At its core, network segmentation is designed to prevent processes from traversing laterally across a network. In other words, there's no reason for a user's instance of a word processor to access a database on another user's system. Likewise, there's no reason for a front-end system accessing a single database to communicate with other systems in the network. A good segmentation strategy isolates a process to only the components and systems it needs to access.

The difficulty enterprises face when it comes to network segmentation strategies is how to choose among the various segmentation tools provided by SD-WAN vendors. Some vendors take a network-centric approach, relying on path isolation and segmentation at Layer 3 and Layer 4. Some take an application-centric approach, relying on Layer 7 (application-layer) controls; others combine multiple technologies to segment at different network layers. However, all of these approaches share the same goal, which is to establish a security barrier between system and user processes.

Security breaches now occur with alarming frequency. Therefore, security controls should be the most important concern when selecting any SD-WAN product. It is not enough to simply segment the network statically. A good SD-WAN platform must audit and respond to security incidents in near real time while limiting the damage caused by a breach.
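The principle described above (a process may reach only the components it needs, enforced by identity rather than IP address, with violations surfaced for auditing) can be modelled in a few dozen lines. The following is an added example written for this article, not code from any SD-WAN vendor: it defines workloads carrying identity labels, label-based allow rules with a default deny, and an audit pass over a constructed list of flow records that flags lateral movement. Every workload name, label, IP address and flow here is constructed for illustration.

```python
"""Identity-based segmentation policy check over flow records (added example).

Workloads carry identity labels; rules allow traffic between label sets on
specific ports; anything unmatched is denied. Scaling a service adds a
workload with the same labels, so no rule has to change, which is the
property IP-based ACLs lack. All names, labels, IPs and flows are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: FrozenSet[str]   # identity labels such as "app:frontend", "env:prod"


@dataclass(frozen=True)
class Rule:
    src_labels: FrozenSet[str]   # every label must be present on the source
    dst_labels: FrozenSet[str]   # every label must be present on the destination
    ports: FrozenSet[int]        # permitted destination TCP ports


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


class SegmentationPolicy:
    """Default-deny policy: a flow passes only if some rule matches by identity."""

    def __init__(self, workloads: Iterable[Workload], rules: Iterable[Rule]) -> None:
        self.by_ip = {w.ip: w for w in workloads}   # IP is only a lookup key, not the policy subject
        self.rules = list(rules)

    def lookup(self, ip: str) -> Optional[Workload]:
        return self.by_ip.get(ip)

    def is_allowed(self, flow: Flow) -> bool:
        src, dst = self.lookup(flow.src_ip), self.lookup(flow.dst_ip)
        if src is None or dst is None:
            return False   # endpoint with no known identity gets no access
        return any(
            rule.src_labels <= src.labels
            and rule.dst_labels <= dst.labels
            and flow.dst_port in rule.ports
            for rule in self.rules
        )

    def audit(self, flows: Iterable[Flow]) -> List[Flow]:
        """Return the flows that violate the policy, i.e. candidate lateral movement."""
        return [f for f in flows if not self.is_allowed(f)]


def build_example_policy() -> SegmentationPolicy:
    """Constructed inventory: two frontend replicas, one database, two user workstations."""
    workloads = [
        Workload("web-1", "10.0.1.10", frozenset({"app:frontend", "env:prod"})),
        Workload("web-2", "10.0.1.11", frozenset({"app:frontend", "env:prod"})),  # scaled-out replica
        Workload("orders-db", "10.0.2.20", frozenset({"app:orders-db", "env:prod"})),
        Workload("alice-ws", "10.0.9.5", frozenset({"role:user-workstation"})),
        Workload("bob-ws", "10.0.9.6", frozenset({"role:user-workstation"})),
    ]
    rules = [
        # frontends may query the orders database
        Rule(frozenset({"app:frontend"}), frozenset({"app:orders-db"}), frozenset({5432})),
        # user workstations may reach the frontends over HTTPS
        Rule(frozenset({"role:user-workstation"}), frozenset({"app:frontend"}), frozenset({443})),
    ]
    return SegmentationPolicy(workloads, rules)


# Constructed flow records, as a collector might export them.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 5432),   # web-1 -> orders-db: allowed
    Flow("10.0.1.11", "10.0.2.20", 5432),   # web-2 (new replica) -> orders-db: allowed, no rule change
    Flow("10.0.9.5", "10.0.1.10", 443),     # alice-ws -> web-1: allowed
    Flow("10.0.9.5", "10.0.9.6", 445),      # workstation to workstation: lateral movement, denied
    Flow("10.0.9.5", "10.0.2.20", 5432),    # workstation straight to the database: denied
    Flow("10.0.3.99", "10.0.2.20", 5432),   # unknown endpoint: denied
]


if __name__ == "__main__":
    policy = build_example_policy()
    for flow in policy.audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}")
```

The point to notice is the second replica: it is reachable by the existing rule because it carries the same labels, whereas an IP-based ACL would need a new entry for every scaled-out or migrated instance. The `audit` output is what a platform would feed into its near-real-time alerting.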

Other important enterprise segmentation capabilities include:

  • Automated deployment;
  • Support for path isolation;
  • Access and authorization policies, ideally backed by a dedicated secrets vault.

If you need to migrate a traditional, non-segmented network to a highly segmented one, you need a deep understanding of the business requirements. Segmenting just to try something new is not a good reason to deploy a segmentation strategy. No vendor provides a complete network segmentation strategy, and enterprise network teams can only choose the right products for network segmentation by understanding their current network and why they need to segment it.
