What is Network Segmentation?
In a traditional, flat network, all network-attached devices sit on the same local area network (LAN), so any host can reach any other. Network segmentation divides that LAN, either logically (for example with VLANs and access control lists) or physically, into multiple subnets or segments, each containing a subset of the devices. An enforcement point between the segments (a firewall, router ACLs, or a network access control platform) monitors and controls which traffic may cross from one segment to another.
What are the Benefits?
- Improved Security: traffic between segments can be isolated, filtered, or blocked outright, so a compromise in one segment does not automatically expose the others
- Access Control: users and devices are allowed to reach only the network resources their segment is permitted to use
- Activity Monitoring: every cross-segment connection passes an enforcement point, giving an opportunity to log allowed and denied internal connections and to detect suspicious behavior
- Improved Performance: with fewer hosts per segment, broadcast and other local traffic is reduced
- Containment: when an outage or security incident occurs, its effect is limited to the affected segment
- Limited Visibility: a malicious actor, internal or external, who gains a foothold on one host can reach only the assets in that host's segment plus whatever cross-segment flows the policy explicitly allows; shrinking what an attacker can see and reach shrinks the attack surface, although it does not remove the need to secure the hosts themselves
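The following is an added example, not code from the original page or from Divurgent or Cisco. It models what the enforcement point described above actually does: classify each endpoint into a segment by address, apply a deny-by-default allow-list to cross-segment flows, log every decision for monitoring, and compute what a compromised host can still reach. The segment names, address ranges, ports and sample connection attempts are constructed for illustration and are not the health system's.

```python
"""Toy inter-segment policy engine, modelled on a segmentation control point:
classify endpoints into segments, consult a deny-by-default allow-list for
cross-segment flows, and log every decision.
All segment ranges, names and flows below are constructed for the example."""
import ipaddress
from typing import Optional

# Constructed segments (assumption: illustrative ranges only).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "medical-devices": ipaddress.ip_network("10.20.0.0/16"),
    "servers": ipaddress.ip_network("10.30.0.0/16"),
    "guest": ipaddress.ip_network("192.168.100.0/24"),
}

# Allow-list of cross-segment flows: (source segment, destination segment, TCP port).
# Anything not listed is denied; traffic that stays inside one segment is allowed.
ALLOWED_FLOWS = {
    ("workstations", "servers", 443),       # clinical web front end
    ("medical-devices", "servers", 8443),   # device telemetry upload
    ("servers", "medical-devices", 22),     # admin access from the server segment only
}


def segment_of(ip: str) -> Optional[str]:
    """Return the name of the segment containing ip, or None if unclassified."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(src_ip: str, dst_ip: str, dst_port: int) -> tuple[str, str]:
    """Return ('ALLOW' | 'DENY', reason) for one connection attempt."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "DENY", "unknown segment"  # unclassified endpoints get no access
    if src == dst:
        return "ALLOW", f"intra-segment ({src})"
    if (src, dst, dst_port) in ALLOWED_FLOWS:
        return "ALLOW", f"policy {src}->{dst}:{dst_port}"
    return "DENY", f"no policy for {src}->{dst}:{dst_port}"


def reachable_from(src_ip: str) -> set[tuple[str, int]]:
    """The attacker's view after compromising src_ip: cross-segment
    (segment, port) pairs the policy permits, plus its own segment
    (port 0 stands for 'any port within the segment')."""
    src = segment_of(src_ip)
    out = {(dst, port) for s, dst, port in ALLOWED_FLOWS if s == src}
    if src is not None:
        out.add((src, 0))
    return out


def evaluate(flows):
    """Run a batch of (src, dst, port) attempts and return one log line per
    decision, the kind of record an enforcement point emits for monitoring."""
    lines = []
    for src_ip, dst_ip, port in flows:
        verdict, reason = decide(src_ip, dst_ip, port)
        lines.append(f"{verdict} {src_ip} -> {dst_ip}:{port} ({reason})")
    return lines


# Constructed sample of connection attempts.
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.30.1.10", 443),      # workstation to clinical server: allowed
    ("10.10.4.7", "10.20.9.3", 22),        # workstation SSH to a medical device: denied
    ("192.168.100.5", "10.30.1.10", 443),  # guest to servers: denied
    ("10.20.9.3", "10.20.9.4", 5000),      # device to device, same segment: allowed
    ("172.16.0.9", "10.30.1.10", 443),     # unclassified source: denied
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_FLOWS):
        print(line)
```

Two design choices are worth noting. Unclassified addresses are denied rather than allowed, so a device that bypasses onboarding does not silently inherit flat-network reach. And `reachable_from` makes the "limited visibility" benefit concrete: a compromised guest host can reach nothing outside its own segment, while a compromised workstation reaches only port 443 on the server segment.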
Network Segmentation: A Use Case
Let’s look at how a network access control platform can be used to reduce the impact of unauthorized access to an organization’s data network by enabling network segmentation. The platform in this case was Cisco Identity Services Engine (ISE). Divurgent recently completed this work for a major not-for-profit health system, geographically dispersed across the Eastern United States, with annual revenue of more than $3B:
Scope: deploy ISE on all data network management devices in the enterprise.
Objectives:
- Upgrade network management devices as needed to support use of the Cisco ISE technology
- Develop and implement processes and procedures to support the ISE environment
- Define a strategy and architecture to expand the number of network segments
Deliverables:
- ISE monitors and controls all access to the organization’s data network
- ISE deployment by the numbers:
  - Over 500 network switches were upgraded
  - ISE was deployed on over 1,700 network switches
  - Over 27,000 devices were authorized through ISE for access to the data network
  - Over 56,000 wired ports are being managed through the ISE technology
- ISE support processes were defined and implemented
- An architecture for expanding the number of segments was defined
Following the deployment, multiple additional segments were defined and planned for future implementation.