Network segmentation is the process of dividing a network into smaller, more manageable pieces (segments) to improve its security posture. Network segmentation creates secure zones (subnetworks or subnets) within your larger network to help mitigate the impact of a security breach. By breaking the network into smaller pieces, you limit the spread of malicious events and activities within the contained segment and provide additional protections for insecure devices.
Modern networks facilitate essential operations, communication, and data transfer. And networks continue to get more complex, growing in scope with more services, more devices, more locations, and a more mobile workforce. Administrators have to constantly improve security standards, controlling what happens, where, on the network—while also being able to monitor and understand it all.
Benefits of network segmentation
Network segmentation is a critical piece of an overall cybersecurity / network security model. It's used to help you:
- Improve your security posture. Network segmentation improves the security posture of an organization by limiting the potential attack surface. By dividing the network into smaller segments, businesses can control access to different areas of the network and limit the exposure of sensitive data.
- Mitigate risk. Network segmentation helps businesses mitigate the risks associated with data breaches and malware. If a breach occurs in one segment of the network, it will not impact other segments, thereby reducing the overall risk of data loss.
- Meet compliance requirements. It's crucial to industry standards such as PCI DSS, HIPAA, and GDPR. These standards require strict control over storage and access to sensitive data.
How does network segmentation work?
You can accomplish network segmentation through the use of firewalls, ACLs (Access Control Lists), and VLANs (Virtual Local Area Networks). Your approach depends on how you break down your datacenter and networked infrastructure into subnetworks: physical vs. virtual (logical).
Physical segmentation works exactly how it sounds—you use physical hardware (firewalls, routers, etc) to divide your network. Oftentimes, the location of your networked infrastructure becomes a segment.
Virtual (logical) segmentation uses software to define the segment. This approach can be easier, since you aren't limited by access to physical devices and can build virtual networks or use ACLs to separate networked devices.
Is this the same as microsegmentation?
Not exactly. Network segmentation and microsegmentation are very similar in approach, but differ in capability and execution. While network segmentation relies on a single constraint to govern access (for example, physical location), microsegmentation goes a bit further, isolating each device or application into its own segment. For organizations looking to adhere to a zero-trust architecture approach, microsegmentation is essential. Since you separate each entity from all others, access and traffic must be explicitly granted, regardless of whether it originated within the same segmented network.
Think of your network as a city block, full of apartment buildings. Each building has a locked front door and only the people living there have the code, so you trust them with access to the building itself. That's a segment on your network. Microsegmentation is each locked apartment. You trust entities with access to the building, but not the apartment. So, only the owner of each apartment, or microsegment, has the ability to enter—or grant entry—to their apartment.
How to segment your network
The typical steps in segmenting networks include:
1. Identify critical assets. The first step is to identify the critical assets on your network that need protection. These could include sensitive data, critical applications, and components that control network access.
2. Map your network. Once you've defined your critical assets, map the network to identify the different segments or subnets that need to exist. This includes physical network devices such as routers, switches, and firewalls.
3. Define access policies. Now that you know your assets and have laid out the segmentation approach, you need to configure firewalls, access controls, and other security measures to define what gets access to each segment.
4. Implement security controls. Here's where you bring it all online. You're ready to implement your security policies and controls. From here, you'll also set up intrusion detection systems and other measures to protect each network segment.
5. Monitor and adapt. Network segmentation isn't a "set it and forget it" process. You'll need to continuously monitor the network to ensure it acts as expected and remains secure. Regular security audits and vulnerability assessments are also essential to the ongoing health and efficacy of your network segmentation project.
Industry use cases
Different industries have very similar issues where segmentation can help—whether it's devices with insufficient security protections or which hold sensitive data (or both). Creating a microsegment for each of these devices, or for all of a type of device, to protect them is critical to keeping them safe. The microsegmentation becomes a compensating control for devices with limited protections.
- Healthcare. There has been a recent proliferation in network-connected medical devices. Devices include radiology modalities, lab analyzers, blood glucose meters, IV pumps, patient monitors, or nurse call systems, just to name a few. These devices often use outdated security practices—making them vulnerable. In many cases, you won't be able to deploy the usual endpoint protections, such as anti-malware and anti-virus software. And the criticality of these devices make them likely targets for cyberattacks. Bad actors know they contain valuable patient data. In extreme cases disruption of patient care is a concern.
- Manufacturing. As production lines grow in complexity, with more automation and speed, the number of network-connected monitoring devices also grows. In many cases, these devices sit alongside older devices that are running on outdated, unsecure operating systems. Oftentimes, we measure downtime in lost revenue.
- Retail. Internal systems, including point-of-sale systems, manage card holder data (CHD). Segmenting or microsegmenting these systems is necessary to comply with PCI requirements.
Controlling what these devices can communicate with—and what can communicate with the devices—reduces the risk of malicious software or people from accessing them. Furthermore, you limit attack spread in cases of a compromised device.
How OpenNMS can help
Your job doesn't end at building a segmented network. You're need to be able to monitor these segments, find issues, and continue to adapt as your environment changes. But, an outside-in approach to monitoring (where your monitoring system connects to, and monitors, from outside of the segment) creates holes in your security—the very thing you were limiting by implementing network segmentation. OpenNMS is able to collect relevant data from within the segment itself, an inside-out view, through the use of OpenNMS Appliance.
What's an Appliance?
OpenNMS Appliance is physical hardware, or virtual machines, that reliably and securely collect network monitoring data from hard-to-access areas of your infrastructure.
Appliances are the network monitoring data collectors for OpenNMS. They run lightweight services that enable OpenNMS to communicate with devices and services on your network. By deploying Appliances, you also gain better control and management capabilities.
Appliances let you:
- Configure your entire fleet of Appliances in one action.
- Define groups of Appliances and apply batch configurations to specific groups, as needed.
- Schedule or automate updates for your Appliances—ensuring they have the latest bug and security fixes.
- Keep your fleet of Appliances in sync with the core OpenNMS platform. This guarantees monitoring data continuity through updates.
How Appliance works with segmentation
OpenNMS Appliance fits best in this model through network overlays—a virtual layer, or abstraction, that sits over your network. Within network segmentation, a network overlay is part of the logical approach to defining segments, with VLANs playing a prominent role as your overlay. Add an Appliance to specific segments to provide a secure way to monitor the segment from inside, rather than permitting external monitoring a view into the segment.
Let's say you're a network engineer at a hospital. Some of the devices on the hospital network include MRI machines. So, you place all of the MRIs into a segment. Now, you could externally monitor the health of these devices, increasing the risk of the devices being compromised due to more opening in your firewall, for example. Or, you use OpenNMS Appliance, placed as part of the segment, without any outside connections needed to monitor the devices. The Appliance talks out to your central OpenNMS Meridian network monitoring platform, but no communication into the Appliance is necessary.
You get the data you need, without unnecessarily exposing sensitive equipment to attacks.
OpenNMS Appliance can be quickly integrated into your existing network infrastructure—deploying Appliance hardware or deploying a virtual Appliance. The Meridian platform supports various network protocols and standards, including SNMP, NetFlow, sFlow, IPFIX, and more.
Additionally, OpenNMS offers numerous integrations with third-party applications and services, such as Grafana, Elasticsearch, and Slack, providing additional functionality and enhancing overall network management capabilities.
Enhance network segment visibility
OpenNMS offers several tools and features designed to improve network segment visibility, including:
- Discovery and provisioning. OpenNMS can automatically discover network devices, allowing for a complete and up-to-date inventory. This process can be customized to match specific network segments, ensuring you discover and monitor relevant devices.
- Performance monitoring. OpenNMS provides detailed performance data for network devices, including bandwidth usage, latency, and packet loss. This information allows administrators to quickly identify potential bottlenecks or issues within network segments.
- Alerts and notifications. The platform offers a customizable alerting system, enabling administrators to set thresholds and receive notifications when issues arise. This feature allows for rapid identification and resolution of network segment problems.
- Visualization tools. OpenNMS includes various visualization tools, such as topology maps, geographical maps, and customizable dashboards. These tools provide administrators with an easy-to-understand visual representation of their network segments, improving overall visibility and facilitating quick decision-making.
- Log and event management. The platform collects and stores logs and events from network devices, allowing administrators to review historical data and identify trends or recurring issues within network segments.
Enhanced network segment visibility is crucial for maintaining an efficient and reliable network infrastructure. OpenNMS Appliance offers a comprehensive solution for managing and monitoring networks, providing administrators with the tools they need to keep their networks running smoothly.
Use OpenNMS Appliance to optimize network performance, reduce downtime, and improve your overall operational efficiency.