Don't Let the Fox Into the Henhouse: Recent Breaches Serve as a Reminder to Keep Your Network Segmented
By Reuven Harrison, CTO, Tufin
In light of recent breaches, where third-party credentials have been used to access entire
networks, IT organizations are turning their attention to the risks that can result from basic
network segmentation errors.
Clearly anyone who is not directly managing these systems should not have access to them, but
let's say a very determined and skilled hacker finds their way in. How can you quarantine your
most vulnerable systems to keep them from falling victim to the 'lateral movement' that many of
today's most sophisticated attacks leverage?
Proper network segmentation is perhaps the most effective way to do this, but make no mistake:
network segmentation is very hard. Complex networks house hundreds of devices, and
enterprises typically have complicated security policies with hundreds of rules. At Tufin, we see
customers with hundreds of firewalls, routers and switches across their network, each device
having hundreds of rules on average. A typical enterprise therefore has to consider tens of
thousands of rules when segmenting its network in order to maintain a secure and compliant
enterprise.
In addition, most organizations are dealing with dozens of changes a week to support new
business applications, and users are demanding technologies like virtualization and cloud –
each of which is a force-multiplier to this complexity and can impact the integrity of network
segments.
In many organizations, network segmentation has been a ‘set it and forget it’ effort, which once
done is almost immediately out of date. But network segmentation needs to be managed, and
security policies continuously enforced to maintain the desired network segmentation.
It’s helpful to think of your network in zones, so you can visualize and manage your network
segmentation, either manually or in an automated fashion.
Consider the business drivers as you map out your zones, including compliance (e.g., PCI
DSS), industry or company-specific risks, third-party contractual requirements, and company-
specific business processes.
Once you have mapped this out, you can instantly see detailed insights on your network
segmentation, such as which services are allowed between different network zones and how
sensitive each zone is.
When you can easily visualize your zoning, it enables you to quickly understand traffic-flow
restrictions between zones, the level of sensitivity within each zone, and zone-to-zone policies
that need to be applied.
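As an added example (not from the article and not Tufin's own code), the following Python checker models the zone approach described above: zones with a sensitivity level and address ranges, a zone-to-zone matrix of permitted services, and a pass over a firewall rulebase that flags any permit rule crossing zones in a way the matrix does not allow. All zone names, prefixes, services and rules are constructed sample data.

```python
import ipaddress
from collections import namedtuple

# Constructed zone map: zone name -> (sensitivity level, IPv4 prefixes in the zone).
ZONES = {
    "internet":   (0, ["0.0.0.0/0"]),
    "corp-users": (1, ["10.10.0.0/16"]),
    "dmz":        (2, ["192.0.2.0/24"]),
    "pci-cde":    (3, ["10.99.0.0/24"]),   # PCI cardholder data environment
}

# Zone-to-zone policy: services allowed from src zone to dst zone. Unlisted pairs are denied.
ZONE_POLICY = {
    ("internet", "dmz"):     {"tcp/443"},
    ("dmz", "pci-cde"):      {"tcp/8443"},
    ("corp-users", "dmz"):   {"tcp/443", "tcp/22"},
}

Rule = namedtuple("Rule", "name src dst service action")  # src/dst: IPv4 address or CIDR

def zone_of(address):
    """Longest-prefix match of an address or CIDR against the zone map."""
    net = ipaddress.ip_network(address, strict=False)
    best, best_len = None, -1
    for name, (_, cidrs) in ZONES.items():
        for cidr in cidrs:
            zone_net = ipaddress.ip_network(cidr)
            if net.subnet_of(zone_net) and zone_net.prefixlen > best_len:
                best, best_len = name, zone_net.prefixlen
    return best

def check_rules(rules):
    """Return (rule name, reason) for every accept rule the zone matrix does not permit."""
    findings = []
    for r in rules:
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if r.action != "accept" or src_zone == dst_zone:
            continue  # only inter-zone permits are governed by the zone-to-zone matrix
        if r.service not in ZONE_POLICY.get((src_zone, dst_zone), set()):
            findings.append((r.name, f"{src_zone}->{dst_zone} {r.service} not allowed "
                                     f"(destination sensitivity {ZONES[dst_zone][0]})"))
    return findings

# Constructed sample rulebase: the first two rules are fine, the last two expose the PCI zone.
SAMPLE_RULES = [
    Rule("web-in",     "0.0.0.0/0",    "192.0.2.0/24", "tcp/443",  "accept"),
    Rule("web-to-cde", "192.0.2.10",   "10.99.0.5",    "tcp/8443", "accept"),
    Rule("legacy-rdp", "10.10.0.0/16", "10.99.0.0/24", "tcp/3389", "accept"),
    Rule("vendor-ssh", "0.0.0.0/0",    "10.99.0.0/24", "tcp/22",   "accept"),
]
```

Running `check_rules(SAMPLE_RULES)` reports the two rules that let corporate users and the internet reach the PCI zone on services the matrix never permitted; re-running it after every rulebase change is the continuous enforcement the article calls for.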