This blog was originally published to the 128 Technology website – in 2020, Juniper Networks acquired 128 Technology.
For many years city planners built elevated highways. It was their way of bypassing congested surface arteries without digging up neighborhoods. But over time, the planners found that elevated highways didn’t improve conditions — they made them worse. So they scrapped overhead highways and returned to building them on solid ground. Virtual LANs (VLANs) and outdated microsegmentation strategies are similar to elevated highways in that they’ve created more problems for network engineers than they’ve solved. These complicated overlays make networks difficult to manage and lack the fabric-wide security that’s needed to protect critical data.
Hypersegmentation redefines the process of segmenting and securing network traffic, making it a better solution for protecting your network from cyberattacks. Instead of overlaying inefficient tunneling technologies, it approaches the problem from within with an intelligent, software-defined approach to network segmentation that makes things much, much simpler.
THE EVOLUTION OF NETWORK SECURITY
Decades ago, engineers learned that basic firewall security doesn’t restrict unauthorized user access. While firewalls protected networks at the entry and exit points, they didn’t stop users from figuring out how to bypass restrictions and wage insider attacks.
VLANs evolved to solve the problem, but hackers still managed to find vulnerabilities within the networks, using forged identities, MAC flooding, and other techniques designed to gain access to restricted resources and data. In response, new security tools and network protocols were developed to overlay the VLAN structure, restricting access to certain endpoint devices and using virtual routers as a way to communicate between segments. Our industry refers to these tools and protocols as microsegmentation technologies, and they now form an expensive, hard-to-maintain infrastructure that diminishes network performance. Hypersegmentation, on the other hand, takes much of this complexity out of virtual networking, while improving security and performance, too.
WHAT IS HYPERSEGMENTATION?
As opposed to overlaying technology, hypersegmentation creates a new virtual street map that makes it easy to apply security policies on an application basis. This is made possible by software-defined networking (SDN) technology that segments networks based on how users access them, while ignoring the actual physical location or endpoint type. For example, CRM users can access the applications they need from any location, but they’re restricted from accessing other applications that share the network. Since hypersegmentation uses virtual routers, the implementation cost is much lower. It’s also far more secure.
Hypersegmentation is a key component of the Zero Trust Security approach. As the name suggests, it trusts nobody, denying all packets by default and authenticating all traffic before it enters the network. Data is then organized into segments around the needs of users, groups, and applications. In a network that’s powered by hypersegmentation, these segments are called sessions.
HOW DOES IT WORK?
Outfitting a network with hypersegmentation begins by first defining all the services, resources, and devices your network supports. Examples include CRM systems, financial applications, ERP platforms, mail servers, voice services, and web resources. Access to these services is then provided to tenants by administrators as needed. A tenant represents a collection of users and their devices that share common policies. Services represent specific applications that a network delivers and to which tenants have access. The umbrella under which your tenants and services exist, along with security properties such as authentication and encryption keys, is known as an Authority, or administrative domain.
This top-down design ensures resources are provided only to the users who need them. For instance, a sales manager may be a member of the Sales tenant and have access to the CRM service, but not the ERP service, while all users may be members of the Enterprise tenant with access to the voice services.
With hypersegmentation, data travels in sessions rather than packets. The virtual router typically classifies the source of the session request into a configured tenant in one of three ways:
- The session arrives on an interface that is dedicated to a single tenant.
- The session arrives on an interface from a prefix that has been specified as belonging to a tenant. (In this case, a single interface can be partitioned into separate tenants based on subnet.)
- The session carries predefined metadata in which an adjacent router has already classified the tenant.
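The Authority/tenant/service model and the three-way tenant classification described above, as an added example that is not 128 Technology's code or configuration format. Tenant names here are dotted and hierarchical ("sales.enterprise" is a member of "enterprise", so it inherits what "enterprise" is granted), the rule precedence (metadata, then dedicated interface, then longest prefix) is an assumption of this example, and all interface names, prefixes and services are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the Authority/tenant/service design described above; it is not
# 128T's configuration or API. Tenant names are dotted and hierarchical ("sales.enterprise"
# is a member of "enterprise"), and the rule precedence used is an assumption of this example.

@dataclass
class Authority:
    interface_tenant: dict = field(default_factory=dict)    # interface -> tenant (rule 1)
    interface_prefixes: dict = field(default_factory=dict)  # interface -> [(network, tenant)] (rule 2)
    service_access: dict = field(default_factory=dict)      # service -> set of tenants granted access

    def classify_tenant(self, interface, src_ip, metadata=None):
        """Classify the source of a new session into a tenant; None means unclassified."""
        if metadata and "tenant" in metadata:          # rule 3: adjacent router already classified it
            return metadata["tenant"]
        if interface in self.interface_tenant:         # rule 1: whole interface owned by one tenant
            return self.interface_tenant[interface]
        addr = ipaddress.ip_address(src_ip)            # rule 2: shared interface partitioned by prefix
        matches = [(net, t) for net, t in self.interface_prefixes.get(interface, []) if addr in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    @staticmethod
    def is_member(tenant, granted):
        return tenant == granted or tenant.endswith("." + granted)

    def admit(self, interface, src_ip, service, metadata=None):
        """Deny by default: only a classified tenant that is granted the service gets a session."""
        tenant = self.classify_tenant(interface, src_ip, metadata)
        if tenant is None:
            return False, "deny: unclassified source"
        if not any(self.is_member(tenant, g) for g in self.service_access.get(service, ())):
            return False, f"deny: {tenant} not granted {service}"
        return True, f"allow: {tenant} -> {service}"

def sample_authority():
    """Constructed Authority matching the Sales/Enterprise example in the text."""
    a = Authority()
    a.interface_tenant["lan-finance"] = "finance.enterprise"
    a.interface_prefixes["lan-shared"] = [
        (ipaddress.ip_network("10.0.0.0/16"), "enterprise"),        # whole campus
        (ipaddress.ip_network("10.0.5.0/24"), "sales.enterprise"),  # sales subnet; longer match wins
    ]
    a.service_access = {"crm": {"sales.enterprise"}, "erp": {"finance.enterprise"},
                        "voice": {"enterprise"}}
    return a

if __name__ == "__main__":
    print(sample_authority().admit("lan-shared", "10.0.5.7", "crm"))
```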
Hypersegmentation applies intelligent, dynamic encryption to each session, authenticating as it moves within and between networks. Administrators apply universal route policies to sessions going through firewalls to other networks. They can also enforce rate and bandwidth constraints on each session.
COMPARING MICROSEGMENTATION WITH HYPERSEGMENTATION
Microsegmentation describes an array of network protocols (IPsec, GRE, VXLAN, and GENEVE) that overlay physical networks. While these protocols are intended to make VLANs more secure, they only add cost and complexity.
Hypersegmentation ignores the overlay and physical network design and addresses the data itself. This new concept provides several benefits including improved flexibility, scalability, and security. It not only allows data to move within defined segments but between segments as well. In addition, hypersegmentation extends the network beyond physical borders. That is, it applies encryption rules to other networks, applications, and mobile devices for a truly end-to-end solution.
HYPERSEGMENTATION — A NEW STANDARD FOR MODERN NETWORK DESIGN
Combined with Zero Trust Security protocols, hypersegmentation is a solid option for securing your network. As cyberattacks threaten network and data security on a daily basis, following Zero Trust Security principles allows you to embed security into the network itself, rather than painting it on with an overlay. The deny-by-default policy filters out security threats at the endpoints, ensuring that the data that’s traveling on your network is secure.
Maintaining and protecting old technology is often more expensive than buying something new, not to mention more time-consuming. That’s what city planners realized when they started building elevated highways, and it’s also true for overlay networks. Hypersegmentation provides a better way forward, driving the cost, complexity, and hassle out of network design and bringing better security with it.