
The problem that computer networks have struggled with for years is access within a segment or broadcast domain. Traditionally, access is unrestricted, and masking is complex to manage. This blog post delves deeper into why and how Juniper Mist can provide a solution to this issue.

Why is microsegmentation important within a network?

In today’s market, we are becoming more and more aware of breaches and what problems they bring. Interestingly, most of these issues do not arise from managed endpoints, but rather from unmanaged endpoints, such as cameras or medical devices. The most effective way to secure and isolate these vulnerable endpoints is through segmentation, paving the way to micro-segmentation.

Herein lies the importance of fully shielding and mapping these devices. While asset visibility is crucial, equally important is achieving effective shielding and limiting access to what is necessary. Microsegmentation is vital in all industries, as every company has devices that it cannot patch itself, that are not under its direct control, but that are nonetheless on its network. Consider the example of a compromised camera. Microsegmentation ensures that, at that critical point, the camera can only communicate with the server using a known protocol, preventing lateral movement to other cameras or further down the network.

The classic examples are Operational Technology (OT) environments, manufacturing, and healthcare, where the management of medical devices poses unique challenges.

Benefits of Microsegmentation

In the past, we had lots of freedom within the segment we accessed. But now, there are devices in several segments where the security level is not optimal. By limiting access to only what is truly necessary within a segment, we can enhance the security level without having to touch the suboptimal device.

Implementation Challenges

The challenge with microsegmentation lies in implementing policies across different vendors. Complications always arise because microsegmentation is specific to each vendor. Especially when the management platform can only push policy to one type of device, attempting microsegmentation in a mixed environment is not advisable.

Automation with Juniper MIST

With NAC, we don't grant access to just anyone in a segment. We ensure that only devices verified by us are allowed on the network, especially in segments where we're applying microsegmentation. Herein lies another challenge of handling unmanaged devices: authentication can only be done through MAC addresses, and we all know those are easily spoofed. Therefore, limiting access after authentication is key.

Automation is certainly possible, especially when using Network Access Control (NAC) authentication. The policy being hit is associated with a specific ID, which can be returned using RADIUS. This allows specifying that whenever this device connects to the network, this ID is passed along, ensuring the application of microsegmentation policies. NAC plays a crucial role in automating and facilitating this process, providing strict control over device access to segments, even with the implementation of microsegmentation.
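To make this flow concrete, here is an added example (not code from this post, nor from Juniper Mist) that models the two halves described above: a MAC-based NAC decision that hands back a policy identifier, and the default-deny, intra-segment rule set that identifier selects, using the compromised-camera scenario from earlier in the post. The MAC addresses, device roles, policy names and rule table are all constructed for illustration, and the "policy id" is a placeholder for whatever RADIUS attribute the platform actually uses to carry it.

```python
"""Toy model of NAC-driven microsegmentation inside one broadcast domain.

Added example, not the blog's or Juniper Mist's code. Every MAC address, role,
policy name and rule below is constructed; the policy id stands in for the
vendor-specific RADIUS attribute that would carry it in an Access-Accept.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed NAC inventory: MAC address -> (device role, policy id returned on accept).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("camera", "POLICY-CAMERA"),
    "aa:bb:cc:00:00:02": ("camera", "POLICY-CAMERA"),
    "aa:bb:cc:00:00:10": ("vms-server", "POLICY-VMS"),
    "aa:bb:cc:00:00:20": ("workstation", "POLICY-MANAGED"),
}


@dataclass(frozen=True)
class Rule:
    """One permitted flow inside the segment: destination role, protocol, port."""
    dst_role: str
    proto: str
    port: int


# Constructed microsegmentation policies: policy id -> permitted flows.
# Anything not listed is dropped (default deny), so two cameras that share a
# subnet still cannot talk to each other.
POLICIES = {
    # Cameras may exchange RTSP (tcp/554) with the video recorder and nothing else.
    "POLICY-CAMERA": {Rule("vms-server", "tcp", 554)},
    "POLICY-VMS": {Rule("camera", "tcp", 554), Rule("workstation", "tcp", 443)},
    # Managed operator workstations only reach the recorder's web UI.
    "POLICY-MANAGED": {Rule("vms-server", "tcp", 443)},
}


def nac_decision(mac: str) -> Tuple[bool, Optional[str]]:
    """MAC-based authentication: accept known devices and return their policy id.

    Unknown MACs are rejected before they are ever placed on the segment.
    """
    entry = INVENTORY.get(mac.lower())
    if entry is None:
        return False, None
    _role, policy_id = entry
    return True, policy_id


def role_of(mac: str) -> Optional[str]:
    """Look up the role the NAC assigned to a MAC, or None if it is unknown."""
    entry = INVENTORY.get(mac.lower())
    return entry[0] if entry else None


def is_allowed(src_mac: str, dst_mac: str, proto: str, port: int) -> bool:
    """Enforce the policy that the source received at authentication time.

    Returns True only when the flow matches an explicit rule; default is deny.
    """
    accepted, policy_id = nac_decision(src_mac)
    if not accepted or policy_id is None:
        return False
    dst_role = role_of(dst_mac)
    if dst_role is None:
        return False
    return Rule(dst_role, proto.lower(), port) in POLICIES[policy_id]


def reachable_from(mac: str) -> List[Tuple[str, str, int]]:
    """Everything a device may reach inside the segment once authenticated.

    A rogue host spoofing a camera's MAC still lands on this short list, which
    is the point of restricting access *after* MAC authentication.
    """
    accepted, policy_id = nac_decision(mac)
    if not accepted or policy_id is None:
        return []
    return sorted((r.dst_role, r.proto, r.port) for r in POLICIES[policy_id])


def evaluate_flows(flows):
    """Evaluate constructed (src_mac, dst_mac, proto, port) flows against policy."""
    return [(s, d, p, port, is_allowed(s, d, p, port)) for s, d, p, port in flows]


if __name__ == "__main__":
    # Constructed sample flows seen on the shared camera segment.
    sample = [
        ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "tcp", 554),  # camera -> recorder
        ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "tcp", 554),  # camera -> camera
        ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20", "tcp", 445),  # camera -> workstation
        ("de:ad:be:ef:00:01", "aa:bb:cc:00:00:10", "tcp", 554),  # unknown MAC
    ]
    for src, dst, proto, port, ok in evaluate_flows(sample):
        print(f"{src} -> {dst} {proto}/{port}: {'permit' if ok else 'deny'}")
```

The model deliberately keys enforcement on the role the NAC assigned rather than on the IP address, which is what lets two devices in the same subnet receive different treatment; the lateral camera-to-camera flow is denied even though routing would never have been involved.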

Cloud vs. On-Premises?

In the cloud, this issue is typically managed by the cloud provider. This characteristic is unique to the cloud environment, where each device sits in its own segregated "island," and you have to open up specific connections between these individual islands.

On-premises has been a challenge for years. Traditionally, all devices in the same segment had full access to everything within that segment. Now, especially with devices that are not under our management, making them harder to patch and, consequently, more challenging to isolate, we need to find a balance. We don't want to make it complex for ourselves by putting each of those in its own segment. Instead, we prefer placing them in the same segment and then imposing constraints within that segment.

The Connection between Zero Trust and Microsegmentation

Microsegmentation falls completely inside the zero trust story due to the fact that only confirmed connections are allowed. When integrated with NAC, it goes beyond merely restricting connections; it also controls access to the entire network.

Microsegmentation fits seamlessly into a zero trust approach, but the extent to which it plays a role in your zero trust strategy is highly dependent on the specific environment, whether healthcare, IT, OT, production, manufacturing, etc. Its role can vary significantly, ranging from being a substantial component to a minor facet, or it may not be part of the zero trust strategy at all, depending on the nature of the environment.

In a zero trust story that includes unmanaged clients, microsegmentation provides the capability to isolate clients completely without introducing unnecessary routing complexities. On the other hand, for managed clients, more sophisticated solutions are often available to establish a robust Zero Trust Network.

Conclusion

In traditional segmentation, we restrict access between different subnets that are routed. However, it is crucial not to stop there. The complexity of routing often poses challenges. This is where microsegmentation fits in seamlessly. Having the ability to define access parameters within the same subnet is something that can make a significant difference.


Jarviss has extensive knowledge of Juniper Mist. If you are interested in learning more about these technologies, send us an email at info@jarviss.be or give us a call at +32 9 394 99 11.