Zero trust network access (ZTNA) is a network security approach in which all devices are considered untrustworthy by default, regardless of their location. Also sometimes referred to as “perimeterless security,” ZTNA requires every transaction between entities on the network to be independently authenticated, authorized, and encrypted.
Moving from more traditional security models to zero trust can be a daunting task. This is especially true for larger enterprises that operate complex combinations of network infrastructure, including on-premises applications and services, cloud-based services, and remote and distributed workforces.
Traditionally, networks have employed network segmentation to improve manageability as well as deploy and manage security services and policies between segments. Making these segments progressively smaller and designing micro-segments as part of the network is an ideal intermediary step for an enterprise seeking to migrate to a fully zero trust security model.
In this article, we’ll discuss segmentation, micro-segmentation, how the latter benefits the zero trust approach, and some of the challenges and best practices associated with this methodology.
Summary of Key Micro-Segmentation Concepts in Zero Trust
The following table summarizes the key concepts involved in micro-segmentation and its relation to the zero-trust security model.
Network Segmentation Design Principles
What is Network Segmentation?
Network segmentation is a design principle that has been used extensively for decades in the networking world. Separating large enterprise networks into smaller, more manageable segments is vital to ensuring ease of manageability and administration. It’s also important for employing security measures tailored to each individual segment.
The protocols and structures used to implement networks have been designed with segmentation as part of their operation. For example, the fundamental architecture of the IPv4 protocol is based on the ability to segment networks into subnets using the subnet mask. Similarly, IPv6 maintains this capability as a core component of its design. Virtual local area networks (VLANs) are used to segment networks at Layer 2, delivering smaller broadcast domains within which IPv4 and IPv6 subnets can operate.
In addition to other benefits, this approach to network design is of utmost importance for implementing security measures, offering greater flexibility in the application of security policies for each individual network segment. Indeed, security measures are typically employed at the border of each individual segment.
A well-known example of the segmentation principle that is often employed at the network edge is the demilitarized zone (DMZ), which seeks to use network segmentation to partition internet-facing services into a separate subnet. The following diagram shows an example of a DMZ:
Servers found in the DMZ must be reachable by users on the internet through the WAN router. Conversely, the hosts found within the LAN should not be accessible from the internet. The DMZ segment and the LAN segment have two different security policies that the firewall is able to employ individually for each segment.
Segmentation is crucial for employing security policies for traffic moving from one segment to another, thus safeguarding both the DMZ and the LAN against malicious attacks from the internet. However, it does not protect against malicious attackers or processes that may find themselves inside the DMZ or the LAN.
One way to mitigate such attack vectors is to employ micro-segmentation.
What is Micro-Segmentation?
As its name suggests, micro-segmentation is achieved by creating smaller network segments. Doing so means that you are increasing the number of segments for any given network while simultaneously decreasing the size of each segment so that there are fewer devices within each.
The benefits of such an approach include the following:
- A larger share of internal communication must cross segment borders, so security policies are applied to more of the traffic.
- Any malicious user or process within a segment is more tightly confined, because each segment is necessarily smaller, which limits the harm it can do.
Using IPv4, we can make smaller segments by subnetting our networks. Using a /27 subnet mask, for example, will deliver a network segment with 30 usable IPv4 addresses; /28 will give us 14; and /29 will give us six usable host addresses, thus limiting the number of hosts within each subnet to a small number.
How small can these segments be made? Well, if you take it to the extreme, you can create network segments with /30 subnets, where each segment contains only two hosts: the end device and the default gateway. Thus, each end device will exist within its own subnet or segment.
You may have noticed that a /30 subnet actually provides four IP addresses. This is true; however, as with all IP subnets, the first and last addresses are reserved for the network address and the broadcast address respectively, so only two usable host addresses remain.
Having said that, it is possible to use a /31 subnet for point-to-point links. Such a subnet has only two addresses, which under normal rules would be the network and broadcast addresses, leaving no usable host addresses. However, RFC 3021 describes how both addresses of a /31 can be used as host addresses on a point-to-point link, and any device that supports the feature will operate normally in such a configuration.
IPv6 can also be configured to behave in the same manner using appropriate prefix values.
Micro-Segmentation in the Context of ZTNA
Micro-segmentation goes beyond merely creating smaller subnets. While it does involve dividing a network into smaller, isolated segments, its primary focus is on creating security policies for individual workloads, applications, or services. This involves implementing strict access controls and limiting communication between workloads to only those connections that are explicitly allowed.
In essence, micro-segmentation moves network segmentation up the OSI model. Instead of segmenting subnets at the network layer, we begin segmenting workloads at the application layer. A workload can be defined as any computational task, process, or service that runs on a computer or a group of computers within a network.
These micro-segments can be configured and managed using additional network mechanisms that can define and enforce much more granular security policies. This level of control provides enhanced security and adaptability across various environments, including on-premises, cloud, and hybrid infrastructures.
Technologies like SDN (software-defined networking) and NFV (network function virtualization) facilitate the creation of these types of micro-segments based on specific applications, services, or workloads. Container orchestration platforms can also contribute to micro-segmentation by isolating particular services and applications.
Implementing micro-segmentation of this kind in a traditional network doesn’t achieve the same level of security as ZTNA, but it does come several steps closer to the final destination, which is a fully ZTNA-enabled network.
Best Practices for Implementing Micro-Segmentation
Using Network-Centric Tools
NFV and SDN are two complementary technologies that can significantly aid in the implementation of micro-segmentation. They provide the flexibility, control, and automation required for automatically and dynamically creating and managing security policies.
NFV decouples network functions from dedicated hardware appliances and implements them as virtualized software components. This allows for greater flexibility, scalability, and cost efficiency in managing network functions. In the context of micro-segmentation, NFV can help in various ways:
- Simplifying the deployment and management of security functions, such as firewalls, intrusion detection systems, and access control systems, by virtualizing them
- Enabling the dynamic allocation and adjustment of network resources based on workload requirements, ensuring optimal security and performance
- Facilitating the centralized management and orchestration of virtualized network functions, which streamlines the implementation and enforcement of micro-segmentation policies
Similarly, SDN separates the control plane (which is responsible for making decisions about how traffic is treated) from the data plane (which is responsible for forwarding traffic), enabling centralized and programmable control of the network. This allows for more dynamic, flexible, and efficient network management. In the context of micro-segmentation, SDN can help by doing the following:
- Providing a centralized control plane that simplifies the management and enforcement of micro-segmentation policies across the entire network
- Offering greater programmability and automation, which enables the dynamic creation, modification, and removal of network segments based on workload requirements and security policies
- Facilitating more granular control over network traffic flows, allowing administrators to define specific rules and paths for communication among workloads, applications, and services
- Enhancing visibility and monitoring across the network, making it easier to detect and respond to security threats or performance issues
By leveraging NFV and SDN technologies, organizations can more effectively implement micro-segmentation, creating dynamic security policies that adapt to their specific needs and ensuring a higher level of protection for their workloads, applications, and services.
Container orchestration platforms are also involved in the application of micro-segmentation. These platforms use mechanisms to implement micro-segmentation within containerized environments. An example of such a platform is Kubernetes; in this section, we’ll use it as an example of how micro-segmentation can be achieved within an orchestration platform.
Kubernetes manages the deployment, scaling, and operation of containerized applications, which are grouped into units called “pods.” Micro-segmentation in Kubernetes focuses on controlling and isolating network traffic among these pods using various methods and approaches, including the following:
- Network Policies: Kubernetes uses network policies to define and enforce the communication allowed between different pods within a cluster. Network policies allow you to control ingress and egress traffic between pods, effectively implementing micro-segmentation at the container level. This helps limit the attack surface and prevent unauthorized access to applications and services running in containers.
- Namespace isolation: Kubernetes allows you to create separate namespaces for different applications, teams, or environments within the same cluster. By using network policies, you can control and isolate traffic between namespaces, further enhancing the micro-segmentation capabilities of your containerized environment.
- Consistency across environments: Containerized applications can run on various platforms (on-premises, in the cloud, or hybrid), and Kubernetes ensures that micro-segmentation policies are consistently applied across different environments. This helps organizations maintain a consistent security posture regardless of where their containerized applications are deployed.
- Automation and scalability: Kubernetes automates many aspects of container management, including scaling and updating applications. This automation extends to the enforcement of network policies, ensuring that micro-segmentation remains effective and up to date as the containerized environment grows and evolves.
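The following manifest is an added example of the network-policy and namespace-isolation points above; it is not from the original article. It assumes a namespace named `payments` holding pods labelled `app=api`, and a namespace named `web` holding pods labelled `app=frontend`; the `kubernetes.io/metadata.name` namespace label is the one Kubernetes sets automatically.

```yaml
# Default-deny for namespace "payments" (assumed name): pods accept no
# ingress and send no egress unless a later policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}          # empty selector selects every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# Explicit allow: only pods labelled app=frontend in the "web" namespace
# may reach app=api pods in "payments", and only on TCP 8443.
# namespaceSelector and podSelector in ONE "from" entry are ANDed;
# as two separate entries they would be ORed (any pod in "web", or any
# app=frontend pod in "payments" itself), which silently widens the segment.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: web
          podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8443
```

Because the first policy also denies egress, name resolution from `payments` pods stops until an egress rule to the cluster DNS service is added alongside the application-specific egress rules; verify with a test pod on both sides of the boundary before relying on the segment. Policies are only enforced when the cluster's network plugin implements NetworkPolicy.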
As is the case with all types of technologies, implementing micro-segmentation is not without its challenges. Some of the most significant that you may face include concerns in the following areas:
- Increased complexity: Micro-segmentation requires a deep understanding of network architecture, applications, and data flows. It can be challenging to map and manage the relationships among numerous segments and enforce security policies consistently.
- Scalability: As the number of workloads, services, and segments increases, administering micro-segmentation becomes more complex. The number of policies to deploy and manage grows sharply, and ensuring that policies and configurations are consistently applied across a large number of segments can be a significant challenge. This is one of the reasons for the extensive use of network automation and virtualization technologies such as SDN and NFV.
- Policy creation and management: Defining and maintaining security policies for each micro-segment can be time-consuming and may require a high level of expertise. Incorrectly configured policies may lead to security vulnerabilities or disruptions in normal operations.
- Visibility: Gaining full visibility into the network and understanding the interactions between segments can be difficult. This can make it challenging to monitor and identify security threats or performance issues across the entire network.
- Interoperability: Micro-segmentation may involve integrating various technologies, such as SDN, NFV, and container orchestration platforms. Ensuring that these technologies work seamlessly together and with existing network infrastructure can be challenging.
- Technology: Using SDN, NFV, and container orchestration platforms requires additional network hardware and software that supports these features and capabilities. In addition, staff with the appropriate skill sets and technical training are required.
Remember that we are approaching micro-segmentation as an intermediary step to reaching a fully ZTNA-enabled network security implementation. As such, micro-segmentation is a single, albeit significant, step in the migration and transition process. Moving from a traditional network architecture to an intermediate micro-segmented model can be complex and disruptive if not done correctly, and it may require significant changes to the network configuration and operational processes as well as staff training and adaptation.
To address these challenges, organizations should carefully plan their micro-segmentation and ZTNA migration strategies, invest in the necessary tools and technologies, and involve experts with the required skills and experience. Additionally, ongoing monitoring, management, and periodic reviews of the micro-segmentation implementation can help ensure that it continues to meet the organization’s security and performance goals.
ZTNA Beyond Micro-Segmentation
Micro-segmentation serves as an intermediary step between traditional network security and ZTNA by introducing granular access controls and enhanced security measures that go beyond traditional perimeter-based defenses. While not as comprehensive as ZTNA, micro-segmentation does bring us closer to realizing a fully ZTNA network. However, it is essential to note that it does not entirely cover the ZTNA principles.
To achieve true ZTNA, organizations need to further extend security policies and access controls, considering user roles and authentication, device posture, and continuous evaluation of trust, among other factors. Optm's ZTMesh solution offers a streamlined ZTNA approach to achieve this as part of an incremental deployment strategy, allowing for the phasing out of potentially complex micro-segmentation strategies.
Nonetheless, micro-segmentation serves as a valuable stepping stone toward implementing ZTNA by introducing more robust and detailed security measures within the network.
Last Thoughts on Micro-Segmentation Zero Trust
Micro-segmentation is a crucial component of a migration strategy to achieve fully realized ZTNA. By dividing the network into smaller, isolated segments based on individual workloads, services, or applications, micro-segmentation enhances security and control through strict access and communication restrictions. Technologies such as SDN, NFV, and container orchestration platforms like Kubernetes enable the implementation of granular security policies, providing a foundation for ZTNA. This approach of isolating and securing every node and individual workload paves the way towards a ZTNA reality, wherein all network transactions are authenticated and encrypted, further bolstering the network’s security posture.