
Microsegmentation in a Multi-Vendor Environment, Without Disrupting Operations

By William Noto | September 09, 2022

Network segmentation offers many benefits for businesses. It improves security by limiting how far an attack can spread across a network and by keeping attackers away from devices that cannot protect themselves. If an attack does succeed, segmentation limits the ability of malware to reach other business systems. Network segmentation also reduces the broadcast and cross-traffic congestion that often causes performance drop-off. This matters most for resource-sensitive services such as power plants, factories, water treatment systems, oil rigs and other industrial environments.

Network segmentation can be especially tricky in an OT environment because of the risk of accidentally disrupting a production process while the network is being segmented. In an IT environment, losing a device temporarily may have little business impact, but for OT environments, going offline can have enormous negative consequences. The challenges multiply when the environment to be segmented contains devices from multiple vendors. However, with the right tools and processes in place, it is possible not only to segment your network successfully but to divide it even further and reap the additional advantages of microsegmentation.

What is Network Segmentation?

Segmentation is an architectural approach that divides a network into multiple smaller segments or subnets, each acting as its own small network. This lets network administrators control the flow of traffic between subnets based on granular policies. With network segmentation, businesses can prevent unauthorized users from reaching their most valuable industrial assets, such as human machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs). These assets live in an organization's operational technology (OT) or industrial control system (ICS) environments, so every such location must be secured against cyberattacks.

Segmentation can be achieved by physical separation using a firewall or router, by logical separation, or by both, depending on the case. Virtual LANs (VLANs) are typically used to provide the basic segmentation functionality.

What is Network Microsegmentation?

Microsegmentation is a network security technique that lets security architects segment an environment further, gaining visibility into lateral traffic between assets even when they sit in the same broadcast domain. Granularity is achieved by logically dividing the network environment into distinct security segments down to the individual workload level. Because policies are applied to individual workloads, microsegmentation offers stronger resistance to attacks, and if a breach does occur, it limits an attacker's ability to move laterally from a compromised workload to others.

What are the Differences between Network Segmentation and Microsegmentation?

Network segmentation and microsegmentation differ in several key ways: the level at which each operates, how granular the policies can be, and how much visibility and control there is over network traffic.

                      Network Segmentation                         Microsegmentation
Level                 Perimeter level; operates across zones       Controls lateral movement across hosts
                      and subnets
Policy granularity    Coarse policies                              Granular policies
Traffic visibility    Visibility and control of north-south        Visibility and control of both north-south
                      traffic                                      and east-west traffic

Steps to Segmenting Your Network

The foundation of segmentation is network and endpoint discovery followed by endpoint classification. It is nearly impossible to control what you don't know exists in your environment, which is why the first step of the journey should be identifying what you actually have.

FortiNAC™ is Fortinet's network access control solution that enhances the Security Fabric with visibility, control, and automated response for everything that connects to the network. It lets you perform the three steps needed to start the segmentation process.

Network Discovery

FortiNAC offers the built-in ability to discover over 3,000 unique wired, wireless, and VPN products. The FortiNAC server has the information needed to identify those devices, manage them, and identify what is connected to them. To get started with FortiNAC, you deploy either a physical or a virtual appliance on premises, or you deploy it in the cloud. As long as the FortiNAC appliance has IP connectivity to your environment, meaning your managed switches, managed wireless, VPN, firewalls, and routers, you can see all of that infrastructure from a centralized location.

Endpoint Discovery

The second step, after network discovery, is endpoint discovery: using the infrastructure revealed in Step 1 to learn what is plugged in. Reading the MAC address table of each switch is the primary mechanism for determining what is connected. Using FortiNAC, it is possible to get the MAC address, the switch, and the port. If the connection is wireless, we know which SSID the client is connecting on. At this point in the process, every endpoint is initially identified as a "rogue device", but its MAC and IP addresses have been recorded.

Endpoint Classification

Step three is endpoint classification and profiling. Before you try to segment anything by putting it in a VLAN, you must accurately identify each device. Classification primarily leverages active and passive profiling rules. Because OT environments typically cannot afford the risk of device failure that comes with active scanning, FortiNAC offers 21 passive methods of device profiling. In addition to passive profiling, FortiNAC can perform smart active scans, using additional information such as the IP address or the vendor Organizationally Unique Identifier (OUI), that help limit the risk of overwhelming any OT device. Once all endpoints have been successfully classified, segmentation and/or microsegmentation can begin.
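The three steps above, worked through in code as an added example (this is not FortiNAC's code or API, and it invents nothing about how FortiNAC works): a switch's MAC address table is parsed to discover endpoints, each endpoint starts out as "rogue", and a passive profiling rule based on the vendor OUI classifies what it can. The MAC table text, the OUI-to-vendor table and the vendor-to-class rules are all constructed for this example; real OUI assignments come from the IEEE registry, and real profiling uses many more passive signals (DHCP fingerprints, LLDP, protocol behaviour).

```python
import re
from dataclasses import dataclass

# Constructed sample: the kind of text a managed switch returns for its MAC
# address table (layout modelled on an IOS-style "show mac address-table").
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c9f.f001    DYNAMIC     Gi1/0/1
  10    0030.de12.ab34    DYNAMIC     Gi1/0/2
  10    0080.f4aa.bb01    DYNAMIC     Gi1/0/3
  20    b827.eb11.2233    DYNAMIC     Gi1/0/7
"""

# Constructed OUI table for this example only; look real prefixes up in the IEEE
# MA-L registry before relying on them.
OUI_VENDORS = {
    "00:00:0C": "Cisco",
    "00:30:DE": "Wago",
    "00:80:F4": "Schneider Electric",
    "B8:27:EB": "Raspberry Pi Foundation",
}

# Passive profiling rule: what the vendor OUI alone lets us infer (constructed).
# Vendors with no rule stay "rogue" and need further (smart active) profiling.
VENDOR_CLASS = {
    "Cisco": "network-infrastructure",
    "Wago": "PLC",
    "Schneider Electric": "PLC",
}


@dataclass
class Endpoint:
    mac: str
    vlan: int
    port: str
    vendor: str = "unknown"
    device_class: str = "rogue"   # step 2: every discovered endpoint starts as rogue


_NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def normalize_mac(raw: str) -> str:
    """Accept 0000.0c9f.f001, 00-00-0c-9f-f0-01 or 00:00:0c:9f:f0:01 and
    return the canonical 00:00:0C:9F:F0:01 form so OUI lookups are uniform."""
    digits = _NON_HEX.sub("", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# One data row: VLAN, MAC, type, port. Header and separator rows do not match.
_ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]+)\s+\S+\s+(\S+)\s*$")


def parse_mac_table(text: str) -> list[Endpoint]:
    """Step 2: endpoint discovery from the switch MAC table (MAC, VLAN, port)."""
    endpoints = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            vlan, mac, port = m.groups()
            endpoints.append(Endpoint(mac=normalize_mac(mac), vlan=int(vlan), port=port))
    return endpoints


def classify(endpoints: list[Endpoint]) -> list[Endpoint]:
    """Step 3: passive classification by OUI. Touches no device on the wire."""
    for ep in endpoints:
        ep.vendor = OUI_VENDORS.get(ep.mac[:8], "unknown")
        ep.device_class = VENDOR_CLASS.get(ep.vendor, "rogue")
    return endpoints


def rogues(endpoints: list[Endpoint]) -> list[Endpoint]:
    """Endpoints still unclassified: do not move these into a VLAN yet."""
    return [ep for ep in endpoints if ep.device_class == "rogue"]


if __name__ == "__main__":
    eps = classify(parse_mac_table(MAC_TABLE))
    for ep in eps:
        print(f"{ep.port:8} vlan {ep.vlan:<3} {ep.mac}  {ep.vendor:24} -> {ep.device_class}")
    print("still rogue:", [ep.port for ep in rogues(eps)])
```

Run as-is, the three devices on VLAN 10 classify as infrastructure and PLCs, while the host on Gi1/0/7 stays rogue: the OUI says nothing about its role, so it is exactly the device that should get a cautious smart active scan or a manual check before any VLAN move, rather than a guess.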

Microsegmentation in a Heterogenous Environment

A recent Fortinet poll showed that 44% of participants perform physical segmentation using firewalls, while another 36% use VLANs for segmentation. Only 6%, however, currently leverage microsegmentation. When properly performed, microsegmentation provides visibility north-south as well as east-west, and in a heterogeneous environment it does so irrespective of which vendors' devices you have.

In a flat network, there is no segmentation whatsoever. All assets can reach each other, and there is no control over, or visibility into, traffic between assets that share the same Layer 2 broadcast domain. Your SCADA master or engineering station has full reachability to everything in the environment, and so does anything that compromises it.

Basic segmentation uses VLANs (802.1Q-tagged traffic) or physical separation through your firewall to split the environment into segments. Traffic between segments must now cross a router or firewall, which gives you clear visibility into and control over north-south traffic flowing between the segments.

By adding managed switches that support private VLANs, you can implement microsegmentation. At this point you have not just north-south visibility and control but east-west visibility and control as well. Even though your HMI sits in the same Layer 2 broadcast domain as the PLC, you can see when they talk to each other. You have visibility into the traffic between the two assets, and visibility and control of which other assets in your environment each of them can reach. That is the level of control microsegmentation provides.
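An added example, not from the original article, that models the private VLAN behaviour the previous paragraphs rely on. Port roles are the standard private VLAN ones: isolated ports can exchange frames only with promiscuous ports, community ports can also exchange frames with their own community, and promiscuous ports (typically the uplink to the firewall or Layer 3 gateway) can reach every port. The device names, port assignments and the firewall policy are constructed for the example. The point it shows is why an HMI and a PLC in the same broadcast domain can be forced through the firewall, where their traffic is both visible and policed, while in a flat VLAN the switch forwards the same frames directly and the firewall never sees them.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortRole(Enum):
    PROMISCUOUS = "promiscuous"   # uplink to firewall / L3 gateway; talks to all
    ISOLATED = "isolated"         # talks only to promiscuous ports
    COMMUNITY = "community"       # talks to same community + promiscuous ports


@dataclass(frozen=True)
class Port:
    host: str
    role: PortRole
    community: Optional[str] = None   # only meaningful for COMMUNITY ports


def l2_forwarding_allowed(src: Port, dst: Port) -> bool:
    """Does the switch forward a frame from src to dst within one primary VLAN?
    Standard private VLAN semantics; nothing vendor-specific."""
    if PortRole.PROMISCUOUS in (src.role, dst.role):
        return True
    if src.role is PortRole.COMMUNITY and dst.role is PortRole.COMMUNITY:
        return src.community == dst.community
    return False   # isolated<->anything non-promiscuous, or different communities


def decide(src: Port, dst: Port, service: str, fw_policy: set) -> tuple:
    """Return (path, allowed). 'direct-l2': the switch forwards it and the
    firewall never sees it. 'via-firewall': only the promiscuous port is
    reachable, so the gateway hairpins the flow and its policy decides."""
    if l2_forwarding_allowed(src, dst):
        return ("direct-l2", True)
    return ("via-firewall", (src.host, dst.host, service) in fw_policy)


# Constructed firewall policy: which hairpinned flows the gateway permits.
FW_POLICY = {
    ("HMI", "PLC", "modbus-tcp/502"),
    ("ENG", "PLC", "modbus-tcp/502"),
    ("ENG", "PLC", "vendor-programming/44818"),
}

# Flat network: no private VLAN, so every access port behaves like one big community.
FLAT = {name: Port(name, PortRole.COMMUNITY, "flat")
        for name in ("HMI", "PLC", "ENG", "ROGUE")}
FLAT["FW"] = Port("FW", PortRole.PROMISCUOUS)

# Microsegmented: HMI, PLC and the unknown host are isolated; the engineering
# station shares a community with nobody here, so it is also effectively isolated.
MICRO = {
    "FW": Port("FW", PortRole.PROMISCUOUS),
    "HMI": Port("HMI", PortRole.ISOLATED),
    "PLC": Port("PLC", PortRole.ISOLATED),
    "ENG": Port("ENG", PortRole.COMMUNITY, "engineering"),
    "ROGUE": Port("ROGUE", PortRole.ISOLATED),
}


def flow(topology: dict, src: str, dst: str, service: str) -> tuple:
    return decide(topology[src], topology[dst], service, FW_POLICY)


if __name__ == "__main__":
    for label, topo in (("flat", FLAT), ("microsegmented", MICRO)):
        print(f"--- {label} ---")
        for s, d, svc in (("HMI", "PLC", "modbus-tcp/502"),
                          ("ROGUE", "PLC", "modbus-tcp/502"),
                          ("HMI", "ENG", "ssh/22")):
            print(f"{s:5} -> {d:3} {svc:26} {flow(topo, s, d, svc)}")
```

In the flat topology every flow, including the rogue host scanning the PLC, is forwarded directly by the switch with no policy and no visibility. In the microsegmented topology the same HMI-to-PLC Modbus flow still works, but it is now a hairpin through the firewall where it can be logged and restricted, and the rogue host's attempt is dropped. One practical caveat: for a hairpin between hosts in the same subnet to work at all, the gateway must answer ARP on behalf of the isolated hosts (local proxy ARP on the SVI, in Cisco terms); without it the HMI's ARP request for the PLC simply goes unanswered and the flow stalls rather than being policed.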

The beauty of FortiNAC is that it extends control of the network to third-party products, in other words to a heterogeneous environment. This means you can implement microsegmentation policies and change configurations on switches and wireless products from more than 70 different vendors. Besides controlling microsegmentation on third-party switches through FortiNAC, you can also connect a third-party switch to FortiGate, Fortinet's next-generation firewall, and enforce microsegmentation policy there.

Detailed segmentation of the network lets devices and users reach the resources they need while blocking unauthorized access. FortiNAC creates network segments dynamically based on the identity of users or devices, their roles, their risk levels and the security policy, adapting to changing conditions. This ensures the right level of access to specific applications and resources and reduces the attack surface by isolating compromised devices: if a device is compromised, its ability to move through the network and attack other assets is limited. FortiNAC helps protect critical data and sensitive assets while supporting compliance with internal, industry, and government regulations and mandates.

Learn more: In this 70-minute webinar, Fortinet's Kunle Adetoro, CSE of Operational Technology, and Rick Leclerc, FortiNAC Solution Architect, examine the benefits of a phased approach to implementing a security solution in your OT network. You'll also learn how to achieve microsegmentation in your multi-vendor network without introducing chaos, and why it pays to invest in a platform that secures all layers of the network.