Supplanting legacy protocols, hyper-segmentation delivers
scale-out service separation and seamlessly traverses the
entire organization, from device to data center.
With hyper-segmentation, organizations can establish
borders to defend against unauthorized lateral movement,
reduce their attack profile, deliver highly effective breach
isolation, improve the effectiveness of anomaly scanning,
and greatly improve the value of specialist
security appliances.
As businesses undertake the digital transformation, the
trends of cloud, mobility, and IoT converge. Organizations
need to take a holistic approach to protecting critical
systems and data, and an important area for attention is the
ability to isolate traffic belonging to different applications.
Effective network segmentation enables the organization
to deliver separate virtual networks, each tuned to meet
specific requirements. Doing so separates essential
applications, protects confidential data and serves
as the foundation for a sound security strategy.
The most literal approach to network segmentation is to run
separate physical networks. However, this method is not only
costly; simultaneously maintaining multiple networks is also
time-consuming in the extreme, a burden that could easily
cripple most IT departments.
Traditional VLANs have been popular given that they can
be used to create logical domains that can span multiple
physical LAN segments. However, VLANs require significant
manual configuration and do not easily scale beyond the
edge of the network.
A carrier-focused service like MPLS is another option,
although this form of traffic separation is typically only
used by large enterprises, and then normally only for wide area connectivity. It requires a significant investment in
complex networking equipment, and a highly trained staff
to provision the network and maintain the configuration.
The Data Center trend for micro-segmentation or macro-segmentation (depending upon marketing preferences)
that delivers finely tuned connectivity between virtual
machine hypervisors is certainly a step in the right direction.
It is, however, by definition only a partial solution to a
much broader problem: application traffic traverses the
entire network, and is not contained within the confines of
the Data Center.
Extreme, however, enables organizations to easily and
seamlessly create network-wide virtual segments. These
segments utilize a shared, independent control plane that
is abstracted from network hardware elements, and can be
implemented end-to-end, from device to data center. This
capability is called hyper-segmentation.
Extreme's hyper-segmentation technology, enabled by
the Extreme Fabric Connect technology, helps secure
the network by virtually segregating traffic according to
enterprise-specific requirements: for example, by business
unit or for a compliance-driven application such as
payment card financial transactions. Uniquely, these hyper-segments can span the entire network. They are established
using a simplified edge-only provisioning capability, and
automatic attachment is supported thereby improving time-to-service and reducing the operational burden.
Hyper-segments can also be dynamically triggered by
users, endpoint devices, applications, servers, networking
nodes, and business policy. The underlying technology's
programmatic nature allows for seamless integration with
workflow platforms.
Service Separation
Fabric Connect handles traffic forwarding in a fundamentally
unique way, building connectivity as a series of isolated
virtual networks that interconnect specifically-provisioned
end-points only. Traffic belonging to a specific service is
encapsulated with the appropriate header at the Edge,
and remains isolated end-to-end across the network
from unconnected service traffic and is also opaque to
intermediate network nodes.
Uniquely, Fabric Connect isolates foreign services from each
other, delivering a true "ships-in-the-night" capability. This
mitigates the need for intra-network ACLs and Firewalls;
VSNs are oblivious to each other, as are hosts on different
VSNs, and there is no risk of traffic blurring between VLANs
or seeping via generic routing tables.
End-to-End Reach
Unlike VLAN tagging, domain stitching, or using MPLS
within the enterprise, Fabric Connect allows hyper-segmentation to natively extend end-to-end across
the network; from device to data center. Contrary to
conventional topology-specific technologies such as
VLANs and MPLS, network-wide segmentation ensures
that traffic belonging to a specific group of users or a
particular application remains isolated for the entirety of its
transmission from source to destination.
With end-to-end segmentation there is no point where
traffic flows belonging to different applications are allowed to
mix. Everyday examples of how this might be implemented
include Guest WLAN access that is isolated from normal
corporate traffic and only permitted to connect to the
Internet; IP Telephony sessions from handsets to call server
are partitioned from other applications; all traffic associated
with a payment card service is isolated as it traverses a
shared infrastructure.
This has the combined benefits of contiguous end-to-end
service delivery and reducing complexity and operational
burden. Network-wide segments are seamless and created
with simplified configuration commands at the network
edge. Service configuration is then automatically distributed
throughout the network. Organizations are now able to add
new services or make changes to existing services in minutes
rather than days, weeks, or months.
The Fabric Connect control plane also offers flexibility in
network design: any logical or physical topology can be
created – whether it is Ring, Tree, Hierarchical, or Layer 2 or
Layer 3, or any combination – anywhere there is Ethernet
connectivity. This eliminates traditional design constraints and
offers the freedom to build protected service segmentation
on demand, wherever and whenever it is needed.
Lateral Borders
Antiquated policy and an over-reliance upon conventional
perimeter defense can leave companies ill-prepared to face
digital-age threats. In some recent cases, attackers have
been known to focus initially on the external corporate
website, seeking to leverage this as a launch point.
Exploiting unrecognized or unpatched vulnerabilities to
gain entry, and taking advantage of the borderless nature
of the internal network, has permitted attackers to simply
roam at will until data of sufficient value has been found,
mined, and extracted.
Extreme delivers businesses a smart alternative to
conventional, outdated techniques and technologies
that are proving largely ineffective to digital-age threats.
Solutions created using Fabric Connect leverage, at their
foundation, a next-generation network virtualization
technology that naturally compartmentalizes traffic. This
unique capability is very complementary to defense-in-depth and specialist overlay services, supporting data
protection for security-conscious organizations.
Complementary Security
Hyper-segmentation is very complementary to defense-in-depth and specialist security service overlays, enhancing
data protection for security-conscious companies.
Leveraging Fabric Connect, it becomes easy to implement
additional layers of security, such as state-aware firewall and
intrusion detection. These can then be configured to focus
on a very narrow profile of that traffic which is acceptable
and a normal baseline, versus what is potentially anomalous.
In other words, establishing narrowed connectivity and
information flow domains allows for known-good traffic
patterns to be baselined, and anomalies to be more easily
and quickly detected. Therefore, when suspect behaviors
are identified, they can be signaled to reporting platforms
for detailed examination and corrective action.
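The passage above argues that a narrowed connectivity domain gives a small "known-good" profile, so anomalies surface more easily. The following constructed example, added here and not Extreme's code, shows that effect on a handful of made-up flow records: the same (destination, port) pair is baselined once per segment and once for the whole enterprise, and an SMB flow that is ordinary in the corporate segment is only flagged when it appears in the payment segment. Segment names, host names and ports are all constructed.

```python
"""Per-segment baselining of known-good flows (constructed example).

Not Extreme's code: a small model of the argument that a narrow
connectivity domain yields a small normal profile, so a flow that is
ordinary elsewhere in the enterprise stands out in the wrong segment.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    segment: str   # the virtual segment the flow was observed in
    src: str
    dst: str
    dport: int


# Constructed known-good flows captured while each segment was baselined.
BASELINE_FLOWS: List[Flow] = [
    Flow("payment", "pos-1", "card-server", 443),
    Flow("payment", "pos-2", "card-server", 443),
    Flow("corporate", "laptop-1", "file-server", 445),
    Flow("corporate", "laptop-2", "file-server", 445),
    Flow("corporate", "laptop-1", "proxy", 8080),
]

# Constructed later observations; the last two are the ones worth flagging.
OBSERVED_FLOWS: List[Flow] = [
    Flow("payment", "pos-1", "card-server", 443),
    Flow("corporate", "laptop-2", "proxy", 8080),
    Flow("payment", "pos-2", "file-server", 445),   # SMB from a POS terminal
    Flow("payment", "pos-1", "pos-2", 22),          # SSH between two POS terminals
]

Profile = Set[Tuple[str, int]]   # (destination, port) pairs accepted as normal


def profile_key(flow: Flow, per_segment: bool) -> str:
    """Per-segment profiles key on the segment; a flat profile lumps everything."""
    return flow.segment if per_segment else "*"


def build_profiles(flows: List[Flow], per_segment: bool = True) -> Dict[str, Profile]:
    """Learn the set of (dst, port) pairs seen as normal under each key."""
    profiles: Dict[str, Profile] = defaultdict(set)
    for f in flows:
        profiles[profile_key(f, per_segment)].add((f.dst, f.dport))
    return dict(profiles)


def find_anomalies(flows: List[Flow], profiles: Dict[str, Profile],
                   per_segment: bool = True) -> List[Flow]:
    """Flag flows whose (dst, port) was never seen as normal in their profile."""
    return [f for f in flows
            if (f.dst, f.dport) not in profiles.get(profile_key(f, per_segment), set())]


def compare() -> Dict[str, List[Flow]]:
    """Run the same observations against per-segment and flat baselines."""
    return {
        "per_segment": find_anomalies(OBSERVED_FLOWS, build_profiles(BASELINE_FLOWS, True), True),
        "flat": find_anomalies(OBSERVED_FLOWS, build_profiles(BASELINE_FLOWS, False), False),
    }


if __name__ == "__main__":
    for mode, hits in compare().items():
        print(mode)
        for f in hits:
            print(f"  anomalous in {f.segment}: {f.src} -> {f.dst}:{f.dport}")
```

The flat baseline accepts file-server:445 because corporate laptops use it every day; the per-segment baseline has never seen it in the payment segment and reports it, which is the detection gain the section describes.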
Leveraging the dynamic network segmentation capabilities
of Fabric Connect, individual anomalous devices, or
entire end-to-end systems, can be moved to separate
logical segments. This allows for specialist analysis to be
conducted, in real-time, while minimizing exposure to a
potential threat. Rather than only being able to block a
suspect device, and therefore potentially over-reacting to
a false positive, organizations can also choose to adopt
a "wait and see" approach; essentially a half-way house
between normal application access and complete isolation.
In cases where malicious activity has passed a defined
threshold, offending systems can be swiftly quarantined,
and forensics tools brought to bear.
Additionally, when deployed in concert with an
Enterprise-class access control broker such as Extreme
Identity Engines, Fabric Connect leverages fine-grained
authentication and authorization to create very effective
policy enforcement points; no connectivity is provided
without users and/or devices first proving themselves.
Edge-Only Provisioning
Network-wide segments are seamless, created with
simplified configuration commands on an Edge node.
Fabric Connect automatically permeates the configuration
throughout the network, eliminating error-prone and time-consuming network-wide manual configuration practices.
Organizations are now able to add new services or make
changes to existing services in minutes rather than days,
weeks, or months.
Edge-only provisioning completely removes any need for
service-specific configuration in the Core, or any other
intermediate Fabric Connect node; if a service is present
on just two nodes, then the necessary configuration appears
on only these two nodes, nowhere else, regardless of the
network topology or size. This completely revolutionizes
the configuration and change paradigm, from hop-by-hop
to end-to-end; configuration becomes vastly simplified and
change is de-risked.
Fabric Attach facilitates the automatic attachment
of authenticated end-point devices directly into their
appropriate VSNs. Equally beneficial at both the Wiring
Closet and Data Center edges, Fabric Attach supports
dynamic service creation and removes the delays and risks
associated with manually configuring conventional networks.
Massive Scalability
Many conventional networks, including those offering
virtualization capabilities, remain constrained by the original
VLAN specification that limits the number of unique
services to just over four thousand. This number may have
been sufficient when segmentation was applied only very
coarsely, but, in an age of IoT, mass segmentation will be
crucial to delivering both effective scalability and isolation-based security.
Thankfully, Fabric Connect delivers a distinctly different
operational experience. Simply put, communication is
established between two or more devices by all being
configured as members of the same Virtual Service
Network (VSN). This configuration is applied only at the
Fabric Edge, using one of 16 million unique Service IDs, and
creates a virtual segment that can span end-to-end across
the network. Crucially, the core of the network does not
need to be re-configured to support a new or changed VSN,
allowing services to be dynamically provisioned without
introducing risk.
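To make the Service Separation, Edge-Only Provisioning and Massive Scalability sections above concrete, here is a constructed toy model, added for this page and not Extreme's or Fabric Connect's code. Hosts are attached to a service at an edge node, a frame is wrapped with the service ID at ingress, core nodes forward on the outer header alone, and an egress edge delivers only to hosts that are members of the same service. The 24-bit service ID range, the node and host names and the service IDs 1000 and 2000 are assumptions for the illustration.

```python
"""Toy model of edge-encapsulated, service-ID based segmentation.

Constructed illustration only, not Fabric Connect code. Hosts are attached
to a service at an edge node; a frame is wrapped in an outer header carrying
that service ID at ingress; core nodes forward on the outer header alone; an
egress edge hands the frame to a host only if it is a member of the same service.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

VLAN_ID_LIMIT = 4094              # 12-bit 802.1Q tag with 0 and 4095 reserved
SERVICE_ID_LIMIT = (1 << 24) - 1  # assumed 24-bit service ID space ("16 million")


@dataclass(frozen=True)
class Frame:
    src_host: str
    dst_host: str
    payload: bytes


@dataclass(frozen=True)
class Encapsulated:
    """What crosses the fabric: an outer header plus the opaque inner frame."""
    service_id: int
    ingress_edge: str
    inner: Frame


@dataclass
class Fabric:
    # edge node -> service ID -> hosts attached to that service on that edge
    edge_config: Dict[str, Dict[int, Set[str]]] = field(default_factory=dict)
    # core nodes hold no per-service state; nothing below ever writes to them
    core_nodes: Set[str] = field(default_factory=set)

    def provision(self, edge: str, service_id: int, host: str) -> None:
        """Edge-only provisioning: the named edge is the only node touched."""
        if not 1 <= service_id <= SERVICE_ID_LIMIT:
            raise ValueError(f"service ID {service_id} outside 1..{SERVICE_ID_LIMIT}")
        self.edge_config.setdefault(edge, {}).setdefault(service_id, set()).add(host)

    def service_of(self, edge: str, host: str) -> Optional[int]:
        """Which service a host is a member of on a given edge, if any."""
        for sid, hosts in self.edge_config.get(edge, {}).items():
            if host in hosts:
                return sid
        return None

    def ingress(self, edge: str, frame: Frame) -> Optional[Encapsulated]:
        """Wrap the frame with its source host's service ID; no service, no path."""
        sid = self.service_of(edge, frame.src_host)
        return None if sid is None else Encapsulated(sid, edge, frame)

    def core_forward(self, enc: Encapsulated) -> Encapsulated:
        """Core forwarding consults only the outer header, never the inner frame."""
        return Encapsulated(enc.service_id, enc.ingress_edge, enc.inner)

    def egress(self, enc: Encapsulated) -> List[Tuple[str, str]]:
        """Deliver to every edge where the destination is a member of this service."""
        return sorted(
            (edge, enc.inner.dst_host)
            for edge, services in self.edge_config.items()
            if enc.inner.dst_host in services.get(enc.service_id, set())
        )

    def send(self, edge: str, frame: Frame) -> List[Tuple[str, str]]:
        enc = self.ingress(edge, frame)
        return [] if enc is None else self.egress(self.core_forward(enc))

    def nodes_with_service_state(self) -> List[str]:
        return sorted(self.edge_config)


PAYMENT_VSN, GUEST_VSN = 1000, 2000   # constructed service IDs


def build_demo_fabric() -> Fabric:
    """Constructed topology: three edges, two cores, two services."""
    fab = Fabric(core_nodes={"core-1", "core-2"})
    fab.provision("edge-A", PAYMENT_VSN, "pos-terminal")
    fab.provision("edge-B", PAYMENT_VSN, "card-server")
    fab.provision("edge-A", GUEST_VSN, "guest-laptop")
    fab.provision("edge-C", GUEST_VSN, "internet-gw")
    return fab


def run_demo() -> Dict[str, object]:
    fab = build_demo_fabric()
    return {
        # same service on two edges: delivered across the fabric
        "payment_to_server": fab.send("edge-A", Frame("pos-terminal", "card-server", b"auth")),
        # guest host naming the card server: the server is not in the guest service
        "guest_to_server": fab.send("edge-A", Frame("guest-laptop", "card-server", b"probe")),
        # host with no service membership gets no connectivity at all
        "unprovisioned": fab.send("edge-B", Frame("rogue-box", "card-server", b"x")),
        # only edges carry service configuration; the cores were never touched
        "configured_nodes": fab.nodes_with_service_state(),
        # how many VLAN-sized ID spaces fit in the assumed service ID space
        "service_id_headroom": SERVICE_ID_LIMIT // VLAN_ID_LIMIT,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The guest frame is dropped at egress without any ACL: the card server is simply not a member of the guest service, which is the "ships-in-the-night" property the text describes, and the only nodes that gained configuration are the edges that host the services.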
Dynamic Workgroups
Some organizations maintain a need for additional levels of
separation to be applied, either temporarily or in the long
term. Examples include cases where "Chinese Walls" are created
for projects or ongoing joint-venture operations. However,
the individuals and devices involved in such activities can
often need to move between these sensitive functions and
their more routine roles.
This desire to selectively apply enhanced protection can
present something of a challenge as many organizations
have enacted policies that forbid the use of encryption
technologies for communications and storage. This is as a
result of these technologies becoming closely associated
with the use of the "Dark Web" and nefarious activities
such as organized crime and terrorism. Law enforcement
agencies argue against the uncontrolled availability and
wide-spread use of this technology, and it is often blocked
at security demarcation points.
This dichotomy makes life difficult for those organizations
that wish to responsibly apply enhanced levels of
protection for particularly sensitive applications and data
but need to ensure that they do not become an unwitting
third party to serious illegal activity.
Extreme is able to provide a solution to this requirement
through a combination of unique technologies. Teams,
being people and/or devices, can be dynamically created,
automatically relocated to a new and unique network
segment, and additional levels of protection can be
applied. The programmatic nature of Fabric Connect
allows for these subject-specific private networks to
be established without the need to involve manual
configuration or provisioning. Leveraging an Extreme
Breeze-powered workflow, users can self-provision the
required connectivity and services: private network
segmentation, IP Address re-assignment, and access to
restricted implementations of applications such as unified
communications, video conferencing, and file sharing. The
private network is available only to authorized personnel
and is active only as required.
Imagine the scenario where a project team working on
M&A activity has a weekly call: a single click on the meeting
link would automatically trigger a series of background
provisioning changes that form this group of individuals,
and their relevant devices, into a separate private network.
All of the normal Fabric Connect stealth capabilities apply,
and through a partnership that Extreme has established
with security innovator Senetas, it is also possible
to selectively add end-to-end encryption. Therefore,
organizations can dynamically deliver a genuinely private
and secure workgroup networking capability.
The world is on the verge of an unprecedented expansion
in networked connectivity, driven by the combined
forces of the Internet of Things and Smart infrastructures.
No organization can afford to ignore the importance
of protecting access to its network, applications, and
information. Without proper controls, a breach of one
device could provide a hacker with the virtual keys to
the castle.
Hyper-segmentation delivers scale-out service separation
and seamlessly spans the entire organization, from device
to data center. Critical applications and confidential data
can be easily and automatically compartmentalized, users
and devices partitioned, and policy boundaries established.
Extreme provides the networking attributes that are
fundamental for businesses operating in the age of IoT.
With hyper-segmentation, organizations can establish
borders to defend against unauthorized lateral movement,
reduce their attack profile, deliver highly effective breach
isolation, improve the effectiveness of anomaly scanning,
and maximize the value of specialist security appliances.
Lateral movement is regulated and this helps defend the
greater network should one element be subject to attack;
breach isolation is an important aspect of defense-in-depth.
Intelligently segmenting applications and content enables
more effective baselining and anomaly scanning.
Extreme delivers technologies that help secure the
everywhere-perimeter. Organizations can significantly
reduce the level of network exposure and they can avoid
the chinks that are normally used for an exploit.
Empowering businesses to differentiate their critical
application and confidential data, to efficiently and with
massive scale partition the essential, and to obscure and
harden the network, provides a comprehensive security
foundation in an epoch of cyber-attack and IoT.
Extreme delivers a solution set of next-generation
capabilities that address the challenges of the everywhere-perimeter. It provides a foundational layer for the
specialist security services employed today, enabling
their effectiveness to be maximized. Extreme leverages
a shared control plane that seamlessly manages hyper-segmentation, native stealth, and automatic elasticity across
the organization. Using software-defined and identity
technologies to automate onboarding and access from users,
devices, networking nodes, and servers, Extreme makes
protecting and managing everywhere-access practical.
To learn more about Extreme Networking, and to obtain additional information such as white papers and case studies, please contact your Extreme Account Manager or Authorized Partner or visit us at www.extremenetworks.com.