Hybrid Architectures – You Have Choices


Network architectures have evolved vastly over the last 10 years.  When connecting enterprise users to the data center (on-premises or in the cloud) you have options for access.  Let’s look at these hybrid architectures and how the perimeter is changing to support zero trust practices.

Network Micro Segmentation

We have been segmenting networks from the beginning, for many reasons.  As networks advanced we connected these segments through gateways to build MANs and WANs, and today we segment in software with VLANs or virtually within a hypervisor.

Defining perimeters in a segmented architecture is done with firewalls, routers, and switches.  We use this perimeter to define access controls and to decide where to place sensors.  Palo Alto Networks, VMware, and Check Point are all great providers.  When considering segmentation providers it’s important to understand your organization’s attack surface.  For example, if you allow inbound traffic you will want a provider whose next-generation firewall (NGFW) is Layer 7 aware.

This architecture is best suited to large enterprises that build their own networks.  It can offer great flexibility but is capital intensive and usually a longer-term project.  Most organizations that practice micro-segmentation are looking at adding identity-aware proxies to augment this approach.  This hybrid approach quickly enables mobility, cloud deployments, and other technology advantages.

Software Defined Perimeter

Software-defined networks control data flow through a separate control plane.  This led to the “Black Cloud” concept that security professionals use to create a software-defined perimeter (SDP).  The SDP controller operates the control channel, and the device transmits over the data channel.

This relatively new security architecture was first used within the Defense Information Systems Agency (DISA) and the Global Information Grid (GIG) around 2007.

Defining perimeters in SDP is simplified by this controller / gateway architecture.  Providers in this space, such as Zscaler, Cyxtera and Vidder, offer advanced security detection and policy enforcement.

Much like network segmentation, this approach is still capital intensive.  Because the control plane is abstracted, the long-term cost benefits outweigh the upfront costs.  This approach works best for organizations that are familiar with VPN / IPsec, as SDP still uses tunnels.  Most organizations can quickly move away from VPNs to support a zero trust architecture.

Identity Aware Proxies

In early 2017 Google announced its Identity-Aware Proxy (IAP), the building block for BeyondCorp.  The premise is that all users connect through a proxy.  Using a proxy eliminates east-west lateral movement, and making the proxy identity-aware also eliminates north-south lateral movement and privilege escalation.

These advanced IAPs not only proxy traffic but stitch TLS sessions together.  With this approach no inbound connection ever needs to be established.  Instead, you decide whom to connect to by specifying your secure, trusted IAP.
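As an added illustration (not code from this post or from any IAP vendor), the following Python models the decision an identity-aware proxy makes before it forwards a request to a backend: verify the signed identity assertion, then check group membership, MFA and device posture against the application’s policy, defaulting to deny. The signing key, the claim names and the APP_POLICY table are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key standing in for the identity provider's signing key.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed per-application policy: which groups may reach the app, and
# whether the session must be MFA-backed and come from a managed device.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "mfa": True, "managed_device": True},
    "wiki": {"groups": {"staff", "finance"}, "mfa": False, "managed_device": False},
}


def sign_assertion(claims: dict) -> str:
    """Issue an HMAC-signed identity assertion (stand-in for the IdP's signed token)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_assertion(token: str) -> Optional[dict]:
    """Return the claims only if the MAC over the body is valid; otherwise None."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def authorize(app: str, token: str) -> Tuple[bool, str]:
    """Decide whether the proxy forwards this request to the backend app."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown app"  # default deny: nothing is reachable unless listed
    claims = verify_assertion(token)
    if claims is None:
        return False, "invalid assertion"  # tampered or unsigned identity is rejected first
    if not policy["groups"] & set(claims.get("groups", [])):
        return False, "group not permitted"
    if policy["mfa"] and not claims.get("mfa"):
        return False, "mfa required"
    if policy["managed_device"] and not claims.get("managed_device"):
        return False, "unmanaged device"
    return True, "forward to backend"
```

Every check runs at the proxy, so the backend never sees a request that has not already passed identity, group and device-posture evaluation.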

IAP providers such as Akamai’s Enterprise Application Access and Centrify integrate with identity management and streamline SSO / MFA integration requirements.  This also offers long-term flexibility as more enterprise organizations move to the cloud and to mobile workforces.  It is also a great fit for mid-size and smaller businesses that are adopting cloud-only approaches.

IAPs are not capital intensive, as they are usually subscription services.  They can, however, take longer to deploy, especially if organizations use client-side applications.