Microsegmentation via NAC-driven Zero Trust Network Access (ZTNA)

According to Gartner, 60% of all enterprises will use the Zero Trust Security Model by 2023. At the same time, Gartner indicates that security and risk management leaders should move beyond the simple hype of zero trust and focus on the substantive task of implementing two key projects: Zero Trust Network Access (ZTNA), and Identity-based segmentation, also known as micro- or zero trust segmentation. Without a doubt, segmenting one’s network is the most critical step cybersecurity professionals can take to limit the ability of attackers to move laterally in a network in the event they have gained access. However, the traditional castle-and-moat approach such as is typically deployed via VLAN steering, internal firewalls, and Access Control Lists (ACLs) is not sufficient to secure evolving, heterogeneous network environments. How then can we effectively segment our networks in as granular a fashion as possible?

This is not “one or the other.” You should leverage all!

Even though people are talking about Zero Trust, many are still primarily using the traditional approaches mentioned above due to maintenance and budgetary issues, as well as thanks to simple inertia. Still, we should be able to enhance these legacy approaches with the goal of segmenting networks more logically and dynamically by leveraging Genians’ Node grouping feature. For that, Genians offers 3 practical methods. Again, you don’t have to choose just one; rather, it often makes sense to combine approaches and deploy a mixed solution that supports your network architecture optimally – allowing maximally secure, just-in-time, just-enough access to your enterprise IT resources.

Sensor-based Microsegmentation

When it comes to segmentation, Genians’ network sensor is able to illuminate entire networks, including wired, wireless, virtual, and Cloud by capturing various attributes of all connecting devices. These attributes include device fingerprinting data, business context information such as End of Life (EoL), End of Support (EoS), and risk-related data such as Common Vulnerability Exposure (CVE) along with industry-relevant news. Moreover, such attributes can be tagged according to generic device categories and correlated to more accurately identify any connected devices platform information. Attributes are therefore the key elements neededto precisely identify what it is, who is using it, where they are coming from and to, and how they are being securely connected.

Most importantly,this comprehensive approach helps segment networks logically and with as much granularity as possible since Genians provides over 500 conditions along with specific attributes. Once you deploy this segmented network, you can achieve better policy enforcement against any non-compliant, unknown, or rogue devices using ARP security and other approaches like 802.1x, Switch Port control, SSID, and Agent-based actions. For 16 years now, Genians has provided layer 2 / sensor-based Network Access Control (NAC) solutions. As these do not require any network configuration changes or upgrades whenever the network environment is changed, many customers have chosen this option as their primary method for network visibility and policy enforcement.

  • Pros: Fast deployment, no downtime, no disruption. Solution covers all campus network, various types of remote sites, and secures all traffic; north-south and east-west, as well as public and private Cloud.
  • Cons: Each network segment requires a network sensor.

Gateway-based Microsegmentation

For Gateway-based microsegmentation, Genians simply expands the concept of its network sensor from the network layer (L3) to the application layer (L7) in order to secure all access no matter its source. Genians therebysecures access to remote sites as well as applications in distributed environments. In the same network, one has the option to isolate a node trying to communicate with any other nodes, so all traffic can be confidently secured.

  • Pros: A single point control by monitoring all traffic.
  • Cons: High Availablity (HA) is required to avoid a single point of failure for network traffic.

Agent (Host)-based Microsegmentation

In this case, Genians’ Agent can collect all installed software and hardware asset information from endpoint devices toenrich the attributes of connected devices. The agent can also control native firewall capabilities to support centrally managed firewall-based polices. This approach further supports ZTNA Anywhere and enhanced VPN capabilities.

  • Pros: It will automatically establish the most secure connection by leveraging the concept of Always-on ZTNA. Without the agent, devices are not able to gain network access.
  • Cons: Major endpoint devices like Windows, macOS, and Linux require an agent to be installed. IoT devices cannot be supported.

Summary

Altogether, these 3 methods support software-defined microsegmentation in order to increase the level of accuracy of identification and to segment all connected devices dynamically at a granular level without causing network disruption. Most importantly, you can leverage all 3 options for maximum effectiveness in specific use-cases; for example, you can choose the sensor-based option for campus networks while employeing the Gateway-based solutionfor remotes sites and Agent-based for remote users. Taken together you can effectively orchestrate all options to maintain the highest level of security compliance for your evolving networks.
Solve IT
Team Genians

Securing Layers 2 and 3 to Stop Lurking Cyber Threats

Firewalls leave your network vulnerable! Hidden threats lurk in Layers 2 & 3, compromising data flow. Genians NAC offers a multi-layered defense, securing these foundational layers to stop ARP spoofing, rogue devices, and more. No Disruptions, No Downtime. Just fortify your network & embrace Zero Trust!

Read More »

Why NAC? Why Genians?

Play Video
Scroll to Top

We use cookies to help improve this website and enhance your browsing experience You can change your cookie settings at any time. • Privacy • Terms