The Case for Network Segmentation
Network segmentation is used to reduce congestion, contain network problems locally, and improve security. Combined with firewalls, it protects sensitive data from unauthorized access, and with filters, prevents users from accessing prohibited or harmful content. There are several laws and standards that require one or more of the above, such as Payment Card Industry (PCI) compliance, the Children’s Internet Protection Act (CIPA), the Sarbanes-Oxley (SOX) Act, Public Key Infrastructure (PKI) standards, and the Health Insurance Portability and Accountability Act (HIPAA).
Putting in place the right network configuration and hardware equipment is only the first step towards meeting security standards and regulations; maintenance and configuration changes are the long-haul costs. In addition, most enterprises undergo third-party audits to catch issues that may compromise security and compliance.
The straightforward way to verify that your network configuration, firewall rules, and filters are in place is to check if all configurations are correct. Though I am pretty sure that nobody goes to sleep after a configuration change without connecting to the guest wireless and making sure they cannot access the company’s datacenter, or without trying to access playboy.com (in case they need to be CIPA compliant).
The remaining question is: how do you detect when something breaks and suddenly your datacenter is accessible from your guest wireless, or elementary school students can access prohibited Internet content? Well, the answer is pretty simple: have somebody check every few seconds or minutes that everything is in place, and if it is not, notify the appropriate person to repair the issue.
Testing Network Segmentation and Content Filtering
This is where synthetic network monitoring comes into play! An agent can run a test periodically and verify that the appropriate configurations, rules, and filters prevent it from accessing unauthorized content. If this is not the case, the agent can alert that there is a security vulnerability or a compliance violation.
Here are some use cases:
- Content filtering: a wireless agent connected to an elementary school network runs an HTTP test to adult websites. If the test is successful, then the school is not CIPA compliant.
- PCI compliance: a hardware agent in the same subnet as a Point of Sale (PoS) system runs a ping test to google.com. If the test is successful, then the PoS subnet is open to the Internet.
- HIPAA compliance: a virtual agent installed in the same subnet as the ERP server holding personal record information tries to access the Internet. If the test succeeds, then HIPAA compliance is not met.
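The inverted logic behind these use cases, as an added example in Python that is not NetBeez's code: each check is a probe that is expected to fail, and an alert is raised when it succeeds. It uses a TCP connect as a stand-in for the ping and HTTP tests, the 10.x addresses are constructed placeholders, and it adds a "canary" that must stay reachable, so an agent that has simply lost its network cannot report "everything is blocked" as compliance.

```python
import socket
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Check:
    name: str                      # which control this probe verifies
    host: str
    port: int
    must_be_blocked: bool = True   # True: a successful probe is a violation

# Constructed sample policy for a guest-wireless / PoS-subnet agent.
# The 10.x addresses are placeholders for a datacenter host and gateway.
CHECKS = [
    Check("guest-to-datacenter", "10.10.10.10", 443),                   # segmentation rule
    Check("pos-egress", "google.com", 443),                             # PCI: no Internet from PoS subnet
    Check("canary-gateway", "10.10.10.1", 443, must_be_blocked=False),  # must stay reachable
]

def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds, i.e. the path is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def evaluate(checks: List[Check], probe: Callable[[str, int], bool]) -> List[str]:
    """Run every check through `probe` and return one alert per violated control.

    A check that must be blocked alerts when the probe succeeds; the canary
    (must_be_blocked=False) alerts when it fails, so an offline agent cannot
    masquerade as "all paths blocked, we are compliant".
    """
    alerts = []
    for c in checks:
        reachable = probe(c.host, c.port)
        if c.must_be_blocked and reachable:
            alerts.append(f"ALERT {c.name}: {c.host}:{c.port} reachable but should be blocked")
        elif not c.must_be_blocked and not reachable:
            alerts.append(f"ALERT {c.name}: {c.host}:{c.port} unreachable; agent may be offline")
    return alerts

if __name__ == "__main__":
    # Run once; a scheduler or a loop with a sleep turns this into periodic monitoring.
    for line in evaluate(CHECKS, tcp_probe) or ["OK: all controls hold"]:
        print(line)
```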
Synthetic network and application monitoring tools are mostly focused on measuring end-to-end performance from the user perspective. Since the agents act as another user in the network, they can be used to monitor security and regulatory compliance.
NetBeez is an end-user network monitoring tool that provides hardware, wireless, and virtual agents that can cover all environments that need monitoring for security and compliance. Among other tests, the agents run ping, traceroute, and HTTP tests, and all the data is collected on a central server which can be configured to send alerts when tests fail or succeed.