Patrolling the Micro-Perimeter to Enhance Network Security

The historical focus on network security has been at the external perimeter—the outside access points to the enterprise network that are directly exposed to incoming threats that largely originate in Internet traffic.

However, now, with the growth of distributed micro-networks in offices and factories, there is a new case for additional internal security measures at the micro-network edges that exist within the enterprise's global network infrastructure.

In this world of networks within networks, how do you prevent a threat, or even unauthorized user access, from penetrating a specific micro-network that exists within your end-to-end network infrastructure?

To deal with this, companies have been adopting two primary network edge security technologies for micro-networks. They are zero-trust networks and routers and access points with built-in security.

Network Security and Zero-Trust Networks

In late 2023, a Cisco survey revealed that 86% of organizations were moving to zero-trust networks.

Why? Zero-trust is a methodology that, if fully implemented, requires organizations to implement security at seven different "pillar" points:

To achieve a full zero-trust implementation, multiple IT groups, including the network group, must get involved.

As companies move into industrial automation, remote retail sites, remote engineering, etc., the systems and applications used by each company group may need to be sequestered from corporate-wide employee access so that only those users authorized to use a specific system or application can gain access.

From a network perspective, segments of the network, which become internal network micro security peripheries, surround these restricted access systems and applications, so they are only available for the users and user devices that are authorized to use them. Multi-factor security protocols are used to strengthen user signons, and network monitoring and observability software polices all activity at each network micro-periphery.

The mission of a zero-trust network is to "trust no one," not even company employees, with unlimited access to all network segments, systems, and applications. This is in contrast to older security schemes that limited security checks and monitoring to the external periphery of the entire enterprise network but that didn't apply security protocols to micro-segments within that network. The need to restrict network access to systems and applications for certain user groups is one of the drivers for zero-trust network adoption.

Improving Network Security With Hardened Routers and Access Points

A primary security concern for edge network deployments 12 to 18 months ago was unsecured and vulnerable access points in the form of IoT sensors and devices that either had no security at all or arrived at the door with security set at low default levels. Sites responded to this by vetting and, if need be, hand-setting each incoming device—and vendors responded by hardening devices.

The result today is a new generation of edge devices that minimally come with built-in security that prevents DNS attacks and blocks risky Websites. These devices have the ability to route encrypted data to a VPN secure server, and in some cases, the routers and access points themselves act as pre-configured VPNs, encrypting traffic as it moves through the devices. Routers and access points are kept current with automatic firmware updates that maintain them at the highest WPA2/3 security levels.

Adjusting Your Network Security Plan for Edge Deployments

Zero-trust networks and secure edge access points and routers can't come at a better time, given the fact that so many companies are segmenting their networks and installing micro security perimeters within their enterprise-wide outer security perimeter. However, deriving the optimum amount of security, functionality, and efficiency from these technologies is another matter—and it will require revisions to network strategies and plans.

What Are the Challenges?

With zero-trust networks, the challenge principally lies with the fact that the networks are zero-trust (i.e. “trust no one”). Users who had more flexible system access in the past, or even high-level executives who expect to have access to any application or system in any corner of the enterprise, can push back against the new access limits of zero-trust that may exclude them from accessing certain IT assets and systems.

The bottom line for the network group, or for IT in general, is that you can't make user access decisions based on what you think might be the best set of internal security protocols and controls for various network segments without gaining consensus from users first. Users must also understand the principles of zero trust and that a primary source of security breaches can be employee behaviors and usage habits.

Increased Complexity

There is also additional technical complexity with the newly hardened edge security devices that may require network staffs to change their modes of operation.

Many of these devices come in the door with their own security monitoring, prevention, etc., so there is a functional overlap between the different devices and access points, as well as between these assets and the master firewall for the network that is already operating. Which security monitoring and prevention method will you choose?

A natural decision is to stay with the master functionality for each feature that is resident on your firewall, but what if a particular router or access point has a feature that is functionally superior to what you run on your firewall? There are cases where network staffs are mixing and matching security and monitoring functions in order to get the best capabilities possible, but as soon as you spread tasks and functions over multiple technologies, you have a more complex technical landscape to manage.

A Final Word on Network Security and the Micro-Perimeter

Mini-networks, or enterprise networks with zero-trust gateways and security on mini-network segments, are increasingly characterizing network architecture as companies move to edge computing. This forces network staffs to replan methodologies and architectures for a more distributed network deployment.

As this happens, network vendors and prognostics continue to call for a single network "uber architecture" and toolset that can manage all network facets, but at least in the shorter term, there are sites that choose to look for the best features and functionality wherever they can find them. If this requires mixing and matching different technologies provided by different tools, they'll do it for a secure edge. At the same time, they know that they're making network management more complex with the multiplicity of tools and methods they're using. This more diversified network management approach must be baked into network planning and execution.

Sikhuluwe Khashane, a cybersecurity practitioner, described it well when he said, "The key is to start with a carefully designed strategy and move incrementally along the journey." That is the place we are now, which is why careful network planning and execution are so important.