From craftily engineering social-phishing campaigns to infecting simple IoT devices, threat actors seek a single vulnerable point of entry to exploit an entire network of enterprise information treasures. Once an entry point is breached, lateral movement from device to device can spread in mere seconds. Ransomware, the bane of security teams, can infect thousands of endpoints, encrypting, erasing, and locking up the crucial components of business and government. That’s why granular network segmentation is the preferred method to prevent the lateral spread of threats. It is a critical line of defense that enterprises with sophisticated IT SecOps teams—tasked with guarding intellectual property, financial, and personal data—rely on to protect business-critical operations. 

If network segmentation is fundamental to protecting information assets from threats, why isn’t it used by default in all organizations? Note my reference to “enterprises with sophisticated IT teams”. Granular segmentation has been difficult to implement. Just finding and identifying all the devices on a network is a time-consuming and tedious effort—with more IoT devices being added every day, everywhere. Determining which devices communicate to applications and data resources on specific ports and protocols is another all-consuming project. After that, devices need to be grouped, policies for group access defined, and segmentation rules enforced. It’s not work for the impatient. Yet, every day that unidentified devices are communicating on an enterprise network increases the risk of breaches, data exposure, and ransomware infections.

Even with the appropriate IT talent and resources, segmentation is difficult to maintain manually as devices, resources, and people are increasingly mobile, moving from campus to branch to cloud. Even after endpoints are catalogued and segmentation policies defined, NetOps often lacks confidence to switch it on, fearing disruptions in connectivity that will light up the IT Help Desk. Automation for identifying, grouping, modeling, and enforcing segmentation policies is the key to securing networks of all sizes, providing the ability for even fairly small IT teams to support the endeavor.

Automating Network Segmentation for Security

To properly create policies for segmentation, IT needs to first understand which people, devices, data resources, and applications are communicating in order to model access permission policies, so that rules aren’t implemented that break existing communication. Sure, SecOps wants to ensure that threats are detected immediately and prevented from traveling laterally among devices, but NetOps needs to ensure uptime, availability, and quality of service. With automation and analytics, both goals are achievable.

Identifying Devices and Communication Paths, Ports, and Protocols

The enterprise network has traditionally been populated by thousands of similar devices such as personal computers, servers, and network components. Now, of course, the network is a heterogeneous mix of constantly moving PCs, smart phones, watches, and tablets connecting with data center applications, SaaS platforms, and cloud resources.

Then there’s IoT. While more complex and intelligent endpoints can have built-in virus scanners and patching capabilities, and can be governed by a mobile device management infrastructure, low-cost, fixed-form-factor IoT devices are typically incapable of defending themselves. Since practically every OT project and upgrade—thermostats, cameras, badge access, room occupancy sensors, medical equipment—introduces new connected devices, there is an urgent need to automate identification and apply access policies. IT needs an automated method of finding, identifying, and monitoring traffic from all types of connected devices.

Using passive network telemetry monitoring and deep packet inspection to scan the network and identify devices by type, manufacturer, communication protocols and ports, IT can finally catalogue all the devices on the network—wired and wireless, campus and remote on the WAN—and model the communications among them. With this understanding, IT can start to define a finer granularity for enforcing access permissions. If an inventory already exists in separate Configuration Management Databases, such as ServiceNow, or from Cisco Identity Services Engine (ISE) and Stealthwatch, those assets can be imported and assigned to appropriate groups. Then, as new devices come online, they are automatically identified, tagged, and added to the appropriate group.

Understanding device types is the foundation for creating logical groups of IoT access control policies. Adding the ability to map ports and protocols to devices, along with deep packet inspection to identify malware in traffic, provides an early warning system for threats. Devices that suddenly start using different ports or protocols to communicate can be automatically isolated. For example, a Behavior Anomaly Detection capability monitors devices identified as an “IP phone”; if their behavior changes—suddenly sending streams of traffic to a web server—it identifies the anomaly and automatically blocks the device until IT can investigate the cause. Similarly, IT can tag all networked thermostats with a security group that only permits communications to a central HVAC controller, not to any other devices. Access permissions for IoT devices can be fine-tuned to permit monthly internet connections to the manufacturer for software updates, but to no other IP address. IT gains visibility and control over thousands of connected devices with automated monitoring and analytics.

Group to group traffic activity flows

Analytics for Group-Based Endpoint Policies

The ability to group endpoints by type and connectivity has multiple benefits. Instead of creating access list entries for each device of the same family—video cameras—all devices with that type are automatically added to a security group with a policy that controls the permitted connections on ports and protocols. New cameras are automatically identified by manufacturer and type and added to the appropriate group. When a change occurs, the group-based policy can be edited to adapt to new circumstances and applied everywhere to every device in the same group. For NetOps peace of mind, a change can be quickly rolled back should unforeseen results of a new policy interfere with network connections or performance.

By monitoring and modeling communications among groups of devices over time, segmentation policies can be set with higher confidence that normal traffic and connections won’t be disrupted, maintaining uptime and availability. Using historical knowledge of device behavior, anomalies can be quickly detected with machine learning to automate preventive measures. Should a particular device become infected with malware/ransomware, segmentation rules prevent communication with other device types, or with different protocols, automatically quarantining the infection.
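The group-based policy model and the behavior-anomaly check described above (an IP phone that starts talking to a web server, thermostats permitted only to the HVAC controller and a vendor update host), as an added example that is not Cisco’s code and not part of the original post. Device addresses, group names, ports and flow records are all constructed for the example; in practice the inventory would come from telemetry, DPI or a CMDB import.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed inventory: address -> policy group (the article derives this from telemetry/DPI or a CMDB).
INVENTORY = {
    "10.0.1.10": "ip_phone", "10.0.1.11": "ip_phone",
    "10.0.2.20": "thermostat", "10.0.2.21": "thermostat",
    "10.0.9.5": "hvac_controller", "10.0.9.6": "call_manager",
    "10.0.9.7": "web_server", "203.0.113.8": "thermostat_vendor",
}
# Group-based policy: (src_group, dst_group) -> allowed (proto, dst_port) pairs.
# One rule covers every member of a group, so a newly discovered thermostat needs no new entry.
# Ports are constructed for the example.
POLICY = {
    ("ip_phone", "call_manager"): {("udp", 5060), ("tcp", 5060)},
    ("thermostat", "hvac_controller"): {("udp", 47808)},
    ("thermostat", "thermostat_vendor"): {("tcp", 443)},  # vendor update path only
}
@dataclass(frozen=True)
class Flow:  # one observed flow record (constructed; stands in for NetFlow/telemetry)
    src: str
    dst: str
    proto: str
    dport: int
def classify(ip: str) -> str:
    """Map an address to its policy group; unclassified endpoints fall into 'unknown'."""
    return INVENTORY.get(ip, "unknown")
def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('permit' | 'deny', reason) by looking up the group-to-group rule."""
    sg, dg = classify(flow.src), classify(flow.dst)
    key = f"{sg}->{dg} {flow.proto}/{flow.dport}"
    if (flow.proto, flow.dport) in POLICY.get((sg, dg), set()):
        return "permit", key
    return "deny", key + " has no group rule"
def find_anomalies(flows: list[Flow]) -> dict[str, list[str]]:
    """Sources with any flow outside their group's policy: candidates for automatic isolation."""
    flagged: dict[str, list[str]] = {}
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            flagged.setdefault(f.src, []).append(reason)
    return flagged
SAMPLE_FLOWS = [  # constructed flow records
    Flow("10.0.1.10", "10.0.9.6", "udp", 5060),    # phone -> call manager: normal
    Flow("10.0.2.20", "10.0.9.5", "udp", 47808),   # thermostat -> HVAC controller: normal
    Flow("10.0.2.21", "203.0.113.8", "tcp", 443),  # thermostat -> vendor update: normal
    Flow("10.0.1.11", "10.0.9.7", "tcp", 80),      # phone -> web server: anomaly
    Flow("10.0.2.20", "10.0.1.10", "tcp", 22),     # thermostat -> phone: anomaly
]
```

Running `find_anomalies(SAMPLE_FLOWS)` returns the two sources whose flows have no group rule, which is the point at which the article’s anomaly detection would quarantine the device pending investigation.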

Enforcing Group-Based Segmentation Policies

Once devices and people have been assigned to groups and access control policies applied, applications and data sources can be added to ensure that only authorized users on trusted devices—even for specific locations—get access to regulated applications. For example, compliance-critical apps that organizations need to protect, such as medical records in healthcare or PCI data in retail organizations, can be segmented with group-based policies that only allow access by authorized people, from trusted devices and locations.

Common policy groups automatically follow people and devices as they move from campus to branch to teleworker, and follow applications and data resources as they move from data center to cloud. Common policy groups can apply to devices and people in the campus and branch networks based on existing access policies established by security applications such as Cisco ISE, and to data center/cloud applications managed by Cisco ACI DC/Cloud.

Sharing group information across the enterprise

Cisco DNA Center with AI Endpoint Analytics, Group-Based Policy Control

Segmentation has always been a cornerstone of network security but has been difficult to implement and maintain. As networks adopt software-defined architectures, it becomes easier to apply segmentation rules and policies that follow people, devices, and applications as they move physically or virtually. Cisco DNA Center 2.11 provides two new applications for managing enterprise-wide segmentation:

  • AI Endpoint Analytics
  • Group-Based Policy with Analytics and Access Control

Two new applications in Cisco DNA Center power endpoint discovery and group-based policy enforcement.

With these new additions to Cisco DNA Center, even organizations with constrained IT resources can discover and enforce segmentation throughout their networked resources, across WANs and data centers to cloud platforms. Access to applications can be constrained to selected people, devices, and locations as policies follow named groups throughout the network.

These benefits accrue from a Software-Defined Architecture and controller-based networking. The network fabric becomes a first line of defense against threats using endpoint discovery and group-based policy controls to manage segmentation across the enterprise. Applications and data are easier to secure against unauthorized access. Finally, segmentation is an automated and manageable solution for network security and control.

For more details on automating segmentation policies in Cisco DNA Center:


Ravi Chandrasekaran

Senior Vice President

Enterprise Networking