Segmenting in 60 Minutes
As we discussed in a previous blog, segmentation supports defense in depth strategies by helping to prevent a breach and also preventing it from spreading. A segmented network is broken into logically or physically separated sections where equipment that needs to communicate can, but other traffic is prohibited. While it may seem daunting, we’re here to tell you that it can be quite easy! Did you know that if you have Cisco Catalyst 9300 switches (or any other switch with OpenFlow capability) at the distribution or core layer of your OT network, you can get basic network segmentation in only an hour of work?
Here’s how!
What you need: a Cisco Catalyst 9300 (or any switch with OpenFlow capability) and the Veracity OT Network Controller
3 easy steps:
- Activate your switch to OpenFlow mode
- Connect the switch to the Veracity OT Network Controller and put the controller into learning mode for 30 minutes.
- Audit your new ruleset by putting the Veracity OT Network Controller back into operational mode. (Pro tip: turn on “system generated drop rules” on the Veracity Controller to reduce the amount of noise from new communications coming online until you can approve them.)
Results: Congratulations, you have segmented all traffic that passes through your switch!
This may sound too good to be true, so we’ll give a little more detail to help explain. The Veracity OT Network Controller manages all network communication on a source-to-destination basis, including the protocol being used for each message. This means that every communication that passes through the switch is now controlled. The learning mode used in the three steps listed above watches all communication passing through the switch and creates “allow” rules for it. This mode quickly gets the network up and running, passing normal traffic. The third step is not strictly required, but it is highly recommended, because every network carries some communications traffic that is undesired and learning mode will have created allow rules for that traffic too. This may be unwanted pinging, multicast traffic, or even ring beacons that are not contained and are taking up precious bandwidth. You can create “block” rules for this traffic and improve the throughput of your network.
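To make the learning-mode and operational-mode behaviour concrete, here is a small added example (not Veracity’s code and not any OpenFlow API) that models a controller keeping rules per source, destination and protocol: learning mode turns every observed flow into an allow rule, the audit demotes unwanted learned flows to block rules, and in operational mode any communication that is not yet approved is dropped and logged for review. All host names and protocols are constructed sample values.

```python
from collections import namedtuple

# Rule key: traffic is managed per source, destination and protocol, as the page describes.
Flow = namedtuple("Flow", "src dst proto")

class FlowController:
    """Simplified model of learning vs. operational mode (constructed illustration,
    not Veracity's or any vendor's implementation)."""

    def __init__(self):
        self.mode = "learning"
        self.allow_rules = set()  # "allow" rules created while learning
        self.block_rules = set()  # explicit "block" rules added during the audit
        self.audit_log = []       # unapproved flows dropped in operational mode

    def observe(self, flow):
        """Return the verdict for one observed flow under the current mode."""
        if self.mode == "learning":
            self.allow_rules.add(flow)   # learning mode creates an allow rule for everything seen
            return "allow"
        if flow in self.block_rules:
            return "block"               # operator-defined block rule wins
        if flow in self.allow_rules:
            return "allow"
        self.audit_log.append(flow)      # system-generated drop: new communication awaiting approval
        return "drop"

    def audit(self, unwanted):
        """Step 3: demote unwanted learned flows to block rules, then go operational."""
        for flow in unwanted:
            self.allow_rules.discard(flow)
            self.block_rules.add(flow)
        self.mode = "operational"

def run_demo():
    """Walk the three steps with constructed sample traffic; returns the verdicts."""
    ctl = FlowController()
    # Constructed traffic seen during the learning window (hypothetical host names).
    for f in [Flow("plc-1", "hmi-1", "modbus/tcp"),
              Flow("hmi-1", "historian", "opc-ua"),
              Flow("eng-ws", "plc-1", "icmp")]:   # unwanted pinging, as the page mentions
        ctl.observe(f)
    ctl.audit(unwanted=[Flow("eng-ws", "plc-1", "icmp")])
    return {
        "plc_to_hmi": ctl.observe(Flow("plc-1", "hmi-1", "modbus/tcp")),
        "ping": ctl.observe(Flow("eng-ws", "plc-1", "icmp")),
        "vendor_laptop": ctl.observe(Flow("vendor-laptop", "plc-1", "modbus/tcp")),
        "audit_log": list(ctl.audit_log),
    }
```

The audit log is the part worth watching after step 3: each entry is a communication that came online after the learning window and is waiting for an operator to approve or block it.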
It is uncommon for network users to have the ability to migrate an entire existing network at the same time. By starting with the distribution or core layer switch on the OT network, all traffic flowing through that switch will be managed by the Veracity Controller, and this essentially segments the network. Once you have the topmost level of your OT network segmented, you can begin to evaluate other areas and prioritize updates in phases. Start by asking yourself: are there critical assets that require micro-segmentation to harden that part of the network? Are there parts of the network that are problematic because of VLAN issues, loopbacks that have occurred, or third-party access that needs to be contained? Once you identify the next phase, you can replace or upgrade the switches to those with OpenFlow support and repeat the 3 steps above. Segmenting and micro-segmenting your OT network has never been simpler.
Want to learn more? Contact us for a demo.