
Let's Segment a Network - Joshua Seirer

BSides KC · 26:55 · 47 views · Published 2024-05 · Watch on YouTube ↗
Speaker: Joshua Seirer
Category: Technical
Style: Talk
About this talk
Discussions of network segmentation take place in many public forums, such as conferences and workshops on protecting network infrastructure. What needs to be improved is guidance on how to approach it and what steps to take to apply it. As important as the technical design, it is essential to understand the goals of network segmentation for business continuity. There are two perspectives on network segmentation: that of the network engineer and that of the cybersecurity engineer. This presentation will highlight these different perspectives and share philosophies on approaching segmentation. It will also discuss segmenting network topologies with Access Control Lists (ACLs) and firewalls, and the importance of designing a flexible IP schema. I aim to spark healthy debate and discussion on approaching network segmentation and what that could look like. We all know we need to do it, so how does everyone go about it? By no means do I think I have the best ideas; I use the tools and knowledge that I have at a given point in time to solve a problem. Presentation outline: Understanding business needs; Defining network segmentation; Philosophies and ZTA; IPv4 subnet design; Infrastructure designs; When have you done enough segmentation?
Transcript (en)

Well, I was gonna talk about myself some more, but I really like the theme of this conference so far about the burnout and just understanding what it means to do our job. So instead of talking about my experience of that, I'll share my own personal experience in dealing with stress and stuff like that. So yeah, my favorite thing to do to clear my head as soon as I leave the office is I hop on my Harley and I buzz the longest way around to get to my house, clear my head out. And then, you know, I do like going to the gym. To me, in our job we think a lot, so I also need to challenge my body, so I do as much gym as I can. And I like to spar, you know, go punch people; that helps. You can't punch them at work, go punch them in the gym. So I highly encourage finding those activities. And yeah, pistol shooting, blow some [ __ ] up, like, awesome, just go shoot some exploding targets. And then now recently I'm a new dad, I have a five-month-old son, and when I get home I look forward to reading The Lord of the Rings too. It just cleans my head out. So with that, we'll move into some network segmentation.

So I've sat in many conferences like this, I've gone to workshops, boot camps, whatever, and they always tell you, man, you got to segment those networks, you got to protect it, you got to minimize your blast radius, you got to do all these things. It's really good and it's important, but I'm always sitting where you're at, like, all right, how do I do it? So there's so many different things that you hear when you're listening to them. So you may hear a network engineer or a cyber security engineer. The network engineer is always like, yeah man, when you build networks you want to make them as efficient as possible, you want to make them available, you want to monitor, you want to do all that. It's all very important stuff, but you don't hear them talk about cyber security; they don't talk about how you do that securely, at least not often. So this isn't a general statement, just some of my own experiences. So then you go to the next session, you see a cyber person, they're talking like, hey man, you got to use multifactor, you got to use data encryption, you got to put in firewalls, you got to do all these things to protect your network. It's great, but they're not keeping in mind the performance part that the network guy seems to care about. So you got to bring it together, you know, it's all important to network segmentation.

And I think some of the disconnect is related to the educational level, and the reason why I say that is I've gone through, probably like a lot of you have, I've taken different certifications, I've taken a lot of classes, I've read a lot of books. There's a lot of definitions for what network segmentation is, but the three most common, starting with the top one, is typically the network definition, the network person's definition of network segmentation, and that's breaking up broadcast domains. It's great, but that's not all of it. Then you read another book, maybe it's a more security-related book, and it's saying, hey, you got to limit traffic between those broadcast domains or those segments. It's great, but it's not the whole picture. And finally I found a definition where it did both. I was like, this is the one I like, but the problem is, at least in my world, in my experience, it took me a higher level of training myself before I finally found this definition. This comes out of the CISSP book. You know, for me that's not where I'm starting when I'm in college; I'm not starting at that level. If you are, fantastic, not me. I worked my way up the chain. So for the remainder of this presentation, when I'm talking about network segmentation, I'm going to level set and I'm going to say it's about breaking up broadcast domains and it's also about controlling that traffic between networks.

So again, how do we do it? As Fred indicated, business needs are very, very important. It doesn't matter if you have all the technical skills, the technology to do it; if you don't understand what's important to the business, it's hard to know what needs to be protected, right? So starting with data classification is very important. You need to sit down and understand what are the things that the business relies on. Sit down with your data center teams, sit down with your managers, your stakeholders: hey, if this is compromised, if this is exploded, what does that do to the company? So it's very important to understand that, and understand, like, to live within your means as a company. And again, a lot of what's been talked about is getting your decision makers to understand those things, but most of the time money talks. So if you're cognizant of the money when you're talking to them, chances are, if you have any level of decent networking gear, there's a lot you can do with what's already there. It doesn't have to be complicated. So living within your means. And sometimes it is a lack of personnel skills. Maybe you're a small IT department, maybe you only are a networking person, maybe you don't know much about cyber security. So maybe that means you got to get more personnel in or get more training to help better understand what the goals are and how to achieve them. And all that kind of leads to time. So if you're, you know, a very capable, smart IT person but you don't have all the skills necessary to segment things off, well, that's a lot more time you got to spend researching and learning. You'll get there, but it's just a lot harder. So at the end of the day, understand those needs, understand what it is that you're trying to protect, and work with your upper management to build that into the budget, into the road map. So eventually, it doesn't have to all happen in one day. I've been doing a network segmentation project at my company going on for years, you know, it's an always going project, right? So just try to get it in that business plan, get it on the road map.

So now we kind of understand, like, okay, we know what our needs are, we need to segment this stuff. Again, how are we doing it? So to me it starts with your philosophies. It's like, if there's coders in here, we all know when you code there's different styles, right? Networking is the same way. My philosophy, not saying it's the right one, it's just how my brain thinks in my head: if an air-gapped network is the most segmentation I could ever possibly put into something, how close can I get to doing that with technology, right? So VLANs, that's why VLANs were made, to break up; we can't afford to put a switch for every network, so we invented VLANs. Well, that's not enough from a security standpoint. VLANs, unless you don't have any routing between them, are insecure; they'll route, they're directly connected, they'll go to each other. And then you still have potential for VLAN hopping, which is a very low-risk thing because it requires you to have direct connections and stuff like that, but there are things to just keep in mind.

So on top of, okay, how close can I get to air gap: zero trust architecture. That's something that is a very big, very wide and very deep topic, and I'm only really going to cover one piece of it, which is related to network segmentation. But from a CISA document I just wanted to share what the definition is. I'm not going to read all that to you, but I'm just going to say zero trust, and the point of it is, you don't need access, you don't get access, and you're all legal, okay? So you don't let things have access that don't need it. The zero trust architecture in a nutshell is your plan, how you do it. So out of that maturity document they break it down into five pillars. So as you can see, networks, networking or network segmentation, is one pillar. So there's so much, and I want to just talk about this model, because you can actually probably have multiple sessions on zero trust and all these different levels of zero trust. And to me it's like shooting to the moon of impossibility to ever achieve it, but the goal is just to be better, right? And by the definition of this document that I got this out of, everything is completely automated. So what I'm going to talk about from my standpoint, the basics, it's not automated. So like, for example, if I say only this computer can talk to this thing on this port, that's, you know, zero trust, I've only given it minimum access, right? But that access is always open, and a fully mature model would just close that down and only open up when it's needed, close back down, open back up. And that goes from user permissions, devices, your data access and all that. Again, I'm just going to focus on networking, network segmentation. And again, it all boils down to understanding what those critical systems are, what that data is. Again, you got to know what it is you're trying to protect, and that was something that took me a hard time to really get my head wrapped around. Okay, I know how to segment networks, but I don't know what to put in them. And then always keep in mind that zero trust, that implicit deny. It is so much easier to shut the water off, block it, and start poking holes than it is to leave it running and trying to shove napkins in the hose, or whatever it is you're trying to do to block stuff. You can't always do it that way in a perfect world, but keep it in your mind that that's how you want to roll; build it into your plan.

So when you're looking at this model, again, what I'm going to talk about gets to about... I'm pointing over there because I see the slideshow behind me. So when you see the traditional to initial level, that's kind of where I'm talking, which is the bottom two tiers; the advanced is that fully automated stuff. So you could look at that document, it's an interesting read. Seems impossible; I'd like to talk to the guy who's achieved all of this and buy them a couple beers.

So getting more into the fun part of this, now I'm done talking about the business and the philosophy. One of the key components to network segmentation is your IP subnet design, and I think this is something that has strongly been forgotten about; a lot of people don't think about it. My biggest pet peeve as a network engineer is bit boundaries and people not following them. They're there for a reason, folks; they make your life easier if you follow them, and it's something you're taught very early in networking. And the advantage of having good subnets and good subnet masks is, when I'm creating ACLs to filter traffic or security policies in a firewall, if I'm following bit boundaries I don't have to think about it. I can be like, slash 16, that permits everything I need it to do. If you're overlapping bit boundaries, and I think I blame marketing sales for the home equipment industry, because we all know every router that you ever buy starts with a DHCP scope starting at 100 and going to 200; it's completely overlapping so many bit boundaries, it's insane. But if you clean that up, when you're writing your wildcard masks or subnet masks it just simplifies it so much, especially if you're dealing with a lot of ACLs, because mistakes will be made when you're overlapped, because you're like, well, in order for me to permit this I got to also allow this thing, or I got to move it, something like that. So it just takes a lot of the worry and the thinking out of it.

So here's an example of how I structure my subnets. This is my world up here; you do it however you want to, this is just how I'm suggesting it. I'll try to use this laser pointer a little more. So up here I just broke this out into the four octets. The first octet, it's whatever, just 10, 192, 172, whatever you want it to be. I always like to use the second octet as my VLAN ID, all right? And in my third octet, I always figure it ends up as geographical location with me based on my job, so it's like a site ID or a location ID. So over here we're talking about octet 2: I got my user group, VLAN ID 16. They teach you in school, well, you make it easy on yourself: if it's 16, you're VLAN ID 16, right? Sometimes it doesn't always work out, and sometimes my philosophy is, if I got these one-off things like IoT or guest that I want to make sure that I'm always cognizant of, I make them some obscure number, just so when I see it, it clicks a lot faster, right? Again, I don't like to think; I want to be able to see it and I just want to move, right? 'Cause we're all in a hurry, we all got [ __ ] to do. And same over here with the site location, that just identifies my office. So when I'm building a subnet I can say 10.16.64, that's the user VLAN at the HQ office; 10.16.96, that's the user VLAN at the remote office down the road. So now when I'm writing my security policies or my ACLs and got to build that wildcard mask, and I say I need to filter all users, I don't want them going this way: slash 16, bam, it's done. Now, are you covering a lot more subnets that you're not using? Yes, but again, it's easier. And it's not perfect, not saying it is, it just makes it easy. But if I want to separate HR, because, you know, they deal with a lot more sensitive data, well, I can lock them down by a /24. So I can still say 10.16, they're users, they're HR, they're a /24; no, 10.16 /24 network can go out, and that locks them down a little bit. And I've shown some examples here, I'm not going to talk about them too much, but like, I have a heavily routed network, so I have a lot of point-to-point networks, and this is how I build them out. You know, I just have three to four VLAN IDs that I repurpose for my dynamic routing and whatnot.

So moving forward, that was a little bit of the logical; let's talk about the physical design. Excuse me. So as I said earlier, I want to get as close to air-gapped as possible. So this is air-gapped; how can I get there? Okay, we've all seen this diagram, router on a stick. So on the left, yeah, without routing, you got your switch, your flat switch, and you got three networks there. There's no routing, they are segmented, there's no way they can communicate. So in that case, I mean, if you can live your world like that, that's perfect. You're not going to be able to; chances are you got users that need to hit some server. Probably guests will never touch your users or your server, so you completely block them off; they never need to be routed except to the internet. But when you put it with routing, you'll have to use some ACLs.

So I want to expand on that a little bit further. So I got two examples that I've used a lot. So that's a layer 3 switch, if you're not familiar, right there, with switch virtual interfaces, right? So at this level I'll use ACLs to control my traffic. I know I'm not going to make too many changes to guest; I'm just going to block it, let it only go out to the internet, and that takes care of them. Servers are going to be a little more pain in the butt with ACLs, 'cause ACLs are stateless, right? So that means whenever I allow out, I have to build something on the other side to allow it back in, to respond. But then I have routing up here to my switch, and I always prefer routing over layer 2 extensions, because that gives you more traffic control and traffic monitoring. So when you can do layer 3 links between stuff, don't extend out; you're just asking to extend your threat landscape by too much. I'm a networking guy first, cyber security guy second, sometimes, so I like to design things like that. With firewalls, you... whoops, wrong... you got the DMZ up there. Typically that's controlled by, like, your security policies; you want to keep that removed. Now, one point: you know, say I like to use firewalls versus ACLs, which I do; you could say, move these networks up here and use security policies. It's a lot easier to manage, but you are sitting on an edge firewall, which feels iffy to me. So you might put something like another firewall here instead and control it with security policies on the firewall, which are stateful. So you make it and you move on; you don't have to account for both directions of traffic. You may not be able to read everything that's on here; this is just more of a representation of what I do.

So in my world I have a lot of layer 3 switches geographically spread out, different networks. It's not feasible to put a firewall at every single one of those locations, it's just not. So how do I force traffic back to a firewall back at my headquarters, right? I build virtual routing into every single one of these, overlay it with another OSPF dynamic routing instance or whatever, and I force it to go through this firewall back out to the global routing table. And it kind of brings this whole thing full circle: I'm only going to go through the effort of VRF routing for networks that I know are the important ones. I don't care about the guest network, that can be the wild west, so I'm just going to block it using ACLs everywhere, because I know once I do that I don't have to mess with it again. Whereas my server networks and my user networks are constantly changing permissions: you get a new application, you get another server, you get something new, you got to update those ACLs; it's a nightmare. So it is actually, in my mind, a lot easier to build virtual routing, force it all to one firewall, hopefully I never have to touch some virtual routing ever again, and then now all I have to do is create my firewall policies. So in this diagram here I just have some redundancy built in, just to kind of show some examples; I'm not going to get too far into that.

So these are my credits and my resources. I try to work in facts, I try to back up what I say. So I'm not inventing anything new, I'm just trying to figure out how to make it all work together to my advantage. And I know I blew through that really fast, because I could keep going, but anybody got questions? I think I have time for one, got a minute or two. Okay, I'm willing to talk about any of it. Perfect. Oh, sorry, sir.

Audience member: Your virtual routing, is it open source?

Seirer: Why, what? So, I'm a Cisco [Laughter] [ __ ]. So that's all Cisco. So I'm using VRFs on Cisco. I mean, dude, I've been working on Cisco since I first started doing networking. I can do something else, but like, the company's going to keep paying, I'm going to keep using it. So yes, sir.

Audience member: Well, I was just going to add to that, like, a lot of the stuff you do operates in the network layer, so a lot of that stuff in front, FPGA, it's clunky to do with open source software until we have more open source hardware networking designs like what Facebook's doing, the Open Compute initiative, is that what it's called?

Seirer: Open... I'm not familiar. So what's your question?

Audience member: That was, I just wanted...

Seirer: Oh, well, like this is, I always like to say, this is what I did in the time and with the knowledge that I had in that moment, right? So I always look back on this. I'm actually doing a project for my master's to say, hey, was this the best freaking solution, or could I have done it differently? Yeah, for a lot of people I think Cisco is the best solution still, unfortunately. We don't need to talk about that, this isn't the place for that. But the call to action, the best advice I give people: the best equipment that you have is the stuff that you're willing to work on. So if you're putting in crap that is too challenging for you to use, you're doing yourself a disservice. So work with what you can do. And again, maybe you can't afford this and you're a small network; ACLs are perfectly fine, and most layer 3 switches have ACL capability. They're a pain when you get bigger, but, like I said, you plan that road map, work with your bosses and get there. This is just how I approached it, because for me it's like, well, I know how to do VRFs, I know how to do this. There isn't a document out there that I could find that said, hey, you need to segment your network, here you can do this, you can put some stuff here. So I just kind of started throwing it together. I talk to Eric in Dallas all the time, Jason sitting right over there, and it's like, you know, we just come up with different ways. So one of the other best pieces of advice I got: the best network is your people network. So I come to these things and I talk to people, so when I need an idea I just call them, be like, hey, you gave me a ride at that conference on the way back, so I need some help with a firewall, whatever, you know. Anybody else got a question? Yes, sir.

Audience member: When you're moving to a fabric of this nature, where your network complexity can go through the roof very quickly, how do you balance the segmentation management for security purposes versus with your engineering team, where they may say this is too complex for us to maintain over a long period of time, or something goes wrong?

Seirer: No, and that's... yeah, I think about that a lot. So again, I always challenge myself; I don't believe in set it and forget it. You'll lose in this world if you believe that. So I always look, are we over-complicating this? Because again, if it's too complicated, then you're doing yourself a disservice. I don't feel like we're there yet. You know, there's three networking guys, there's three data center guys; I'm now the IT administrator or the security administrator now, so I've kind of moved. But I feel like we've always hired good people, people that are willing to challenge themselves and research; they pick this stuff up quick. I think it just comes down, like I said before, to skills when you're hiring. And someone asked the question, what are you going to do to get management to buy in to some of that stuff? You just outlast them until they retire. That's how I do it. Like, you're gone? Great, I'm going to take this out now. So don't anticipate doing this stuff in one year; plan it out, piecemeal it. I always say the best plan is the one you're still working on, not the one you're not. So just outlast them, you'll get there. I should probably stop.
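The subnet schema from the talk (second octet as VLAN ID, third as site ID, a /16 wildcard to cover one VLAN at every site) and the bit-boundary complaint about the 100 to 200 DHCP scope, worked as an added Python example that is not part of the talk. The VLAN ID 16, site IDs 64 and 96 and the 10.x first octet follow the slides; the HR site ID, the function names and the IOS-style ACL line format are assumptions.

```python
import ipaddress

# Schema from the talk: first octet is a private prefix (10 assumed here),
# second octet is the VLAN ID, third octet is the site/location ID.
FIRST_OCTET = 10


def user_subnet(vlan_id: int, site_id: int, prefix: int = 24) -> ipaddress.IPv4Network:
    """Network for one VLAN at one site, e.g. VLAN 16 at site 64 -> 10.16.64.0/24."""
    if not (0 <= vlan_id <= 255 and 0 <= site_id <= 255):
        raise ValueError("VLAN and site IDs must each fit in one octet")
    return ipaddress.ip_network(f"{FIRST_OCTET}.{vlan_id}.{site_id}.0/{prefix}")


def aggregate_for_vlan(vlan_id: int) -> ipaddress.IPv4Network:
    """The /16 covering this VLAN at every site: one ACL entry instead of one per site."""
    return ipaddress.ip_network(f"{FIRST_OCTET}.{vlan_id}.0.0/16")


def covers(aggregate: str, subnet: str) -> bool:
    """True if the aggregate prefix fully contains the subnet."""
    return ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(aggregate))


def wildcard(network: str) -> str:
    """Cisco-style wildcard mask (inverse of the netmask) for an ACL entry."""
    return str(ipaddress.ip_network(network).hostmask)


def acl_entry(action: str, network: str) -> str:
    """One IOS-style extended ACL line matching all traffic sourced from `network`."""
    net = ipaddress.ip_network(network)
    return f"{action} ip {net.network_address} {wildcard(network)} any"


def prefixes_for_range(first: str, last: str) -> list[str]:
    """Minimal CIDR prefixes needed to match an arbitrary address range exactly.

    A range that sits on a bit boundary collapses to a single prefix; one that
    straddles boundaries (the consumer-router 100-200 habit) needs several,
    which is exactly the ACL bloat the talk warns about."""
    rng = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(n) for n in rng]


if __name__ == "__main__":
    hq, remote = user_subnet(16, 64), user_subnet(16, 96)   # users at HQ and remote office
    all_users = aggregate_for_vlan(16)
    print(hq, remote, "both inside", all_users, covers(str(all_users), str(hq)))
    # Filtering every user VLAN takes one line because the VLAN ID is the second octet:
    print(acl_entry("deny", str(all_users)))
    # A more specific /24 can still single out HR (site ID 24 is a placeholder):
    print(acl_entry("permit", str(user_subnet(16, 24))))
    # The 100-200 DHCP scope versus an aligned block of the same /24:
    print(prefixes_for_range("192.168.1.100", "192.168.1.200"))   # six prefixes
    print(prefixes_for_range("192.168.1.128", "192.168.1.191"))   # one /26
```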