KEMBAR78
Microsegmentation 2 | PDF | Computer Network | Computer Security
0% found this document useful (0 votes)
38 views11 pages

Microsegmentation 2

The article discusses the importance of network segmentation and micro-segmentation techniques in enhancing network security against cyber threats. It presents an improved environment using NSX-T VMware, which integrates Sky API and policy enforcer to optimize performance and security in large multi-hypervisor and cloud environments. The findings indicate that this enhanced scenario outperforms conventional methods in terms of security, workload mobility, and flexibility while reducing time, cost, and complexity.

Uploaded by

makolachi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
38 views11 pages

Microsegmentation 2

The article discusses the importance of network segmentation and micro-segmentation techniques in enhancing network security against cyber threats. It presents an improved environment using NSX-T VMware, which integrates Sky API and policy enforcer to optimize performance and security in large multi-hypervisor and cloud environments. The findings indicate that this enhanced scenario outperforms conventional methods in terms of security, workload mobility, and flexibility while reducing time, cost, and complexity.

Uploaded by

makolachi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/382335849

Build a Secure Network Using Segmentation and Micro-segmentation


Techniques

Article in International Journal of Computing and Digital Systems · July 2024


DOI: 10.12785/ijcds/1601111

CITATIONS READS
9 1,178

2 authors, including:

Rafat Alshorman
Yarmouk University
24 PUBLICATIONS 91 CITATIONS

SEE PROFILE

All content following this page was uploaded by Rafat Alshorman on 18 July 2024.

The user has requested enhancement of the downloaded file.


International Journal of Computing and Digital Systems
ISSN (2210-142X)
Int. J. Com. Dig. Sys. 16, No.1 (Sep-24)
http://dx.doi.org/10.12785/ijcds/1601111

Build a Secure Network Using Segmentation and


Micro-segmentation Techniques
Hussein A. Al-Ofeishat1 and Rafat Alshorman2
1
Department of Computer Engineering , Al-Balqa Applied University, Salt, Jordan
2
Department of Computer Science,Yarmouk University, Irbid, Jordan

Received 21 Sep. 2023, Revised 26 Jun. 2024 , Accepted 28 Jun. 2024 , Published 26 Sep. 2024

Abstract:Due to the increasing number of threats and attacks that have threatened the network in recent years, novel methods and
techniques have been improved to secure the infrastructure of the network and the data transmitted within it. Micro-segmentation and
segmentation techniques are popularly used over computer networks to reduce defensive versus cyberattack. These techniques aim to
minimise the damage obtained from attackers by segmenting the network into many clusters or sections and limiting the communications
among them. Thus, each cluster or segment within the network becomes isolated from the others, which increases the security of
highly sensitive data networks and prevent unauthorised people and attackers from accessing these sensitive data. In this paper, an
enhanced environment has been suggested using NSX-T VMware to overcome the limitations of conventional micro-segmentation and
segmentation environments. the suggested environment NSX-T with Sky ATP and policy enforcer to enhance the performance and
security of the network. The suggested environment is presented to deal with large environments that involve multi-hypervisors and
multiple clouds. The performance of this environment has been combined with the other two scenarios. The results of the comparison
proved that the performance of this suggested scenario is better than those of the other two scenarios. In addition, the results illustrated
that security, workload mobility, and flexibility are higher within this scenario, whereas consumed time, cost, and complexity are lower
than those in other scenarios.

Keywords: Micro-segmentation, Segmentation, cyberattack, Clusters, Security, Attackers, NSX-T, Sky API, policy enforcer

1. INTRODUCTION and hardware tools to prevent nefarious actions obtained


Historically, the security of the network is considered from malicious entities, Many recent enterprises construct
a complex subject that only experienced and well-trained their defenses based on the fortress approach. The defense
experts can treat. Nevertheless, more people have recently tools of the network are used to defend this approach,
become interested in understanding the fundamentals of where a strong boundary between the trusted inner side
security within the networked world [1] and [2]. The design and the untrusted outer side is constructed by these tools.
of most conventional networks has been concentrated only Network segmentation uses the concept of the fortress to
on the outer perimeter security. Thus, the segmentation construct a layered model of the fortress, presenting smaller
of networks within recent networks has become a critical fortresses with specific protections and boundaries within
method to enhance the management of the network, cyber each fortress. Thus,more defense layers will be provided
security, and inner perimeter security. Network violation by this model, which will reduce the damage throughout
becomes very difficult by network segmentation, which also intrusions and exploits as well as restrict the mobility of
retards attackers. In addition, the isolation of applications the threat [4], [5] and [6].
and sensitive data from curious users and industrial spying
through network segmentation represents a restriction for Conversely, recent organizations are largely based on
insiders [3]. their own systems of information, where large numbers
of investments are made annually. In recent years, these
Further, the defence of computer network is known by systems have been computerised, while networking has
the actions that are obtained by the network use to respond become the most popular trend. Further, computer resources
to, detect, analyse, monitor and protect unauthorised activity and information available in an organisation and among
in the network and enterprise systems of information. Fur- collaborative organizations are often sensitive to services
ther, the defence of network uses an inclusive set of software and goods production. The availability, integrity, and con-

E-mail address: ofeishat@bau.edu.jo, r.alshorman@yu.edu.jo https:// journal.uob.edu.bh/


1500 H.Al-Ofeishat , et al.: Build a Secure Network using Segmentation and Micro-segmentation Techniques.

fidentiality attributes are conventionally used to define the the system are not completely incorporated. Thus, future
security of a computer. Availability means the avoiding of versions should completely incorporate the components of
unauthorised resources or information withholding, while the system. Furthermore, [9] plan to explore techniques
integrity means the avoiding of unauthorised information based on population like grammatical evolution, particle
alternation. Furthermore, confidentiality means the avoiding swarm, and genetic algorithms to enhance the behaviour
of unauthorised information disclosure [7]. of systems based on effective candidate structures. Archi-
tectures of network segmentation have been suggested by
Network security is a complicated subject, historically [10] as use case forms that are appropriate for information
only tackled by well-trained and experienced experts. How- loss and security. The suggested system combined between
ever, as more and more people become “wired”, an increas- simulation modelling and computational intelligence to es-
ing number of people need to understand basics of security timate and construct the architectures as well as acclimate
in a networked world. to the variation in threat to. The outcomes of the study show
that the suggested system can acclimate to the variation in
Two scenarios for the implementation of micro- threat levels and segment architectures at acceptable risk
segmentation and segmentation within networks have been threshold within a certain threat environment. Furthermore,
studied. An enhanced scenario has been suggested to over- recent work has addressed the requirement of systems
come the limitations of conventional micro-segmentation that based on the architectures to minimise the loss of
and segmentation scenarios. The suggested scenario inte- information within actual time and to obtain ideal decisions
grates NSX-T micro-segmentation with Sky API and policy for cyber security. On the other hand, this system can
enforcer to enhance the security and performance of the be enhanced in the future to handle segmentation policy
network. composition, automation, and synthesis. In addition, con-
The paper consists of four other sections, where many trols of network segmentation, which involve components
Previous works have been reviewed within the second and productive potentials of cyber security, can be used to
section, while micro-segmentation and segmentation tech- achieve network security. Another segmentation technique
niques have been studied within the third section. The is micro-segmentation, which is a novel security technique
methodology of the study has been illustrated in the fourth that divides physical networks into separated logical work-
section. The results of the study have been discussed in the loads or micro-segments. Thus, an analytical framework has
fifth section. A conclusion of the study has been provided been developed by [11] to quantify and characterise the
in the last section. micro-segmentation effectiveness in improving the security
of networks. A framework based on attack graphs and
2. Related Works network connectivity was used to estimate the robustness
Layered protection and network segmentation strategies and exposure network. The results show that the use of
are considered essential to construct a more secure network. micro-segmentation enhances the network robustness and
Thus, guarded commands and family algebra have been exposure reduction in a range extending between 60% and
utilised by [8] to form a formalism and define the seg- 90%. According to [12], the secure design of a network
mentation of the network. A series of resources and their based on micro-segmentation can reduce the movement
polices of access control have been used to suggest two rate of attackers within the network. It also offers more
algorithms that represent output and input strong network chances to discover this movement. However, organizations
topology in addition to firewall policies. The formalism of that use a secure design of the network will discover
network segmentation has been used to compute the utilised that micro-segmentation adds more complexity and cost to
firewall policies, which are then strategically inserted into the network as compared with the percentage of incidents
the network for performing “Defence in Depth (DD)”. severity and number reduction. On the other hand, the
Moreover, a “Software Defined Network (SDN)” has been effort prolonged in segmenting, classifying, and learning
built using the suggested algorithms and the use of SDN network strengthens and value for the whole controls of the
within “Internet of Things (IoT)” and dynamic networks organisation. Due to the absence of pure guidance on how
has been discussed. The issue of cyber decision about segmentation can be suitably implemented within recent
how a suitable segmentation architecture for the network architectures, a Markov continuous-time chain has been
can be selected has been studied within this literature. suggested as a low-cost method to estimate architecture
The selection of architecture is based on the mission and performance. In addition, the chain allows security prac-
security behaviour in a certain environment of networking. titioners to observe more than one candidate architecture
A new method has been suggested to support the selection of segmentation to determine the most optimal model that
decision using agent-based simulation and a heuristic search fits with their network environment[13]. According to [14],
approach. The suggested prototype system has been imple- the impact of a conventional perimeter that is based on
mented within a simple case study to obtain better or ideal security becomes less effective due to the movement of
architectures that support the environment of a network data centres towards the visualisation of storage resources,
exposed to cyber-attacks. Within the suggested prototype networking, and computing. Thus, novel models of secure
system version, several manual actions are demanded to data centres should be based on software, involve the model
begin the execution of components, and the components of of zero trust, and adopt micro-segmentation. [15] focused
https:// journal.uob.edu.bh/
Int. J. Com. Dig. Sys. 16, No.1, 1499-1508 (Sep-24) 1501

on security of network within IT systems. It also presented


security remedies and modern network threats. the key aim
of the study was to supply consumers with a secure device
for communication and to restrict hackers from reaching
secured data. The review illustrated that system security can
be enhanced using sophisticated security systems. Further-
more, sophisticated monitoring systems can minimise data
breaches. Novel guidelines and protocols are also required
to secure data of organizations.
3. Segmentation Technique
Segmentation of the network is considered a defensive
technique to reduce and prevent the ability of cyber attack-
ers to move throughout the network. Further, this technique
is interested in separating the network into multiple seg-
ments and monitoring communication among the internet
and segments and among segments. The aim of segmen-
tation is to protect the resources of the network through
communication restriction, which enhances the security of
the network by [13]:

• Minimising entry point number that is demanded for


the network.
• Restricting attackers from infiltrating the network.
Figure 1. the structure of basic network segmentation based firewall
• Obstructing the attacker’s ability to pivot other de- [20].
vices of the network and their lateral entry.
• Enhancing the ability of defenders to remediate and
detect cyber intrusions and simplify the observation • Cloud Technology: Clouds cannot be involved within
of communication. VLAN segmentation and many other conventional
networks.
Segmentation is usually performed by the integration of
“Software Defined Networking (SDN)”, “Virtual Local B. Firewall Segmentation
Area Networks (VLANs),” and firewalls [16]. The main Firewalls are considered as devices of network security
types of segmentation are as follows: that observe outgoing and incoming traffic of the network
as well as determine if certain traffic will be blocked or
A. VLANs Segmentation allowed depending on certain security rules. In addition,
A set of separated networks is created inside the centre firewalls represent a key part of a security system that
of the data by segmenting the network through VLANs. implements security policies that only allow legal users
Every network represents an individual broadcast domain. from entering resources. Firewall segmentation is used to
VLAN segmentation strictly limits access to the surfaces place each resource set under a certain firewall [19]. Figure
of a system attack. Furthermore, it enhances threat of effort 1 illustrates the structure of a basic network segmentation
and minimises the packet-sniffing abilities. Furthermore, the based on the firewall.
network devices and servers can only be seen by authorised
users who should access the network to perform daily Furthermore, an edge or external firewall is used within
tasks. Protocol segmentation is an additional benefit of segmentation where this firewall is not directly connected
segmentation, where the architects of the network can set to the network segments of end users. Logical and physical
particular protocols to particular enterprise segments [17]. separation is usually required between core infrastructure
and user communities. This separation reduces the visibil-
Although VLAN segmentation provides users with elas- ity of the inside network actions. Therefore, an internal
tic movement and enhances security within the network, it firewall can be used to solve this challenge and enhance
comes with two main restrictions [18]: the performance of segmentation. The interior firewall con-
nects multiple segments within the network, enabling traffic
• Protocol limitations: there are a limited number of mitigation, control, and visibility among those segments
segments that can be provided by VLANs, which [21]. Firewall VLAN segmentation is considered an appli-
restricts the implementation of segmentation within cation of firewall segmentation. As mentioned before, the
huge data centres. security and performance of a system can be enhanced by

https:// journal.uob.edu.bh/
1502 H.Al-Ofeishat , et al.: Build a Secure Network using Segmentation and Micro-segmentation Techniques.

TABLE I. vulenerabilities and strengths of Zero-trust [28].


the segmentation technique. Thus, this is more significant
for “Internet of Thing (IoT)” devices, where the network Strengths Vulnerabilities
prevents communication between those devices and enables Fewer weakness additional time of setup
communication only between them and the controller or Improved data pro- Extra complex administration of
management platform. Furthermore, the data within IoT tection application
devices should be separated to enhance the traffic con- Smart segmentation
trol among selected zones. Group areas are constructed Extra appliances to treat with
of data
by firewall VLANs, where network layers or geographic Robust identity po- Additional management for diverse
locations are used to divide those areas. In addition, access lices of user users
to devices and the control of traffic flow can be simply
understood by properly segmenting resources. On the other
hand, firewall VLANs represent the construction of Layer ered to be a segmentation gateway. All resources within re-
2(Data Link), which makes the management of enterprise cent networks involving package forwarding, cryptographic
networks difficult and complex, particularly when flexible engines, firewalls, access control, and content filtering are
and agile networks are demanded[22] and [23]. concentrated by the zero-trust concept ([25]). In addition,
C. SDN Segmentation the architecture of zero-trust utilises the protection principle
SDN represents a networking model that removes of individual enterprise resources, involving computing and
the restrictive limitations that are added to the network data rather than protecting the borders of the network. Thus,
through networking hardware, which used within conven- the access credentials and identities of the request advent
tional non-SDN networks. Furthermore, SDN enhances the of the interior network should be verified at every resource.
programmability, scalability, and agility of traffic switching The architecture of zero-trust has been constructed to reduce
and control. On the other hand, the algorithm of “Robust interior lateral movement and avoid data breaches within
Network and Segmentation (RNS)” should be used within enterprises [26], [27]. The zero-trust model has several
this type to implement segmentation strategies and layered weaknesses and strengths, as shown in the table I [28]:
defence in order to attain secure access control to the 4. Micro-segmentation Technique
network and to properly divide the network. This algorithm
Micro-segmentation is considered a technique to con-
segments the resources of the network into different clusters
struct secure areas within cloud deployments and data
using a certain systematic approach. It also provides the
centres to secure and separate all workloads to create
topology of the network that determines the desired cluster
a granulated secure network. Furthermore, polices within
placement within the network [19]. SDN technology has
micro-segmentation are implemented on each workload
recently been used to simplify the segmentation of network
to generate stronger attack resistance. Two key security
traffic. Traffic tags are also used by this technology to
problems are addressed by micro-segmentation: controlling
remove the complexity of conventional approaches and to
and distinguishing traffic of the network above layer four
implement a policy of network segmentation on the compo-
[29].
nents of the network. While customers use the identical fun-
damental physical infrastructure, various virtual networks On the other hand, this technique is distinguished by
are provided by SDN. Further, centralised controllers are implementing rules on every VM instead of using a firewall
used by SDN to enhance network programmability and au- to conserve the physical network environment. Many oper-
tomation. Complexity is the key weakness of segmentation ations of the data centre have a dynamic nature that was
with the SDN, where it concentrates on the policy of the not previously probable. Therefore, Micro-segmentation
network instead of application flows and security visibility was created to support and reflect this nature [30]. Four
directed through other approaches [24]. key advantages can be added to the network by Micro-
D. Zero-Trust segmentation segmentation (See [30]):
This type of segmentation is considered a developmental 1) Minimise surface of attack: visibility of the en-
model of security that is constructed to reduce threats and tire network environment is provided by micro-
attack risk in internal and external networks. Therefore, segmentation without reducing innovation and de-
three topics should be considered when constructing a zero- velopment.
trust network [25] : 2) Enhanced breach containment: security teams use
micro-segmentation to observe network traffic versus
• Guarantee secure access to the entire data depending
predefined polices, remediate breaches, and reduce
on location and user.
response time.
• Access control implementation. 3) Robust regulatory compliance: a group of polices can
be constructed by micro-segmentation to separate
• • Examine traffic assets records. regulated systems from the remaining infrastructure.
Therefore, applying granulated control over the com-
Furthermore, the model of a zero-trust network is consid- munications of regulated systems, minimising the
https:// journal.uob.edu.bh/
Int. J. Com. Dig. Sys. 16, No.1, 1499-1508 (Sep-24) 1503

TABLE II. components of the suggested environment .

Number
of Location
Component name com- within the
po- environment
nents
external
External Firewall devices 2
firewall cluster
switching fab-
Core switches 2
ric cluster
switching fab-
Access switches 2
ric cluster
Hypervisor
VMware 2
cluster
Virtual layer
VM-APP 1
cluster
Figure 2. VMware NSX with micro-segmentation example [33]. Virtual layer
VM-DB 1
cluster
Virtual layer
APP VLANs 1
incompatible usage risk. cluster
4) 4. Management of streamlined policy: firewall po- Virtual layer
DB VLANs 1
lices can be managed simply through the particu- cluster
lar architecture of micro-segmentation. A particular Virtual layer
consolidated policy is used by this arising best Internal un-routed VXLAN cluster (Inside
2
practise to reduce and detect threats and to control switch hypervisor
subnet access within one network section. Hence, the hosts)
security posture of organizations can be reinforced
and the surface of attack can be also minimised using
this approach. between the VMs and the identical virtual or logical switch
is presented [20].
Due to the increasing number of advanced permanent
threats that spread through application vulnerabilities and 5. Methodology
targeted users, multiple network-layer segmentation is re- The methodology of this paper is based on reviewing
quired to maintain an appropriate posture of protection and three different scenarios to show how the performance and
security. Therefore, security controls at the application level, security of the network can be enhanced by segmentation.
like developed aware protection and application-level inter- The first scenario represents the conventional segmenta-
vention protection, are required for these developed threats tion environment, while the second represents the micro-
to conserve selected workloads [31]. Micro-segmentation segmentation environment. The third scenario represents the
with NSX represents a suitable platform to deal with these suggested environment that integrates NSX-T with Sky ATP
threats. Thus, VMware NSX enhances micro-segmentation and policy enforcer to overcome the limitations of the other
to be more cost-effective, operationally feasible, and scal- two scenarios and to enhance the performance and security
able. Furthermore, NSX supports micro-segmentation with of the network. The structure, components, and topology of
service sequence for partner services, overlay-based separa- these scenarios are shown below:
tion, distributed firewalking, and central policy controls to
A. The Structure of the Environment
address the security requirements for the rapidly developing
landscape of information technology [32]. An example of The studied environment was segmented into four main
implementing VMware NSX within micro-segmentation is clusters: external firewall, switching fabric, hypervisor, and
illustrated in Figure 2. virtual layer clusters. “Virtual Extensible LAN (VXLAN)”
has also been introduced to perform logical segmentation
The distributed firewall is the key module used within for “Virtual Machines (VMs)”. Because VXLAN has vari-
the micro segmentation. Furthermore, the implementation of ous types of behaviour and overhead, it has been selected
NSX deployed the distributed firewall into every hypervisor within this structure instead of VLANs to enhance the
as a core module. Thus, the policy rules for distributed results. Furthermore, two databases and application roles
enforcement can be centrally configured. Traffic can be VM have been used to represent the participants of the
filtered by distributing the firewall over the level extended test environment. The key components involved within the
between the 2nd layer and the 4th layer. Therefore, the rules constructed environment are shown in the table II:
of security can be implemented only when a connection
Two simple scenarios were selected to investigate and
https:// journal.uob.edu.bh/
1504 H.Al-Ofeishat , et al.: Build a Secure Network using Segmentation and Micro-segmentation Techniques.

Figure 5. Path of network traffic in Scenario 2 [34].

beside the firewall to extend the security. Therefore, any


communication with the outer section entities should go
over the firewall. Furthermore, any outer or intersection
communication that comes from every host within the
section should be accessed over a departmental firewall, and
this will increase the delay and traffic within the network
[20].
C. Scenario 2: Secure network with NSX micro-
segmentation
Segmentation within this scenario has been applied
Figure 3. The entire structure of the suggested network environment
[34].
within “Virtual Network Layer (VNL)”, where there is
no need to pass via layer-3 or firewall devices. Thus, an
individual unrouted segment of the logical network is used
to connect all VMs within the network. In addition, the
real policy of security has been enforced within the ports
of virtual switches and implemented only on hypervisor
hosts. Therefore, micro-segmentation of the VM level and
the use of the basic flat structure of the network are enabled.
Figure 4. Path of network traffic in Scenario 1 [34]. By this scenario, logical segments can be separated from
the security area thinking type and designed in a more
effective way. Moreover, when a shift within protection
highlight the distinctions between the implementation of requirements is needed, the security policy can be simply
conventional segmentation and the implementation of a modified compared with the re-structuring architecture of a
novel micro-segmentation approach. The major tests that logical network [34].
will be studied by these scenarios are: network security,
performance, complexity, flexibility, cost, and workload In addition, as the traffic needs hair-pinning through any
mobility. The entire structure of the suggested network physical appliance, its path is as direct as possible, and it
environment is shown in Figure 3, where the two scenarios only traverses through the necessary switching fabric from
will be implemented. one hypervisor to another, as shown in Figure 5. This data
path topology was verified using the NSX network trace
B. Scenario 1: Secure network with conventional segmen-
tool, [34].
tation
A conventional implementation by segmenting the hosts D. The Suggested Scenario
into individual VLANs has been represented within Sce- VMware NSX can be considered as a security and net-
nario 1, depending on the security control and roles allowed working platform that is able to provide micro-segmentation
through the outer firewall device by routeing of internal through the developed components involved within the
VLANs. A policy of security has been applied where it is recent centre of data. In addition, micro-segmentation with
executed when traffic reaches the interfaces of the firewall NSX enhances the efficiency and agility of the centre of data
[34]. Thus, the packets of the network are required to pass and allows it to maintain an agreeable posture of security
over more than one physical and virtual component, as at the same time [31].
illustrated in the Figure 4. In addition, the firewall within
this scenario represents a bottleneck for traffic transmitted Furthermore, NSX-T segmentation provides IT security
from one network to another and passing over it [34] and with a zero-trust structure, which means to verify every-
[20]. thing and trust nothing. Therefore, this type of micro-
segmentation constructs a container workload or security
The security within the conventional network is es- perimeter across every VM with a vitally identified policy
tablished at the border or the edge to involve the south- [35].
north communication. Sub-sections and sections are created
https:// journal.uob.edu.bh/
Int. J. Com. Dig. Sys. 16, No.1, 1499-1508 (Sep-24) 1505

As shown in the previous sections, the second scenario


with NSX micro-segmentation achieved enhanced perfor-
mance compared with conventional segmentation in sce-
nario 1. However, this scenario is not adequate for dealing
with large environments that involve multiple hypervisors
and multiple clouds. Therefore, it cannot provide a high
level of security for large, sensitive, and variant workloads.
An enhanced environment has been suggested in this paper
to overcome these limitations. The suggested environment
inserted NSX-T VMware product for micro-segmentation
where it integrates innermost in the infrastructure of the
network and not only in visualisation layer. This product
also simplifies operations within security and networking. In
addition, the suggested environment integrated NSX-T with
Sky ATP and policy enforcer to enhance the performance
and security of the network. The integration between policy
enforcement and threat to secures the virtual and physical
network environments. This integration is considered by the Figure 6. Path of network traffic in Scenario 2 [?].
solution of “Juniper Connected Security (JCS)” which is
composed of the following:

• An engine of threat to: this is represented by a


cloud relay on SKY ”Advanced Threats Prevention
(ATP)” to detect recognised and unrecognised threats.
Feed information is used from different sources to
detect recognised threats while unrecognised threats
are determined through different methods like threat
to, machine learning, and sandbox.
• Central management of policies: This component is
based on a policy enforcer that communicates with
third-party appliances through the network and the
appliances of Juniper Networks. By this policy, inter- Figure 7. Logical topology of the suggested environment [22]
and intra-communications of the network are visible. .

Furthermore, the cloud relays on SKY ATP can be consid-


ered as a security framework that protects the hosts within Then, the workflow manner of the applied policy can be
the network from advanced security threats. A system of summarised by the following steps:
next-generation firewall like (SRX firewall) is integrated
with the cloud that relies on software for threat detection • Step one: If any infection is discovered, the Policy
to represent this framework, as shown in the Figure 6. enforcer will be informed by the infected addresses
through Sky ATP.
A series of API connectors are also provided by the
utilised policy enforcer for third-party switches or adaptors. • Step two: If the infected address pertains to the NSX
These connectors are then used to integrate the policy secure fabric, the infected address list will be sent to
enforcer with the NSX connector to allow the policy of the NSX connector through the NSX API.
the infected host to be implemented at the secure fabric. • Step three: the VM matching to the sent IP addresses
Furthermore, the connectors of NSX-T comprise an edge will be retrieved by the NSX service.
firewall that represents the desired Secure Fabric and NSX-
T Manager, which represents vCenter. Two Tyre gateways • Step four: The S DS N BLOCK security tag will be
are used to connect segments of the network with the then created by the NSX API to be tagged into a
physical infrastructure. Each tyretire gateway comprises two suitable VM.
main components; Services router and a distributed router.
In addition, the series device (vSRX) has been used as an The above steps show the high level of security provided by
edge firewall to transmit any suspected data traffic into Sky implementing NSX into the segmented network and by the
ATP. The logical topology of the suggested environment is integration between the policy enforcer and Sky ATP. Inner
shown in Figure 7. threats (inside the network) and outer threats (surrounding
the network) can also be detected by this environment.

https:// journal.uob.edu.bh/
1506 H.Al-Ofeishat , et al.: Build a Secure Network using Segmentation and Micro-segmentation Techniques.

TABLE III. The results of Scenarios measurements.


6. Results and Discussion
Segmentation techniques and micro-segmentation tech- Scenario Scenario Scenario
niques have been developed to secure and protect the Measurement name
1 2 3
network from various threats and attacks. However, con- Low Middle High
ventional segmentation cannot solve all network security Security
level level level
problems. Therefore, micro-segmentation has been devel- Performance Low Middle High
oped to solve these problems and to enhance the behaviour Cost High Middle Low
of the network. Within this section, the performance of Complexity High Middle Low
the studied scenarios is discussed and compared to show Consumed-time High Middle Low
which one is the best. The results of network measure- Workload mobility Low Middle High
ments have been provided at the end of this section based
Flexibility Low Middle High
on the performance evaluation. Within the conventional
Not
network segmentation scenario, the network is broken or
Inner threats De- Detected Detected
segmented into several segments (VLANS). In addition, the
tected
network has been segmented depending on the North-South
Not
transferred traffic, which crosses the border of security
Outer threats Detected De- Detected
and runs among servers and clients. On the other hand,
tected
micro-segmentation within the second scenario places every
application or device within its particular logically separated Cannot Cannot
Deal
segment, and this enhances the control and visibility within Multi-cloud deal deal
with
the network. Furthermore, the network within scenario 2 environments with with
them
has been segmented depending on east-west transmitted them them
traffic, which moves horizontally inside and across the
network. Based on the above, the performance and security
of the network were enhanced by the implementation of these limitations. The suggested scenario provides a high
segmentation through the external firewall cluster and the level of security by implementing NSX into the segmented
segmented VLANs. However, this scenario only focuses on network and by integrating the policy enforcer and Sky ATP.
the North-South traffic security without concern for the in- Inner threats (inside the network) and outer threats (sur-
ternal security of traffic. Therefore, Scenario 2 provides the rounding the network) can be detected by this environment.
suggested environment with greater security than Scenario In addition, the physical site of information is not important
1. Further, the architecture of the network may require re- to be protected where it can be preserved anywhere it exists.
architecture from time to time, and this will be expensive, On the other hand, security within this environment depends
time-consuming, and difficult through segmentation because on policies; therefore, it is simpler than security within
it is based on physical infrastructure breaking. However, hardware architectures. Furthermore, the structure of this
this issue does not exist within micro-segmentation, and environment is more cost-effective because it is considered
this will reduce time-consuming, complexity, and cost. The as a software model where security can be easily and rapidly
insertion of micro-segmentation enhances the performance scaled without the need to subtract or add hardware devices.
of the network by minimising the amount of hair pinning. With the implementation of Micro-segmentation based
Furthermore, there is no need for an external hardware on NSX, a dynamic policy of security can be created where
device (external firewall) within Scenario 2, and this makes it can be simply introduced into any novel requirements
the path of traffic more suitable and shorter as well as without the need to modify the existing infrastructure of
enhances the security of traffic and the environment. Thus, the network. In addition, the implementation of micro-
the performance of the network in Scenario 2 is better than segmentation through NSX provides scalable software and
in Scenario 1. Furthermore, the implementation of micro- distributes the processing of security control over the entire
segmentation with kernel-based firewall and hypervisor virtualisation platform rather than of a selected centralised
level provides a security workload over virtualization clouds network point.
and platforms. Furthermore, this implementation provides
flexibility to deal with changes, additional policy options to The results of the Scenarios measurements can be sum-
be integrated with the platform, workload mobility, and dy- marized in Table III:
namic firewalling load distribution. However, the suggested
environment within the two scenarios (Scenario 1 and 2) is 7. Conclusion
not adequate to deal with large environments that involve Micro-segmentation and segmentation techniques are
multiple hypervisors and multiple clouds. Therefore, it popularly used over computer networks to reduce defensive
cannot provide a high level of security for large and variant versus cyber-attacks. These two techniques have been used
workloads. In addition, the inner and outer threats cannot to enhance the performance and security of the network.
be detected by one scenario, where the outer threats can be Thus, Two simple scenarios were selected to investigate
detected by scenario 1 and the inner threats can be detected and highlight the distinctions between the implementation
by scenario 2. Therefore, the suggested scenario overcomes of conventional segmentation and the implementation of
https:// journal.uob.edu.bh/
Int. J. Com. Dig. Sys. 16, No.1, 1499-1508 (Sep-24) 1507

a novel micro-segmentation approach. However, these two [13] N. Wagner, C. Ş. Şahin, J. Pena, J. Riordan, and S. Neumayer,
scenarios are not adequate for dealing with large environ- “Capturing the security effects of network segmentation via a
ments that involve multiple hypervisors and multiple clouds. continuous-time markov chain model,” in Proceedings of the 50th
Annual Simulation Symposium, 2017, pp. 1–12.
Therefore, an enhanced environment has been suggested in
this paper to overcome these limitations. The suggested en- [14] . L. Muller and J. Soto, “Micro-segmentation for dummies,” Tech.
vironment inserted the NSX-T VMware product for micro- Rep,Wiley and Sons, 2015.
segmentation to enhance network security. The results of
the comparison confirmed that the performance of the [15] A. K. Dwivedi, M. Dwivedi, and M. Kumar, “Advances in network
suggested environment network is better within Scenario security: A comprehensive analysis of measures, threats, and future
research directions,” 2023.
3. The comparison shows that Scenario 3 provides higher
security, performance, flexibility, and workload mobility. [16] J. Turner, “7 network segmentation best practices to level-
up your security,” Strongdm, 2024. [Online]. Available: https:
References //www.strongdm.com/blog/network-segmentation
[1] A. Deshpande, “Introduction to network security,” International
Journal of Computer Sciences and Engineering, vol. 3, no. 9, pp. [17] T. Olzak, “Vlan network segmentation and security-chapter
124–134, 2015. 5,” Retrieved on, vol. 15, no. 02, p. 2015, 2021. [Online].
Available: http://web.archive.org/web/20080207010024/http://www.
[2] A. Kulkarni, A. Shivananda, A. Kulkarni, A. Kulkarni, A. Shiv- 808multimedia.com/winnt/kernel.htm
ananda, and A. Kulkarni, “Ted talks segmentation and topics
extraction using machine learning,” Natural Language Processing [18] Guardicore, “Network segmentation and micro-segmentation in
Projects: Build Next-Generation NLP Applications Using AI Tech- modern enterprise environments,” White paper, 2019.
niques, pp. 65–88, 2022.
[19] M. Alabbad and R. Khedri, “Dynamic segmentation, configuration,
[3] J. Toivakka, “Network segmentation,” 2018. and governance of sdn,” Journal of Ubiquitous Systems and Perva-
sive Networks, vol. 16, no. 1, pp. 7–22, 2022.
[4] K. F. WR.Simpson, “Network segmentation and zero trust architec-
tures,” in Proceedings of the Fifth International C* Conference on [20] P. Bala, “Network micro-segmentation,” SCRIBD, 2023.
Computer Science and Software Engineering, ser. WCE, July 7-9, [Online]. Available: https://www.scribd.com/document/564160802/
2021. Network-Micro-Segmentation

[5] D. Annu and A. Dudy, “Review of the osi model and tcp/ip protocol [21] “Internal segmentation firewall security where you need it,
suite on modern network communication,” International Journal of when you need it,” White paper, 2016. [Online]. Available:
Current Science Research and Review, pp. 1230—-1239, 2024. https://www.fortinet.com/content/dam/fortinet/assets/white-papers/
wp-isf-security-where-you-need-it-when-you-need-it.pdf
[6] P. Konduru and N. Nethravathi, “Secure and energy-efficient routing
protocol based on micro-segmentation and batch authentication,” [22] JUNIPER Network, “Iot network segmentation,”
Computer Networks, vol. 248, p. 110293, 2024. Engineering Simplicity, pp. 1–4, 2022. [On-
line]. Available: https://www.juniper.net/content/dam/www/assets/
[7] N. Zhang, “An introduction to computer & network security threats,” solution-briefs/us/en/iot-network-segmentation.pdf
International Journal of Advance Research in Computer Science and
Management Studies, pp. 5–10, 2020. [23] N. Basta, M. Ikram, M. A. Kaafar, and A. Walker, “Towards a zero-
trust micro-segmentation network security strategy: an evaluation
[8] N. Mhaskar, M. Alabbad, and R. Khedri, “A formal approach to framework,” in NOMS 2022-2022 IEEE/IFIP Network Operations
network segmentation,” Computers & Security, vol. 103, pp. 102– and Management Symposium. IEEE, 2022, pp. 1–7.
162, 2021.
[24] Zenarmor, “What is network segmentation? introduction to
[9] N. Wagner, C. Şahin, M. Winterrose, J. Riordan, J. Pena, D. Hanson, network segmentation,” Sunny Valley Cyber Security Inc. (d/b/a
and W. W. Streilein, “Towards automated cyber decision support: Zenarmor)., 2023. [Online]. Available: https://www.zenarmor.com/
A case study on network segmentation for security,” in 2016 IEEE docs/network-basics/network-segmentation
Symposium Series on Computational Intelligence (SSCI), 2016, pp.
1–10. [25] P. Assunção, “A zero trust approach to network security,” in Pro-
ceedings of the Digital Privacy and Security Conference, vol. 2019.
[10] K. Ramesh, “Network segmentation strategies to articulate a new Porto Protugal, 2019.
method to address growing information security concerns,” CIOSR
Journal of Engineering (IOSRJEN), vol. 8, no. 6, pp. 43–52, 2018. [26] D. Eidle, S. Y. Ni, C. DeCusatis, and A. Sager, “Autonomic security
for zero trust networks,” in 2017 IEEE 8th Annual Ubiquitous
[11] N. Basta, M. Ikram, M. A. Kaafar, and A. Walker, “Towards a zero- Computing, Electronics and Mobile Communication Conference
trust micro-segmentation network security strategy: an evaluation (UEMCON). IEEE, 2017, pp. 288–293.
framework,” in NOMS 2022-2022 IEEE/IFIP Network Operations
and Management Symposium. IEEE, 2022, pp. 1–7. [27] C. DeCusatis, P. Liengtiraphan, A. Sager, and M. Pinelli, “Imple-
menting zero trust cloud networks with transport access control and
[12] B. Peterson, “Secure network design: Micro segmentation.” first packet authentication,” in 2016 IEEE International Conference
ISSA Journal, vol. 14, no. 12, 2016. [Online]. Available: on Smart Cloud (SmartCloud). IEEE, 2016, pp. 5–10.
https://sansorg.egnyte.com/dl/6p0mC8GPeQ
[28] T. E. Nyamasvisva and A. A. M. Arabi, “a comprehensive swot

https:// journal.uob.edu.bh/
1508 H.Al-Ofeishat , et al.: Build a Secure Network using Segmentation and Micro-segmentation Techniques.

analysis for zero trust network security model,” International Jour- Rafat Alshorman is an associate professor
nal of Infrastructure Research and Management Vol. 10 (1), June in the department of computer science at
2022, 2022. Yarmouk University/Jordan. He completed
his Ph.D. at Loughborough University/UK
[29] D. Huang, A. Chowdhary, and S. Pisharody, Software-Defined
networking and security: from theory to practice. CRC Press, and his undergraduate studies at Yarmouk
2018. University
Jordan. His research interests lie in the
[30] K.Ekambaram and M. Varun, “Microsegmentation: Defense in area of algorithms and mathematical models,
depth,” Dell Technologies Proven Professional Knowledge Sharing, ranging from theory to implementation, with
pp. 1–8, 2021. [Online]. Available: https://education. a focus on checking the correctness condi-
dell.com/content/dam/dell-emc/documents/en-us/2021KS
Ekambaram-Microsegmentation Defense in Depth.pdf
tions of concurrent and reactive systems. In recent years, he has
focused on theoretical computer science such as Graph theory
[31] W. Holmes, “Mmicro-segmentation defined – nsx and Numerical analysis. Dr. Alshorman research interests are: 1.
securing– part i,” VMware, 2016. [Online]. Mathematical methods in computer science 2. Temporal logics 3.
Available: https://blogs.vmware.com/networkvirtualization/2016/06/ Concurrent systems 4.Machine learning 5. Network Security.
micro-segmentation-defined-nsx-securing-anywhere.html/

[32] VMware NSX for vSphere, release 6.0x, “Microsegmentation


using nsx distributed firewall: Getting started,”
VMware, 2014. [Online]. Available: https://docplayer.net/
15756686-Microsegmentation-using-nsx-distributed-firewall-\
protect\@normalcr\relaxgetting-started.html

[33] J. Myers, “Network security with micro segmentation from


vmware,” 2015. [Online]. Available: http://www.enpointe.com/blog/
network-security-with-micro-seg-mentation-from-vmware

[34] J. Koskinen, “Microsegmentation as part of organization’s network


architecture: Investigating vmware nsx for vsphere[master’s thesis].
jamk university of applied sciences,” 2020.

[35] T. N. DNA, “Nintroduction to microsegmentation in vmware


nsx-t,” 2021. [Online]. Available: https://www.thenetworkdna.com/
2021/03/introduction-to-micro-segmentation-in.html

Hussein Al-ofeishat is an associate


Professor at Al Balqa Applied University,
Department: Computer Engineering
Department, College of Engineering E-mail:
ofeishat@bau.edu.jo Field of Specialization:
Computer Engineering Major: Computer
Engineering. Research Interest: Computer
Network and Network Security. Ph.D. 2005
at National Technical University of Ukraine,
Faculty of Computer Engineering, MSc.
1992 at National Technical University of Ukraine Faculty of
Electrical Engineering.
Scopus: https://www.scopus.com/authid/detail.uri?authorId=
55539903200
google scholar: https://scholar.google.com/citations?user=
O49fynUAAAAJ&hl=en
research gate: https://www.researchgate.net/
scientific-contributions/2137895665 Amman-Jordan Hussein
ORCID ID registered to your address ofeishat@bau.edu.jo is
https://orcid.org/0000-0002-0113-6415

https:// journal.uob.edu.bh/

View publication stats

You might also like