There is no hotter trend in networking and security than segmentation. The rise of software-defined systems has made it possible to split the network into virtual segments that isolate assets. In fact, in discussions with IT professionals, I find that segmentation is a bit like going to the gym: everyone talks about it, but very few actually do it.

The reason is that segmentation can be very difficult to apply. The concept is easy to understand: keep the valuable assets away from everything else and, as they say, "Bob's your uncle" (meaning "there you have it"; the phrase is common in the United Kingdom and Commonwealth countries). In practice, there are several types of segmentation, and often a lack of understanding of how to apply each of them.

Recently, security vendor Fortinet announced a system called intent-based segmentation (IBS) to simplify the process. The term "intent-based" refers to a system's ability to configure and manage itself based on the intent of the business. If you are not familiar with this term, I recently wrote this post about how intent-based networking (IBN) works. Although that post is specifically about networking, the concepts apply equally to segmentation. In fact, one could argue that intent-based segmentation is a subset of the broader IBN category.

Different types of segmentation

Before explaining how IBS works, it is useful to look at the different types of segmentation. These are:

  • Macro-segmentation, also known as coarse-grained segmentation, is akin to VLANs, although significantly more flexible. The primary use case is to isolate large groups of device types, such as medical devices or client endpoints.
  • Micro-segmentation, also known as fine-grained segmentation, is a more granular version of macro-segmentation. It allows IT professionals to tune security settings to isolate device classes within a larger group. An example might be a hospital that wants to isolate heart pumps from other medical equipment.
  • Application-level segmentation is used to isolate traffic at the level of an application or even a process. This can isolate applications running on the same physical or virtual server.
  • Endpoint segmentation enables segmentation at the device level, regardless of the underlying network topology. This can be particularly useful in IoT environments.

The obvious question is which type of segmentation is best. The answer is all of them! It really depends on what the company is trying to achieve. In fact, the process of isolating cloud assets may involve a combination of micro-, macro- and application-level segmentation.

That's where Fortinet's IBS comes in. Its new Next-Generation Firewall (NGFW) family includes intent-based segmentation throughout. The family includes two mid-range (FG-401E / 601E) and two high-end (FG-3401E / 3601E) NGFWs. Performance ranges from 4.8 Gbps to 66 Gbps. All of the NGFWs are built on Fortinet's own Security Processing Unit (SPU). Custom silicon has an advantage over off-the-shelf silicon because it is tailored to security workloads, much as a graphics processing unit (GPU) is optimized for video.

IBS functions can be tailored to workloads

IBS features intelligently segment IT assets according to business goals and align the security process and access control so that threats cannot spread laterally across the network. This is something that is difficult, if not impossible, to do with traditional security tools.

To help understand this, consider what happens when a user initiates or receives a connection. The session traverses the public network, and the connection is secured and inspected to identify and block malware or traffic hijacking. This is certainly necessary, but not sufficient. Isolating users and applications lets security professionals see and control which devices can interact with those connections, preventing threat actors from intercepting, stealing or corrupting data, and thereby helping to keep data and resources managed and secured as they move across a growing ecosystem of connected networks. Intent-based segmentation simplifies this by automating the process.

"Intent" in IBS means that it works at the level of the business or use case. For example, a security administrator can select a use case such as isolating critical assets, and the Fortinet NGFW will apply the appropriate combination of micro- and macro-segmentation. Other use cases include perimeter security, tiered cloud access, compliance requirements and secure physical access. Each of these has a specific architecture that simplifies deployment and ongoing management.
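To make the segmentation taxonomy above concrete, and to show what "expanding an intent into a combination of micro- and macro-segmentation" can look like in practice, here is an added Python model. It is not Fortinet's code and not part of the original article: the hospital inventory, the zone and device-class labels, the protocol names ("hl7", "smb", "dicom", "rdp") and the rule-precedence semantics (finest-grained matching rule wins, deny wins a tie, no match is denied) are all constructed assumptions. Macro rules name only zones, micro rules add device classes, and application-level rules also pin the application, so one intent compiles into rules at all three grains.

```python
"""Toy model of layered segmentation: macro (zone), micro (device class)
and application-level rules compiled from one business intent.
Constructed example; all names, classes and protocols are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

WILDCARD = "*"


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str          # macro segment, e.g. "medical" or "clients"
    device_class: str  # micro segment inside the zone, e.g. "heart-pump"


@dataclass(frozen=True)
class Flow:
    src: Asset
    dst: Asset
    app: str  # application label the firewall identified, e.g. "hl7", "smb"


@dataclass(frozen=True)
class Rule:
    src_zone: str = WILDCARD
    src_class: str = WILDCARD
    dst_zone: str = WILDCARD
    dst_class: str = WILDCARD
    app: str = WILDCARD
    action: str = "deny"
    note: str = ""

    def specificity(self) -> int:
        # Macro rules name only zones; micro rules add device classes;
        # application-level rules also pin the application. More
        # non-wildcard selectors means a finer-grained rule.
        return sum(v != WILDCARD for v in
                   (self.src_zone, self.src_class, self.dst_zone, self.dst_class, self.app))

    def matches(self, f: Flow) -> bool:
        pairs = ((self.src_zone, f.src.zone), (self.src_class, f.src.device_class),
                 (self.dst_zone, f.dst.zone), (self.dst_class, f.dst.device_class),
                 (self.app, f.app))
        return all(want in (WILDCARD, got) for want, got in pairs)


def decide(rules: Iterable[Rule], flow: Flow) -> str:
    """Finest-grained matching rule wins; deny wins a tie; no match is denied."""
    hits = [r for r in rules if r.matches(flow)]
    if not hits:
        return "deny"
    top = max(r.specificity() for r in hits)
    finalists = [r for r in hits if r.specificity() == top]
    return "deny" if any(r.action == "deny" for r in finalists) else "allow"


def compile_isolate_critical_assets(zone: str, critical_class: str,
                                    mgmt_class: str, mgmt_app: str) -> List[Rule]:
    """Expand the 'isolate critical assets' intent into macro, micro and
    application-level rules. Models connection initiation only; a real
    firewall tracks return traffic statefully."""
    return [
        Rule(src_zone=zone, dst_zone=zone, action="allow",
             note="macro: devices inside the zone may talk to each other"),
        Rule(src_zone=zone, dst_zone=zone, dst_class=critical_class, action="deny",
             note="micro: nothing else in the zone may reach the critical class"),
        Rule(src_zone=zone, src_class=critical_class, dst_zone=zone, action="deny",
             note="micro: the critical class may not initiate toward the rest of the zone"),
        Rule(src_zone=zone, src_class=mgmt_class, dst_zone=zone, dst_class=critical_class,
             app=mgmt_app, action="allow",
             note="app: one sanctioned management channel into the critical class"),
    ]


# Constructed inventory for a hospital network (assumed names and labels).
PUMP = Asset("pump-07", "medical", "heart-pump")
IMAGING = Asset("ct-scanner-2", "medical", "imaging")
MONITOR = Asset("nurse-station-1", "medical", "monitoring-station")
LAPTOP = Asset("staff-laptop-42", "clients", "workstation")

RULES = compile_isolate_critical_assets("medical", "heart-pump", "monitoring-station", "hl7")


def evaluate(rules: Iterable[Rule], flows: Iterable[Flow]) -> Dict[str, str]:
    """Verdict per flow, keyed as 'src->dst/app' for readable output."""
    return {f"{f.src.name}->{f.dst.name}/{f.app}": decide(rules, f) for f in flows}


if __name__ == "__main__":
    demo = [Flow(IMAGING, PUMP, "smb"), Flow(MONITOR, PUMP, "hl7"),
            Flow(MONITOR, PUMP, "rdp"), Flow(PUMP, IMAGING, "hl7"),
            Flow(IMAGING, MONITOR, "dicom"), Flow(LAPTOP, PUMP, "hl7")]
    for key, verdict in evaluate(RULES, demo).items():
        print(f"{verdict:5} {key}")
```

Running the block shows the layering at work: the coarse intra-zone allow lets the CT scanner reach the nurse station, the finer device-class deny stops the scanner from reaching the pump at all, and only the one pinned application from the monitoring-station class gets through to the pump. A client-zone laptop matches nothing and falls to the default deny. Changing the intent parameters (zone, critical class, management class, protocol) regenerates the whole rule set, which is the maintenance burden the article says intent-based segmentation is meant to remove.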

IBS connects to third-party vendors

One last point is that IBS works with third-party vendors' products that customers may already have deployed as part of their segmentation strategy. This includes some widely deployed solutions, such as VMware NSX and Cisco ACI.

Computing environments have become more complex and dynamic, making it harder to reduce the overall attack surface.

Segmentation plays a key role in this, but stitching together several products is difficult because keeping policies up to date across them is extremely hard. The concept of intent-based segmentation simplifies this process by applying the right combination of segmentation techniques to ensure that business goals are always met.

Zeus Kerravala is the founder and principal analyst of ZK Research. He spent 10 years at Yankee Group and had previously held several IT positions.