Network segmentation and architecture
Tech ID: 19-023
Inventors: Ridha Khedri, Neerja Mhaskar, Mohammed Alabbad
Patent Status: Patent pending
Stage of Research: Proof of principle
Contact: Lokesh Mohan, Business Development Officer
Abstract
Multiple industry reports have provided estimates indicating that the Connected Devices market is poised to reach a value of $375 billion by the year 2031. The importance of ensuring secure access cannot be overstated, especially for networks with high security requirements, as the use or mishandling of intelligent, adaptive, self-organized sensors and actuators can have significant positive or negative consequences. Lateral (East-West) movement is a critical component of most ransomware and other recent attacks. To counter this method of attack, network segmentation has emerged as a key strategy, and more recently there has been a shift towards “resource” segmentation. While the term “micro-segmentation” typically refers to the partitioning of application workloads and workflows as resources, a resource can be any device, application workload, data store, and so on. Nowadays, organizations may need to segment hundreds to hundreds of thousands of resources within their infrastructure. When the extensive range of attributes, tags, or stateful possibilities associated with each resource is taken into account, the number of potential attack pathways in a network can easily reach into the millions.
In a world where network architecture and segmentation are more art than science, McMaster researchers have developed a mathematically provable algorithm for configuring optimally secure networks, generating a network topology and segmentation policies that have zero vulnerabilities. This means that, within your specified policies, there are no open pathways that an unauthorized person could use to breach the network. Following the Zero Trust model, the security policy is explicitly set to “deny all access” to anything outside the stated policy; the engine opens only what the policies require and nothing further. Furthermore, our patent-pending segmentation method optimizes for Defense-in-Depth (DiD), whereby the most valuable resources are kept as far away as possible from an attacker’s point of entry. In DiD, layers of security are added to make it more difficult for an attacker to penetrate, and the attack surface is minimized. Therefore, by using our segmentation engine, users can be certain, with a mathematical proof, that no other segmentation plan and topology is more secure.
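The two ideas the abstract relies on, a default-deny allow-list and the distance of critical resources from an entry point, can be checked on a small model. The example below is an added illustration and is not the McMaster engine or its algorithm; the resource names, zones, ports and allow rules are constructed, and the attack-path count is a plain enumeration of simple paths over the allowed flows, which is what makes an unsegmented network explode into the large numbers the abstract describes.

```python
from collections import deque

# Constructed sample inventory (hypothetical names): each resource carries a zone
# tag and a criticality flag, the kind of attributes segmentation is keyed on.
RESOURCES = {
    "internet":  {"zone": "untrusted", "critical": False},
    "web":       {"zone": "dmz",       "critical": False},
    "app":       {"zone": "app",       "critical": False},
    "db":        {"zone": "data",      "critical": True},
    "backup":    {"zone": "data",      "critical": True},
    "hr-laptop": {"zone": "user",      "critical": False},
}

# Constructed explicit allow-list of (source, destination, port). Under the
# Zero Trust model anything not listed here is denied.
ALLOW = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("hr-laptop", "web", 443),
}


def is_allowed(src, dst, port, allow):
    """Default deny: a flow is permitted only if an explicit rule matches it."""
    return (src, dst, port) in allow


def build_graph(allow, resources=RESOURCES):
    """Directed reachability graph induced by the allow-list (ports collapsed)."""
    graph = {name: set() for name in resources}
    for src, dst, _port in allow:
        graph[src].add(dst)
    return graph


def flat_policy(resources=RESOURCES, port=0):
    """Unsegmented baseline for comparison: every resource may reach every other."""
    return {(s, d, port) for s in resources for d in resources if s != d}


def count_simple_paths(graph, src, dst):
    """Number of distinct loop-free paths from src to dst, i.e. attack pathways."""
    def dfs(node, visited):
        if node == dst:
            return 1
        return sum(dfs(nxt, visited | {nxt})
                   for nxt in graph[node] if nxt not in visited)
    return dfs(src, {src})


def hops_to(graph, src, dst):
    """Fewest allowed hops from src to dst (BFS); None when dst is unreachable.
    Used here as a Defense-in-Depth measure: how deeply a resource is buried."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return dist[node]
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None


def exposure_report(allow, entry="internet", resources=RESOURCES):
    """For each critical resource: attack paths from the entry point and its depth."""
    graph = build_graph(allow, resources)
    return {
        name: {"paths": count_simple_paths(graph, entry, name),
               "depth": hops_to(graph, entry, name)}
        for name, attrs in resources.items() if attrs["critical"]
    }


if __name__ == "__main__":
    print("segmented:", exposure_report(ALLOW))
    print("flat:     ", exposure_report(flat_policy()))
```

With the segmented allow-list, `db` is reachable only through the single intended chain (one path, three hops deep) and `backup` has no path from the untrusted entry at all, whereas the flat policy gives `db` 65 distinct paths at one hop; the same enumeration on a realistic inventory is what produces the millions of pathways the abstract refers to, and it is exactly the quantity a segmentation plan should drive down.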
Applications
- High security computer networks:
  - Defense
  - Government
  - Enterprise Networks
  - Financial Institutions
  - Railways industry
  - Smart manufacturing
  - Critical Infrastructure and Industrial Control Networks
Advantages
- Improve security and prevent attacks
  - Eliminate existing vulnerabilities that are almost impossible to find manually. Ensure that your attack surface is the mathematically proven minimum to prevent lateral movement. Obtain superior protection by deeply burying critical apps and data through optimized Defense-in-Depth.
- Save time and money
  - Eliminate the manual work and cost of implementing segmentation, which can take weeks (even when using dependency graphs). Simplify segmentation complexity so you don’t need to worry about the almost limitless attack paths.
- Continuous protection
  - Dynamically adapt segmentation in real time to constant, high-volume resource and policy changes. This is impossible to manage manually, and you won’t need to wait for available staff while your network is not secure.
- Segmentation flexibility
  - Segment resources and networks based on any custom attributes, such as line of business, location, application characteristics, user types, compliance requirements, protocols, number of access times, time access-period, and much more.