Network complexity is becoming one of the primary reasons for failure in the enterprise. After all, the more complex a network is, the more likely that there are blind spots, which often are only discovered in investigations appear after things have already gone awry in costly incidents leading to disruption.
Today’s network managers are constantly adapting to change driven by concepts such as digital transformation, cloud-based initiatives, compliance requirements, cybersecurity challenges and much more. That constant cacophony of change results in network managers no longer having the intimate knowledge of both their networks and the traffic flowing between devices necessary to keep things running smoothly and securely.
San Jose, Calif.-based Forescout is aiming to remove the angst of network management by providing a platform that brings full visibility to the network, regardless of how complex or distributed that network may be. The company recently extended its platform-based offerings with the eyeSegment product, a solution delivering the capability to segment networks using powerful context-aware policies.
EyeSegment’s key features include not only full discovery of all connected devices but the ability to rapidly improve network segmentation by grouping similar and related devices together according to organizations’ business operations and unique environments. Instead of having to start with tedious granular information like IP addresses, eyeSegment first aims to give security and network managers a logical top-down view of connected devices’ location, relationships and traffic. This helps orchestrate and maintain required segmentation controls that eliminate needless attack surfaces and prove compliance with regulatory measures.
EyeSegment solves many of the problems associated with highly dynamic environments and can bring forth actionable insight for extended network environments when paired with Forescout’s eyeSight product. The combination of eyeSight and eyeSegment brings a one-two punch to solving the challenges of discovery and segmentation into an easy to use, unified visibility and control platform.
A Closer Look at eyeSight and eyeSegment
EyeSight uses a platform-based approach that incorporates some unique capabilities. The platform’s power comes from its ability to discover and classify any IP device that connects to the network. Simply put, any time a device with an IP address connects to the network; eyeSight becomes aware of that device and can assess that device. What’s more, this device discovery is agentless, meaning that software agents do not have to be installed on the connecting device.
EyeSight is also able to quickly classify the device and detect if it is a physical device, a virtual device, or even an IoT device. Discovery is a key process for network managers looking to continuously discover, assess and classify the network and its connected devices, and it is a prerequisite for dynamically segmenting the network.
The platform’s discovery engine gives network managers 100% visibility into the network and accounts for any IP connected device, even if that device is connected across the cloud or via mobile network, or even as a virtual device. eyeSight accomplishes that bit of wizardry by using a combination of techniques to discover devices.
Combination of components power the solution
EyeSight can use a combination of SNMP traps, SPAN traffic detection, Flow analysis, DHCP requests, HTTP user-agents, TCP fingerprinting, protocol parsing and RADIUS requests to passively detect what is connecting to the network. The platform also can passively inspect connected endpoints using capabilities such as network infrastructure polling, SDN integration, integration with public and private clouds, as well as use queries to LDAP, REST and SQL databases.
It is that comprehensive discovery and classification that makes it possible to segment enterprise-wide networks. Many IT managers have come to the conclusion that enterprise-wide networks must be segmented to reduce the attack surface and bring order to the chaos of network communications. eyeSegment supports that process with a policy-based approach, where context can be used to define segments that meet user needs, while also embracing a Zero Trust framework to protect networks from lateral attacks.
EyeSegment works hand in hand with Forescout’s other platform related products, such as eyeSight, eyeControl and eyeExtend to create a holistic approach to managing complex and orchestrating controls across dynamic network environments. eyeSegment is specifically focused on improving segmentation hygiene by using a combination of administrator defined policies, coupled with continuous monitoring.
EyeSegment automatically maps network traffic flows and creates a visual paradigm that administrators can use to monitor the interaction details of users, applications, services and devices across an enterprise network. It’s also worth mentioning that eyeSegment is able to gather that intelligence without the need to deploy agents. The gathered network intelligence can be translated into logical business segmentation policies, which grant granular control to administrators looking to get a better, and more secure, handle on network operations.
Automates access controls for administrators
Policy-based control lends itself well to numerous use cases. Take, for example, a business that has a particular operations department, such as inventory control, that needs to access applications across multiple internal and external domains. Inventory control personnel may need to access certain accounting applications, supply chain management applications, sales applications and so forth. Without eyeSegment, an administrator would have to manually define access controls on an individual basis.
eyeSegment eliminates that tedious task by helping an administrator to better understand the goals of the department and then create a policy that can dynamically deliver on the connectivity needed so that department members can access only what they need to access.
What’s more, eyeSegment offers the ability to simulate the impact policies have, before they are deployed. That brings additional confidence to the dynamic definition of network segments by providing a method to test policy changes before they are deployed into a live enterprise network. The product uses a “single-pane of glass” view, which helps reduce learning curves while exposing the most critical information on the primary management console. The product’s dashboard provides real-time monitoring and makes it easy to spot potential problems and mitigate those problems as quickly as possible.
Traffic flow visualization, along with policy visualization provides administrators with instant insight into dependencies, services, and validation on active segments. The gathered data can be correlated into reports and other analytics systems to garner additional insights if needed.
eyeSegment offers numerous other benefits that can improve both security and reliability of network segments. Administrators can define policies that protect business critical applications and ensure that the proper access controls are in place. What’s more, eyeSegment continuously monitors activity to ensure that protections provided by policies never lapse. That level of protection can extend down to users as well, meaning that policies enforce what users can and cannot access.
Builds policies that can be replicated
Policies can also be created to limit access to critical network resources, granting another layer of protection for sensitive network devices, workloads and domains. In short, administrators can build a policy that only allows administrators to access switches, firewalls, active directory, LDAP and domain controls. The product also helps to bring emerging technologies under control, such as Internet of Things (IoT) and Operational Technology (OT) devices by allowing administrators to build isolated segments for those devices, effectively separating those devices from the rest of the enterprise network.
EyeSegment brings a great deal of value to the network segmentation challenge. The product offers a clean way to create dynamic policies that can defend critical resources, protect applications, and ultimately reduce the attack surface of the network. What’s more, the intuitive dashboards and connectivity matrix help to minimize the chaos of complex networks using visual paradigms and intuitive management consoles.
Frank Ohlhorst is a veteran IT product reviewer and analyst who has been an eWEEK regular for many years.
