How Fortinet's Intent-Based Segmentation Makes SDN Easier to Do

NETWORKING TREND ANALYSIS: In discussions with IT pros, eWEEK's Zeus Kerravala finds that network segmentation is a little like going to the gym--where everyone talks about it but very few actually do it.


There may be no hotter trend in networking and security than segmentation. The rise of software-defined systems have made it possible to carve up the network into virtual segments to isolate assets. In actuality, in discussions with IT pros, I find that segmentation is a little like going to the gym--where everyone talks about it but very few actually do it. 

The reason for this is that applying segmentation can be very difficult. The concept is easy to understand: Keep high-value assets away from others and, as they say, “Bob’s your uncle” (this means "and there it is" or "and there you have it"; this is commonly used in United Kingdom and Commonwealth countries). In practicality, there are multiple kinds of segmentation and often a lack of understanding of how to apply the various types. 

Recently, security vendor Fortinet announced something called intent-based segmentation (IBS) to help make the process easier. The term “intent-based” refers to having the ability to have a system configure and maintain itself based on business intent. If you’re not familiar with the term, I recently wrote this post on how intent-based networking (IBN) works. Although this was specifically networking, the concepts as applied to segmentation are the same. In fact, one could argue that intent-based segmentation is a subset of the overall IBN term.

Varying Types of Segmentation

Before I get into how IBS works, it’s worth reviewing the various types of segmentation. These are:

  • Macro-segmentation, also known as coarse grained segmentation, is akin to VLANs, although they are significantly more flexible. The primary use case is to isolate broad buckets of device types, such as medical devices or guest endpoints.
  • Micro-segmentation, also known as fine-grained segmentation, is a more granular version of macro. This lets IT pros tailor security settings to isolate classes of devices within a broad group. An example of this might be a hospital that wants to isolate cardiac heart pumps from all other medical equipment.
  • Application level segmentation is used isolate traffic at an application or even process level. This can isolate applications on the same physical or virtual server.
  • Endpoint segmentation enables segmentation to be applied at the device level, regardless of the network topology below it. This can be particularly useful in IoT environments.

The obvious question here is which type of segmentation is best? The answer is all of them! It really depends on what the business is trying to achieve. In fact, the process of isolating cloud assets can involve using micro, macro and application segmentation.

This is where Fortinet’s IBS comes into play. Its new family of next-generation firewalls (NGFW) includes intent-based segmentation as part of its feature set. The family includes two mid-range NGFWs (FG-401E / 601E) and two high-end ones (FG-3401E / 3601E). Performance ranges from 4.8Gbps to 66 Gpbs. All of the NGFWs are built in Fortinet’s own security processing unit (SPU). The home-grown silicon has an advantage over off-the-shelf silicon in that it’s tailored to the needs of security, similar to the way a graphics processing unit (GPU) is optimized for video.

IBS Capabilities Can Be Adjusted to Workloads

The IBS capabilities intelligently segment the IT assets based on the intent of the business objectives and aligns the security process and access control to prevent threats from spreading laterally across the network. This is something that’s difficult, if not impossible, to do with traditional security tools.

To help understand, consider what happens when a user initiates or receives a transmission. The sessions traverse the public network, and that connection gets hardened and inspected to identify and prevent malware or traffic hijacking. This is certainly necessary but not enough. Isolating users and applications enables security professionals to see and control the devices that can interact with the connections, making it difficult for threat actors to intercept, steal or corrupt that data and helps ensure that data and resources are managed and secured as they move across an increasingly expanding network of connected ecosystems. Intent-based segmentation simplifies this by automating the process.

The "intent" in IBS indicates it operates at a business or use-case level. For example, the security administrator can initiate a use case of separating critical assets, and the Fortinet NGFW will apply a combination of micro and macro segmentation. Other use cases are things such as border security, tiered cloud access, meeting compliance requirements and securing physical access. Each one of these has a specific architecture that simplifies deployment and on-going management.

IBS Plugs in to Third-party Vendors

One final note is that IBS works with third-party vendors that customers may have in place as part of their segementation strategy. This includes some widely deployed solutions, such as Vmware’s NSX and Cisco ACI.

IT environments have grown more complex and dynamic, making it more difficult to reduce the overall attack surface.

Segmentation plays a key role in doing this, but trying to stitch together multiple products is difficult, because keeping policies up to date becomes overwhelmingly hard to do. The concept of intent-based segementation simplifies this process, because it applies the right combination of segmenation techniques to ensure the objectives of the business are always being met.

Zeus Kerravala is the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.