Segmenting the critical functions of the network is a fundamental security hygiene practice. Given that our organization has already implemented Software-Defined Networking (SDN) and has defined the necessary SDN APIs (as per Activities 5.2.1 and 5.2.2), Zero Trust Activity 5.2.3: Segment Flows into Control, Management, and Data Planes directs us to utilize this programmable infrastructure to segment the different planes of network operation.  

This activity recognizes that within any network infrastructure, different types of traffic serve distinct purposes. You have traffic that carries the actual data users are accessing (the data plane), traffic used by administrators to configure and manage network devices (the management plane), and traffic used by network protocols to exchange routing information and control network behavior (the control plane). This separation prevents an attacker who gains access to one plane (e.g., the data plane through a compromised user device) from easily accessing or manipulating traffic on the other, more sensitive planes (management or control). 

Activity 5.2.3 mandates that network infrastructure and flows are segmented into separate and distinct control, management, and data planes.  This segmentation is implemented and managed by leveraging our existing SDN infrastructure and the APIs we’ve defined. The SDN controller, through these APIs, will be used to configure and enforce the segmentation policies on the programmable network devices.  

The activity specifically calls out IPv6/VLAN segmentation as the method for separating traffic across these planes, which the SDN controller can configure programmatically. Additionally, analytics and NetFlow data are integrated into the SIEM and SOAR tools, enabling visibility, threat detection, and response.  

The ultimate end goal is to obtain the benefits of segmentation: a more resilient network architecture where the impact (the “blast radius”) of a security event is contained.   

Solutions for Achieving Segment Flows into Control, Management, and Data Planes 

Implementing the segmentation of network planes in Activity 5.2.3 focuses on leveraging our existing SDN infrastructure to define and enforce these boundaries: 

  1. Defining Segmentation Policies within the SDN Controller (Network Design for Plane Separation): 
  • The enterprise and components define clear policies for the separation of control, management, and data planes, specifying which types of traffic and devices belong to each. 
  • These policies are configured centrally within the SDN controller, which acts as the single point of management for segmentation. 

  2. Utilizing SDN APIs for Programmatic Segmentation Enforcement: 
  • Instead of manually configuring individual network devices, the SDN controller, using its defined APIs (from 5.2.1), programs the programmable network devices (switches, routers, segmentation gateways) to enforce the segmentation policies. 
  • This involves the SDN controller dynamically configuring VLANs, IPv6 subnetting, VRFs, and access control lists on the network devices to create the logical or physical separation between planes. 

  3. Implementing Segmentation Gateways (Managed by SDN): 
  • Deploy or configure segmentation gateways that will enforce granular access controls between the defined planes. 
  • These gateways are integrated with and managed by the SDN controller via APIs. The SDN controller dynamically updates the policies on these gateways to control what traffic is allowed to pass between the control, management, and data plane segments based on defined policies and potentially real-time security events. 

  4. Implementing IPv6/VLAN Segmentation (Configured via SDN): 
  • Utilize IPv6 subnetting and VLANs as the underlying networking technologies to create the distinct network segments for each plane. 
  • The configuration and management of these IPv6 addresses and VLAN assignments are performed programmatically by the SDN controller via its APIs. 

  5. Automating NetOps Information Reporting (NetFlow/Analytics) leveraging SDN Capabilities: 
  • Configure the programmable network devices, often via the SDN controller’s APIs, to export flow data (NetFlow, IPFIX) and other network analytics. 
  • The SDN controller may also provide aggregated analytics or APIs to access flow information centrally. 
  • Ensure this data is automatically fed into NetFlow/IPFIX collectors, analysis tools, Operations Centers, and ultimately your SIEM. 

  6. Ensuring Configuration Control through SDN’s Centralization: 
  • The SDN controller’s centralized management inherently provides stronger configuration control for the segmented network compared to managing devices individually. Changes to segmentation policies are made in the controller and pushed consistently to the managed devices. 

  7. Integrating with SIEM/SOAR leveraging SDN’s Visibility and Control: 
  • Feed network analytics data (including NetFlow managed by SDN) and security events from the programmable network devices and segmentation gateways into your SIEM for centralized monitoring and correlation. 
  • The SDN’s APIs and centralized visibility can enhance the data available to the SIEM. 
  • Integrate with your SOAR platform to automate response actions, which could involve using the SDN APIs to dynamically adjust segmentation or isolate devices based on security incidents detected through SIEM analysis. 
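The steps above, carried through end to end as one added example (this is illustrative code written for this page, not code from the DoD roadmap or from any SDN controller or vendor). The plane policy is kept as data: one IPv6 prefix and one VLAN per plane, plus an explicit list of the inter-plane exceptions the segmentation gateway may forward. From that single source the script renders the ACL the controller would push (steps 2 and 3), produces a VLAN/prefix intent payload for a northbound API (step 4), and evaluates flow records of the kind a NetFlow/IPFIX collector forwards to the SIEM, flagging any cross-plane flow that the policy does not permit (steps 5 and 7). The prefixes, VLAN IDs, the single management-to-control SSH exception, the payload shape and the flow records are all constructed assumptions, not values from the page.

```python
"""Control/management/data plane segmentation as policy data, rendered to
ACL rules for the SDN controller to push, and used to check flow records
(NetFlow/IPFIX style) for cross-plane violations.

Added example, not from the original page. Prefixes, VLAN IDs, the allowed
exception, the API payload shape and the flow records are all assumed."""
from dataclasses import dataclass
import ipaddress

# Assumed addressing: one IPv6 /64 and one VLAN per plane.
PLANES = {
    "control":    {"vlan": 10, "prefix": ipaddress.ip_network("2001:db8:10::/64")},
    "management": {"vlan": 20, "prefix": ipaddress.ip_network("2001:db8:20::/64")},
    "data":       {"vlan": 30, "prefix": ipaddress.ip_network("2001:db8:30::/64")},
}

# Assumed exception list for the segmentation gateway: (src_plane, dst_plane,
# tcp_port). Here only management hosts may SSH to control-plane devices;
# every other inter-plane flow is dropped and logged.
ALLOWED_INTER_PLANE = {("management", "control", 22)}


def plane_of(addr):
    """Return the plane that owns an address, or None if it is unsegmented."""
    ip = ipaddress.ip_address(addr)
    for name, spec in PLANES.items():
        if ip in spec["prefix"]:          # version mismatch (IPv4) is simply False
            return name
    return None


def render_acl():
    """Vendor-neutral ACL lines: permit intra-plane, permit the exceptions,
    then deny everything else. Order matters: the deny must come last."""
    lines = []
    for name, spec in PLANES.items():
        p = spec["prefix"]
        lines.append(f"permit ipv6 {p} {p}  ! intra-{name}")
    for src, dst, port in sorted(ALLOWED_INTER_PLANE):
        lines.append(f"permit tcp {PLANES[src]['prefix']} {PLANES[dst]['prefix']} "
                     f"eq {port}  ! {src}->{dst}")
    lines.append("deny ipv6 any any log  ! default: no cross-plane traffic")
    return lines


def vlan_intent():
    """Payload for a hypothetical controller northbound API that assigns a
    VLAN and IPv6 prefix per plane. The shape is assumed, not a real API."""
    return {"segments": [{"name": n, "vlan": s["vlan"], "prefix": str(s["prefix"])}
                         for n, s in PLANES.items()]}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def evaluate_flow(flow):
    """Classify one flow against the plane policy: permit, deny, or alert."""
    s, d = plane_of(flow.src), plane_of(flow.dst)
    if s is None or d is None:
        return "alert", "endpoint outside every defined plane"
    if s == d:
        return "permit", f"intra-{s}"
    if flow.proto == "tcp" and (s, d, flow.dst_port) in ALLOWED_INTER_PLANE:
        return "permit", f"allowed {s}->{d} tcp/{flow.dst_port}"
    return "deny", f"cross-plane {s}->{d} {flow.proto}/{flow.dst_port} not permitted"


# Constructed flow export in a simplified CSV form: src,dst,proto,dst_port.
# Rows 3 and 4 model a compromised data-plane host probing management (SSH)
# and control (BGP); row 5 is an address that belongs to no plane at all.
SAMPLE_FLOWS = """\
2001:db8:30::1,2001:db8:30::2,tcp,443
2001:db8:20::5,2001:db8:10::1,tcp,22
2001:db8:30::7,2001:db8:20::1,tcp,22
2001:db8:30::7,2001:db8:10::1,tcp,179
2001:db8:99::1,2001:db8:30::1,udp,53
"""


def parse_flows(text):
    """Parse the constructed CSV form into Flow records, skipping comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, port = line.split(",")
        flows.append(Flow(src.strip(), dst.strip(), proto.strip(), int(port)))
    return flows


def find_violations(text):
    """Everything a SIEM rule should raise: denied or unclassifiable flows."""
    hits = []
    for f in parse_flows(text):
        verdict, reason = evaluate_flow(f)
        if verdict != "permit":
            hits.append((verdict, f"{f.src} -> {f.dst} {f.proto}/{f.dst_port}: {reason}"))
    return hits


if __name__ == "__main__":
    print("\n".join(render_acl()))
    for verdict, msg in find_violations(SAMPLE_FLOWS):
        print(verdict.upper(), msg)
```

Two design points worth keeping when adapting this: the policy object is the only place the planes and exceptions are defined, so the ACL the controller pushes and the detection rule the SIEM runs cannot drift apart; and an address that matches no plane is raised as an alert rather than silently permitted, since an unsegmented endpoint is exactly the gap that lets a data-plane compromise reach the other planes.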

Relevant Technologies and Tools: 

Successfully implementing Activity 5.2.3 relies heavily on your existing and integrated SDN infrastructure and its interplay with security and monitoring tools:
  • Software-Defined Networking (SDN) Controllers: Centrally define segmentation policies and programmatically enforce them via APIs on programmable network devices (using mechanisms such as VLANs, IPv6 subnetting, VRFs, and ACLs) and on managed segmentation gateways, which in turn enforce inter-segment policies. 
  • NetFlow/IPFIX Collectors and Analysis Tools: Collect and analyze flow data exported by the programmable network devices. 
  • Network Monitoring and Analytics Tools: Provide broader visibility into the performance and behavior of the segmented network. 
  • Security Information and Event Management (SIEM) and Log Analytics Systems: Provide the centralized collection and analysis of security data from the segmented network. 
  • Security Orchestration, Automation, and Response (SOAR) Platforms: Consume SIEM findings to automate incident responses, including dynamically adjusting network segmentation via the SDN APIs. 

For the Technical Buyer: 
 
Activity 5.2.3 is about leveraging your investment in SDN to implement a fundamental Zero Trust security control: segmenting your network planes. By using your SDN controller and its defined APIs to programmatically configure and manage VLANs, IPv6, and segmentation gateways, you create strong, dynamic boundaries between control, management, and data traffic.  

For technical buyers, success here means effectively utilizing your SDN capabilities to enforce this segmentation, ensuring that network analytics like NetFlow are integrated with your SIEM for continuous visibility, and positioning your network for automated responses orchestrated by tools like SOAR.  

This activity is crucial for significantly limiting the scope of attack and preventing lateral movement within your network, making your programmable infrastructure a key enforcer of Zero Trust principles. 

Pillar: Network and Environment 

Capability: 5.2 Software Defined Networking 

Activity: 5.2.3 Segment Flows into Control, Management, and Data Planes 

Phase: Target Level 

Predecessor(s): None 

Successor(s):  

  • 5.3.2 Base/Camp/Post/Station (B/C/P/S) Macro-segmentation 
  • 5.4.2 Application & Device Micro-segmentation 

Technology Partners