Previous

Next

Identify the sites and zones for your network topology

Completed

Your car manufacturing organization has a network including offices and production sites across the globe. A Zero Trust access strategy requires segmenting your OT network to enhance network security and limit access to each segment only to relevant personnel. Defender for IoT uses sites and zones for segmentation.

Zero Trust

Zero Trust is a security strategy that assumes a breach as a given, and therefore always requires verifications and the least needed privileges. Some applications of Zero Trust in an OT network can include:

• Ensuring that all connections between networks and devices are identified and managed.
• Limiting and securing your network jump hosts.
• Segmenting your network to limit data access. Encrypting and securing all communication between devices and segments and preventing lateral movement between systems.
• Evaluating signals like device location, health, and behavior using health data to gate access or flag for remediation.
• Monitoring security metrics to ensure security perimeter integrity.

Zero Trust with Defender for IoT

Defender for IoT supports Zero Trust access segmentation with sites and zones. You can group data ingested from sensors in the same site or zone together and monitor for unauthorized traffic crossing segments. Segmenting allows you to create policies for least-privileged access to Defender for IoT.

Sites and zones are defined as follows:

• Sites group devices by a specific geographical location, like an office at a specific address.
• Zones define a segment within a site that is a functional area, such as a specific production line.

Example

In your car manufacturer, you might segment factories and office areas in Paris and Lagos into the following sites and zones:

Sites	Zones
Paris office	- Ground floor (Guests) - Floor 1 (Sales) - Floor 2 (Executive)
Lagos office	- Ground floor (Offices) - Floors 1-2 (Factory)

Separate recurring IP address ranges

When you're working with multiple networks, separate sensors with recurring IP address ranges into separate zones. This ensures that Defender for IoT differentiates between the devices and identifies each device uniquely across your networks.

Knowledge check

Figures A and B will help you answer the knowledge check questions.

Figure A shows an example of two global locations. The Paris location has an office of different departments on three floors. The ground floor with a Guests network, floor 1 with Sales, and floor 2 with Executives. The Bengaluru location includes an office with different departments on three floors. The ground floor with an Offices network, floor 1 with Production Line A, and floor 2 with Production Line B.

Figure B is a diagram of a sample network with two sites, Site 1 and Site 2. Site 1 contains Zone 1 with network segments 10.0.0.0\/24, 10.0.1.0\/24, and 10.0.3.0\/24. Site 2 contains Zone 2 with network segments 10.0.0.0\/24, 10.0.0.0\/24, and 10.0.2.0\/24.

1.

Figure A represents a map of your company network. How would you organize this network into sites and zones for Defender for IoT?

Six sites, one for each floor. Two zones, one for the Paris site and one for the Bengaluru site.

Two sites, one for each office. Three zones in the Paris site and three zones in the Bengaluru site, one for each functional area.

Three sites, one for each office, including the global office. Three zones in the Paris site, two zones in the Bengaluru site, and one site in the global location.

2.

The sites in figure B have six network segments, currently allocated across two sites and zones. If site 2 has two network segments with the same IP addresses from different production lines, how many zones should you have in total between the two sites?

1

2

3

3.

Why is it important to segment a network into sites and zones when planning an OT security deployment?

In Defender for IoT, site and zone segmentation are superficial layers that allow security analysts to manage data in smaller amounts at a time.

Segmenting a network into sites and zones allows deployment teams to implement Zero Trust principles and configure Defender for IoT to monitor for unauthorized traffic crossing segments.

In Defender for IoT, zones allow security analysts to identify traffic coming from different regions around the world. Sites help to organize that traffic further into specific locations.

You must answer all questions before checking your work.

Continue