Network Isolation with Virtual Endpoints

By ari. August 7, 2019

Network Isolation, the segmenting of a computer network into separate zones with distinct trust levels, for the purpose of containing hazards or reducing damage caused by a threat actor, is a hallmark of nearly every security-minded network design. Even though implementing port security policies, VLANs, VPNs, and other technologies can take many months of planning and hard work, generally, the investment is worthwhile as it often significantly strengthens the network’s ability to withstand a cyberattack.

It turns out, though, that maintaining the isolation between network segments in the face of the productivity and usability demands of end-users is a hard problem. Network engineers and security architects wind up purposely building weak points into their environments (jump servers, backdoor ‘admin subnets’, etc.) that undermine their attempt at separation, and end-users are burdened with quirky hoops to jump through to access sensitive resources. In extreme situations, end-users are issued multiple workstations: one for each network segment they need to access.

Fortunately, virtualization tech has evolved to include virtual networking capabilities at the endpoint that can maintain network isolation without sacrificing a seamless experience that end-users expect. Let’s take a look at how endpoint virtualization solutions like Hysolate can improve both network isolation and user experience in a few contexts:

Scenario 1: Segmented Corporate Network

If your organization implements network isolation techniques such as VLANs, then you’re off to a great start. However, if IT engineers install dual-homed jump servers or similar, then you may be setting the organization up to rely on single points of compromise. Moreover, the way in which end-users interact with resources on those VLANs can completely defeat the isolation. If a worker exposes his machine’s single operating system to hazards in a low-trust LAN segment and then proceeds to ‘hop VLANs’ by plugging the machine into a port on a sensitive LAN segment, he could be exposing the sensitive zone to outside harms via his infected OS. Issuing multiple machines to employees who work on more than one network segment (i.e. one laptop per LAN) simply doesn’t scale. Beyond that, end-users waste countless hours repeatedly switching between machines for day-to-day tasks.

With endpoint virtualization done the Hysolate way, though, VLAN-tagged traffic can be ‘carried all the way’ into the endpoint’s virtual network while maintaining full separation. Since the user is running more than one OS as virtual machines (sensitive, corporate, personal, etc.), each can be individually assigned to a separate VLAN, and the zones can maintain their isolation without the need for redundant workstations and the user fatigue of machine-switching.

Scenario 2: Remote Workers and Mandatory VPN

Let’s say you have many employees who work remotely or travel frequently for work. You must enable them to access resources on the corporate network so they can do their job, so you maintain a remote access VPN service for them to use from anywhere they go. Luckily for the users, the organization doesn’t expect them to lug around two laptops, but the always-on VPN policy negatively impacts their network connection’s performance, and knowing that all of their traffic is being monitored by their employer can be kind of a buzz kill. As a result, users don’t really use their machine unless they absolutely must. Meanwhile, the organization is worried it could be legally liable for personal online activities (e.g. torrenting movies) that necessarily traverse the corporate network.

With endpoint solutions like Hysolate, the corporate VPN can be selectively applied to only the corporate zone. So, for all corporate purposes, the VPN can be always-on. Moreover, other network policies can be conditionally activated depending on location. Meanwhile, the personal zone can be left to freely visit the public internet without the same need for corporate monitoring, and without the bandwidth penalty of double-hopping through the VPN.

Scenario 3: Dual NICs, Dual Networks

Perhaps you work for a smaller organization that hasn’t quite gotten around to the whole network isolation thing just yet. They’re aware that end-users’ personal activities on their single, multi-purpose machine could put assets on the corporate network at risk, but the organization doesn’t have the IT staff to roll out VLANs across the whole company right now. The only quasi-network isolation in play is their separate WiFi network for office guests and visitors.

Luckily, your standard-issue workstation sports two network interfaces: a wireless card and an ethernet port. With Hysolate, and without much engineering effort, you can configure your isolated operating systems so that only your corporate zone can connect via ethernet, while requiring your personal zone to use the existing guest WiFi network. Alternatively, if the device only has one wireless interface, the company could purchase an inexpensive USB WiFi dongle so the machine can simultaneously connect to two separate WiFi networks, guest and corporate, and start creating isolation where there was none before.
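Whichever of the three arrangements above is in place (per-VM VLANs, a VPN pinned to the corporate zone, or zones bound to separate NICs), the isolation only holds if each zone really does send its traffic where the policy says. The following is an added example, not Hysolate’s code or any part of the original article, showing how a defender could verify that from endpoint flow records. The record format (`zone=… iface=… src=… dst=… dport=…`), the zone policies, the interface names (`eth0.10` for VLAN 10, `tun0` for the VPN, `wlan0` for guest WiFi), the 10.10.0.0/16 corporate range and the sample log lines are all constructed for the illustration:

```python
"""Check endpoint flow records against a per-zone network isolation policy.

Added example (not from the original article or from Hysolate). Every
interface name, subnet, log format and sample record below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical flow record format emitted by the endpoint's virtual network layer.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+zone=(?P<zone>\S+)\s+iface=(?P<iface>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class ZonePolicy:
    allowed_ifaces: frozenset          # NICs / VLAN sub-interfaces / tunnels the zone may use
    allowed_dsts: tuple                # networks the zone is permitted to reach
    denied_dsts: tuple                 # networks the zone must never reach (checked first)


CORP_NET = ipaddress.ip_network("10.10.0.0/16")   # constructed corporate range
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Scenario 1/2: the corporate zone talks only over VLAN 10 or the VPN tunnel, only to corporate nets.
# Scenario 3: the personal zone is confined to guest WiFi and may go anywhere except corporate nets.
POLICIES: Dict[str, ZonePolicy] = {
    "corp": ZonePolicy(frozenset({"eth0.10", "tun0"}), (CORP_NET,), ()),
    "personal": ZonePolicy(frozenset({"wlan0"}), (ANY_NET,), (CORP_NET,)),
}


def parse_flow(line: str) -> Optional[dict]:
    """Parse one record into a dict, or return None if it does not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    flow["dst"] = ipaddress.ip_address(flow["dst"])
    return flow


def check_flow(flow: dict) -> List[str]:
    """Return the list of policy violations for a single parsed flow (empty if compliant)."""
    reasons: List[str] = []
    policy = POLICIES.get(flow["zone"])
    if policy is None:
        return [f"unknown zone {flow['zone']!r}"]
    # Did the zone leave the endpoint through an interface it is not bound to?
    if flow["iface"] not in policy.allowed_ifaces:
        reasons.append(
            f"zone {flow['zone']} used interface {flow['iface']} "
            f"(allowed: {sorted(policy.allowed_ifaces)})"
        )
    # Did the zone reach a network it is walled off from?
    if any(flow["dst"] in net for net in policy.denied_dsts):
        reasons.append(f"zone {flow['zone']} reached denied destination {flow['dst']}")
    elif not any(flow["dst"] in net for net in policy.allowed_dsts):
        reasons.append(f"zone {flow['zone']} reached {flow['dst']} outside its allowed networks")
    return reasons


def check_flows(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run every record through the policy; return (line_no, kind, message) findings."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            findings.append((n, "parse", f"unparseable record: {line.strip()}"))
            continue
        for reason in check_flow(flow):
            findings.append((n, "violation", reason))
    return findings


# Constructed sample records: lines 3, 4 and 6 violate the policy, the rest comply.
SAMPLE_FLOWS = [
    "2019-08-07T09:00:01 zone=corp iface=eth0.10 src=10.10.5.7 dst=10.10.5.20 dport=445",
    "2019-08-07T09:00:05 zone=personal iface=wlan0 src=192.168.50.12 dst=93.184.216.34 dport=443",
    "2019-08-07T09:01:10 zone=personal iface=eth0.10 src=10.10.5.8 dst=10.10.5.20 dport=445",
    "2019-08-07T09:02:30 zone=corp iface=wlan0 src=192.168.50.12 dst=10.10.5.20 dport=443",
    "2019-08-07T09:03:00 zone=corp iface=tun0 src=10.99.0.4 dst=10.10.7.9 dport=22",
    "2019-08-07T09:04:00 zone=corp iface=tun0 src=10.99.0.4 dst=93.184.216.34 dport=443",
]

if __name__ == "__main__":
    for line_no, kind, msg in check_flows(SAMPLE_FLOWS):
        print(f"line {line_no}: {kind}: {msg}")
```

Record 3 is the Scenario 1/3 failure mode (a personal VM that got onto the corporate VLAN), record 4 is the Scenario 2 failure mode (corporate traffic that bypassed the VPN and VLAN over guest WiFi), and record 6 shows the corporate zone reaching the public internet directly, which this particular policy forbids. The `denied_dsts` check runs before `allowed_dsts` so that a zone allowed to reach "anywhere" still trips on the corporate range.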

IT administrators and security professionals can stop building isolation-violating weaknesses into their networks while also staying on good terms with end-users. Using endpoint virtualization solutions like Hysolate can ensure hazardous operations are adequately isolated from corporate resources and other sensitive assets without impacting day-to-day end-user productivity.
