Demo Steps

This guide demonstrates Xshield’s micro-segmentation capabilities to prevent lateral movement and enhance security by isolating enterprise layers.

The demo focuses on Production vs. Non-Production segmentation, ensuring no unauthorized communication between servers or with the internet (e.g., a Production web server shouldn't communicate with a Non-Production DB server).

Demo Workflow

As part of server segmentation, we will begin by building basic security (blocking malicious and risky communications, restricting management and infrastructure ports), followed by whitelisting environment-specific traffic flows.

The flow of the demo will consist of the following phases:

  • Discovery
  • Automation for Scale
  • Visualize and Baseline
  • Reduce Attack Surface
  • Reduce Blast Radii
  • Prepare Breach Responses
  • Continuous Improvement

Discovery

Asset Discovery

The Xshield security platform collects hardware, operating system, network telemetry data, and other tags from the servers in the ecosystem to build visibility into the communications across the network.

The lab setup comes with the Xshield agent software already installed, and the servers are onboarded to the tenant. You should be able to see the discovered assets and their agent information on the platform.

Go to the Assets page to view the asset details as part of the discovery process.

Asset-Discovery

Classify Assets

Create Tag rules to auto assign Environment and Location tags based on the asset hostnames for easier segmentation and policy enforcement.

  1. Go to Tags > Tag Rules > Create Tag Rule
  2. Enter Name = US West Prod > click Add Rule Criteria > Assets > Asset Name > Advanced
  3. Enter the criteria as Contains = uswprod > Apply
  4. Click Add Tag Value > Environment = Prod, Location = US West, Business Value = High > Create
  5. Follow similar steps to create the second tag rule called 'US West Test' with criteria as Contains = uswtest and Tag Value as Environment = Test, Location = US West, Business Value = Medium

Classify-Assets-03

Segmentation Strategy

Based on the above classification, we can now start building segments. Agree upon the segments with the customer.

Define Core Segments

Create a Segment for all servers in the US West Location and individual segments per Environment, i.e., Test and Production.

Go to Segment > Create Segment and enter the name, criteria and a breach impact metrics target of 50 for each of the following segments:

  1. USWest > Location=US West, Type=Server
  2. USWest | Prod > Location=US West, Type=Server, Environment = Prod
  3. USWest | Test > Location=US West, Type=Server, Environment = Test

Core-segments-01
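To make the classification and segmentation steps above concrete, here is an added example (not Xshield's code) that models the two 'Contains' tag rules and the three segment criteria from this demo and shows which segments a hostname ends up in. The case-insensitive 'Contains' match and the Type tag defaulting to Server are assumptions.

```python
# Added example, not Xshield's code: a toy model of the tag rules and
# segment criteria created in the steps above.

# Tag rules from the demo: (rule name, 'Contains' needle, tag values to assign).
TAG_RULES = [
    ("US West Prod", "uswprod",
     {"Environment": "Prod", "Location": "US West", "Business Value": "High"}),
    ("US West Test", "uswtest",
     {"Environment": "Test", "Location": "US West", "Business Value": "Medium"}),
]

# Segment criteria from the demo: every listed tag must match for membership.
SEGMENTS = {
    "USWest": {"Location": "US West", "Type": "Server"},
    "USWest | Prod": {"Location": "US West", "Type": "Server", "Environment": "Prod"},
    "USWest | Test": {"Location": "US West", "Type": "Server", "Environment": "Test"},
}


def apply_tag_rules(hostname, asset_type="Server"):
    """Return the tags an asset carries after the 'Contains' rules have run."""
    tags = {"Type": asset_type}          # Type is discovered, not rule-assigned
    for _name, needle, values in TAG_RULES:
        if needle in hostname.lower():   # 'Contains' match; case-insensitive (assumption)
            tags.update(values)
    return tags


def segments_for(tags):
    """Return every segment whose criteria are all satisfied by the tags."""
    return [seg for seg, crit in SEGMENTS.items()
            if all(tags.get(k) == v for k, v in crit.items())]


def classify(hostnames):
    """Map each hostname to the segments it lands in (empty list = unsegmented)."""
    return {h: segments_for(apply_tag_rules(h)) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample hostnames, not the lab's real assets.
    sample = ["uswprod-web01", "uswtest-db01", "useprod-app01"]
    for host, segs in classify(sample).items():
        print(host, "->", segs or ["(no segment: review tag rules)"])
```

An asset whose hostname matches no rule (the third sample) lands in no segment and therefore receives none of the templates assigned later, which is the first thing to check when a server shows up unexpectedly in the Paths page.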

Enrichment

Now that we have defined Core Segments, we will next start defining Named Networks, policies for management communications and Infrastructure communications.

Network Discovery

Customers usually have an IP Plan for the network in which the IP addresses of management and infrastructure services are known. Use either the IP Plan or the Xshield recommendation to define core named networks for Management and Infrastructure services.

The named networks created in this step map IP addresses to known traffic patterns between sources such as Active Directory servers, DNS servers, jumpservers, bastion hosts, etc.

Create Named Networks:

Go to Named Networks > Create Named Network and create the following named networks with respective IP ranges.

  1. AD Servers: 172.20.0.4/32
  2. Dev-Ops-Bastion: 172.20.0.3/32
  3. DNS Servers: 8.8.4.4/32
  4. IT-Jumpservers: 172.20.0.2/32

Named-network-05

Apply these named networks to their respective segments using the recommendation available at the segment level.

  1. Go to each segment and click on the 3 dots at the end > Path recommendations > Named Network Assignment
  2. Select the recommended Named Networks > Assign

Named-network-assignment-01

Named-network-assignment-02

Named-network-assignment-03

Management Policy Templates

Based on the discovered network flows in the previous section, we will define policies for Management communications such as privileged access between Servers and Bastion hosts, IT jumpservers, IT tools etc.

Management communications are usually from a few management servers or tools such as bastion hosts, jumpservers etc to many managed assets. This represents inbound communication from the asset's perspective.

Leverage the Path Template recommendation to create Management templates:

  1. Go to Network Data > Paths
  2. Filter by Environment=Prod, Location=US West
  3. Click on Recommendation
  4. Select the relevant management ports (22 and 443 for Prod, 22 and 80 for Test) and Add To Template
  5. Name the Template with Management Access or Privileged Access and Save

We will define specific policies applicable to US West Location, Prod and Test Environments.

Management-Template-01

Management-Template-02

Management-Template-03

Management-Template-04

Do the same for TCP 443 and add it to the US West | Prod | Privileged Access template created previously.

We will follow the same process to create templates for the US West Test environment: TCP 22 from the IT-Jumpservers named network and TCP 80 from the Dev-Ops-Bastion named network.

Management-Template-09

Infrastructure Policy Templates

Infrastructure communications are usually from a large number of managed assets to a few infrastructure services/servers. This represents outbound communication from the asset's perspective.

Let us define policies for such communications between assets and infrastructure services such as DNS, AD, Domain Controllers, etc. Also define policies between servers and security services such as SIEM, vulnerability scanners and EDRs.

Leverage the Path Template recommendation to create Infrastructure templates:

  1. Go to Network Data > Paths
  2. Filter by Location=US West, Direction=Outbound
  3. Click on Recommendation
  4. Select the relevant infrastructure ports and Add To Template
  5. Name the Template as US West | Infrastructure and Save

Infra-Template-01

Infra-Template-02

Apply Management and Infrastructure Policy Templates to Segments

Now that we have defined the core named networks and templates for management and infrastructure services, attach these named networks and templates to their respective segments:

  1. Assign the US West | Infrastructure template to USWest Segment
  2. Assign the US West | Prod | Privileged Access template to USWest | Prod segment
  3. Assign the US West | Test | Privileged Access template to USWest | Test segment

Assign-Template-01

Assign-Template-02

Visualize and Baseline

Named networks and templates are linked to their respective segments. The Xshield security platform will now identify all discovered ports and paths, marking them as allowed or denied based on policies defined for legitimate and illegitimate communication patterns.

Visualize Core Segments

Visualize the core segments in the panoptic map in the context of the infrastructure and management networks.

visualizer-attack-surface-01

visualizer-blast-radius-01

Run Baseline Reports

For all of the core segments, run baseline reports with the current breach metrics to establish the baseline.

Generate Reports for Core Segments:

  1. Go to Segments, select all segments, and click 'Create Report'.
  2. A report request will be sent, and the report will be available in a few minutes.

baseline-reports-01

Download and Review Breach Metrics

  1. Navigate to Segments and click 'Reports'.
  2. Click the Download icon next to the report.
  3. Note the current value of breach score.

baseline-reports-06

Reduce Attack Surface

Block Malicious and High Risk Ports

To start eliminating malicious traffic and ensure assets are protected from unauthorized sources, we will create a Block template and assign it to the US West core segment.

  1. Go to Templates > Create Template
  2. Select type as 'Block'
  3. Add ports that are blocked as per the corporate policy. In our example we are blocking vulnerable ports such as TCP 21, TCP 3301, TCP 8080, TCP 8443
  4. Name it as Corporate Block Policy and click Create

Now that the Block Template is created, we will assign it to the US West segment:

  1. Go to Segments > click on the 3 dots at the end > Manage Templates
  2. Click on Assign Templates and select the Corporate Block Policy template and click Assign

block-template-01

block-template-02

Please note that the policies defined in Block Templates are applied and enforced on the matching assets irrespective of the enforcement state of the asset (i.e., even if the asset is in the Unsecure state).

Progressive Zero-Trust

To ensure that enforcement happens without disruption and currently open ports keep working, use the Progressive Zero Trust slider to move all core segments to Open Ports:

  1. Go to each segment > click on the 3 dots at the end > click on configure policy automation
  2. Move the slider on Attack Surface Progressive to Open Ports > Save
  3. Repeat the same on all 3 segments

zt-open-ports-01

zt-open-ports-02

Deploy Inbound Test-Mode

With templates set for blocking malicious ports and allowing essential inbound communications, we will move assets to Inbound Enforcement in Test Mode, applying policies without blocking non-template traffic by default.

  1. Go to each segment > click on the 3 dots at the end > click on configure policy automation
  2. Move the slider on Attack Surface Enforcement to Secure All. Ensure Test Mode is selected > Save
  3. Repeat the same on all 3 segments

inbound-test-mode-01

Resolve Violations and Enforce Inbound

Review the paths with Path Candidate Status 'Allowed Template' and 'Denied'. These paths will be Allowed or Denied respectively once the Assets are moved from Inbound Test mode to Inbound Enforce mode.

  1. Go to Network Data > Paths
  2. Filter by Location=US West, Type=Server, Direction=Inbound, Path Candidate Status=Denied and Allowed(template).
  3. Ensure that these are authorized or unauthorized traffic that must be allowed or denied respectively. To allow a path, select the path and click 'Add To Template' and select respective Template > Save

test-mode-violation

Once the violations are taken care of, enforce the Attack Surface:

  1. Go to each segment > click on the 3 dots at the end > click on configure policy automation
  2. Move the slider on Attack Surface Enforcement to Secure All. Ensure Test Mode is unselected > Save
  3. Repeat the same on all 3 segments

inbound-enforced

Run Progress Reports

Generate Reports for Core Segments:

  1. Go to Segments, select all segments, and click 'Create Report'.
  2. A report request will be sent, and the report will be available in a few minutes.

Download and Review Breach Metrics

  1. Navigate to Segments and click 'Reports'.
  2. Click the Download icon next to the report.
  3. Note the reduction in the breach score.

report-inbound-enforced-01

report-inbound-enforced-02

Reduce Blast Radii

Outbound Internet Access

To ensure access to SaaS and other critical Internet services, we will permit outbound TCP 80/443 and ICMP communications to the Internet for core segments by creating an Outbound Internet Template and applying it to the core segments.

  1. Go to Templates > Create Template
  2. In Outbound Paths > Add TCP 80, TCP 443, UDP 443 and ICMP to Internet(Public) named network > Create
  3. Go to Segments > USWest > Manage Templates > Assign Template > Global Internet Outbound > Assign

Outbound-Internet-Access-01

Outbound-Internet-Access-02

Outbound Intranet Access

To ensure seamless enforcement without disruptions and maintain uninterrupted non-system communications, we will permit outbound non-system communications (ports 1024-65535) to the Intranet for core segments.

This will be achieved by creating an outbound Intranet template for non-system communications and applying it to the core segments.

  1. Go to Templates > Create Template
  2. In Outbound Paths > Add TCP 1024-65535, UDP 1024-65535 to Intranet named network > Create
  3. Go to Segments > USWest > Manage Templates > Assign Template > Outbound Non-System Intranet > Assign

Outbound-Intranet-Access-01

Outbound-Intranet-Access-02

Deploy Outbound Test-Mode

With templates set for allowing essential outbound communications, we will move assets to Outbound Enforcement in Test Mode, applying policies without blocking non-template traffic by default.

  1. Go to each segment > click on the 3 dots at the end > click on configure policy automation
  2. Move the slider on Blast Radius Enforcement to Secure All. Ensure Test Mode is selected > Save
  3. Repeat the same on all 3 segments

outbound-test-mode-01

Resolve Violations and Enforce

Review the paths with Path Candidate Status 'Allowed Template' and 'Denied'. These paths will be enforced once assets move from Outbound Test Mode to Outbound Enforce Mode.

Review Paths with 'Allowed Template' and 'Denied' Status

  1. Navigate to Network Data > Paths.
  2. Apply filters:
    • Location = US West
    • Type = Server
    • Direction = Outbound
    • Path Candidate Status = Denied, Allowed (Template)
  3. Verify whether traffic is authorized or unauthorized:
    • To allow a path, select it and click 'Add To Template'.
    • Choose the appropriate Template and click 'Save'.
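The inbound review (Resolve Violations and Enforce Inbound), the note that Block Templates apply regardless of enforcement state, and the outbound review above all depend on how a path's candidate status is derived from the segment's templates. The following added example (not Xshield's code) is a toy evaluator for that logic using the named networks and templates built in this demo; direction is from the asset's point of view, and the named-network pairings for the Prod management ports, the Intranet ranges and the DNS port are assumptions.

```python
# Added example, not Xshield's code: a toy "Path Candidate Status" evaluator
# built from the templates in this demo.
import ipaddress

NAMED_NETWORKS = {                        # from the Named Networks step
    "IT-Jumpservers": ["172.20.0.2/32"],
    "Dev-Ops-Bastion": ["172.20.0.3/32"],
    "DNS Servers": ["8.8.4.4/32"],
    "Intranet": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # assumption: RFC1918
}


def peer_in(ip, network):
    """True if the remote IP falls inside the named network."""
    addr = ipaddress.ip_address(ip)
    if network == "Internet(Public)":
        return addr.is_global
    return any(addr in ipaddress.ip_network(c) for c in NAMED_NETWORKS[network])


# Rules: (direction or "any", protocol, low_port, high_port, named_network or None = any peer).
BLOCK_TEMPLATE = [("any", "tcp", p, p, None) for p in (21, 3301, 8080, 8443)]
ALLOW_TEMPLATES = {
    "USWest | Prod": [("inbound", "tcp", 22, 22, "IT-Jumpservers"),      # assumption
                      ("inbound", "tcp", 443, 443, "Dev-Ops-Bastion")],  # assumption
    "USWest | Test": [("inbound", "tcp", 22, 22, "IT-Jumpservers"),
                      ("inbound", "tcp", 80, 80, "Dev-Ops-Bastion")],
    "USWest": [("outbound", "udp", 53, 53, "DNS Servers"),               # assumption
               ("outbound", "tcp", 80, 80, "Internet(Public)"),
               ("outbound", "tcp", 443, 443, "Internet(Public)"),
               ("outbound", "udp", 443, 443, "Internet(Public)"),
               ("outbound", "icmp", 0, 65535, "Internet(Public)"),
               ("outbound", "tcp", 1024, 65535, "Intranet"),
               ("outbound", "udp", 1024, 65535, "Intranet")],
}


def matches(rule, direction, proto, port, peer_ip):
    d, p, lo, hi, net = rule
    return (d in ("any", direction) and p == proto and lo <= port <= hi
            and (net is None or peer_in(peer_ip, net)))


def path_status(segments, direction, proto, port, peer_ip, test_mode):
    """Candidate status of one path for an asset that belongs to `segments`."""
    # Block templates win regardless of the asset's enforcement state.
    if any(matches(r, direction, proto, port, peer_ip) for r in BLOCK_TEMPLATE):
        return "Denied"
    for seg in segments:
        if any(matches(r, direction, proto, port, peer_ip) for r in ALLOW_TEMPLATES.get(seg, [])):
            return "Allowed (Template)"
    # Non-template traffic: only logged in Test Mode, dropped once enforced.
    return "Allowed (Test Mode)" if test_mode else "Denied"
```

Running a Prod server's outbound TCP 80 path to a constructed intranet SIEM address through `path_status` returns "Allowed (Test Mode)" now and "Denied" after enforcement, which is exactly why that path must be added to a template in the next step before the slider is moved.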

Allow Outbound TCP 80 to SIEM Server

  1. Select the Outbound TCP 80 to SIEM Server path.
  2. Click 'Add To Template' > 'Create Template' > 'Outbound System Intranet' > 'Create'.
  3. Navigate to Segments > US West > Manage Templates.
  4. Click 'Assign Template' > 'Outbound System Intranet' > 'Assign'.

Push Updated Policy to Firewall

  1. Go to the Assets page.
  2. Select All Assets.
  3. Click 'Blast Radius' > 'Push to Firewall' to apply the updated policy.

outbound-test-mode-violation-01

outbound-test-mode-violation-02

outbound-test-mode-violation-03

Once violations are addressed, proceed with Blast Radius Enforcement.

Steps to Enforce

  1. Navigate to each segment.
  2. Click the three dots at the end and select 'Configure Policy Automation'.
  3. Adjust the Blast Radius Enforcement slider to 'Secure All'.
  4. Ensure Test Mode is unselected, then click 'Save'.
  5. Repeat the process for all three segments.

outbound-enforced-01

Run Progress Reports

For all of the core segments, run reports to see the progress:

  1. Go to Segments > Select all segments and click 'Create Report'
  2. The report creation request is sent and a report will be ready in a few minutes

Download the progress reports and note the breach metrics.

  1. Go to Segments > click on 'Reports'
  2. Click on the 'Download icon' next to the report
  3. Note the reduction in breach score in the report

report-outbound-enforced-01

Prepare Breach Responses

TBD

Outcome

Before micro-segmentation

Before implementing micro-segmentation, vulnerable ports like SSH and FTP were open between all servers in the enterprise. Additionally, open communications were observed between bastion hosts and servers, between production and non-production servers, etc., creating the potential for lateral movement in the event of a breach.

baseline-reports-06

After micro-segmentation

By progressively micro-segmenting the production and non-production servers, we have blocked vulnerable ports like FTP, restricted infrastructure and management communications between specific jumpservers and bastion hosts, and significantly reduced the potential for lateral movement in the event of a breach.

report-outbound-enforced-01

This demonstrates the reduced attack surface and blast radius, preventing unauthorized communication between the Production and Non-Production environments as well as between the servers and the internet.

Enforcement Validation

The Xshield Security Platform offers multiple ways to validate security enforcement.

Firewall Logs & Denied Traffic

  • Paths & Ports Pages: Show learned paths and ports as Allowed or Denied, ensuring only authorized traffic flows.
  • Firewall Logs: Capture dropped traffic due to zero-trust policies, helping identify misconfigurations.
  • Policy Assessment: Review paths and ports to confirm policies effectively restrict unauthorized access.
  • Fine-Tuning: Use firewall logs to refine policies, ensuring security without disrupting operations.

Conclusion

In this demo lab, progressive micro-segmentation helped prevent lateral movement between production and non-production environments, reducing the attack surface and blast radius by applying zero-trust policies step by step, without disrupting legitimate traffic.

We monitored paths, ports, and firewall logs to ensure only authorized traffic was allowed and adjusted policies based on logged data.

This approach provided scalable, flexible security, ensuring protection while maintaining business continuity.

Overall, it demonstrated how gradual policy enforcement enhances network security with minimal impact.

Lab Teardown

Please refer to the "Remove Lab Environment" section in the Lab Setup Guide.