Demo Steps

This guide demonstrates Xshield's micro-segmentation capabilities to prevent lateral movement and enhance security by isolating users.

Use Case

Ensure endpoints are invisible to the rest of the network. This means there will be no communication between the endpoints, or from other devices to the endpoints, except for explicitly allowed applications. We will achieve this by:

  • Inbound policies to block all communication except for legitimate application/management traffic
  • Outbound policies to access the servers/applications, based on the user login.

Discovery

Asset Discovery

info

The Xshield security platform collects hardware, operating system, network telemetry data, and other tags from the endpoints in the ecosystem to build visibility into the communications across the network.

The lab setup comes with the Xshield agent software already installed, and the endpoints are onboarded to the tenant. You should be able to see the discovered assets and their agent information on the platform.

Viewing Assets

Navigate to:

  1. The Agents page
  2. The Assets page

These pages display the agent and asset details as part of the discovery process.

Agent Discovery View

Asset Discovery View

Classify Assets

note

Create Tag rules to auto-assign Location tags based on the asset subnet for easier segmentation and policy enforcement.

Creating Tag Rules

  1. Go to Tags > Tag Rules > Create Tag Rule
  2. Configure the rule:
    • Name: Greenfield
    • Click Add Rule Criteria > Tags > Subnet
    • Enter subnet: 10.100.0.0/24
    • Click Apply Tags > Location > Greenfield

Creating Tag Rules

tip

Follow similar steps to create tag rules for other subnets using the mapping below.

Subnet                          Location
10.100.0.0/24                   Greenfield
10.110.0.0/23, 10.120.0.0/21    Silver Lake
10.130.0.0/25, 10.140.0.0/22    Pinehill

Tag Rules Created

Segmentation Strategy

info

Based on the above classification, we can now start building segments. Agree upon the segments with the customer.

Define Core Segments

Create a segment for all endpoints and individual segments per location using the following criteria:

Segment Name     Criteria
All Endpoints    Type: Endpoint
Greenfield       Location: Greenfield, Type: Endpoint
Silver Lake      Location: Silver Lake, Type: Endpoint
Pinehill         Location: Pinehill, Type: Endpoint

Creating Segments

  1. Go to Segment > Create Segment
  2. For each segment:
    • Enter the name from the table above
    • Set the criteria as specified
    • Set breach impact metrics target as 50

Creating Segments

Segments Created

Enrichment

Now that we have defined Core Segments, we will next define Named Networks and policies for management and infrastructure communications.

Network Discovery

info

Customers usually have an IP Plan of the network in which the IP addresses of management and infrastructure services are known. Either use the IP Plan or the Xshield recommendations to define core named networks for Management and Infrastructure services.

The named networks created in this step help map IP addresses to known traffic patterns between sources such as:

  • Active directories
  • DNS servers
  • Jump servers
  • Bastion hosts

Create Named Networks

  1. Go to Named Networks > Create Named Network
  2. Create networks with the following IP ranges:

Subnet                          Named Network
10.100.0.0/24                   Greenfield
10.110.0.0/23, 10.120.0.0/21    Silver Lake
10.130.0.0/25, 10.140.0.0/22    Pinehill
10.230.0.2/32                   Citrix Desktops
10.230.0.3/32                   EMClient
10.230.0.4/32                   Proxy
10.230.0.5/32                   AD
10.220.0.2/32                   TMS-APP
10.220.0.3/32                   WMS-APP

Creating Named Networks

Named Networks Created

Assign Named Networks

info

We shall apply these named networks to respective segments using the recommendations available at the segment level.

Assignment Steps

  1. For each segment:
    • Click the three dots (⋮) at the end
    • Navigate to Path recommendations > Named Network Assignment
  2. Select the recommended Named Networks with inbound paths
  3. Click Assign

Named Network Assignment - Step 1

Named Network Assignment - Step 2

Management Policy Templates

Based on the discovered network flows, we will define policies for Management communications such as privileged access between endpoints.

info

Management communications typically flow from management servers/tools (such as Endpoint Management servers) to managed assets, which is inbound communication from the asset's perspective. We will use the Path Template recommendations to create the Management templates.

Creating Management Templates

  1. For each segment:
    • Click the three dots (⋮) at the end
    • Navigate to Path recommendations > Templates > Inbound
  2. Select path with port 17472
  3. Click Add to Template
  4. Name the template as Management Access - <Location>
  5. Click Save

note

We will define specific policies applicable to each location.

Template Recommendations View

Template Assignment View

Infrastructure Policy Templates

info

Infrastructure communications typically flow from many managed assets to a few Infrastructure services/servers, representing outbound communication from the asset's perspective.

We shall define policies for communications between assets and infrastructure services such as:

  • DNS servers
  • Domain controllers
  • Endpoint Management Servers

Creating Infrastructure Template

  1. Go to endpoint segment
  2. Click the three dots (⋮) at the end
  3. Navigate to Path recommendations > Templates > Outbound
  4. Select paths to:
    • EMClient
    • AD
    • Proxy
  5. Click Add to Template
  6. Name the template as Infra - Base
  7. Click Save

Infrastructure Template Configuration

Apply Infrastructure and Management Templates to Segments

Now that we have defined the core named networks and templates for management services, we'll attach the templates to their respective segments.

Assign the following templates:

Template                         Target Segment
Infra - Base                     Type: Endpoint
Management Access - Greenfield   Location: Greenfield, Type: Endpoint
Management Access - Silver Lake  Location: Silver Lake, Type: Endpoint
Management Access - Pinehill     Location: Pinehill, Type: Endpoint

Visualization and Baseline

note

Named networks and templates are now linked to their respective segments. The Xshield security platform will identify all discovered ports and paths, marking them as allowed or denied based on defined policies.

Visualize Core Segments

Visualize the Core segments in the panoptic map to see them in the context of the infrastructure and management networks:

  1. Go to Segments
  2. For Endpoint Segment:
    • Click Visualize
    • Select Dimension Location

Segment Visualization

  1. Click Blast Radius
  2. Select Dimension Type

Blast Radius Visualization

Analyze Breach Impact Score

  1. Go to Segments
  2. Select Endpoint segment
  3. Click Create Report
  4. Enter a report name
  5. Click Save

Creating Impact Report

info

Reports will be available in a few minutes. Download from Segments > Reports page and note the current breach score.

Impact Report Part 1

Impact Report Part 2

Reduce Attack Surface

Block Malicious and High-Risk Ports

To start eliminating any malicious traffic and ensure assets are protected from unauthorized sources, we will leverage block templates and assign them to the endpoint segment.

  1. Go to Templates > Create Template
  2. Select type as Block
  3. Add ports that are blocked as per the corporate policy. In our example we are blocking vulnerable ports such as:
    • TCP 3389
    • TCP 7680
  4. Name it as Corporate Block Policy and click Create

Now that the Block Template is created, we will assign it to the endpoint segment:

  1. Go to Segments > click on the three dots (⋮) at the end > Manage Templates
  2. Click on Assign Templates
  3. Select the Corporate Block Policy template and click Assign

Corporate Block Policy

important

The policies defined in the Block Templates will be applied and enforced on the matching assets irrespective of the enforcement state of the Asset (i.e., even if the Asset is in Unsecure state).

Progressive Zero-Trust

To enforce without disrupting ports that are currently open, use the Progressive Zero-Trust slider to move all core segments to Open Ports.

  1. Go to each segment > click on the three dots (⋮) at the end > Configure Policy Automation
  2. Select the policy automation as Inbound Test
  3. Move the slider on Attack Surface Progressive to Open Ports
  4. Click Save

note

Repeat these steps for all segments.

Progressive Zero-Trust

Deploy Inbound Test-Mode

With templates set for blocking malicious ports and allowing essential inbound communications, we will move assets to Inbound Enforcement in Test Mode, which applies the policies without blocking non-template traffic by default.

  1. Go to endpoint segment > click on the assets count
  2. Select all the assets > Attack Surface > Simulate Secure All

Inbound Test-Mode

Resolve Violations and Enforce Inbound

Review the paths with Path Candidate Status Allowed Template and Denied. These paths will be Allowed or Denied respectively once the Assets are moved from Inbound Test mode to Inbound Enforce mode.

  1. Go to Network Data > Paths
  2. Filter by:
    • Type: Endpoint
    • Direction: Inbound
    • Path Candidate Status: Denied and Allowed(template)
  3. Review each path to determine if it represents authorized or unauthorized traffic
  4. To allow a path:
    • Select the path
    • Click Add to Template
    • Select the appropriate template
    • Click Save

Once all violations are addressed:

  1. Select all assets with Type: Endpoint
  2. Click Attack Surface > Secure All

Enforce Inbound

Run Progress Reports

Breach Impact score for endpoints after Attack Surface enforcement:

  1. Go to Segments > Select Endpoint segment > Click on Create Report > Enter a report name > Save
  2. Reports will be available in a few minutes. Download the report from the Segments > Reports page
  3. Note the current value of the breach score.

Breach Impact Score

Configure User Group Segmentation

Users are provisioned through the SCIM API. For more details, refer to the SCIM API documentation.

Activate User Groups

To enable user group segmentation:

  1. Go to User Groups > Groups
  2. Select the following groups:
    • "TMS Users"
    • "WMS Team"
    • "Citrix Desktop Users"
  3. Click Change Status > Active

Activate User Groups

info

It takes a few minutes for the groups to be activated.

User Login to Endpoints

Use the following script to log in to the different endpoints:

bash /home/ctuser/xshieldUtil/.labs/userseg_lab/user_login.sh

After login, assets will show the logged-in user and their associated groups:

Asset Details

Assign Named Networks to User Groups

  1. Go to User Groups
  2. Assign the following Named Networks:

User Group             Named Network
TMS Users              TMS-APP
WMS Team               WMS-APP
Citrix Desktop Users   Citrix

Assign Named Network

Configure User Group Policies

To configure the policies:

  1. Go to User Groups
  2. Open the outbound paths
  3. Select the paths with named networks
  4. For each activated group:
    • Create a new template
    • Add the selected paths to the template
    • Assign the template to the corresponding group

Reduce Blast Radii

Deploy Outbound Test-Mode

With templates set for allowing essential outbound communications, we will move assets to Outbound Enforcement in Test Mode, applying policies without blocking non-template traffic by default.

  1. Go to each segment > click on Assets
  2. Select all assets > Blast Radius > Simulate Secure All
  3. Repeat these steps for all segments

Blast Radius

Resolve Violations and Enforce Outbound

Review the paths with Path Candidate Status Allowed Template and Denied. These paths will be Allowed or Denied respectively once the Assets are moved from Outbound Test mode to Outbound Enforce mode.

  1. Go to Network Data > Paths
  2. Filter by:
    • Type: Endpoint
    • Direction: Outbound
    • Path Candidate Status: Denied and Allowed(template)
  3. Review each path to determine if it represents authorized or unauthorized traffic
  4. To allow an authorized path:
    • Select the path
    • Click Add to Template
    • Select the appropriate template
    • Click Save
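The review described here and in the inbound section (Resolve Violations and Enforce Inbound) boils down to one question per learned path: does a block template match it (denied whatever the asset's state, as the note under Corporate Block Policy says), does an allow template or a user group's named network cover it (Allowed Template), or is it uncovered (a Denied candidate that only starts dropping traffic once the asset is in Enforce mode)? The following added example (not Xshield code) re-implements that classification over a constructed set of paths for one Greenfield endpoint with a TMS user logged in. The template names, ports, named networks and user groups are the lab's; the rule structure, the state values "unsecure", "test" and "enforce", and the sample paths are assumptions made for this example.

```python
"""Path candidate status: which learned paths are Allowed (template) or Denied.

Added illustration, not Xshield code. It models the lab's review logic: block templates
are evaluated first and apply irrespective of the asset's enforcement state, allow
templates and user-group named networks permit traffic, anything else is a Denied
candidate that only bites once the asset is enforced. Rule shapes, state names and the
sample paths are assumptions; template names, ports and named networks come from the lab.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Server named networks from the lab table (location networks omitted; not needed here).
NAMED_NETWORKS = {
    "EMClient": ["10.230.0.3/32"],
    "Proxy": ["10.230.0.4/32"],
    "AD": ["10.230.0.5/32"],
    "TMS-APP": ["10.220.0.2/32"],
    "WMS-APP": ["10.220.0.3/32"],
}


@dataclass(frozen=True)
class Rule:
    direction: str                        # "inbound" or "outbound", from the endpoint's view
    ports: frozenset = frozenset()        # empty = any port
    networks: frozenset = frozenset()     # named networks the peer must fall in; empty = any peer
    user_groups: frozenset = frozenset()  # only applies while a member of one of these is logged in


# Allow templates: Management Access (inbound 17472, peer unspecified in the lab, so any peer),
# Infra - Base (outbound to the infrastructure named networks), and the per-user-group
# templates built from the named networks assigned to each group.
ALLOW_TEMPLATES = {
    "Management Access": Rule("inbound", frozenset({17472})),
    "Infra - Base": Rule("outbound", networks=frozenset({"EMClient", "AD", "Proxy"})),
    "TMS Users": Rule("outbound", networks=frozenset({"TMS-APP"}), user_groups=frozenset({"TMS Users"})),
    "WMS Team": Rule("outbound", networks=frozenset({"WMS-APP"}), user_groups=frozenset({"WMS Team"})),
}
# Block template from the lab: enforced on matching assets regardless of their state.
BLOCK_TEMPLATES = {"Corporate Block Policy": Rule("inbound", frozenset({3389, 7680}))}


@dataclass(frozen=True)
class Path:
    direction: str
    peer_ip: str
    port: int
    user_groups: frozenset = frozenset()  # groups of the user logged in on the endpoint


def peer_in(rule: Rule, peer_ip: str) -> bool:
    """True if the peer falls in one of the rule's named networks (or the rule names none)."""
    if not rule.networks:
        return True
    addr = ip_address(peer_ip)
    return any(addr in ip_network(cidr) for name in rule.networks for cidr in NAMED_NETWORKS[name])


def matches(rule: Rule, path: Path) -> bool:
    return (rule.direction == path.direction
            and (not rule.ports or path.port in rule.ports)
            and peer_in(rule, path.peer_ip)
            and (not rule.user_groups or bool(rule.user_groups & path.user_groups)))


def candidate_status(path: Path, state: str) -> tuple[str, bool]:
    """Return (candidate status, enforced right now?) for one path.

    state is the asset's enforcement state for this direction: "unsecure", "test" or "enforce".
    """
    for name, rule in BLOCK_TEMPLATES.items():
        if matches(rule, path):
            return f"Denied (block: {name})", True       # block templates ignore the state
    for name, rule in ALLOW_TEMPLATES.items():
        if matches(rule, path):
            return f"Allowed (template: {name})", True
    return "Denied", state == "enforce"                  # uncovered: dropped only once enforced


def violations(paths, state: str) -> list:
    """The review list from Network Data > Paths: uncovered paths that enforcement would cut."""
    return [p for p in paths if candidate_status(p, state)[0] == "Denied"]


# Constructed sample of learned paths for one Greenfield endpoint with a TMS user logged in.
SAMPLE_PATHS = [
    Path("inbound", "10.230.0.3", 17472),                          # endpoint management
    Path("inbound", "10.100.0.23", 3389),                          # RDP from a peer endpoint
    Path("inbound", "10.100.0.23", 445),                           # SMB from a peer endpoint
    Path("outbound", "10.230.0.5", 389),                           # LDAP to AD
    Path("outbound", "10.220.0.2", 443, frozenset({"TMS Users"})), # TMS-APP for the TMS user
    Path("outbound", "10.220.0.3", 443, frozenset({"TMS Users"})), # WMS-APP: not this user's group
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        status, enforced = candidate_status(p, "test")
        print(f"{p.direction:8s} {p.peer_ip:12s} {p.port:5d}  {status:42s} enforced_now={enforced}")
```

Run in "test" state, the two uncovered paths (peer-to-peer SMB and the TMS user's attempt to reach WMS-APP) come back as plain Denied candidates with enforced_now False: exactly the rows the review step asks you to judge and either add to a template or leave to be cut over at Secure All. The RDP path is denied with enforced_now True even in test state, which is the behaviour the Corporate Block Policy note describes.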

Enforce Blast Radius

Once all violations are addressed:

  1. Select all assets with Type: Endpoint
  2. Click Blast Radius > Secure All

Check Breach Impact Score After Blast Radius Enforcement

  1. Go to Segments > select Endpoint segment
  2. Click Create Report
  3. Enter a report name
  4. Click Save

info

Reports will be available in a few minutes. Download from Segments > Reports page and note the current breach score.

Breach Impact Score

Prepare Breach Responses

This section is under development.

Outcome

Before Micro-segmentation

The initial state of the network had several security concerns:

  • Endpoint communications were wide open
  • Vulnerable ports such as RDP (TCP 3389) were accessible between all endpoints/servers
  • Endpoints provided unrestricted lateral movement across the network
  • The network had a critical breach impact score

After Micro-segmentation

By progressively segmenting the network based on locations and user groups, we achieved:

  1. Controlled Access

    • All incoming connections are denied by default
    • Only explicitly approved traffic is allowed
    • This includes critical application functions and management purposes
  2. User-based Segmentation

    • Users are provided access only to specific servers and applications
    • Access is based on their role and requirements
  3. Improved Security Posture

    • Network and user group segmentation minimized the potential blast radius
    • Breach impact score improved from critical to medium

Enforcement Validation

The Xshield Security Platform offers multiple ways to validate security enforcement:

Monitoring and Validation Tools

  1. Paths & Ports Pages

    • Shows learned paths and ports as Allowed or Denied
    • Ensures only authorized traffic flows
  2. Firewall Logs

    • Captures dropped traffic due to zero-trust policies
    • Helps identify misconfigurations
  3. Policy Assessment

    • Review paths and ports
    • Confirm policies effectively restrict unauthorized access
  4. Fine-Tuning

    • Use firewall logs to refine policies
    • Ensure security without disrupting operations

Conclusion

This demo lab demonstrated how progressive micro-segmentation can enhance network security:

  1. Progressive Implementation

    • Applied zero-trust policies step by step
    • Reduced attack surface and blast radius
    • Maintained legitimate traffic flow
  2. Continuous Monitoring

    • Tracked paths, ports, and firewall logs
    • Ensured only authorized traffic was allowed
    • Adjusted policies based on logged data
  3. Effective Security Enhancement

    • Successfully implemented endpoint and user group policies
    • Improved network security with minimal operational impact

Lab Teardown

Please refer to the Remove Lab Environment section in the Lab Setup Guide.