Converged OT and IT networks, and the proliferation of connected IoT devices, require a new approach to micro-segmentation.
An administrator is tasked with isolating a subset of dynamically discovered IoT and OT devices from the critical servers on the network. To meet this requirement, the administrator can reference previously created policy constructs such as Asset Groups, Policy Groups and Security Profiles, or define them on the fly during policy creation.
One way to accomplish this is to match the source on Device Genre: IoT and OT, and match the destination on a previously defined Asset Group that contains the identity of every critical server. No traffic should be allowed between the source and the destination.
To create the policy, navigate to the policy section on the left pane of Cloud Control Center and select Add Policy (figure 1).
Figure 1. Creating a new policy by clicking the Add Policy button.
Give the policy a name and define your source by selecting Add New Source (figure 2). Unless you click “Make it a Policy Group”, Cloud Control Center automatically creates a policy group with an auto-generated name derived from the policy name. To reference this policy group in a different policy, you must give it a custom name by selecting “Make it a Policy Group” (figure 3).
Figure 2. Specify a policy name, and select a source.
Figure 3. To specify IoT and OT devices, select the source as Devices, Device Genre.
Add the destination in the same way the source was added (figure 4).
Figure 4. Select a destination; in this example, we use the asset group critical-servers.
Specifying security rules is not required in this instance, since the IPs and protocols the servers communicate on were defined during application onboarding (figure 5).
The resulting policy should look like this:
Figure 5. Specify a security rule, in this case a custom application, with the specific destinations dc-jumphost, server2, and server1 set to Deny traffic.
Select Deploy and the policy is immediately enforced across all edges of the network.
To review or edit the policy, select the policy name. You can also delete the asset group by selecting the three dots (more options) next to the asset group name.
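As an added illustration (not Cloud Control Center's own code or data model), the following constructed Python model shows how the policy built above evaluates: any flow whose source carries Device Genre IoT or OT and whose destination belongs to the critical-servers Asset Group is denied, while other flows fall through to an assumed default of Allow. The device names and the default action are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed model of the policy constructs used on this page: a Device with a
# Device Genre, an Asset Group (name -> member device names), and a Policy that
# matches source by genre and destination by Asset Group membership.


@dataclass(frozen=True)
class Device:
    name: str
    genre: str  # e.g. "IoT", "OT", "IT"


@dataclass(frozen=True)
class Policy:
    name: str
    source_genres: frozenset  # Device Genre values that match the source
    destination_group: str    # Asset Group whose members match the destination
    action: str = "Deny"      # "Deny" or "Allow"


# Constructed sample Asset Group mirroring figure 5's destinations.
ASSET_GROUPS = {"critical-servers": {"dc-jumphost", "server1", "server2"}}

# The policy described on this page: IoT/OT sources -> critical-servers, Deny.
IOT_OT_ISOLATION = Policy("iot-ot-to-critical-servers", frozenset({"IoT", "OT"}),
                          "critical-servers")


def matches(policy, src, dst, asset_groups):
    """True when the flow's source genre and destination group both match."""
    members = asset_groups.get(policy.destination_group, set())
    return src.genre in policy.source_genres and dst.name in members


def evaluate(policies, src, dst, asset_groups, default="Allow"):
    """Return the action of the first matching policy; the default (an
    assumption for this example) applies when nothing matches."""
    for policy in policies:
        if matches(policy, src, dst, asset_groups):
            return policy.action
    return default


def sample_results():
    """Evaluate a few constructed flows against the isolation policy."""
    camera, plc = Device("camera-01", "IoT"), Device("plc-07", "OT")
    laptop, printer = Device("laptop-12", "IT"), Device("printer-03", "IoT")
    flows = {"camera->server1": (camera, Device("server1", "IT")),
             "plc->dc-jumphost": (plc, Device("dc-jumphost", "IT")),
             "laptop->server1": (laptop, Device("server1", "IT")),
             "camera->printer": (camera, printer)}
    return {k: evaluate([IOT_OT_ISOLATION], s, d, ASSET_GROUPS) for k, (s, d) in flows.items()}
```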