Best Practices

Below are some of the best practices for using Enclave to microsegment your network. We recommend that you read through these best practices before setting up your network.

Use labels

Labels are an essential building block of Enclave that allow you to quickly and easily change the configuration of your network without touching individual nodes and users. We recommend using labels as much as possible, because they provide the abstraction you need to understand how your network is configured. Good examples of labels are Databases, Database Admins, Web Servers, Web Server Admins, DevOps and HR Team. These labels are assigned to nodes and users, and you then build your enclaves from those same labels. When you need to add a new administrator to the Database Admins, you simply add the label to the user and they gain access to the specific networks in question, instead of you having to modify the enclave directly.

Create enclaves for specific services

Enclaves are how you define the microsegmentation of your network. We recommend creating small, specific enclaves, each defining a single task. Some examples of well-built enclaves are:

  • Administrative database access
  • Web server database access
  • DevOps SSH access

Each of these enclaves has a specific goal in mind. This makes your network easier to understand, so when changes need to be made you can easily see what needs to be done. It also makes it much easier to audit the security of your network.

Lock down existing networks after migration

After migrating your network to Enclave, make sure to lock down any existing networking. This means that you should remove all access to your network that isn't explicitly defined in Enclave. This will help you understand what is being accessed and by whom. It also helps you understand which services are being used and which ones are not. In particular, pay attention to inter-subnet traffic: it is a common attack vector and should be locked down as much as possible. On a Windows machine this would involve adding a Windows Firewall rule to only allow traffic from your enclave subnet. On a Linux machine, you might use iptables to achieve the same goal.
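The following script shows the Linux side of that lock-down. It is an added example, not Enclave's own tooling or documentation, and it assumes two placeholder values you must replace: the Enclave overlay subnet (shown as 100.64.0.0/10) and the virtual interface that Enclave traffic arrives on (shown as tap0). It generates an iptables INPUT policy that accepts loopback, return traffic for connections the host itself opened, and new connections only from the enclave subnet on the enclave interface; everything else, including traffic from neighbouring physical subnets, is logged and dropped.

```shell
#!/bin/sh
# Added example (not part of Enclave): lock a migrated Linux host down so that
# only traffic arriving over the Enclave overlay can open new connections.
#
# Assumptions (placeholders, not values from the page):
#   ENCLAVE_SUBNET  the Enclave overlay subnet, e.g. 100.64.0.0/10
#   ENCLAVE_IF      the virtual interface carrying Enclave traffic, e.g. tap0

# Accept only a dotted-quad/prefix string; refuse anything else so a typo
# cannot turn into an "accept from anywhere" rule.
validate_cidr() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rule set. Order matters: the accept rules for loopback and for
# already-established flows go in before the default policy flips to DROP,
# so the session you are applying this from is not cut off mid-way.
lockdown_rules() {
    subnet="$1"
    iface="$2"
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $iface -s $subnet -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "lockdown-drop: "
iptables -P INPUT DROP
EOF
}

# DRY_RUN=1 (the default) prints the rules for review; DRY_RUN=0 applies them.
main() {
    validate_cidr "$1" || { echo "invalid enclave subnet: '$1'" >&2; return 2; }
    [ -n "$2" ] || { echo "usage: $0 <enclave-subnet> <enclave-interface>" >&2; return 2; }
    if [ "${DRY_RUN:-1}" = "1" ]; then
        lockdown_rules "$1" "$2"
    else
        lockdown_rules "$1" "$2" | sh -e
    fi
}

if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Run it first as `./lockdown.sh 100.64.0.0/10 tap0` to review the generated rules, then with `DRY_RUN=0` as root to apply them. The LOG rule is what makes the "understand what is being accessed and by whom" goal concrete: anything still reaching the host over the old network path shows up in the kernel log with the `lockdown-drop:` prefix, which tells you which legacy flows have not yet been moved into an enclave. Apply it from a session that arrives over the enclave interface, and persist the rules with your distribution's usual mechanism once you are satisfied they are correct.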

Understand the purpose of microsegmentation

Microsegmentation solves the problem of network access, not the problem of authentication for specific services. Allowing a user to access the network space of a database doesn't mean that the user can (or should) access that database. Make sure to provision authentication for your services accordingly outside of Enclave and understand where Enclave fits in your security portfolio.