Below are some best practices for using Enclave to microsegment your network. We recommend reading through them before setting up your network.
Labels are an essential building block of Enclave: they let you quickly and easily change the configuration of your network without touching individual nodes and users. We recommend using labels as much as possible, because they provide the abstraction you need to understand how your network is configured. Good examples of labels are Web Server Admins and HR Team. These labels are assigned to nodes and users, and you then build your enclaves from those same labels. When you need to add a new administrator to Database Admins, you simply add that label to the user and they get access to the specific networks in question, instead of you having to modify the enclave directly.
Create enclaves for specific services
Enclaves are how you define the microsegmentation of your network. We recommend creating small, specific enclaves, each covering one specific task. Some examples of well-built enclaves are:
- Administrative database access
- Web server database access
- DevOps SSH access
Each of these enclaves has a specific goal in mind. That makes your network easier to understand, so when changes need to be made you can quickly see what needs to be done. It also makes auditing the security of your network much easier.
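To make the label and enclave model above concrete, here is a small Python model added for this page; it is not Enclave's own configuration format or API, and the principal names and the label sets attached to the three example enclaves are assumed. Principals (users and nodes) carry only labels, each enclave is one rule over two label sets, and granting a label changes who can reach what without editing any enclave; the audit function reports network reachability only, not whether a service will authenticate the caller.

```python
# Hypothetical model of label-driven microsegmentation, written for this page;
# it is not Enclave's own configuration format or API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Enclave:
    name: str
    client_labels: frozenset  # labels that place a principal on the initiating side
    target_labels: frozenset  # labels that place a principal on the receiving side


# Constructed sample data: the three enclaves named above plus a few principals
# (users and nodes), each carrying nothing but a set of labels.
ENCLAVES = [
    Enclave("Administrative database access", frozenset({"Database Admins"}), frozenset({"Database"})),
    Enclave("Web server database access", frozenset({"Web Server"}), frozenset({"Database"})),
    Enclave("DevOps SSH access", frozenset({"DevOps"}), frozenset({"Web Server", "Database"})),
]
PRINCIPALS = {
    "alice": frozenset({"HR Team"}),
    "bob": frozenset({"Database Admins"}),
    "web-1": frozenset({"Web Server"}),
    "db-1": frozenset({"Database"}),
}


def enclaves_allowing(principals, enclaves, src, dst):
    """Names of the enclaves whose label rule lets src reach dst's network space."""
    return [e.name for e in enclaves
            if principals[src] & e.client_labels and principals[dst] & e.target_labels]


def grant_label(principals, name, label):
    """Copy of the principal map with label added to name; no enclave is edited."""
    updated = dict(principals)
    updated[name] = principals[name] | {label}
    return updated


def audit(principals, enclaves):
    """Per enclave, the sorted (src, dst) pairs it currently permits.

    This is network reachability only: it says nothing about whether dst's
    service will authenticate src, which has to be enforced separately.
    """
    return {e.name: sorted((s, d) for s in principals for d in principals
                           if s != d and e.name in enclaves_allowing(principals, [e], s, d))
            for e in enclaves}
```

Running `audit` after every label change is a cheap way to review which principals each enclave actually joins, including enclaves that currently join nobody.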
Understand the purpose of microsegmentation
Microsegmentation solves the problem of network access, not the problem of authentication for specific services. Allowing a user to access the network space of a database doesn't mean that the user can (or should) access that database. Make sure to provision authentication for your services accordingly outside of Enclave and understand where Enclave fits in your security portfolio.