Network Security Research Group
(Prof. Dr. Heer)

VPN-based Micro-Segmentation in Industrial Networks

Research project
In progress

Many devices in environments such as industrial automation and the medical domain lack sufficient security features, e.g., authentication and encryption, due to their long lifetimes and specialized hardware. Such legacy devices require additional measures to compensate for missing security features and to secure operations against attacks.

Dividing the network into smaller logical segments allows granular control over network access and flows. With segmentation, only authorized endpoints can access the resources on a given segment. Segments can vary in size, covering, e.g., the control devices on the different field levels. Segments can even be as small as individual application flows, which is referred to as micro-segmentation.

In the scope of this research project, we aim to use Virtual Private Networks (VPNs) as a means of enforcing micro-segmentation. However, VPNs require configuration, which can be complex and time-consuming for large networks.

Task and research questions

The goal of this project is to implement an algorithm that passively learns the communication relations in the network from network traces and partitions the network into micro-segments. Micro-segmentation lets us closely monitor the traffic within each segment, so we can detect and react to anomalies caused, for example, by an attacker. By generating the VPN configuration for each assigned micro-segment automatically, we reduce the overall VPN configuration overhead.
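A minimal version of the pipeline described above, as an added example that is not the project's own code: it assumes flow records in a constructed (src, dst, proto, port) form, treats each connected group of communicating endpoints as one micro-segment, derives the per-segment allow-list, and renders WireGuard-style [Peer] stanzas (an assumption, with placeholder keys) for each host.

```python
from collections import defaultdict
# Constructed sample trace (not from the page): client -> server flow records
# (src_ip, dst_ip, proto, dst_port), e.g. summarised from NetFlow or a pcap.
TRACE = [
    ("10.0.1.10", "10.0.1.20", "tcp", 502),   # HMI -> PLC A (Modbus/TCP)
    ("10.0.1.10", "10.0.1.21", "tcp", 502),   # HMI -> PLC B
    ("10.0.1.10", "10.0.1.20", "tcp", 502),   # repeated flow, must not duplicate
    ("10.0.2.5",  "10.0.2.6",  "tcp", 102),   # engineering station -> PLC (S7comm)
    ("10.0.2.5",  "10.0.2.7",  "tcp", 4840),  # engineering station -> OPC UA server
]

def learn_relations(trace):
    """Passively learn who talks to whom on which service: {(src, dst): {(proto, port)}}."""
    relations = defaultdict(set)
    for src, dst, proto, port in trace:
        relations[(src, dst)].add((proto, port))
    return dict(relations)

def segment(relations):
    """Union-find over learned pairs: each connected group of endpoints is one micro-segment."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for src, dst in relations:
        parent[find(src)] = find(dst)
    groups = defaultdict(set)
    for host in list(parent):
        groups[find(host)].add(host)
    return sorted(sorted(g) for g in groups.values())

def segment_policy(relations, segment_hosts):
    """Allow-list for one segment: only the learned flows between its members."""
    members = set(segment_hosts)
    return sorted((s, d, p, port) for (s, d), svcs in relations.items()
                  if s in members and d in members for (p, port) in svcs)

def wireguard_peers(host, segment_hosts):
    """[Peer] stanzas for one host's tunnel config (WireGuard-style, assumed here);
    AllowedIPs limits the tunnel to segment peers, keys are placeholders for the key step."""
    stanzas = []
    for peer in segment_hosts:
        if peer != host:
            stanzas.append(f"[Peer]\nPublicKey = <PUBKEY {peer}>\nAllowedIPs = {peer}/32")
    return "\n\n".join(stanzas)
```

Any flow later seen outside `segment_policy` for its segment is the anomaly the monitoring step would flag.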

Contact