Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Forescout: 5 Steps to Zero Trust Microsegmentation for Campus Networks

Forescout
07/06/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


by only allowing verified clients access to resources which they are authorized to use. In doing so, not only do we limit the attack vectors to the device, but in the event it becomes compromised, we can greatly reduce the blast radius. It all sounds great, but you're no stranger to the game. Challenges lay ahead. Hi, welcome to Forefront. I'm Nixon Kada, an engineer at Forescout. In this episode, we'll be going over five steps to aid in the planning, design, and deployment of your microsegmentation policies for the campus. Let's do it. We start with Discover and Identify, where we essentially want to account for all the players on the field. In order to design policies which provide only necessary communication based on role, we need to understand what devices, users, and applications are actually out there. Without that information, we can't possibly have the confidence needed to design the correct policies. First up are devices, since they are the direct touchpoint to the network. Just as users, devices need access to resources, so it's important that we understand their identity in order to make informed decisions about what access they need. A key part of a device's identity is its function or role, whether it be a mobile phone, workstation, IP camera, or any one of the growing number of network-connected devices out there. Next up is the operating system, which can not only help shed light on the role of a device, but also help us better understand the requirements. For example, a Windows client will access a different patch management server than your macOS clients. Lastly, devices from different vendors, especially IoT and OT devices, will have different requirements that you need to consider. Let's move on to the posture of a device. This can act as a condition for access to resources, if healthy. If not, it can lead to a response which restricts or removes that access entirely. There are three key factors in deciding a device's security posture. One is the method it used to authorize to the network. This can be either 802.1X, device enrollment and management solutions, device fingerprinting, or even a simple MAC address bypass list. Next is whether or not it adheres to your compliance policies. Are your security agents installed? Are all your patches applied? Lastly is the risk the device poses to the organization. This can be from exposed vulnerabilities, malicious behavior, or threat detections. So whereas identity is the mostly static information that helps decide what resources a device should access, posture is the dynamic information which decides if that access should even be granted at all. Now gathering this information is no easy task. Identity can usually be helped by having discovery tools or network access control solutions. Posture usually falls to a range of security tools. Whatever the case, all this information needs to flow up to your policy decision point, where it can be used to help decide access. Next up are users, where we're going to look to apply the same concepts of least privilege access. To do that, there's some information we'll need to gather in order to make those decisions. We'll begin with user entitlements. These will help us build the base rule sets needed. Some common items which fall under entitlement are business units. These can be thought of as a high-level grouping for common services that all members need. For example, corporate employees having access to the HR system or IT support to the ticketing system. Job function will help decide based on the role of the user. For example, the physical security team having access to the surveillance system. And for sensitive resources, the clearance level of the user might also factor in. We might also want to consider some of the more dynamic contexts around the user, such as which authentication method is being used, if any, which lets us know how trustworthy the session is. And just like devices, users can have a risk score associated with them as well. This might reflect on user behavior or any detected threat events. So how do we get this information? Well, identity access management brokers or authenticated session details are pretty good at providing the user account name. Now to associate a user to a device, we might need to have manageability of that device in order to query and find out who the logged in user is. Regardless of the method, once we have that user account name, we usually have to query some sort of database, such as Active Directory or the personnel system, in order to get the entitlement information. The final piece for us to discover are applications or workloads. Now since we're focused on micro segmentation in the campus, we're going to keep it simple and treat applications as resources that clients will access. Given that, there's just three simple things we'll need to know. One is which host the apps are running on. Two is which ports they're being accessed over. And three are the different protocols in use. Now you can make some pretty reliable guesses as to which applications are out there if you have visibility of the traffic, especially at the application layer. Additionally, if you know the host's identity, you might be able to find out which services are running on it. Next up is mapping the data flows, where we want to evaluate what is currently in use so we may better understand what the potential access requirements might be. This data often comes from monitoring network traffic, whether that be the raw packets seen through a switch or analyzing flow data. It's important to not only just capture the north-south traffic, but also the lateral east-west movement as well. Additionally, your capture period should be long enough to account for monthly or quarterly scheduled workloads. Now once you have those communication flows, they should be enriched by mapping the data from the previous section of Discover and Identify. So what does this look like? Well, we start with our basic record of a source, destination, and a port, which doesn't really tell us much. However, once we overlay the data, we see that the source is actually a Windows PC logged in by Bob Hodges, and he's from accounting. And the destination he's trying to reach is actually a database server over SSH, which leads us to the question, does Bob from accounting really need SSH access to the database server? Being able to consolidate this information into a single record is immensely helpful in the investigative process. Having insight into which devices and users are accessing which services and where will not only help with building the correct policies, but will help audit their effectiveness down the road. Time to get started on what we came here to do, policy design. We did our homework, so now let's put it all together and figure out what are the requirements each device and user needs to do their job, and only that. So we'll be assuming that these rules will go against the backdrop of an implicit deny-all. So how do we figure out our policy requirements? We'll be consulting all the information we gathered so far, as well as doing some investigative work. We'll be aided by those enriched data flows, which gives us a current baseline. Now again, that doesn't mean that traffic is absolutely required, but it does mean that it should be considered. We then have documentation, which can specifically state network service requirements for things like IoT and OT devices. Although it can be time intensive, surveying your teams for a list of resources they use can help cover your grounds. Lastly, review existing ACL and firewall rules in your environment. They might certainly need amendments, but they'll help make sure that important production workflows don't fall through the cracks. Now that we have our requirements, we just need to figure out where are the enforcement points in our network. This, of course, will depend greatly on which technologies are in play, as well as how the traffic traverses through your network. Some common points might be client firewalls, the edge, distribution, or core layers, or the many firewalls dispersed throughout your network. In truth, there's a lot to unpack, and every environment will be unique, but there are some common things we can consider. Software-based controls can work well on managed IT clients. However, you might want to consider how to apply policies to IoT and OT devices. Enforcement closest to the edge is ideal. However, can your switches handle the TCAM loads, or do they have other modern blocking capabilities? Are your enforcement points device context aware so that they know which policies to apply? If not, is there some other system which can inform them? Lastly, a layering strategy might be needed, which has different policy enforcement points for lateral, cross-zone, or outbound traffic. Now that we have our policy proposals, we do the responsible thing and test them, not only to validate their effectiveness, but also make sure they don't block important production workflows. You can do this by having your policy enforcement points set to log-only mode, wherever they may be, whether it's at the switch level, client-side firewall, or at the core distribution layers. Aggregate all those logs and make sure that nothing is being blocked which shouldn't. If you have the resources, you can also consider a test environment. Here, you might be mirroring your production traffic from your firewalls or from your core switches to a clone device, which has your policy proposals enabled. Keep in mind, having a holistic view of the entire network throughout this process is a lot more effective than only looking at specific enforcement points. During this simulation phase, it might be time to start thinking about the more not-so-fun stuff, like the more operational aspects of your deployment. Things like having rollback processes just in case something critical is being blocked, or trying to figure out how this new design fits into your change control procedures. Once you're satisfied with the effect your policies have in simulated mode, it's time to gradually deploy them into production. IoT devices are great candidates to start with, as their requirements are generally pretty straightforward. They can really help your teams build confidence and get into their groove. In any event, you've probably been down this road before. Take the gradual approach and any problems will be more manageable. It's a good idea that once your policies are rolled out, to review your denied traffic logs every now and then. Just because a problem isn't being brought to your attention, doesn't mean it isn't lurking in the background. Requirements will likely to have been missed, and that's okay. Have a good process around reviewing and allowing for exceptions, and your policies will remain tidy and effective in the long term. And that wraps up our five steps to help guide you in designing your zero-trust micro-segmentation policies for the campus. We began with discovering and identifying all devices, users, and applications to be accounted for. Also, this allows us to dynamically apply policies later on. We then mapped the data flows with that enriched context, so that we can better understand the access requirements. Next, we got into policy design, where we took all that information into consideration, as well as planning for our policy enforcement points. Next, we tested and simulated our policy deployment, to give us the confidence to avoid any unforeseen impacts to production. And in the end, we gradually deployed all our rules and monitored them for effectiveness. We hope you found this guide useful, and wish you success in the road ahead. Thank you. If you're interested in seeing how Forescout can help with these steps, check out the link in the comment below.

TL;DR

  • Microsegmentation requires comprehensive discovery of devices, users, and applications before any policy design can begin—identity and posture data must flow to your policy decision point.
  • Device posture combines authentication method, compliance status, and risk scoring to dynamically determine whether access should be granted, even if identity permits it.
  • Traffic flow analysis must capture both north-south and east-west movement over extended periods, then be enriched with identity context to reveal actual access patterns.
  • Policy enforcement points vary by environment—software controls suit managed IT clients, but IoT and OT devices typically require network-level enforcement at the edge or distribution layer.

Discovery and Identity as the Foundation

The tutorial establishes that effective microsegmentation begins with comprehensive asset discovery. Organizations must account for all devices, users, and applications before designing policies. For devices, this means understanding function, operating system, and vendor-specific requirements—particularly critical for IoT and OT equipment. Device posture adds a dynamic layer, incorporating authentication method, compliance status, and risk scoring to determine whether access should be granted at all. User entitlements follow similar principles, mapping business units, job functions, and clearance levels to build baseline rule sets. The presenter emphasizes that without this foundational visibility, organizations cannot design policies with confidence.

From Traffic Analysis to Policy Enforcement

With discovery complete, the methodology moves to mapping data flows by monitoring network traffic—both north-south and lateral east-west movement—over a period long enough to capture scheduled workloads. Raw traffic records become actionable when enriched with identity context, transforming a simple source-destination-port entry into a meaningful question: does Bob from accounting actually need SSH access to the database server? Policy design then consolidates requirements from enriched flows, vendor documentation, team surveys, and existing ACLs. The tutorial addresses enforcement point selection, noting that software controls work well for managed IT clients but IoT devices require network-level enforcement. A simulation phase using log-only mode validates policies before gradual production deployment, with ongoing denied-traffic review ensuring long-term effectiveness.

Chapters

0:00 - Introduction to Microsegmentation
0:43 - Step 1: Discover and Identify
3:31 - Understanding User Entitlements
5:12 - Discovering Applications and Workloads
5:54 - Step 2: Mapping Data Flows
7:33 - Step 3: Policy Design
9:48 - Step 4: Testing and Simulation
11:02 - Step 5: Gradual Deployment
11:51 - Summary and Conclusion

Key Quotes

0:00 "Network microsegmentation really embraces the idea of least privilege access by only allowing verified clients access to resources which they are authorized to use."
2:53 "Whereas identity is the mostly static information that helps decide what resources a device should access, posture is the dynamic information which decides if that access should even be granted at all."
7:09 "Does Bob from accounting really need SSH access to the database server? ..."
11:39 "Requirements will likely to have been missed, and that's okay. Have a good process around reviewing and allowing for exceptions, and your policies will remain tidy and effective in the long term."

FAQ

How long should traffic monitoring run before designing microsegmentation policies?

The capture period should be long enough to account for monthly or quarterly scheduled workloads, ensuring that infrequent but legitimate traffic patterns are included in your baseline analysis.

What should organizations do when microsegmentation policies block legitimate traffic after deployment?

Regularly review denied traffic logs even when no problems are reported, as issues may lurk undetected. Establish a clear process for reviewing and allowing exceptions to keep policies effective long-term.


Categories:
  • » Webinar Library » Forescout
  • » Cybersecurity » Network Security
  • » Cybersecurity » Zero Trust
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Zero Trust
  • Network Security
  • OT
  • IoT Security
  • Technical Deep Dive
  • How-To
  • Zero Trust Architecture
  • Network Microsegmentation
  • Device Identity and Posture
  • User Entitlements
  • Traffic Flow Analysis
  • Policy Design
  • Network Access Control
  • IoT and OT Security
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Forescout: 5 Steps to Zero Trust Microsegmentation for Campus Networks

              Upcoming Webinar Calendar

              • 07/09/2026
                01:00 PM
                07/09/2026
                The HUMAN Experience: Empowering Agentic Trust in Practice
                https://www.truthinit.com/index.php/channel/2026/the-human-experience-empowering-agentic-trust-in-practice/
              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Level Security Team for Unmatched Defense Success
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-level-security-team-for-unmatched-defense-success/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in AI Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-ai-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/21/2026
                01:00 PM
                07/21/2026
                HUMAN Dialogue: Insights from Attackers During the FIFA World Cup
                https://www.truthinit.com/index.php/channel/2029/human-dialogue-insights-from-attackers-during-the-fifa-world-cup/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Innovations in Data Privacy and Digital Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-innovations-in-data-privacy-and-digital-protection/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                09

                The HUMAN Experience: Empowering Agentic Trust in Practice

                07/09/202601:00 PM ET
                • Jul
                  14

                  Crafting a Championship-Level Security Team for Unmatched Defense Success

                  07/14/202601:00 PM ET
                  • Jul
                    14

                    Understanding the Crucial Role of Context in AI Data

                    07/14/202602:00 PM ET
                    • Jul
                      21

                      Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                      07/21/202604:00 AM ET
                      • Jul
                        21

                        HUMAN Dialogue: Insights from Attackers During the FIFA World Cup

                        07/21/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version