4/12/2018
10:30 AM
Avishai Wool
Commentary
Microsegmentation: Strong Security in Small Packages

A deep dive into how organizations can effectively devise and implement microsegmentation in a software-defined networking data center.

Network segmentation is a best-practice strategy for reducing the attack surface of data center networks. Just as the watertight compartments in a ship should contain flooding if the hull is breached, segmentation isolates servers and systems into separate zones to contain intruders or malware, limiting the potential security risks and damage.

A lack of effective network segmentation has been cited as a contributing factor behind several major data breaches, from the 2013 attack on Target to the recent Equifax breach. But while segmentation enhances an organization's security posture, it also adds complexity and costs — especially in traditional on-premises data centers.

In these hardware-based environments, creating internal zones usually means installing extra firewall appliances to police the traffic flows between zones, which is expensive and time consuming. As a result, segmentation in traditional data centers has usually been limited to creating only a handful of zones.

Microsegmentation Momentum
More recently, the move to virtualized data centers using software-defined networking (SDN) is driving adoption of internal network segmentation. SDN's flexibility enables advanced, granular zoning where data center networks are divided into hundreds or thousands of microsegments. This offers levels of security that were previously prohibitively expensive and complicated to implement. It's no surprise that ESG analyst Jon Oltsik last year reported that 68% of enterprises are using some form of software-based microsegmentation technology to limit lateral exploration of networks by hackers, and make it easier to protect their applications and data.

But while SDN makes segmentation far easier to achieve, implementing an effective microsegmentation strategy presents two key challenges: deciding where to place the borders between the microsegments in the data center, and devising and managing the security policies for each segment in the network environment.

Network and application traffic in the data center will need to cross multiple segments' security controls to enable the application to function. So, the policies at each control must allow this traffic or the application simply will not work. And the more segments a network has, the more complex these policies become if they are to be effective in supporting business applications while blocking illegitimate traffic.

Starting the Microsegmentation Process
These challenges can be addressed with the right approach. The starting point is to discover all the application flows within your data center. An efficient way of doing this is to use a discovery engine that can identify and group together flows that have a logical connection to each other — for example, flows that share IP addresses, which indicate flows that may support the same business application.

This information can be augmented with additional data, such as labels for device or application names that are relevant to the flows. This creates a complete map that identifies the flows, servers, and security devices within the data center that your business applications rely on to function correctly.

Setting Up Segment Borders
Using this map, you can create your segmentation scheme for deciding which servers and systems should be placed in which network segment. This is done by identifying and grouping together servers that support the same business intent or applications. These servers are likely to be in regular communication with each other — typically sharing similar data flows — and can be placed within the same segment to better facilitate their interaction.

Once the scheme is outlined, you can then choose the best places on the data center network to place the security filters (such as virtual firewalls or other security controls) and create secure borders between segments.

When placing the filtering device (or activating a virtualized microsegmentation technology) to create a border between segments, remember that some of your application traffic flows will need to cross that border. Those cross-border flows need explicit policy rules to allow them; otherwise they will be blocked and the applications that rely on them will fail. Therefore, you need to establish exactly what will happen to each flow once the filters are introduced.

Policing the Borders
To establish if you need to add or change specific policy rules, and what those rules should be, examine the application flows that were identified in your initial discovery process, noting if a flow already passes through an existing security control. If a given application flow does not currently pass through any security control and you plan to create a new network segment, you need to know if the unfiltered flow might get blocked when that segment border is established. If it does get blocked by the new border, you will need to add a new, explicit policy rule in order to allow the application flow to cross it.

However, if a given flow is already being filtered by a security control, then there is usually no need to add another explicit rule for that flow when you start to segment your network. This process can be repeated until you're satisfied that you have segmented your network to deliver the levels of separation and security that you need.
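A small script, added here as an illustration and not part of the article or any vendor's product, that applies the discovery and border analysis described above to constructed flow records: it first clusters flows by shared IP address (the discovery step), then decides, for a hypothetical segmentation scheme and a hypothetical set of already-policed borders, which flows are intra-segment, which already pass through an existing control, and which need a new explicit allow rule.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

# Constructed sample discovery output (illustrative values, not from the article).
FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 8443),  # web tier -> app tier
    Flow("10.0.2.20", "10.0.3.30", 5432),  # app tier -> database
    Flow("10.0.1.10", "10.0.1.11", 443),   # web -> web, same tier
    Flow("10.0.4.40", "10.0.5.50", 389),   # unrelated: reporting -> directory
]
# Hypothetical segmentation scheme: server -> segment.
SEGMENT_OF = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.2.20": "app",
              "10.0.3.30": "db", "10.0.4.40": "reporting", "10.0.5.50": "directory"}
# Borders already policed by an existing firewall (src_segment, dst_segment).
EXISTING_CONTROLS = {("web", "app")}

def group_by_shared_ip(flows):
    """Union-find over endpoints: flows sharing an IP land in one candidate app group."""
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for f in flows:
        parent[find(f.src)] = find(f.dst)  # merge the two endpoints' groups
    groups = defaultdict(list)
    for f in flows:
        groups[find(f.src)].append(f)
    return sorted(groups.values(), key=len, reverse=True)

def classify_flows(flows, segment_of, existing_controls):
    """Per flow: no border crossed, existing control applies, or new rule needed."""
    result = {}
    for f in flows:
        border = (segment_of[f.src], segment_of[f.dst])
        if border[0] == border[1]:
            result[f] = "intra-segment: no border crossed"
        elif border in existing_controls:
            result[f] = "crosses policed border: existing rule applies"
        else:
            result[f] = f"needs explicit allow rule: {border[0]} -> {border[1]} tcp/{f.port}"
    return result

def rules_to_add(flows, segment_of, existing_controls):
    """Sorted list of the explicit allow rules a new border would require."""
    verdicts = classify_flows(flows, segment_of, existing_controls).values()
    return sorted(v for v in verdicts if v.startswith("needs"))
```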

Managing Holistically
Having deployed your microsegmentation scheme, your next step is to make sure that it works in harmony with the security across your network. Application traffic needs to flow seamlessly across your SDN, in on-premises and cloud environments, so it's critical to confirm that your policies support this.

The most effective way to achieve this is with an automation solution that can holistically manage all the security controls in your SDN environment alongside your existing traditional on-premises firewalls. This will ensure that the security policies that underpin your segmentation strategy are consistently applied and managed across your entire network estate as well as centrally monitored, with any changes tracked for audit purposes.

Implementing microsegmentation requires careful planning and orchestration if it's to be effective. But when done properly, microsegmentation delivers both a stronger security posture and greater business agility. Sometimes, good things really do come in small packages.

Editor's note: Generic products referred to in this article are available from multiple vendors in the security industry.


Avishai Wool co-founded AlgoSec in 2004 and has served as its CTO since its inception. Prior to co-founding AlgoSec, he co-founded Lumeta Corporation in 2000 as a spin-out of Bell Labs, and was its Chief Scientist until 2002. At Lumeta, Dr. Wool was responsible for ...
BrianN060
User Rank: Ninja
4/12/2018 | 12:45:04 PM
Micro-segmentation as design philosophy
The prospect of implementing a new design philosophy may induce groans from those looking to patch, rather than rebuild; but the long-term benefits deserve sober consideration.

Though the article warns: "...while segmentation enhances an organization's security posture, it also adds complexity [more properly: complication] and costs..."; I think that assumes an outside-in, rather than a truly systemic implementation of the fact-based business rules specific to that organization, which should be used to determine segmentation and sequestering. Micro-segmentation of the network directed from an informational requirements-based mapping, ought to result in a less complicated (so less costly in terms of added infrastructure), and more importantly dynamically responsive (to dynamic organizational requirements), solution. This is, after all, a software-defined approach. It only makes sense to incorporate the application-specific informational requirements system design which is (or ought to be), already serving that organization.