Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Avishai Wool
Avishai Wool
Connect Directly
E-Mail vvv

Microsegmentation: Strong Security in Small Packages

A deep dive into how organizations can effectively devise and implement microsegmentation in a software-defined networking data center.

Network segmentation is a best-practice strategy for reducing the attack surface of data center networks. Just as the watertight compartments in a ship should contain flooding if the hull is breached, segmentation isolates servers and systems into separate zones to contain intruders or malware, limiting the potential security risks and damage.

A lack of effective network segmentation has been cited as a contributing factor behind several major data breaches, from the 2013 attack on Target to the recent Equifax breach. But while segmentation enhances an organization's security posture, it also adds complexity and costs — especially in traditional on-premises data centers.

In these hardware-based environments, creating internal zones usually means installing extra firewall appliances to police the traffic flows between zones, which is expensive and time consuming. As a result, segmentation in traditional data centers has usually been limited to creating only a handful of zones.

Microsegmentation Momentum
More recently, the move to virtualized data centers using software-defined networking (SDN) is driving adoption of internal network segmentation. SDN's flexibility enables advanced, granular zoning where data center networks are divided into hundreds or thousands of microsegments. This offers levels of security that were previously prohibitively expensive and complicated to implement. It's no surprise that ESG analyst Jon Oltsik last year reported that 68% of enterprises are using some form of software-based microsegmentation technology to limit lateral exploration of networks by hackers, and make it easier to protect their applications and data.

But while SDN makes segmentation far easier to achieve, implementing an effective microsegmentation strategy presents two key challenges: where to place the borders between the microsegments in the data center; and how to devise and manage the security policies for each of the segments in their network environment?

Network and application traffic in the data center will need to cross multiple segments' security controls to enable the application to function. So, the policies at each control must allow this traffic or the application simply will not work. And the more segments a network has, the more complex these policies become if they are to be effective in supporting business applications while blocking illegitimate traffic.

Starting the Microsegmentation Process
These challenges can be addressed with the right approach. The starting point is to discover all the application flows within your data center. An efficient way of doing this is by using a discovery engine that can identify and group together those flows that have a logical connection to each other — such as those based on shared IP addresses, which indicates the flows that may support the same business application.

This information can be augmented with additional data, such as labels for device or application names that are relevant to the flows. This creates a complete map that identifies the flows, servers, and security devices within the data center that your business applications rely on to function correctly.

Setting Up Segment Borders
Using this map, you can create your segmentation scheme for deciding which servers and systems should be placed in which network segment. This is done by identifying and grouping together servers that support the same business intent or applications. These servers are likely to be in regular communication with each other — typically sharing similar data flows — and can be placed within the same segment to better facilitate their interaction.

Once the scheme is outlined, you can then choose the best places on the data center network to place the security filters (such as virtual firewalls or other security controls) and create secure borders between segments.

When placing the filtering device (or activate a virtualized microsegmentation technology) to create a border between segments, remember that some of your application traffic flows will need to cross that border. Those cross-border flows will need explicit policy rules to allow them, otherwise the flows will be blocked and the applications that rely on them will fail. Therefore, you need to establish exactly what will happen to the flows once those filters are introduced.

Policing the Borders
To establish if you need to add or change specific policy rules, and what those rules should be, examine the application flows that were identified in your initial discovery process, noting if a flow already passes through an existing security control. If a given application flow does not currently pass through any security control and you plan to create a new network segment, you need to know if the unfiltered flow might get blocked when that segment border is established. If it does get blocked by the new border, you will need to add a new, explicit policy rule in order to allow the application flow to cross it.

However, if a given flow is already being filtered by a security control, then there is usually no need to add another explicit rule for that flow when you start to segment your network. This process can be repeated until you're satisfied that you have segmented your network to deliver the levels of separation and security that you need.

Managing Holistically
Having deployed your microsegmentation scheme, your next step is to make sure that it works in harmony with the security across your network. Application traffic needs to flow seamlessly across your SDN, in on-premises and cloud environments, so it's critical to confirm that your policies support this.

The most effective way to achieve this is with an automation solution that can holistically manage all the security controls in your SDN environment alongside your existing traditional on-premises firewalls. This will ensure that the security policies that underpin your segmentation strategy are consistently applied and managed across your entire network estate as well as centrally monitored, with any changes tracked for audit purposes.

Implementing microsegmentation requires careful planning and orchestration if it's to be effective. But when done properly, microsegmentation delivers both a stronger security posture and greater business agility. Sometimes, good things really do come in small packages.

Editor's note: Generic products referred to in this article are available from multiple vendors in the security industry.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Avishai Wool co-founded AlgoSec in 2004 and has served as its CTO since its inception. Prior to co-founding AlgoSec, he co-founded Lumeta Corporation in 2000 as a spin-out of Bell Labs, and was its Chief Scientist until 2002. At Lumeta, Dr. Wool was responsible for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/12/2018 | 12:45:04 PM
Micro-segmentation as design philosophy
The prospect of implementing a new design philosophy may induce groans from those looking to patch, rather than rebuild; but the long-term benefits deserve sober consideration. 

Though the article warns: "...while segmentation enhances an organization's security posture, it also adds complexity [more properly: complication] and costs... "; I think that assumes an outside-in, rather than a truly systemic implementation of the fact-based business rules specific to that organization, which should be used to determine segmentation and sequestering.  Micro-segmentation of the network directed from an informational requirements-based mapping, ought to result in a less complicated (so less costly in terms of added infrastructure), and more importantly dynamically responsive (to dynamic organizational requirements), solution.  This is, after all, a software-defined approach.  It only makes sense to incorporate the application-specific informational requirements system design which is (or ought to be), already serving that organization.
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-05
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
PUBLISHED: 2021-03-04
On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.
PUBLISHED: 2021-03-04
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
PUBLISHED: 2021-03-04
Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.
PUBLISHED: 2021-03-04
A possible arbitrary memory overwrite vulnerabilities in quram library version prior to SMR Jan-2021 Release 1 allow arbitrary code execution.