Dark Reading is part of the Informa Tech Division of Informa PLC
10:30 AM
Avishai Wool

Microsegmentation: Strong Security in Small Packages

A deep dive into how organizations can effectively devise and implement microsegmentation in a software-defined networking data center.

Network segmentation is a best-practice strategy for reducing the attack surface of data center networks. Just as the watertight compartments in a ship should contain flooding if the hull is breached, segmentation isolates servers and systems into separate zones to contain intruders or malware, limiting the potential security risks and damage.

A lack of effective network segmentation has been cited as a contributing factor behind several major data breaches, from the 2013 attack on Target to the recent Equifax breach. But while segmentation enhances an organization's security posture, it also adds complexity and costs — especially in traditional on-premises data centers.

In these hardware-based environments, creating internal zones usually means installing extra firewall appliances to police the traffic flows between zones, which is expensive and time consuming. As a result, segmentation in traditional data centers has usually been limited to creating only a handful of zones.

Microsegmentation Momentum
More recently, the move to virtualized data centers using software-defined networking (SDN) is driving adoption of internal network segmentation. SDN's flexibility enables advanced, granular zoning where data center networks are divided into hundreds or thousands of microsegments. This offers levels of security that were previously prohibitively expensive and complicated to implement. It's no surprise that ESG analyst Jon Oltsik last year reported that 68% of enterprises are using some form of software-based microsegmentation technology to limit lateral exploration of networks by hackers, and make it easier to protect their applications and data.

But while SDN makes segmentation far easier to achieve, implementing an effective microsegmentation strategy presents two key challenges: where to place the borders between the microsegments in the data center, and how to devise and manage the security policies for each segment in its network environment.

Network and application traffic in the data center will need to cross multiple segments' security controls to enable the application to function. So, the policies at each control must allow this traffic or the application simply will not work. And the more segments a network has, the more complex these policies become if they are to be effective in supporting business applications while blocking illegitimate traffic.

Starting the Microsegmentation Process
These challenges can be addressed with the right approach. The starting point is to discover all the application flows within your data center. An efficient way of doing this is by using a discovery engine that can identify and group together those flows that have a logical connection to each other — such as those based on shared IP addresses, which indicates the flows that may support the same business application.

This information can be augmented with additional data, such as labels for device or application names that are relevant to the flows. This creates a complete map that identifies the flows, servers, and security devices within the data center that your business applications rely on to function correctly.

Setting Up Segment Borders
Using this map, you can create your segmentation scheme for deciding which servers and systems should be placed in which network segment. This is done by identifying and grouping together servers that support the same business intent or applications. These servers are likely to be in regular communication with each other — typically sharing similar data flows — and can be placed within the same segment to better facilitate their interaction.

Once the scheme is outlined, you can then choose the best places on the data center network to place the security filters (such as virtual firewalls or other security controls) and create secure borders between segments.

When placing the filtering device (or activating a virtualized microsegmentation technology) to create a border between segments, remember that some of your application traffic flows will need to cross that border. Those cross-border flows will need explicit policy rules to allow them; otherwise the flows will be blocked and the applications that rely on them will fail. Therefore, you need to establish exactly what will happen to the flows once those filters are introduced.

Policing the Borders
To establish if you need to add or change specific policy rules, and what those rules should be, examine the application flows that were identified in your initial discovery process, noting if a flow already passes through an existing security control. If a given application flow does not currently pass through any security control and you plan to create a new network segment, you need to know if the unfiltered flow might get blocked when that segment border is established. If it does get blocked by the new border, you will need to add a new, explicit policy rule in order to allow the application flow to cross it.

However, if a given flow is already being filtered by a security control, then there is usually no need to add another explicit rule for that flow when you start to segment your network. This process can be repeated until you're satisfied that you have segmented your network to deliver the levels of separation and security that you need.
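The discovery and border-policing steps above can be worked through as a small planning script. The following is an added example, not the article's own tooling or any vendor's product: it clusters flows that share an IP address into candidate applications (the discovery grouping the article describes), applies a hypothetical segmentation scheme, and then classifies every flow as intra-segment, already filtered by an existing control, needing a new explicit allow rule, or involving a server the scheme has not assigned yet. All addresses, segment names, flows and the existing-control subnets are constructed sample data.

```python
"""Segment-border policy planner (added example; hypothetical data, not the article's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str            # source server IP
    dst: str            # destination server IP
    port: int           # destination port
    proto: str = "tcp"


# --- Constructed sample data (hypothetical addresses; not from the article) ---
FLOWS = [
    Flow("10.0.1.10", "10.0.1.11", 8080),   # web tier talking to itself
    Flow("10.0.1.10", "10.0.2.20", 8443),   # web -> app
    Flow("10.0.2.20", "10.0.3.30", 5432),   # app -> db
    Flow("10.0.1.11", "10.0.3.30", 5432),   # web -> db, skips the app tier: worth a review
    Flow("10.0.9.90", "10.0.9.91", 22),     # unrelated admin flow, servers not yet in the scheme
]

# Segmentation scheme: which servers are grouped into which segment.
SEGMENTS = {
    "web": {"10.0.1.10", "10.0.1.11"},
    "app": {"10.0.2.20"},
    "db": {"10.0.3.30"},
}

# Existing security control: a firewall already sits between the app and db subnets.
EXISTING_CONTROLS = [("10.0.2.0/24", "10.0.3.0/24")]


def group_flows_by_shared_ip(flows):
    """Discovery step: cluster flows that share an endpoint IP (union-find over addresses).
    Each cluster is a candidate business application."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for f in flows:
        parent[find(f.src)] = find(f.dst)
    groups = {}
    for f in flows:
        groups.setdefault(find(f.src), []).append(f)
    # Deterministic order: by the lowest source address in each cluster.
    return sorted(groups.values(), key=lambda g: min(x.src for x in g))


def segment_of(ip, segments):
    """Look up the segment a server was placed in, or None if the scheme has not assigned it."""
    for name, members in segments.items():
        if ip in members:
            return name
    return None


def already_filtered(flow, controls):
    """True if an existing control already sits between src and dst (in either direction)."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for a, b in controls:
        na, nb = ip_network(a), ip_network(b)
        if (s in na and d in nb) or (s in nb and d in na):
            return True
    return False


def plan_border_rules(flows, segments, controls):
    """Policing step: decide, per flow, what the new segment borders mean for it."""
    plan = []
    for f in flows:
        src_seg, dst_seg = segment_of(f.src, segments), segment_of(f.dst, segments)
        if src_seg is None or dst_seg is None:
            verdict = "unassigned"          # go back to discovery before drawing a border here
        elif src_seg == dst_seg:
            verdict = "intra-segment"       # no border crossed, nothing to add
        elif already_filtered(f, controls):
            verdict = "already-filtered"    # an existing control already carries a rule for it
        else:
            verdict = "needs-rule"          # the new border would block it: add an explicit allow
        plan.append({"flow": f, "from": src_seg, "to": dst_seg, "verdict": verdict})
    return plan


def allow_rules(plan):
    """Render the explicit allow rules for flows that would otherwise be blocked."""
    return [
        f"allow {p['from']}->{p['to']} {p['flow'].proto}/{p['flow'].port} "
        f"src={p['flow'].src} dst={p['flow'].dst}"
        for p in plan if p["verdict"] == "needs-rule"
    ]


if __name__ == "__main__":
    for i, app in enumerate(group_flows_by_shared_ip(FLOWS), 1):
        print(f"candidate application {i}: {len(app)} flow(s)")
    plan = plan_border_rules(FLOWS, SEGMENTS, EXISTING_CONTROLS)
    for p in plan:
        print(f"{p['flow'].src} -> {p['flow'].dst}:{p['flow'].port}  "
              f"{p['from']}->{p['to']}  {p['verdict']}")
    for rule in allow_rules(plan):
        print(rule)
```

Two points the output makes that the prose only implies: the app-to-db flow comes back as already-filtered because a control between those subnets exists, so no duplicate rule is generated; and the direct web-to-db flow is surfaced as needing a rule, which is exactly the moment to ask whether that flow is legitimate before writing an allow for it. Flows touching servers the scheme has not placed are flagged rather than silently treated as intra-segment.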

Managing Holistically
Having deployed your microsegmentation scheme, your next step is to make sure that it works in harmony with the security across your network. Application traffic needs to flow seamlessly across your SDN, in on-premises and cloud environments, so it's critical to confirm that your policies support this.

The most effective way to achieve this is with an automation solution that can holistically manage all the security controls in your SDN environment alongside your existing traditional on-premises firewalls. This will ensure that the security policies that underpin your segmentation strategy are consistently applied and managed across your entire network estate as well as centrally monitored, with any changes tracked for audit purposes.

Implementing microsegmentation requires careful planning and orchestration if it's to be effective. But when done properly, microsegmentation delivers both a stronger security posture and greater business agility. Sometimes, good things really do come in small packages.

Editor's note: Generic products referred to in this article are available from multiple vendors in the security industry.


Avishai Wool co-founded AlgoSec in 2004 and has served as its CTO since its inception. Prior to co-founding AlgoSec, he co-founded Lumeta Corporation in 2000 as a spin-out of Bell Labs, and was its Chief Scientist until 2002. At Lumeta, Dr. Wool was responsible for ...

Reader comment
4/12/2018 | 12:45:04 PM
Micro-segmentation as design philosophy
The prospect of implementing a new design philosophy may induce groans from those looking to patch, rather than rebuild; but the long-term benefits deserve sober consideration. 

Though the article warns: "...while segmentation enhances an organization's security posture, it also adds complexity [more properly: complication] and costs... "; I think that assumes an outside-in, rather than a truly systemic implementation of the fact-based business rules specific to that organization, which should be used to determine segmentation and sequestering.  Micro-segmentation of the network directed from an informational requirements-based mapping, ought to result in a less complicated (so less costly in terms of added infrastructure), and more importantly dynamically responsive (to dynamic organizational requirements), solution.  This is, after all, a software-defined approach.  It only makes sense to incorporate the application-specific informational requirements system design which is (or ought to be), already serving that organization.