Dark Reading | Risk | Commentary
5/29/2020 10:00 AM
Trevor Pott

Digital Distancing with Microsegmentation

Physical distancing has blunted a virus's impact; the same idea can be applied to computers and networks to minimize breaches, attacks, and infections.

Social distancing has recently entered the popular lexicon in a big way and, by now, we are all intimately familiar with the idea of keeping a safe distance from others to minimize health threats. There are a lot of parallels between biological epidemiology and information security, and the concept of "digital distancing" as one layer in a multi-layered approach to protection doesn't just apply to in-person interactions.

As with social distancing, the basic concept behind microsegmentation is to limit as much unnecessary contact as possible. Most computers only need to talk to a very limited subset of other computers, and that is where microsegmentation comes in as the social distancing of computer systems.

How It Works
Microsegmentation improves data center security by controlling the network traffic into and out of each individual network connection. Ultimately, the goal of microsegmentation is to implement Zero Trust.

Done properly, microsegmentation is effectively a whitelist for network traffic. This means that systems on any given network can communicate only with the specific systems they need to communicate with, in the manner they are supposed to communicate, and nothing else. With connections and communications so regimented, microsegmentation is among the best protections we have today against lateral compromise.

This allows microsegmentation administrators to protect whatever is on the other end of that network connection from whatever else is on the network. It also allows everything else on the network to receive a basic level of protection from whatever might be on the other end of that network connection.

This is a huge change from the "eggshell computing" model in which all defenses are concentrated at the perimeter (the eggshell) but everything behind that edge is wide open (the soft insides of the egg). Eggshell computing is ineffective: attackers have used lateral spread from an initial point of compromise for decades, so east-west defenses must exist in data centers alongside the more traditional north-south ones.

Can You Get Too Isolated?
In more advanced implementations, microsegmentation moves beyond what is basically just another firewall run by a different team and adds network overlays. With a combination of overlays and ACLs, it is possible to restrict all traffic in and out of a specific system so that only those other systems that are supposed to receive it can even see that traffic, let alone respond to it.

In the real world, however, most systems cannot realistically be isolated such that they only communicate with peer systems in an east-west manner within the data center. At the very least, they must reach out to something, somewhere to get security updates. Well-designed microsegmentation systems offer the ability to place virtual – or, increasingly, containerized – firewalls at the edge of a given microsegment so that any traffic that leaves the segment passes through that firewall.

This approach allows a system to be isolated as much as is practicable – only systems which absolutely need to communicate among themselves are attached to a given network segment – while still offering routing beyond that segment. Passing traffic in and out of that segment through a firewall (or any other network security functions you wish to include) provides an additional – and increasingly necessary – level of protection that isn't easily achieved with only ACLs and network overlays. 
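As an added illustration (not code from the article, from Trevor Pott or from Juniper), the following Python models two things described above: the default-deny allowlist from "How It Works", and the routing of anything that leaves a segment through that segment's edge firewall from this section. The three segments, their CIDRs, the permitted flows and the flow records it evaluates are all constructed for the example and are not taken from any real deployment.

```python
# Added example, not from the article: a default-deny allowlist evaluator that
# models microsegmentation policy. Segment names, CIDRs, rules and the flow
# records below are all constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

EXTERNAL = "external"  # anything that is not inside one of our segments


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: IPv4Network


@dataclass(frozen=True)
class Rule:
    src: str    # source segment name, or EXTERNAL
    dst: str    # destination segment name, or EXTERNAL
    proto: str
    dport: int


# Constructed three-tier topology: web -> app -> db.
SEGMENTS: List[Segment] = [
    Segment("web", ip_network("10.1.0.0/24")),
    Segment("app", ip_network("10.2.0.0/24")),
    Segment("db", ip_network("10.3.0.0/24")),
]

# The allowlist. A flow that matches no rule is denied, whether it crosses a
# segment boundary or stays inside one; the db tier has no outbound rule at all.
RULES = {
    Rule(EXTERNAL, "web", "tcp", 443),  # north-south ingress to the web tier
    Rule("web", "app", "tcp", 8443),
    Rule("app", "db", "tcp", 5432),
    Rule("db", "db", "tcp", 5432),      # replication between database nodes
    Rule("app", EXTERNAL, "tcp", 443),  # update mirror, via the app edge firewall
}


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or EXTERNAL if it is in none."""
    addr = ip_address(ip)
    for seg in SEGMENTS:
        if addr in seg.cidr:
            return seg.name
    return EXTERNAL


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (verdict, path). Verdict is ALLOW or DENY; path names the
    enforcement point. Anything leaving a segment goes through that segment's
    edge firewall; ingress from outside is the perimeter's job."""
    s, d = segment_of(src_ip), segment_of(dst_ip)
    if Rule(s, d, proto, dport) not in RULES:
        return "DENY", "not in allowlist"
    if s == d:
        return "ALLOW", f"intra-segment ({s})"
    if s == EXTERNAL:
        return "ALLOW", "north-south via perimeter firewall"
    if d == EXTERNAL:
        return "ALLOW", f"egress via {s} edge firewall"
    return "ALLOW", f"east-west via {s} edge firewall"


# Constructed flow records, one per line: "src dst proto dport".
SAMPLE_FLOWS = """\
203.0.113.77 10.1.0.5 tcp 443
10.1.0.5 10.2.0.9 tcp 8443
10.2.0.9 10.3.0.4 tcp 5432
10.3.0.4 10.3.0.5 tcp 5432
10.2.0.9 203.0.113.10 tcp 443
10.1.0.5 10.3.0.4 tcp 5432
10.1.0.5 10.1.0.6 tcp 445
10.3.0.4 203.0.113.10 tcp 443
"""


def audit(flow_text: str) -> List[Tuple[str, str, str]]:
    """Evaluate every record and return (record, verdict, path) triples."""
    results = []
    for line in flow_text.strip().splitlines():
        src, dst, proto, dport = line.split()
        verdict, path = evaluate(src, dst, proto, int(dport))
        results.append((line, verdict, path))
    return results


def denied_sources(flow_text: str) -> Dict[str, int]:
    """Count denied flows per source host. A host that repeatedly hits the
    default-deny rule is the signal a SOC wants from a segmented network."""
    counts: Dict[str, int] = {}
    for line, verdict, _ in audit(flow_text):
        if verdict == "DENY":
            src = line.split()[0]
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for record, verdict, path in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {record:34} {path}")
    print("denied per source:", denied_sources(SAMPLE_FLOWS))
```

Running the block prints a verdict for each record. The three denials are the cases the article is about: a web host reaching for the database port directly, the same host trying SMB to a neighbour inside its own segment, and a database node trying to leave the data center with no rule permitting it. The per-source denial count from `denied_sources` is the kind of signal a detection rule can key on, since a host that keeps hitting default-deny is either misconfigured or compromised. The model deliberately ignores direction and connection state for return traffic; a real enforcement point tracks both.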

The ability to securely add a server or virtual machine anywhere on the network dramatically increases the flexibility of workload placement. Common experience with microsegmentation shows that adoption is frequently tied to the popularity of distributed applications. In some cases, demand for distributed applications drives the need to implement microsegmentation. In other cases, the availability of microsegmentation opens the door to distributed applications that weren't realistic before.

Distributed applications, like all applications, have varying levels of resiliency to failure. The widespread adoption of distributed applications can magnify the scope of impact of a switch failure because that switch may potentially be hosting parts of multiple applications or services. Redundancy is always a good plan in IT, but it gains new urgency when microsegmentation is deployed in earnest.

If You Must Make Changes, Make All Changes
Architecture and planning are key to successful microsegmentation deployments. If you haven't implemented microsegmentation before, ensure that your infrastructure can support significantly more microsegments than you think you're going to need, as growth of new functionality within an organization can be unpredictable. This means ensuring that all relevant components (and management software) can handle the scale you will require.

Network equipment – switches, routers and virtual switches – typically has only a limited capability to filter, restrict, or encapsulate traffic. Deep Packet Inspection (DPI), SSL/TLS proxying, and many other information security capabilities still require traffic to pass through (or at least be mirrored to) more capable defenses, such as an enterprise-class firewall.

Pay attention to what the ongoing management overhead of the proposed microsegmentation scheme looks like. This is also a good time to talk to the vendor about software-defined LANs (SD-LANs) because if you're going to upend your entire network management approach, you might as well get all the automation and orchestration handled at once. Chances are you won't be making a change this big for at least another decade.

Microsegmentation has a justified reputation for being difficult to implement, more than a little bit of a pain to manage and, as a result, rather expensive. It has been this way for years and, if implemented incorrectly, can still be so today.

No Longer a Luxury
Microsegmentation does not have to be a nightmare to implement, however. Well-planned implementations architected by experienced professionals can not only be successful, but can significantly increase an organization's ability to respond to unexpected change, ultimately proving to be of financial benefit. 

It is understandable you might not have implemented microsegmentation if you have a massive, sprawling network with decades of technical debt. But from an information security perspective, nobody should be deploying any new networks today without microsegmentation. Microsegmentation is no longer some niche, emerging feature. It should be considered a fundamental capability for both networking agility and information security today.

There is no end to the struggle of attacker and defender in the IT space, as attackers get better at rapidly spreading throughout a network every year. Minimizing contact between systems using digital distancing is an obvious tool available to organizations to reduce the scope of compromise when those inevitable compromise events do happen.

Trevor Pott is a Product Marketing Director at Juniper Networks. Trevor has more than 20 years of experience as a systems and network administrator. From DOS administration to cloud native information security, Trevor has deep security knowledge and a career that matches the ...
