Microsegmentation in the data center
Improved Separation
Microsegmentation breaks a network or data center into many small segments to improve efficiency or security. Segmentation became an established technique once virtual local area networks (VLANs) came into use. From the very beginning, security was a central focus of VLAN segmentation, because it divided network domains into smaller parts and then controlled the movement of data among them.
Traditional VLANs quickly reach their limits, however, when confronted with more extreme levels of segmentation, especially with regard to managing security and configuration settings, because these settings become increasingly complex as the number of segments grows. Moreover, VLAN configuration tends to be rather static, and its security controls operate at the IP layer rather than at the application level.
New Challenges for Security
Perimeter protection alone no longer suffices to secure a network. When a company network, the company data center network (which should have its own protection), or an individual VLAN suffers a breach, the attacker gains free rein within the invaded domain and perhaps beyond. Traditionally, protection against breaches has been set up according to the "north-south data traffic" (client to server) principle, with an eye toward protecting incoming data. Once an attacker gets past these barriers, the "east-west data traffic" (server to server) within the domain becomes vulnerable. Solutions involving microsegmentation are intended to offer more security and easier configuration.
These solutions are currently offered by various providers, including Cisco (ACI), Unisys (Stealth), and VMware (NSX). The conceptual differences among these offerings are considerable. Cisco is focused on support for virtual and physical platforms. VMware, on the other hand, emphasizes virtualized infrastructure inside its software-defined data center (SDDC). Unisys adds encryption, so communication extending beyond the data center is also protected.
Attacks known as advanced persistent threats (APTs) are becoming ever more sophisticated and more persistent, and they target a greater number of levels. Additionally, countless zero-day exploits take advantage of software vulnerabilities. The result of these dangers is that protecting the external perimeter no longer provides adequate protection. Instead, multiple layers of protection are required to fend off attacks, keep critical systems safe, and safeguard sensitive information. (See also the "Additional Security in Virtual Environments" box.) The security techniques used in microsegmentation make it possible to implement, efficiently, security concepts that substantially reduce risk.
Additional Security in Virtual Environments
Microsegmentation makes it possible to implement more security measures, especially in virtual environments. For example, VMware offers integration of firewalls and vulnerability scanning where policies recommend these components, which means that comprehensive rules that significantly reduce the risk of attacks can be applied to all layers. Granted, even this type of approach cannot guarantee perfect protection for applications, but the rules do serve to increase the level of security, functioning as they do in multiple small segments and protective layers. Additionally, the potential effect of an attack is lessened because it will be confined to a smaller area of the network.
Application Architectures Simplify Segmentation
The practical implementation of microsegmentation depends in large part on the multilayered application architectures commonly in use today, as well as popular applications that consume services via APIs from other applications to create new solutions. Once implemented, microsegmentation lets you move complete applications and groups of applications, as well as individual layers of applications like the web server, the application server, and the database server, into separate segments. The resulting segments are much smaller and more granular than those achieved with established approaches.
A question that quite naturally arises with this method is whether and how an administrator can manage the security rules meaningfully. If you think about a situation involving hundreds of applications with an even greater number of components that could potentially be segmented, then security configuration looks like an administrative nightmare. Even if it were possible to configure effective security rules, the resulting environment would inevitably be very static, because any change would require significant configuration effort – at least at first sight.
In principle, the solution is simple: Declarative security is achieved through policy-based guidelines or best practices that specify how applications are allowed to communicate. These policies do not apply to the network, but to the applications in the segments. Because individual applications with a limited set of interfaces are concerned, the approach of choice is whitelisting, meaning explicit approval for certain types of communication only; everything not listed is denied. For example, particular applications might be given permission to access a database server that functions as the back end for an application on an application server.
This solution no longer involves a static definition of the type of communication that is permitted between specified network segments. Instead, a definition applies to an individual segment and the type of communication this segment is allowed to carry out with applications and other segments. Software then assumes the task of implementing these policies within the IT infrastructure, whether it be a virtualized environment or a network of physical components. Therefore, moving something like a virtual machine does not change policies, but the microsegmentation software will need to take the move into account.
Cisco supports other features, as well. For example, an attribute-based configuration uses defined attributes to determine how an application will be handled, permitting comparatively generic policies that can then be implemented accordingly – in this case, with Cisco ACI. In each case, the result comprises structures that are far more flexible and dynamic than ever before, which is why they also play such a fundamental role in the VMware SDDC concept. With respect to microsegmentation, security functions then become a permanent feature of the policies. These flexible policies and the central infrastructure management make up the core of the concept.
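To make the declarative, whitelist-based model of the preceding paragraphs concrete, here is an added example (not code from the article or from any vendor product) of a tiny attribute-based policy evaluator: rules select workloads by tags such as app and tier rather than by address, unlisted east-west flows are denied by default, and moving a VM to a new IP changes no decision. The three-tier "shop" application, the tags, the addresses, and the flows are all constructed for the example.

```python
# Added example, not from the article or any product: a declarative,
# attribute-based allowlist for east-west traffic. Policies name workload
# attributes (app, tier), never IPs; all workloads and flows are constructed.
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    ip: str
    tags: dict          # e.g. {"app": "shop", "tier": "web"}

@dataclass
class Policy:
    src: dict           # attribute selector for the source workload
    dst: dict           # attribute selector for the destination workload
    ports: set          # TCP ports explicitly allowed (whitelist)

def matches(selector: dict, tags: dict) -> bool:
    """A selector matches when every attribute it names has the same value."""
    return all(tags.get(k) == v for k, v in selector.items())

def allowed(policies, src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: a flow passes only if some policy explicitly allows it."""
    return any(matches(p.src, src.tags) and matches(p.dst, dst.tags)
               and port in p.ports for p in policies)

# Constructed three-tier "shop" application, one policy per permitted hop.
POLICIES = [
    Policy({"app": "shop", "tier": "web"}, {"app": "shop", "tier": "app"}, {8080}),
    Policy({"app": "shop", "tier": "app"}, {"app": "shop", "tier": "db"}, {5432}),
]
INVENTORY = {
    "web1": Workload("web1", "10.0.1.10", {"app": "shop", "tier": "web"}),
    "app1": Workload("app1", "10.0.2.10", {"app": "shop", "tier": "app"}),
    "db1":  Workload("db1",  "10.0.3.10", {"app": "shop", "tier": "db"}),
    "hr1":  Workload("hr1",  "10.0.4.10", {"app": "hr",   "tier": "app"}),
}

def evaluate(flows, inventory=INVENTORY, policies=POLICIES):
    """Return {(src, dst, port): decision} for a list of (src, dst, port) flows."""
    return {f: allowed(policies, inventory[f[0]], inventory[f[1]], f[2]) for f in flows}

def move_vm(name: str, new_ip: str, inventory=INVENTORY):
    """A VM move changes only the address; the policies are untouched."""
    inventory[name].ip = new_ip
    return inventory[name]

FLOWS = [("web1", "app1", 8080), ("app1", "db1", 5432),
         ("web1", "db1", 5432), ("hr1", "db1", 5432)]
```

Calling `evaluate(FLOWS)` before and after `move_vm("app1", "10.0.9.99")` yields the same decisions: only web to app on 8080 and app to db on 5432 pass, while web to db and the unrelated hr workload are denied.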
Organization Is the Crux of the Matter
A practical consideration for the use of microsegmentation should not be underestimated. In the typical company, different organizational units are responsible for managing policies related to application configuration, network infrastructure, and security. The management of directives thus becomes an organizational challenge that could be addressed by using policy management tools that have different access privileges. As a result, various users would only be permitted to edit particular policy areas.
However, it is more sensible and forward-looking for the organization to develop software-defined IT infrastructures (e.g., network, storage, data center, etc.) and to manage these software-defined environments uniformly. Under this kind of management model, the network becomes merely a transport medium that is then built out in accordance with the policies that apply to the software-defined infrastructure.