Network segmentation is a best-practice strategy for reducing the attack surface of data center networks. Just as the watertight compartments in a ship should contain flooding if the hull is breached, segmentation isolates servers and systems into separate zones to contain intruders or malware, limiting the potential security risks and damage.
A lack of effective network segmentation has been cited as a contributing factor behind several major data breaches, from the 2013 attack on Target to the recent Equifax breach. But while segmentation enhances an organization's security posture, it also adds complexity and costs — especially in traditional on-premises data centers.
In these hardware-based environments, creating internal zones usually means installing extra firewall appliances to police the traffic flows between zones, which is expensive and time consuming. As a result, segmentation in traditional data centers has usually been limited to creating only a handful of zones.
More recently, the move to virtualized data centers using software-defined networking (SDN) is driving adoption of internal network segmentation. SDN's flexibility enables advanced, granular zoning where data center networks are divided into hundreds or thousands of microsegments. This offers levels of security that were previously prohibitively expensive and complicated to implement. It's no surprise that ESG analyst Jon Oltsik last year reported that 68% of enterprises are using some form of software-based microsegmentation technology to limit lateral exploration of networks by hackers, and make it easier to protect their applications and data.
But while SDN makes segmentation far easier to achieve, implementing an effective microsegmentation strategy presents two key challenges: where to place the borders between the microsegments in the data center; and how to devise and manage the security policies for each of the segments in their network environment?
Network and application traffic in the data center will need to cross multiple segments' security controls to enable the application to function. So, the policies at each control must allow this traffic or the application simply will not work. And the more segments a network has, the more complex these policies become if they are to be effective in supporting business applications while blocking illegitimate traffic.
Starting the Microsegmentation Process
These challenges can be addressed with the right approach. The starting point is to discover all the application flows within your data center. An efficient way of doing this is by using a discovery engine that can identify and group together those flows that have a logical connection to each other — such as those based on shared IP addresses, which indicates the flows that may support the same business application.
This information can be augmented with additional data, such as labels for device or application names that are relevant to the flows. This creates a complete map that identifies the flows, servers, and security devices within the data center that your business applications rely on to function correctly.
Setting Up Segment Borders
Using this map, you can create your segmentation scheme for deciding which servers and systems should be placed in which network segment. This is done by identifying and grouping together servers that support the same business intent or applications. These servers are likely to be in regular communication with each other — typically sharing similar data flows — and can be placed within the same segment to better facilitate their interaction.
Once the scheme is outlined, you can then choose the best places on the data center network to place the security filters (such as virtual firewalls or other security controls) and create secure borders between segments.
When placing the filtering device (or activate a virtualized microsegmentation technology) to create a border between segments, remember that some of your application traffic flows will need to cross that border. Those cross-border flows will need explicit policy rules to allow them, otherwise the flows will be blocked and the applications that rely on them will fail. Therefore, you need to establish exactly what will happen to the flows once those filters are introduced.
Policing the Borders
To establish if you need to add or change specific policy rules, and what those rules should be, examine the application flows that were identified in your initial discovery process, noting if a flow already passes through an existing security control. If a given application flow does not currently pass through any security control and you plan to create a new network segment, you need to know if the unfiltered flow might get blocked when that segment border is established. If it does get blocked by the new border, you will need to add a new, explicit policy rule in order to allow the application flow to cross it.
However, if a given flow is already being filtered by a security control, then there is usually no need to add another explicit rule for that flow when you start to segment your network. This process can be repeated until you're satisfied that you have segmented your network to deliver the levels of separation and security that you need.
Having deployed your microsegmentation scheme, your next step is to make sure that it works in harmony with the security across your network. Application traffic needs to flow seamlessly across your SDN, in on-premises and cloud environments, so it's critical to confirm that your policies support this.
The most effective way to achieve this is with an automation solution that can holistically manage all the security controls in your SDN environment alongside your existing traditional on-premises firewalls. This will ensure that the security policies that underpin your segmentation strategy are consistently applied and managed across your entire network estate as well as centrally monitored, with any changes tracked for audit purposes.
Implementing microsegmentation requires careful planning and orchestration if it's to be effective. But when done properly, microsegmentation delivers both a stronger security posture and greater business agility. Sometimes, good things really do come in small packages.
Editor's note: Generic products referred to in this article are available from multiple vendors in the security industry.
Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.Avishai Wool co-founded AlgoSec in 2004 and has served as its CTO since its inception. Prior to co-founding AlgoSec, he co-founded Lumeta Corporation in 2000 as a spin-out of Bell Labs, and was its Chief Scientist until 2002. At Lumeta, Dr. Wool was responsible for ... View Full Bio