Microsegmentation: getting granular to improve network security
31 January 2018 | 0
Microsegmentation is a method of creating secure zones in data centres and cloud deployments that allows companies to isolate workloads from one another and secure them individually. It is aimed at making network security more granular.
Microsegmentation, VLANs, firewalls and ACLs
Network segmentation is not new. Companies have relied on firewalls, virtual local area networks (VLAN) and access control lists (ACL) for network segmentation for years. With microsegmentation, policies are applied to individual workloads for greater attack resistance.
“We can do things in software, in a layer that’s decoupled from the underlying hardware. That makes segmentation much easier to deploy”
“Where VLANs let you do very coarse-grained segmentation, microsegmentation lets you do more fine-grained segmentation. So anywhere you need to get down to granular partitioning of traffic, that’s where you’ll find it,” says analyst Zeus Kerravala, founder of ZK Research and a contributor to Network World.
The rise of software-defined networks and network virtualisation has paved the way for microsegmentation. “We can do things in software, in a layer that’s decoupled from the underlying hardware,” Kerravala says. “That makes segmentation much easier to deploy.”
Managing data centre traffic
Traditional firewalls, intrusion prevention systems (IPS) and other security systems are designed to inspect and secure traffic coming into the data centre in a north-south direction. Microsegmentation gives companies greater control over the growing amount of east-west or lateral communication that occurs between servers, bypassing perimeter-focused security tools. If breaches occur, microsegmentation limits potential lateral exploration of networks by hackers.
“Most companies put all their high value security tools in the core of the data centre: firewalls, IPSes. And so the traffic moving north-south has to pass through those firewalls. If it’s moving east-west, it’s bypassing those security tools,” Kerravala says. “You could put firewalls up at every interconnection point, but that would be prohibitively expensive. It’s also not very agile.”
Microsegmentation is gaining momentum, but there are still questions about who should own it. In a large enterprise, a network security engineer might lead the effort. In smaller companies, a team involving security and network operations might spearhead microsegmentation deployments.
“I don’t know if there’s really one group that’s in charge of it. I think it depends what you’re using it for,” Kerravala says. He sees interest from security and network pros.
“I think because it operates as a network overlay, in most cases, it’s easy for security operations to deploy and then run it over the top of the network. And I see network operations people doing it too, as a way to secure IoT devices, for example. Those are really the two primary audiences.”
Benefits and security challenges
With microsegmentation, IT pros can tailor security settings to different types of traffic, creating policies that limit network and application flows between workloads to those that are explicitly permitted. In this zero-trust security model, a company could set up a policy, for example, that states medical devices can only talk to other medical devices. And if a device or workload moves, the security policies and attributes move with it.
The goal is to decrease the network attack surface: by applying segmentation rules down to the workload or application, IT can reduce the risk of an attacker moving from one compromised workload or application to another.
Another driver is operational efficiency. Access control lists, routing rules and firewall policies can get unwieldy and introduce a lot of management overhead, making policies difficult to scale in rapidly changing environments.
Microsegmentation is typically done in software, which makes it easier to define fine-grained segments. And with microsegmentation, IT can work to centralise network segmentation policy and reduce the number of firewall rules needed.
Granted, that is no small task – it will not be easy to consolidate years of firewall rules and access control lists and translate them into policies that can be enforced across today’s complex, distributed enterprise environments.
For starters, mapping the connections between workloads, applications, and environments requires visibility that many enterprises lack.
“One of the big challenges with segmentation is you have to know what to segment. My research shows that 50% of companies have little or no confidence that they know what IT devices are on the network. If you don’t even know what devices are on the network, how do you know what kind of segments to create? There’s a lack of visibility into data centre flows,” Kerravala says.
IDG News Service