microsegmentation, security

How microsegmentation helps with security

shaane syed / 06.27.16

Guest post by Matthew Pascucci, Frontline Sentinel

There are many uses for microsegmentation, which we spoke about in our last article, but the first use case we’re going dig into more is: security. This is the most popular use case when it comes to microsegmentation and many other use cases build off it as a foundation. When using microsegmentation for security you’re able to reduce the attack surface within your network and limit what attackers can exploit. Using software-based segmentation as an overlay, on top of your current network, allows for a more flexible design with segmentation being used across the enterprise. This also allows for workload segmentation within layer 2 that would normally take a choke point to have filtered. Using segmentation that doesn’t require static IP addresses allows for automation of security with the added benefit of allowing your architecture to continue being scalable and flexible. Let’s discuss this security use case in a more detail.

Architecture Mindshift

In today’s network, security is normally laid out to achieve filtering at choke points placed strategically throughout the network and forces traffic to be hair-pinned up north for security filtering. This can create additional hops in your routing, a bottleneck and the potential to miss traffic that isn’t within range to be filtered by a device that high in your network stack. Also, most times this leaves segmentation to layer 2 VLANs which allow far too many devices to be connected on one segment.

Using software based microsegmentation allows administrators to orchestrate the native firewalls already built in on all servers and cloud workloads they’re looking to add additional security and segmentation to, without having to rely on old-school networking architecture to hold them back. With CloudPassage Halo you simply deploy agents on the protected workloads  and define the policy in the Halo Security Orchestration Engine. This allows administrators to create custom filtering policies on a granular level. No longer do you need a choke point device to have traffic sent towards to make these security decisions for you.  As the firewalling is done on the workload itself, it allows filtering to be as granular and as close to the target system as possible.

With these policies in place it also creates the opportunity for enterprises to protect against any malicious traffic hiding in the masses of east-west traffic passing through their network. In the past, if there wasn’t the ability to have traffic sent to a filtering device up north in your environment the traffic would pass through data centers untouched by security. We relied on spans to gather this data and layer 2 VLANs to segment it. When using CloudPassage, admins are now able to wrap workloads with detailed microsegmentation that doesn’t rely on traditional networking to protect them. The limitations of traditional networking gave the advantage to attackers, but with CloudPassage you can take it back.

Zero Trust Zones

Building off the architecture piece, the creation of zero-trust zones is where an organization wants to strive for in its design. Forrester describes zero trust as a zone that’s “never trusted, always verified” and means that today any traffic in your network has the potential to be malicious. Creating these zones in your network means that you have to segment your traffic to only what’s needed between hosts. This takes time, but with CloudPassage you’re able to discover and visualize the traffic occurring between hosts to get an understanding of what traffic should legitimately be passed and limit this traffic to only what’s absolutely mandatory between hosts.

This also means that what is allowed through the policy should be filtered in case the traffic is malicious in nature. As an example, application servers on a particular VLAN typically have no need to speak to each other. In many cases these systems are speaking directly to web tier and database tier and potentially backup servers. In today’s network if all these application servers are on the same VLAN they have the unfettered ability to communicate with each other, even if they don’t have a need to. This is how attackers can pivot through a network after compromising one host. With zero trust zones an administrator can lock down how these applications servers communicate and push policy to enforce it. When this is done, even though servers are on the same VLAN they won’t be able to speak to each other. This is in essence creating zero trust in your network.

Automation of Security

Last, but not least the automation of security is becoming a big part of today’s network. With the adoption of agile delivery methods and DevOps especially, the ability to be nimble when creating systems and networks has become critical. Most security tools, especially traditional network security and firewall tools struggle with this move to automation and orchestration. With CloudPassage Halo you’re able to tag a host with a policy and have it follow the system no matter where it ends up in the network. This means a new system can be spun up through automation, with pre-defined security policy automatically attached, so that security isn’t missed from the beginning and if systems are moved, the policies follow. In a virtualized or cloud environment this is huge. Many times if a system is moved there are new firewall rules that need to be created or old firewall rules that need to be deleted. This doesn’t always happen quickly and in some cases, with firewall rule deletions, it never happens. The automation of security through CloudPassage Halo allows for all this to be done from the start and throughout the life of the host.

Securing your network is the most important use case of microsegmentation and allows other use cases to build off it. Creating segmentation that starts from a zero-trust model, with automation and orchestration at it’s heart, allows for an organization to gain the most from their microsegmentation efforts.

Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email mpascucci@frontlinesentinel.com.