Microsegmentation refers to the ability to segment compute, storage and network resources into small virtual zones in order to control inbound and outbound traffic in both the north-south and the east-west direction. Its main aim is to increase security significantly by containing a threat within a small(er) area: the Zero Trust approach.
Security breaches are well documented in the press nowadays, and with the increase in digitisation (in particular automation and full connectivity) it seems that attacks exploiting unknown vulnerabilities are one of the key threats organisations have to protect themselves against.
In a 2015 Forrester study, software exploits top the list of the most used attack mechanisms with roughly 37% of all attacks. With the rise of so-called exploit kits many environments are increasingly at risk of being attacked successfully without the attack being identified. Stopping an attack that uses an exploit (like running a remote admin command on a host without providing an admin password) is only possible if that exploit is known at the time of the attack.
If an attacker exploits an unknown vulnerability, organisations are blind to it, and further attacks can follow from within. Some attackers wait hours, days or even weeks before exploiting a successful breach, installing command and control on the compromised host and then attacking other hosts that are reachable within its trusted zone.
The Zero Trust approach, outlined by Forrester, tries to address this by promoting "never trust, always verify" as its guiding principle. With Zero Trust there is no default trust for any object, regardless of what it is or where it sits on, or relative to, the network: being in the same zone confers no trust.
Until recently a well tried and tested blueprint was used for designing a secure infrastructure for online applications: a three-tier design that relied on "trust zones" and on physical firewalls (along with other components such as reverse proxies, intrusion detection systems and intrusion prevention systems) that controlled and managed all inbound and outbound traffic.
In practice, trust zones were configured by grouping machines (physical or virtual) into a zone on the physical network. That group would then be mapped to a physical firewall port, a virtual switch port-group and/or a VLAN. This allows firewall-controlled communication between zones: the so-called north-south control.
Crucially, however, east-west traffic within a zone is not firewall controlled. This means that after a successful exploit of an unknown vulnerability the attacker can set up command and control on the first host, or move within the zone to a different host.
As the title says, hosts within the zone implicitly trust each other, meaning that an attacker can move from host to host without traversing a firewall or any other intrusion detection system. Of course there are ways to protect hosts within a zone, or you can create a zone per server. However, this has significant drawbacks, as it pushes management overhead and cost through the roof.
Besides limiting our ability to contain an intrusion, the traditional approach creates significant headaches during setup and operations, as each application has to be mapped to a tier as well as to its IP/port/protocol usage. How many times has an application failed because certain ports were not "opened" on the firewall, and how many landscapes have "all doors open" because an application uses dynamic port mappings or firewalls have been "opened" too widely?
A trusted zone model combined with stateful inspection firewalls (as well as anti-malware and anti-virus protection) defends well against known attacks. In the case of an attack using an unknown vulnerability, however, it cannot stop the attacker from attacking the other hosts in the zone that trust the compromised one.
A better way to control and contain exploits is a zero trust approach implemented through microsegmentation. Microsegmentation only becomes practical as network virtualisation matures and is more widely deployed. Using software-based networking in a virtual environment it is possible to track, control, monitor and log every flow and every packet between any two hosts: north, south, east and west.
In a microsegmentation approach every single virtual server has its own firewall, typically stateful, that can filter, log and monitor every packet that enters or leaves the server.
As the firewall sits "below" the network, at the virtual machine's own network interface, there are no "trust zones": security is always present, per flow and per packet, with stateful inspection, policy actions and detailed logging, per virtual machine and per virtual network interface. The physical network acts only as a physical connector.
This approach allows security to be managed not at the IP level but at the virtual server/machine level. Security is built on the basic concept of a group: objects are assigned to a group, and specific policies are applied to that group. With microsegmentation in a virtual network environment these groups can now include virtual servers/machines directly.
This has several advantages:
- It is simpler, as no mapping between a physical firewall port and a NIC port is needed
- It can "grow" automatically: based on policy, new virtual servers/machines can simply be added via standard templating and group policies
- It allows production and non-production to run side by side, as virtual server/machine based groups separate each virtual server/machine
- There is no limitation regarding connecting to a distributed virtual switch (DVS)
- It does not matter which port group connects to the virtual server/machine, and vice versa
- Beyond managing security from a virtual server/machine perspective rather than just at IP/port level, it becomes possible to go up one level and manage it based on application and user
- There are some products in the market, physical as well as virtual, that allow security to be constructed truly top-down
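The contrast drawn above, between the trust-zone blueprint where only north-south traffic crosses a firewall and the microsegmented design where each virtual machine carries its own default-deny, group-driven policy, can be made concrete with a small model. The following Python is an added illustration for this article, not code from the original post or from any vendor's product; the VM inventory, zones, security groups, IP addresses, ports and the nft-like rule text are all constructed for the example.

```python
"""Toy flow-policy evaluator contrasting the trust-zone model with a
microsegmented (per-VM firewall, group-based policy) model.

Added illustration for this article, not code from NSX or any other
vendor. The VM inventory, groups, IPs, ports and the rule text are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    zone: str              # legacy trust zone the machine is patched into
    groups: frozenset      # security groups used by microsegmentation policy


@dataclass(frozen=True)
class Policy:
    src_group: str
    dst_group: str
    proto: str
    port: int


# Constructed three-tier inventory: the two web servers share the DMZ zone.
VMS: Dict[str, VM] = {
    "web1": VM("web1", "10.0.1.11", "DMZ", frozenset({"web"})),
    "web2": VM("web2", "10.0.1.12", "DMZ", frozenset({"web"})),
    "app1": VM("app1", "10.0.2.21", "APP", frozenset({"app"})),
    "db1":  VM("db1",  "10.0.3.31", "DB",  frozenset({"db"})),
}

# The only flows the application actually needs, expressed on groups, not IPs.
POLICIES: List[Policy] = [
    Policy("web", "app", "tcp", 8080),
    Policy("app", "db",  "tcp", 5432),
]


def policy_match(src: VM, dst: VM, proto: str, port: int) -> bool:
    """True if some group policy explicitly permits src -> dst on proto/port."""
    return any(p.src_group in src.groups and p.dst_group in dst.groups
               and p.proto == proto and p.port == port
               for p in POLICIES)


def zone_model_allows(src: VM, dst: VM, proto: str, port: int) -> bool:
    """Trust-zone blueprint: the physical firewall sits only between zones,
    so traffic inside a zone never traverses it and is implicitly allowed."""
    if src.zone == dst.zone:
        return True               # east-west inside the zone: no inspection
    return policy_match(src, dst, proto, port)


def microseg_allows(src: VM, dst: VM, proto: str, port: int) -> bool:
    """Microsegmentation: every VM has its own default-deny firewall, so only
    flows covered by an explicit group policy pass, whatever the zone."""
    return policy_match(src, dst, proto, port)


Model = Callable[[VM, VM, str, int], bool]


def lateral_reach(model: Model, compromised: str, proto: str = "tcp",
                  port: int = 22, inventory: Dict[str, VM] = VMS) -> Set[str]:
    """Hosts that a foothold on `compromised` could reach on proto/port."""
    src = inventory[compromised]
    return {name for name, dst in inventory.items()
            if name != compromised and model(src, dst, proto, port)}


def render_vm_rules(vm: VM, inventory: Dict[str, VM] = VMS) -> List[str]:
    """Inbound rules for one VM's own firewall, derived from group policy.
    The rule text is an nft-like pseudo syntax made up for this example.
    A VM added to a group needs no per-IP change on its peers: their rule
    sets are simply regenerated from group membership."""
    rules = []
    for p in POLICIES:
        if p.dst_group not in vm.groups:
            continue
        for src in inventory.values():
            if p.src_group in src.groups:
                rules.append(f"ip saddr {src.ip} {p.proto} dport {p.port} accept")
    rules.append("drop")          # default deny closes the per-VM policy
    return rules


if __name__ == "__main__":
    for label, model in (("trust zones", zone_model_allows),
                         ("microsegmentation", microseg_allows)):
        print(f"{label}: foothold on web1 can ssh to {lateral_reach(model, 'web1') or '{}'}")
    for name in ("app1", "db1"):
        print(f"{name} inbound rules: {render_vm_rules(VMS[name])}")
    # Scaling out: a third web server inherits policy by group membership alone.
    grown = dict(VMS, web3=VM("web3", "10.0.1.13", "DMZ", frozenset({"web"})))
    print(f"app1 inbound rules after adding web3: {render_vm_rules(VMS['app1'], grown)}")
```

Under the zone model a foothold on web1 can reach web2 on any port because both sit in the DMZ and that traffic never touches the firewall; under the microsegmented model the same flow is dropped because no group policy permits it, while the web-to-app and app-to-db flows the application needs still pass. Adding web3 to the "web" group regenerates app1's inbound rules without anyone editing an IP-based rule on the physical firewall, which is the "grow automatically" advantage listed above.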
Things to consider
The implication is that the network topology as well as the logical design (routes, flows, separation, etc.) changes. Introducing this approach in an existing environment requires diligent planning, and it pushes application, compute and network much closer together, meaning they can no longer be seen in isolation. Another impact is the reduction of the silo'ed organisational setups of the past (or, for many, the present), as server and network teams can and will have to work much more closely together.
There are a number of aspects to consider when moving to a zero trust model using microsegmentation:
As outlined above, microsegmentation can increase security; however, other measures are needed to ensure that all attacks are dealt with, and not "just" attacks exploiting unknown vulnerabilities. As with any security measure, organisations have to weigh up cost against risk to decide which solutions and blueprints are needed to protect themselves appropriately.
(About the author: Gunnar Menzel is vice president and chief architect officer at Capgemini. This post originally appeared on his Capgemini blog, which can be viewed here.)