With the growth of software-defined networking (SDN) and the evolution of software-defined data center (SDDC) technologies, network administrators, data center operators and security officers are increasingly looking to micro-segmentation, for enhanced and more flexible network security.
In this article, we’ll be considering the nature and characteristics of the process, and looking at ways to effectively plan, implement, and manage network micro-segmentation deployments.
What Is Micro-Segmentation?
To assist in administration, security enforcement and the management of data collision domains, network segmentation or the division of a network into smaller sub-sections allows administrators to minimize the access privileges granted to people, applications and servers, and the rationing of access to sensitive or mission-critical information on an “as-needed” basis.
In its traditional form, network segmentation is achieved by creating a set of rules to govern communication paths, then configuring firewalls and VLANs to provide the means to partition the network into smaller zones. For comprehensive security coverage, a network should be split into multiple zones, each with their own security requirements – and there should be a strict policy in place to restrict what’s allowed to move from one zone to another.
It’s a physical process that can soon reach the limits of its effectiveness, once traditional or even next-generation firewalls become overloaded and the burden on IT staff of manually fine-tuning configurations and policies becomes too great as networks expand beyond a certain size or are simply overwhelmed by changing conditions.
Micro-segmentation takes network partitioning to the next level, by exploiting virtualization and software-defined network technologies to allow policy-based security to be assigned to the network at a granular level – with security assignments possible down to individual workloads.
Benefits And Drawbacks
For micro-segmentation, hardware-based firewalls aren’t required to enable security to be directly integrated with virtualized workloads. So security policies may be synchronized with virtual machines (VMs), virtual networks, operating systems, or other virtual security assets, with security assignments down to the level of a single workload or network interface. And if a network is reconfigured or migrated, VMs and workloads will move together with their associated security policies.
By enabling such fine-grained security controls, micro-segmentation can drastically reduce the available attack surface that a network presents. It enables more granular control over the traditional “choke points” of a network, and allows for security controls which are customized for each virtual environment.
Should an attack occur, the effective separation of each zone into its own secured environment helps limit the spread of incursion and any sideways spread into the rest of the network. Micro-segmentation can also simplify and speed up incident responses, and enhance forensics in the event of a security breach or other network event.
On the downside, micro-segmentation can be a complex process requiring detailed design and careful administration. The increased overhead in areas like system monitoring and alerts or identity management may translate into increased financial and staffing costs for the enterprise – unless the deployment is properly planned and executed. The following recommendations should help.
Start With Analytics
Mapping a network’s security requirements down to its lowest level requires a detailed knowledge of its inner workings – a fine-grained and 360-degree view of the network which goes beyond what manual observation can achieve. Visibility must be gained into communication patterns and network traffic flows to, from, and within the enterprise campus, and software analytics should be employed to establish key relationships and traffic patterns (groups of related workloads, critical applications, shared services, etc.)
The policies and security rules to be used under micro-segmentation will also be determined by the results of network analytics. Models should be drawn up and assessed to highlight important relationships, and to help spot network elements and workloads that may potentially pose problems. Analytical results will also assist in crafting policy definitions and the orchestration system needed for pushing micro-segmentation out to all the infrastructure on the network.
Adopt A Zero Trust Attitude
Denial of access should be the default philosophy, with communications on the network selectively allowed on the basis of the previous analysis. Throughout the micro-segmentation deployment, “zero trust zones” should be created, with policies and rules set to allow only that access to users, systems, and processes that they essentially need to do their jobs.
Whitelisting may be of value here, as network analytics should reveal what are known to be safe communication paths. Everything else can be blocked.
Choose Your Tools Wisely
Software-defined networking technologies may facilitate the enhancement of legacy infrastructure and security protections for micro-segmentation – but this will depend on a careful selection of hypervisor and tools for virtualization. This would typically include a single tool or platform for visualizing the interactions occurring between the physical and software-defined layers of the network. Tools should also be integrated and user-friendly for all the personnel involved – be they assigned to operations, networking, cloud, storage, administration, or security.
Look for features like automated provisioning and move/change/add for workloads, scale-out performance for firewalling, and distributed enforcement in-kernel and at each virtual interface.
Consider The Cloud
Cloud-based technologies can relieve much of the burden of a micro-segmentation deployment. Network traffic analytics tools may be employed at the design stage to help trace critical communication paths and inter-relationships, and to throw up potential network security and micro-segmentation weaknesses, based on known best practice configurations.
Deep insights into network operations may be obtained without the need for investing in on-premises hardware and software. And web-based administration platforms may be used to manage and orchestrate the dispersal of micro-segmentation policies across the entire network.
Create Best Practice Zones For Compliance
Compliance regimes such as PCI-DSS give guidelines for the clear separation of data within a network – and micro-segmentation is ideally suited to ensuring this. For instance, it’s easy to create zones where confidential information like financial records or credit card data are isolated from the less sensitive data moving through the rest of the network.
For audit purposes, micro-segmentation may be employed to create “best practice zones” on the network, while any issues thrown up may be quickly addressed without the need for downtime, reconfiguration across the network, or buying new hardware.
Some General Tips
· Route network traffic patterns to force specific flows with greater numbers of check-points.
· Deploy security controls at multiple layers of the network architecture to make it harder for intruders to gain access to sensitive data – but balance the number of controls to keep complexity down to manageable levels.
· Set up different zones as determined by where sensitive information lies.
· Use a whitelist approach to determine where secure communication channels exist, and block access to all other areas.
· Step back from time to time to see the big picture: Areas where restrictions may be too severe, or zones where access is being given unnecessarily.
Repeat And Fine-Tune
As conditions change, you’ll need to revisit your micro-segmentation design stages. So continue analyzing network traffic, and using the results to distill and fine-tune your security policies and rules.