Network segmentation and micro-segmentation are topics we cover frequently on our blog. And with good reason: segmentation is a powerful method for minimizing the attack surface of data center networks and limiting an attacker's ability to move laterally after breaching the network perimeter. As we've written previously, a lack of effective segmentation has been cited as a key contributing factor in some of the biggest-ever data breaches at enterprise organizations.
Until fairly recently, segmentation could be relatively costly and complex to implement, especially in traditional on-premises data centers, where creating internal segments usually meant installing extra firewalls and devices. The move to virtualized data centers using software-defined networking (SDN) changes this. SDN's flexibility means organizations can deploy a filtering fabric as part of the data center's own infrastructure: a component that filters the flows going into, out of, and inside the data center and applies policy to them. This makes possible a level of security that would be prohibitively expensive and complicated to implement in a traditional on-premises data center.
But how do you actually go about doing this? To help organizations through each step of the process, we recently produced a new series of Professor Wool videos looking specifically at how to plan, implement and manage a micro-segmentation scheme in your SDN data center.
In the first video, I discuss the key goals that can be achieved with micro-segmentation. Most micro-segmentation projects begin because of the business' desire and responsibility to protect sensitive data and to stop attacks such as malware from spreading across the network. Micro-segmentation facilitates this by preventing lateral movement. But before you define your segments you need to plan how to ensure that necessary business traffic is allowed to flow, how to confirm that nothing else is allowed, and how to design the policy that governs the micro-segmentation so that it remains valid as the data center changes.
I then detail the starting point of developing an effective micro-segmentation scheme: the application connectivity flow discovery process. Without it, you cannot see which network flows each business application relies on in order to work, and therefore you cannot filter and secure those flows properly. You can work from the sensitivity and type of the data, from the observed traffic, or from both, and learn from these sources what is actually going on inside the data center.
Once you have performed this discovery, it drives the policies and rules you set. In the second video, I introduce the next step: mapping network flows within the data center so that these policies are robust without blocking business-critical traffic. A NetFlow exporter (a router, switch or virtual switch that sees the traffic) is useful here: it emits flow records to a discovery engine, which identifies the network flows inside the data center. An intelligent discovery system can also organize the flows into collections with logical connections to each other, and augment that information with labels such as object names and application names.
Then you will want to decide where to place filters to separate components from one another without blocking legitimate traffic or leaving sensitive information exposed. If you introduce a new filter, every flow that crosses that boundary needs an explicit rule inside the new filter; otherwise the application will fail. Use your discovery system to identify the flows, and combine that with information from the firewalls to recognize which flows already pass through a filter and which are completely unfiltered. This tells you where to put the boundaries of your new micro-segments and which policies you need to put into the newly defined filters.
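The discovery-then-placement procedure above, as an added example that is not code from the original post or from AlgoSec: a short Python script that takes constructed NetFlow-style records (source, destination, destination port, protocol, byte count), a hypothetical segment map produced by the discovery step, and a hypothetical set of segment pairs that already traverse an existing firewall. It separates intra-segment flows (no rule needed) from cross-boundary flows, splits the latter into already-filtered and currently unfiltered, and aggregates the unfiltered ones into candidate allow rules for the new filter. All hosts, segments and flows are made up for the example.

```python
"""Added example (not AlgoSec's code): which observed flows would cross a
proposed micro-segment boundary and therefore need explicit rules?"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int, str, int]  # src_ip, dst_ip, dst_port, proto, bytes

# Constructed NetFlow-style records. A real deployment feeds NetFlow/IPFIX here.
# The low-volume web -> db flow is included deliberately: it is the kind of
# flow the policy review should question rather than silently allow.
FLOWS: List[Flow] = [
    ("10.1.1.10", "10.1.2.20", 443, "tcp", 120000),   # web  -> app
    ("10.1.2.20", "10.1.3.30", 5432, "tcp", 800000),  # app  -> db
    ("10.1.1.10", "10.1.3.30", 5432, "tcp", 5000),    # web  -> db (direct)
    ("10.1.2.20", "10.1.2.21", 8080, "tcp", 20000),   # app  -> app (intra-segment)
    ("10.1.9.5", "10.1.3.30", 22, "tcp", 3000),       # mgmt -> db
    ("10.1.9.5", "10.1.1.10", 22, "tcp", 3000),       # mgmt -> web
]

# Hypothetical segment labels for each host, as the discovery step would produce.
SEGMENTS: Dict[str, str] = {
    "10.1.1.10": "web", "10.1.2.20": "app", "10.1.2.21": "app",
    "10.1.3.30": "db", "10.1.9.5": "mgmt",
}

# Hypothetical: (src_segment, dst_segment) pairs already passing through an
# existing firewall, e.g. a management network separated from the rest.
EXISTING_FILTERS: Set[Tuple[str, str]] = {("mgmt", "web"), ("mgmt", "app"), ("mgmt", "db")}


def segment_of(ip: str, segments: Dict[str, str]) -> str:
    """Hosts missing from the map get a catch-all label so they stand out in review."""
    return segments.get(ip, "UNASSIGNED")


def classify_flows(flows: Iterable[Flow], segments: Dict[str, str],
                   existing_filters: Set[Tuple[str, str]]):
    """Split flows into intra-segment, cross-boundary-and-unfiltered, and
    cross-boundary-but-already-filtered."""
    intra: List[Flow] = []
    unfiltered: List[Flow] = []
    filtered: List[Flow] = []
    for flow in flows:
        src_seg = segment_of(flow[0], segments)
        dst_seg = segment_of(flow[1], segments)
        if src_seg == dst_seg:
            intra.append(flow)                 # never crosses the new boundary
        elif (src_seg, dst_seg) in existing_filters:
            filtered.append(flow)              # a firewall already sees this flow
        else:
            unfiltered.append(flow)            # new filter must carry an explicit rule
    return intra, unfiltered, filtered


def proposed_rules(flows: Iterable[Flow], segments: Dict[str, str]) -> List[dict]:
    """Aggregate cross-boundary flows into candidate allow rules keyed by
    (src_segment, dst_segment, proto, port), with supporting evidence."""
    agg = defaultdict(lambda: {"src_hosts": set(), "dst_hosts": set(), "bytes": 0, "flows": 0})
    for src, dst, port, proto, nbytes in flows:
        entry = agg[(segment_of(src, segments), segment_of(dst, segments), proto, port)]
        entry["src_hosts"].add(src)
        entry["dst_hosts"].add(dst)
        entry["bytes"] += nbytes
        entry["flows"] += 1
    rules = []
    for (src_seg, dst_seg, proto, port), v in sorted(agg.items()):
        rules.append({
            "src_segment": src_seg, "dst_segment": dst_seg, "proto": proto, "port": port,
            "src_hosts": sorted(v["src_hosts"]), "dst_hosts": sorted(v["dst_hosts"]),
            "bytes": v["bytes"], "flows": v["flows"],
        })
    return rules


if __name__ == "__main__":
    intra, unfiltered, filtered = classify_flows(FLOWS, SEGMENTS, EXISTING_FILTERS)
    print(f"{len(intra)} intra-segment, {len(filtered)} already filtered, "
          f"{len(unfiltered)} need rules in the new filter")
    for rule in proposed_rules(unfiltered, SEGMENTS):
        print(f"allow {rule['src_segment']} -> {rule['dst_segment']} "
              f"{rule['proto']}/{rule['port']}  ({rule['flows']} flows, {rule['bytes']} bytes)")
```

The candidate rules are a starting point for the policy, not the policy itself: the byte and flow counts are there so a reviewer can ask why a web server talks directly to the database before writing an allow rule for it. Running the classification again after the filter is deployed, with the new boundary added to the existing-filter set, is a straightforward way to confirm that nothing unexpected is still crossing unfiltered.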
In part 2, we will take a look at the next steps in the process – defining segments, writing a policy, and managing all of this effectively. If you want to plan, implement and manage a micro-segmentation scheme in your SDN data center, you can watch the videos here.