We recently blogged about our new series of Professor Wool’s educational videos looking at how organizations can plan, implement and manage a micro-segmentation scheme in their SDN data center. That first blog covered the first two videos in the series of five: setting out the main goals of a micro-segmentation strategy, namely protecting sensitive data and preventing attackers or malware from spreading laterally across the network.
It then detailed the starting point of any effective micro-segmentation scheme: application connectivity flow discovery. This is essential for understanding what each critical business application relies upon, and getting a clearer picture of the inside of your data center. It concluded by showing how organizations need to map the network flows within their data center to ensure that the filtering policies they follow are secure, without blocking business-critical traffic.
The remaining three videos detail how to define exactly where to segment data center networks, how to create an effective filtering policy between segments, and how to manage the overall segmentation scheme.
So, following Lesson 2, which showed how to decide where to position security filtering devices in your network, you then need to decide what the security policies are going to be when you introduce them to your security fabric. The first thing to remember is that the last rule on the policy must be “from anywhere to anywhere with any service”, with a “deny” action. Otherwise, any traffic that matches none of your explicit rules falls through to the platform’s default behaviour, and in many SDN fabrics that default is to allow it.
I then take you through some of the typical rules you’ll be writing, such as those allowing traffic between segments, and those for traffic which enters or exits the data center. You don’t, however, need to write any rules for traffic contained entirely within one segment: the filtering point sits at the segment boundary, so traffic that never crosses a boundary is allowed by default and is not inspected by these rules at all.
From there you can consider the question of how many segments you actually want within your data center, balancing granular security against the amount of effort you would expend on managing your data center. Every organization must find its sweet spot on the spectrum.
In the fourth video, we look at the goal of producing a list of rules whereby for every application in the data center, you can see the rules that support it. As previously mentioned, the final rule must be a default denial.
However, there is a risk here of preventing critical applications from functioning, so I recommend initially writing a final rule that allows all traffic, and adding a log statement so that the rule generates a log entry each time it matches.
In turn, this means that every connection matched by this temporary ‘allow’ rule is a flow that you have not yet discovered and mapped. Either it is malicious, or it is a legitimate flow you simply haven’t come across yet, so each one needs to be reviewed before it is promoted to an explicit rule. This lets you update your specific rules proactively, before reaching “D-day” and finally switching that final rule from ‘allow’ to ‘deny’.
From then on, any time an application developer wants to make a network change, they will have to issue a change request: Micro-segmentation is in force.
However, that is not the end of these lessons. I conclude this series by looking at the ongoing maintenance of a micro-segmented data center and the importance of a holistic approach. All the filtering technologies must work together and not contradict each other.
My advice is to start with the information security team, which needs to define a high-level policy regarding the types of traffic that are allowed and disallowed within the organization. A tabular format, with the zones of the data center as rows and columns and the permitted services in each cell, is often the best way of approaching this, and enables the team to be much more specific about, say, which zones within the data center can connect to the internet. This is also particularly useful in terms of compliance, and enables quick and effective checking of whether a proposed network change is in line with key compliance frameworks.
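As an added example of such a table in use (not from the video series or from AlgoSec), the block below encodes a constructed zone-to-zone policy matrix and checks a proposed allow rule against it cell by cell, expanding “any” so that broad rules cannot slip past the high-level policy. The zone names, the permitted services and the matrix contents are assumptions for the illustration.

```python
"""Zone-to-zone high-level policy matrix and change check (added example).

The matrix is the information security team's high-level statement of which
zones may talk to which, and on which services. A proposed firewall change is
checked against it before it is written into the segmentation rules.
Zone names and matrix contents are constructed assumptions.
"""
from __future__ import annotations

ZONES = ("internet", "dmz", "app", "db", "mgmt")

# Source zone -> destination zone -> permitted services. Pairs missing from the
# table are disallowed. Intra-zone traffic is not governed at this level.
HIGH_LEVEL_POLICY: dict[tuple[str, str], frozenset[str]] = {
    ("internet", "dmz"):  frozenset({"tcp/443"}),
    ("dmz", "app"):       frozenset({"tcp/8443"}),
    ("app", "db"):        frozenset({"tcp/5432", "tcp/3306"}),
    ("app", "internet"):  frozenset({"tcp/443"}),   # e.g. outbound updates
    ("mgmt", "dmz"):      frozenset({"tcp/22"}),
    ("mgmt", "app"):      frozenset({"tcp/22"}),
    ("mgmt", "db"):       frozenset({"tcp/22"}),
}


def expand(zone: str) -> list[str]:
    """'any' in a proposed rule is expanded to every zone so it is checked per cell."""
    return list(ZONES) if zone == "any" else [zone]


def check_change(src: str, dst: str, service: str) -> list[str]:
    """Check a proposed allow rule (src zone, dst zone, service) against the matrix.
    Returns the list of violations; an empty list means the change is compliant."""
    violations: list[str] = []
    for s in expand(src):
        for d in expand(dst):
            if s == d:
                continue  # intra-zone: outside the scope of this table
            permitted = HIGH_LEVEL_POLICY.get((s, d), frozenset())
            if service == "any":
                # A rule allowing every service needs a cell that explicitly says 'any'.
                bad = "any" not in permitted
            else:
                bad = service not in permitted and "any" not in permitted
            if bad:
                violations.append(f"{s} -> {d} {service}: not permitted by high-level policy")
    return violations


def render_matrix() -> str:
    """Tabular view for review: rows are source zones, columns are destinations."""
    width = 20
    rows = ["".ljust(width) + "".join(z.ljust(width) for z in ZONES)]
    for s in ZONES:
        cells = []
        for d in ZONES:
            if s == d:
                cells.append("-".ljust(width))
            else:
                svc = HIGH_LEVEL_POLICY.get((s, d))
                cells.append((",".join(sorted(svc)) if svc else "deny").ljust(width))
        rows.append(s.ljust(width) + "".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_matrix())
    for change in [("app", "db", "tcp/5432"),
                   ("internet", "db", "tcp/5432"),
                   ("any", "db", "tcp/22"),
                   ("mgmt", "any", "tcp/22")]:
        print(change, "->", check_change(*change) or ["compliant"])
```

The point of expanding “any” is that a request such as “allow SSH from anywhere to the database zone” is judged one source zone at a time: the management zone is permitted, the internet, DMZ and application zones are not, and each of those is reported as its own violation rather than the whole rule being waved through because one cell happened to match.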
When it comes to managing and maintaining a micro-segmentation scheme, and ensuring it works in harmony with the security across your entire enterprise network, it’s critical to use a network security automation solution such as AlgoSec’s. Automation ensures that the security policies which underpin your segmentation strategy are consistently applied and managed across your entire network estate, together with centralized monitoring and audit reporting.
Any changes that you want to make to the segmentation scheme can be assessed and risk-checked beforehand to ensure that applications will continue to work, and no connectivity is affected. Then, if the changes do not introduce any risk, they can be made automatically, with zero-touch, and automatically recorded for audit purposes. This streamlines management, and avoids the need for cumbersome, error-prone manual processes every time you need to make a network change.
Want to watch the complete video series on planning, implementing and managing a micro-segmentation scheme in your data center? Click here.