For years, organizations have focused most of their network security efforts on the perimeter. First there were firewalls, then intrusion prevention systems came along, followed by web proxies, and recently advanced malware detection (AKA sandboxing) solutions. This perimeter-focused approach is often referred to as the M&M Strategy – a hard crunchy outside and a soft chewy inside. The problem, of course, is that once hackers successfully penetrate the perimeter of the network or the data center (and let’s face it, this has not been a rare occurrence in recent years), there is very little restriction on lateral movement between servers in the data center.
Enter network segmentation. The need for effective network segmentation is common knowledge, but it is hardly common practice. A poll which we ran (as part of this great webinar) asked IT professionals to describe their network segmentation strategy. Just 30% of respondents said that they strategically set segmentation around business drivers for the latest threats. About a third of respondents said they “set and forget” their segmentation and an equal number reported that they occasionally revisit it—typically around audit time. A brutally honest 6% said “My network what?”
Maintaining effective network segmentation is hard. For starters, you have to figure out how to categorize your assets: what should I protect, who should be able to access it, and what is the classification and regulatory environment of the data, to name a few. Once you have done that, you need to put network segmentation controls in place, typically firewalls. These add cost and, perhaps more importantly, add complexity and management overhead. Anyone who has had to process a network access change request that traverses multiple network segments and firewalls, while ensuring that the security and compliance posture stays intact, would probably have preferred to schedule a root canal procedure instead.
So on to the million-dollar question: additional network segments add security and granularity, but they also add cost and complexity… so how many segments does it make sense to have in my network? Well, lately some argue “as many as possible” – say hello to micro-segmentation.
At its core, micro-segmentation is a fancy term for host-based firewalling. This concept has been around since the beginning of firewalls, and it never really caught on because of the unreasonable cost and complexity of placing a firewall on every server. But recent developments in cloud and software-defined networking are reinvigorating this security concept. Amazon Web Services, for example, offers free built-in “Security Groups” on every instance – this is essentially micro-segmentation in which the security controls are abstracted from the user. The VMware NSX platform offers hypervisor-level virtual firewalling on every host.
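To make the difference between a “soft chewy inside” and per-host policy concrete, here is a small added example (not code from the original post, and not an AWS library) that models security-group style rules the way EC2 evaluates them: default deny, allow-only rules, and a rule’s source being either a CIDR or a reference to another security group. The instance names, addresses, group names and ports are constructed for the illustration. The flat topology puts every server in one group that trusts the whole VPC range; the segmented topology chains web → app → db so that each tier only accepts the one port it needs from the tier in front of it.

```python
"""Toy model of AWS-style security groups: flat network vs. micro-segmented.

Added example, not from the original post. All hosts, CIDRs, group names and
ports below are constructed; the rule semantics (default deny, allow-only,
source may be a CIDR or another security group) mirror how EC2 security
groups are evaluated.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import permutations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str
    port: Optional[int]   # None means "all ports"
    source: str           # a CIDR, or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: Tuple[str, ...]   # security groups attached to the instance


def allowed(src: Instance, dst: Instance, proto: str, port: int,
            sgs: Dict[str, SecurityGroup]) -> bool:
    """Traffic is permitted if ANY ingress rule on ANY of dst's groups matches.
    There are no deny rules; anything not explicitly allowed is dropped."""
    for gname in dst.groups:
        for rule in sgs[gname].ingress:
            if rule.proto != proto:
                continue
            if rule.port is not None and rule.port != port:
                continue
            if rule.source in sgs:
                # Source is a security-group reference: match on src's groups.
                if rule.source in src.groups:
                    return True
            elif ip_address(src.ip) in ip_network(rule.source):
                return True
    return False


def reachable_pairs(instances: List[Instance], sgs: Dict[str, SecurityGroup],
                    proto: str, port: int) -> List[Tuple[str, str]]:
    """Every ordered (src, dst) pair that can talk on proto/port."""
    return sorted((a.name, b.name)
                  for a, b in permutations(instances, 2)
                  if allowed(a, b, proto, port, sgs))


def build_flat():
    """M&M model: one group, everything inside the VPC trusts everything."""
    sgs = {"internal": SecurityGroup("internal",
                                     [Rule("tcp", None, "10.0.0.0/16")])}
    instances = [Instance("web", "10.0.1.10", ("internal",)),
                 Instance("app", "10.0.2.10", ("internal",)),
                 Instance("db", "10.0.3.10", ("internal",))]
    return instances, sgs


def build_segmented():
    """Micro-segmented: each tier admits one port from the tier in front."""
    sgs = {
        "web-sg": SecurityGroup("web-sg", [Rule("tcp", 443, "0.0.0.0/0")]),
        "app-sg": SecurityGroup("app-sg", [Rule("tcp", 8080, "web-sg")]),
        "db-sg": SecurityGroup("db-sg", [Rule("tcp", 3306, "app-sg")]),
    }
    instances = [Instance("web", "10.0.1.10", ("web-sg",)),
                 Instance("app", "10.0.2.10", ("app-sg",)),
                 Instance("db", "10.0.3.10", ("db-sg",))]
    return instances, sgs


if __name__ == "__main__":
    for label, builder in (("flat", build_flat), ("segmented", build_segmented)):
        inst, sgs = builder()
        print(f"{label:9s} ssh (22):    {reachable_pairs(inst, sgs, 'tcp', 22)}")
        print(f"{label:9s} mysql (3306): {reachable_pairs(inst, sgs, 'tcp', 3306)}")
```

Running it shows all six ordered pairs able to reach each other on port 22 in the flat design, whereas the segmented design leaves no SSH paths at all and only app → db on 3306. That is the lateral-movement restriction the post is after; the price, as the post notes, is that every new flow (say, a monitoring host that needs to reach all tiers) becomes a change request touching one group per tier rather than a single “internal” rule.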
Here are some key things to consider when looking at micro-segmentation:
So is micro-segmentation the way of the future? It’s probably too early to tell, but it’s certainly worthy of consideration, if not on every machine, then in areas of your network where the “honeycomb” segmentation strategy truly adds value.