AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Search in comments
Filter by Custom Post Type
Posts

Micro-Segmentation – Do Good Things Really Come in Small Packages?

by

For years, organizations have focused most of their network security efforts on the perimeter. First there were firewalls, then intrusion prevention systems came along followed by web proxies, and recently advanced malware detection (AKA sandboxing) solutions. This perimeter-focused approach is often referred to as the M&M Strategy – a hard crunchy outside and soft chewy inside. The problem of course, is once hackers successfully penetrate the perimeter of the network or the data center, (and let’s face it, this has not been a rare occurrence in recent years) there is very little restriction of lateral movement between servers in the data centers.

Enter network segmentation. The need for effective network segmentation is common knowledge, but it is hardly common practice. A poll which we ran (as part of this great webinar) asked IT professionals to describe their network segmentation strategy. Just 30% of respondents said that they strategically set segmentation around business drivers for the latest threats. About a third of respondents said they “set and forget” their segmentation and an equal number reported that they occasionally revisit it—typically around audit time. A brutally honest 6% said “My network what?”

Maintaining effective network segmentation is hard. For starters, you have to figure out how to categorize your assets: what should I protect, who should be able to access it, what is the classification and regulatory environment of data, to name a few. Once you have done it, you need to put in network segmentation controls, typically firewalls. These add cost and perhaps more importantly, add complexity and management overhead. Anyone who has had to process a network access change request that traverses multiple network segments and firewalls, while ensuring that the security and compliance posture is intact, would probably have preferred to schedule a root canal procedure instead.

So onto the million dollar question: Additional network segments adds security and granularity but it also adds cost and complexity… so how many segments does it make sense to have in my network? Well lately, some argue “as many as possible” – say hello to micro-segmentation.

At its core, micro-segmentation is a fancy term for host-based firewalling. This concept has been around since the beginning of firewalls, and never really caught on because of the unreasonable cost and complexity of placing a firewall on every server. But recent developments in cloud and software-defined networking are reinvigorating this security concept. Amazon Web Services for example, offers free built-in “Security Groups” on every instance – this is essentially micro-segmentation in which the security controls are abstracted from the user. The VMWare NSX platform offers hypervisor level virtual firewalling on every host.

Here are some key things to consider when looking at micro-segmentation:

  • Security – network firewalls are typically rugged, hardened appliances that are very difficult to attack. According to Gartner, 95% of firewall breaches are the result of misconfiguration, not firewall flaws. We must ensure that host-based firewalls cannot be easily disabled or circumvented by an attacker who is able to get access to the machine which runs it.
  • Integration with Legacy Firewalls – the big box with blinking lights at the perimeter or at the entrance to the data center isn’t going away anytime soon. Companies will still need a way to manage traditional firewalls alongside host-based firewalls, in the data center or in the cloud. In a recent survey, 79% of companies expressed the need for better visibility across on-premise and cloud environments.
  • Automation – if you think manual firewall operations are tough today (and they are!), wait until you have a firewall on every machine! Without automation across environments and devices, micro-segmentation is simply not feasible.

So is micro-segmentation the way of the future? It’s probably too early to tell, but its certainly worthy of consideration, if not on every machine, then in areas of your network where the “honeycomb” segmentation strategy truly adds value.

Subscribe to Blog

Receive notifications of new posts by email.