For several years now, network segmentation has been a recommended strategy for shrinking the attack surface of data center networks. A lack of effective segmentation has been cited as a key contributing factor behind some of the biggest-ever data breaches, including those which impacted retailer Target and credit reporting agency Equifax.
But while segmentation is recognized as an effective method for enhancing security, it can also add significant complexity and cost – especially in traditional on-premise data centers. In these, creating internal zones usually means installing extra firewalls, cabling and so on to police the traffic flows between zones.
However, the move to virtualized data centers using software-defined networking (SDN) changes this. SDN’s flexibility enables more advanced, granular zoning, allowing networks to be divided into hundreds of microsegments and delivering a level of security that would be prohibitively expensive and complicated to implement in a traditional data center. Indeed, research by the analyst firm ESG has shown that nearly 70% of enterprises are already using some form of micro-segmentation to limit hackers’ ability to move laterally on networks and to make it easier to protect applications and data.
But while SDN makes segmentation far easier to achieve, implementing an effective micro-segmentation strategy presents security teams with two key challenges. First, where should the borders be placed between the microsegments in the data center for optimum protection? Second, how do they devise and manage the security policies for each of the network segments, to ensure that legitimate business application traffic flows are not inadvertently blocked by the micro-segmentation scheme? Here, I’ll describe how these challenges can be addressed.
The starting point for devising a micro-segmentation scheme is discovering and identifying all the application flows within your data center. This can be done using a discovery engine which identifies and groups together those flows which have a logical connection to each other and are likely to support the same business application.
This information can be augmented with additional data, such as labels for device names or application names that are relevant to the flows. When compiled, this creates a complete map identifying the flows, servers and security devices in the data center that your critical business applications rely on. Using this map, you can start to draw up your segmentation scheme by deciding which servers and systems should be placed in which segment.
This is done by identifying and grouping together servers that support the same business intent or applications. These will typically share similar data flows, and so can be placed in the same segment. Once the scheme is outlined, you can then choose the best places on the network to place the security controls to enforce the borders between segments.
To do this, you need to establish exactly what will happen to your business application flows when those filters are introduced. Remember that when you place a physical or virtual filtering device to create a segment border, some application traffic flows will need to cross that border. These flows will need explicit policy rules to allow them, otherwise the flows will be blocked and the applications that rely on them will fail.
As such, to find out if you need to add or change specific policy rules, examine the application flows that were identified in your initial discovery process, and note if a flow already passes through an existing security control. If a given application flow does not currently pass through any security control, and you plan to create a new network segment, you need to know if the unfiltered flow might get blocked when that segment border is established. If it does get blocked, you will need to add an explicit new policy rule that allows the application flow to cross it.
However, if a given flow is already being filtered by a security control, then there is usually no need to add another explicit rule for that flow when you start to segment your network. This process can be repeated until you’re satisfied that you have segmented your network to deliver the levels of separation and security that you need.
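To make the border check concrete, here is an added example (not AlgoSec's code) that takes a constructed discovery map of application flows, a proposed server-to-segment assignment, and the segment pairs that existing firewalls already filter, and lists the flows that will cross a new border without an existing allow rule. The flow labels, server names and control names are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    app: str   # business application label attached during discovery
    src: str   # source server
    dst: str   # destination server
    port: int  # destination port


# Constructed sample discovery output: flows grouped by application.
FLOWS = [
    Flow("payments", "web-01", "app-01", 8443),
    Flow("payments", "app-01", "db-01", 5432),
    Flow("payments", "web-01", "db-01", 5432),   # web tier reaching the DB directly
    Flow("hr", "hr-web", "hr-db", 3306),
    Flow("shared", "app-01", "ldap-01", 636),
]

# Proposed segmentation scheme: server -> segment (assumed values).
SEGMENTS = {
    "web-01": "dmz", "app-01": "app", "db-01": "data",
    "hr-web": "hr", "hr-db": "hr", "ldap-01": "infra",
}

# Existing security controls, each given as the (src_segment, dst_segment)
# pairs whose traffic already traverses it and is already explicitly allowed.
EXISTING_CONTROLS = {
    "dmz-fw": {("dmz", "app")},
}


def crosses_border(flow, segments):
    """A flow crosses a segment border when its endpoints land in different segments."""
    return segments[flow.src] != segments[flow.dst]


def already_filtered(flow, segments, controls):
    """True if some existing control already sits on this segment pair."""
    pair = (segments[flow.src], segments[flow.dst])
    return any(pair in pairs for pairs in controls.values())


def rules_needed(flows, segments, controls):
    """Flows that will be blocked by a new border unless an explicit rule is added."""
    return [f for f in flows
            if crosses_border(f, segments) and not already_filtered(f, segments, controls)]


def draft_rules(flows, segments, controls):
    """Draft one allow rule per unfiltered cross-border flow, keyed by segment pair and port."""
    return sorted({(segments[f.src], segments[f.dst], f.port, f.app)
                   for f in rules_needed(flows, segments, controls)})
```

Flows that stay inside one segment (the HR pair) and flows already policed by an existing control (dmz to app) drop out, leaving only the borders that genuinely need new policy.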
Having devised and implemented your micro-segmentation scheme, you will need to manage and maintain it, and ensure it works in harmony with the security across your entire enterprise network. The most effective way to achieve this is with a network security automation solution that can holistically manage all the security controls in your SDN environment alongside your existing traditional on-premise firewalls. This ensures that the security policies which underpin your segmentation strategy are consistently applied and managed across your entire network estate, together with centralized monitoring and audit reporting. It also avoids the need for a cumbersome, error-prone manual process every time you need to make a network change.
To conclude, building and implementing a micro-segmentation strategy requires careful planning and orchestration to ensure it is effective. And automation is critical to success, as it eliminates time-consuming, error-prone manual security processes, such as connectivity discovery, mapping, and ongoing management. However, thinking small with micro-segmentation delivers both a stronger security posture and greater business agility. Find out how AlgoSec makes it easy to define and enforce segmentation throughout your network here.