Nuts and Bolts Microsegmentation Lead image: Lead Image © Chalong Tawan, 123RF.com

Microsegmentation in the data center

Improved Separation

Microsegmentation promises substantial improvements over classic architectures for the protection of applications and increased security when building out the efficiency of a data center.

By Martin Kuppinger

Microsegmentation breaks a network or data center into various segments to enhance its efficiency or security. The idea behind segmentation became an established technique once virtual local area networks (VLANs) came into use. From the very beginning, security was a central focus for VLAN segmentation, because it divided network domains into smaller parts and then protected movement of data among the parts.

Traditional VLANs quickly reach their limits, however, when confronted with more extreme levels of segmentation, especially with regard to the management of security and configuration settings, because managing these settings becomes increasingly complex as the number of segments grows. Moreover, configuration tends to be rather static, and security is oriented more toward the IP layer of communication control than toward the application level.

New Challenges for Security

Perimeter protection alone no longer suffices to secure a network. When a company network, the company data center network (which should be equipped with protection), or an individual VLAN suffers a breach, the attacker gains free rein within the invaded domain and perhaps beyond. Traditionally, protection against breaches has been set up according to the "north-south data traffic" (client to server) principle, with an eye toward protecting incoming data. Once an attacker violates these barriers, the "east-west data traffic" (server to server) within the domain becomes vulnerable. Solutions involving microsegmentation are intended to offer more security and easier configuration.

These solutions are currently offered by various providers, including Cisco (ACI), Unisys (Stealth), and VMware (NSX). The conceptual differences among these offerings are considerable. Cisco is focused on support for virtual and physical platforms. VMware, on the other hand, emphasizes virtualized infrastructure inside its software-defined data center (SDDC). Unisys adds encryption, so communication extending beyond the data center is also protected.

Attacks known as advanced persistent threats (APTs) are becoming ever more sophisticated and more persistent, and they target a greater number of levels. Additionally, countless zero-day exploits take advantage of software vulnerabilities. As a result, protecting the external perimeter no longer provides adequate protection. Instead, multiple layers of protection are required to fend off attacks, keep critical systems safe, and safeguard sensitive information. (See also the "Additional Security in Virtual Environments" box.) The security techniques utilized in microsegmentation make it possible to efficiently implement security concepts that substantially reduce risks.

Application Architectures Simplify Segmentation

The practical implementation of microsegmentation depends in large part on the multilayered application architectures commonly in use today, as well as popular applications that consume services via APIs from other applications to create new solutions. Once implemented, microsegmentation lets you move complete applications and groups of applications, as well as individual layers of applications like the web server, the application server, and the database server, into separate segments. The resulting segments are much smaller and more granular than those achieved with established approaches.

A question that quite naturally arises with this method is whether and how an administrator can manage the security rules meaningfully. If you think about a situation involving hundreds of applications with an even greater number of components that could potentially be segmented, then security configuration looks like an administrative nightmare. Even if it were possible to configure effective security rules, the resulting environment would inevitably be very static, because any change would require significant configuration effort – at least at first sight.

In principle, the solution is simple: Declarative security is achieved through policy-based guidelines or best practices that specify how applications are allowed to communicate. These policies do not apply to the network, but to applications in the segments. Because individual applications with a limited set of interfaces are concerned, the approach of choice is whitelisting, meaning explicit approval for certain types of communication only. For example, particular applications might be given permission to access a database server that functions as the back end for an application on an application server.

This solution no longer involves a static definition of the type of communication that is permitted between specified network segments. Instead, a definition applies to an individual segment and the type of communication this segment is allowed to carry out with applications and other segments. Software then assumes the task of implementing these policies within the IT infrastructure, whether it be a virtualized environment or a network of physical components. Therefore, moving something like a virtual machine does not change policies, but the microsegmentation software will need to take the move into account.
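The following sketch is an added example, not code from the article or from any vendor product. It shows a default-deny whitelist attached to segments rather than addresses, so moving a virtual machine changes only the inventory and never the policy; all segment names, ports, and addresses are constructed.

```python
from dataclasses import dataclass

# Constructed whitelist: (source segment, destination segment, protocol, port).
# Anything not listed is denied, including traffic inside the same tier.
POLICY = {
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
}

@dataclass
class Workload:
    name: str
    segment: str  # the policy refers to this label, never to the address
    ip: str       # current placement; changes when the VM moves

class Inventory:
    """Tracks where each workload currently lives (the software's job)."""
    def __init__(self, workloads):
        self.by_ip = {w.ip: w for w in workloads}

    def move(self, name, new_ip):
        w = next(w for w in self.by_ip.values() if w.name == name)
        del self.by_ip[w.ip]
        w.ip = new_ip
        self.by_ip[new_ip] = w

def decide(inv, src_ip, dst_ip, proto, port):
    """Resolve both endpoints to segments, then consult the whitelist."""
    src, dst = inv.by_ip.get(src_ip), inv.by_ip.get(dst_ip)
    if src is None or dst is None:
        return "deny"  # unknown endpoint: no segment, no permission
    rule = (src.segment, dst.segment, proto, port)
    return "allow" if rule in POLICY else "deny"

def build_inventory():
    """Constructed three-tier application with two web servers."""
    return Inventory([
        Workload("web-1", "web", "10.0.1.10"),
        Workload("web-2", "web", "10.0.1.11"),
        Workload("app-1", "app", "10.0.2.10"),
        Workload("db-1", "db", "10.0.3.10"),
    ])

if __name__ == "__main__":
    inv = build_inventory()
    print(decide(inv, "10.0.1.10", "10.0.2.10", "tcp", 8443))  # web to app
    print(decide(inv, "10.0.1.10", "10.0.3.10", "tcp", 5432))  # web skips a tier
    print(decide(inv, "10.0.1.10", "10.0.1.11", "tcp", 22))    # east-west in tier
    inv.move("db-1", "10.9.9.20")  # VM relocated; POLICY is untouched
    print(decide(inv, "10.0.2.10", "10.9.9.20", "tcp", 5432))  # app to moved db
```

The web-to-database and web-to-web flows are denied because no rule names them, which is the east-west containment the article describes.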

Cisco supports other features, as well. For example, an attribute-based configuration has defined attributes that determine how an application will be handled, permitting comparatively generic policies that can then be implemented accordingly – in this case, with Cisco ACI. In each case, the result comprises structures that have become far more flexible and dynamic than ever before, which is why they also play such a fundamental role in the VMware SDDC concept. With respect to microsegmentation, security functions then become a permanent feature of the policies. These flexible policies and the central infrastructure management make up the core of the concept.

Organization Is the Crux of the Matter

A practical consideration for the use of microsegmentation should not be underestimated. In the typical company, different organizational units are responsible for managing policies related to application configuration, network infrastructure, and security. The management of directives thus becomes an organizational challenge that could be addressed by using policy management tools that have different access privileges. As a result, various users would only be permitted to edit particular policy areas.

However, when developing software-defined IT infrastructures (e.g., network, storage, data center), it is more sensible and forward-looking to organize for uniform management of the software-defined environments. Under this kind of management model, the network becomes merely a transport medium that is then built out in accordance with the policies that apply to the software-defined infrastructure.

Conclusion

Microsegmentation is an exciting way to combine more security with a flexible network structure while making it easy to control security and configuration through the use of policies. However, it is a good idea to keep in mind that all that glitters is not gold. Providers always promise that their policy management solutions will provide control, even over complex environments comprising a large number of segments. In spite of such assurances, you should carefully consider how best to manage the policies. Not every configuration model is simple. Use of the word "programmatic" should definitely set off alarm bells.

Microsegmentation, even in conjunction with complementary security functions, such as firewalls and vulnerability scanners, does not replace other security mechanisms such as database firewalls, system hardening, and sophisticated user and authorization management. Moreover, many questions remain concerning hybrid infrastructures.