What is Microsegmentation?

Microsegmentation is sometimes dismissed as a “security term” and therefore ignored by many; in fact it is a new blueprint that all of us (as IT architects) should understand.

Microsegmentation as a term refers to the ability to segment compute, storage and network into one virtual zone in order to control inbound and outbound traffic in both the north-south and the east-west direction. The main aim of microsegmentation is to significantly increase security by containing a threat within a smaller area, in line with the Zero Trust approach.

Security breaches are well documented in the press nowadays, and with the increase of digitalisation (in particular automation and full connectivity) attacks exploiting unknown vulnerabilities have become one of the key threats organisations have to protect themselves against.

In a 2015 Forrester study (see here) software exploits, at roughly 37% of all attacks, top the list of the most used attack mechanisms. With the rise of so-called exploit kits many environments are increasingly at risk of being successfully attacked without the attack being identified. Stopping an attack that uses an exploit (like running a remote admin command on a host without providing an admin password) is only possible if that exploit is known at the time of the attack. If the attacker is exploiting an unknown vulnerability, the organisation is blind and there is a possibility of further attacks from within.


Some attackers wait hours, days or even weeks after a successful breach before exploiting it, installing a command & control centre and then trying to attack hosts that are reachable within the same trusted zone.

The Zero Trust approach, outlined by Forrester (see here), tries to address this by promoting “never trust, always verify” as its guiding principle. With Zero Trust there is no default trust for any object, regardless of what it is and of its location on, or relative to, the network; being in the same zone grants no trust.

Until recently we used a well tried and tested blueprint when it came to designing a secure infrastructure for online applications: a 3-tier blueprint that relied on “trust zones” as well as on physical firewalls (alongside other components such as reverse proxies, intrusion detection systems and intrusion prevention systems) that controlled and managed all inbound and outbound traffic.

In detail, we were used to configuring trust zones, where the physical network allows machines (physical or virtual) to be grouped into a zone. That group is then tied to a physical firewall port and/or a virtual switch port group and/or a VLAN. This allows for firewall-controlled communication between zones, the so-called north-south control.

However, crucially, there is no firewall-controlled communication east-west, within a zone. This means that after a successful exploit of an unknown vulnerability the attacker can set up a control centre (command & control) on the first host, or move within the zone to a different host.

In short, hosts within the zone implicitly trust each other, meaning that an attacker can move from host to host without traversing a firewall or other intrusion detection systems. Of course, there are ways to protect within a zone, or you can create a zone per server. However, this has significant restrictions, as it pushes the management overhead and cost through the roof.

Besides limiting our ability to contain an intrusion, the traditional approach creates significant headaches during setup and during operations, as each application must be mapped to a tier as well as to its IP/port/protocol usage. How many times has an application failed because certain ports were not “opened” on the firewall, and how many landscapes have “all doors open” because an application uses dynamic port mappings and/or the firewalls have been “opened” too far?

A trusted zone model combined with stateful inspection-based firewalls (as well as anti-malware and anti-virus protection) defends well against known attacks. However, against an attack using an unknown vulnerability, that same combination cannot stop the attacker from attacking the other hosts that trust the compromised one.

A better way to control and contain exploits is to deploy a zero-trust approach by means of microsegmentation. Microsegmentation has only become possible as network virtualisation has matured and spread. Using software-based networking capabilities in a virtual environment it is possible to track, control, monitor and log every flow and every packet between any two hosts: north, south, east and west.

In a microsegmentation approach every single virtual server has its own firewall, typically a stateful one, that can filter, log and monitor every packet that either enters or leaves the server.

As the firewall sits “below” the network, there are no “trust zones”: security is always present, per flow and per packet (stateful inspection with policy actions and detailed logging) as well as per virtual machine and per virtual network interface. The physical network acts only as a physical connector.

Most if not all microsegmentation-based blueprints will be implemented using fully virtualised environments. This means compute is virtualised: all physical servers are virtual hosts. Most of the network environment is virtualised using an SDN (software-defined networking) approach. In the SDN model, networks are abstracted at an even finer granularity, as a logical set of network ports.

SDN tackles one of the fundamental challenges with today’s networking, namely the use of IP addresses (at OSI Layer 3) for two unrelated purposes: as an identity and as a location.

Tying the two together prevents a (virtual) machine from being moved around as easily as we would like. Just as server virtualisation abstracts the server hardware from the software that runs on it, network virtualisation abstracts the cables and ports from the demands of the applications.

By abstracting OSI Layer 2 (the MAC addresses) for the virtual machines and allowing transparent overlay communication (L2 over L3 tunnels) between VMs on top of physical networks, the mobility and portability of VMs are extended across network boundaries.

This enables the on-demand, programmatic creation of tens of thousands of isolated virtual networks with the simplicity and operational ease of creating and managing virtual machines. Furthermore, logical networks can be separated from one another, simplifying the implementation of multi-tenancy as well as being the basis for a Microsegmentation based approach.


Thanks for Reading


