Context vs Isolation

Security is an industry that can excite and frustrate, extract tears from the unsuspecting and cause insurmountable problems when protecting many disparate systems. For a long time security was an afterthought, something that was bolted on. When it was given more consideration, the result was generally a kludge with many undesired side effects.

There are many places in a network where enforcement can occur. You can place security controls and enforcement in the application or inside the virtual machine. This gives you fantastic context: information about files, devices, the application, memory and pages, what processes are running and more. The trade-off is that there is no isolation; what you present is a whole attack surface, irrespective of the security controls on the application or virtual machine.

Isolation, on the other hand, is generally achieved in the network: different networks such as overlays, VRFs or VLANs, with security applied through ACLs or policies that permit and deny traffic based on different rulesets. This works well, but what you miss out on is rich information about the endpoint. If a device is compromised, the ACL may still do its job of providing isolation, but you have no idea that the compromise is occurring.

There is a common environment in the DC that provides the sweet spot for maximum context and isolation, and that is the hypervisor. The hypervisor is a ubiquitous layer in the data centre. With access to the rich context of the guests residing on it, and the balance of isolation techniques available to it through network function virtualization, the hypervisor can deliver this new era of security. This combination of context and isolation makes it possible to enforce security on east-west workloads and harden the DC through scalable architectures that supplement the traditional north-south enforcement.

We have for a long time enforced at the edge. What if there is a breach on a web DMZ VM? How do we stop east-west privilege escalation? Many environments try to limit the attack vector of a compromised machine, but once you are in you can generally see ARP tables, the ToR switch, adjacent machines and much more.

Many times we have made the DC a crunchy candy: a hard shell with a soft and gooey centre. We spend 80% of the security budget enforcing the edge with firewalling, IDS/IPS, WAF and more, yet 80% of the workload is intra data centre. It is a crazy paradigm which I do hope shifts, so that we see architectures such as least privilege, zero trust and micro-segmentation take hold. It is time we started hardening our gooey centre. It is time the DC ate some concrete and hardened up, and in an upcoming post I look to show you how you can harden your east-west communication today.
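As an added illustration (my own toy model, not code from the original post or from VMware), the following Python contrasts the two enforcement points discussed above: a VLAN ACL that sees only addresses, and a hypervisor policy keyed on guest context. The VM names, tags, VLAN and ports are constructed for the example.

```python
"""Toy model: VLAN/ACL isolation versus hypervisor micro-segmentation."""
from dataclasses import dataclass
from typing import Callable, Iterable, Set


@dataclass(frozen=True)
class VM:
    name: str
    vlan: int
    tag: str  # security tag derived from guest context, e.g. "web", "app", "db"


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    port: int


# Constructed inventory: all three tiers share one VLAN, which is common when
# segmentation is only done at the DC edge.
WEB = VM("web-dmz-01", vlan=10, tag="web")
WEB2 = VM("web-dmz-02", vlan=10, tag="web")
APP = VM("app-01", vlan=10, tag="app")
DB = VM("db-01", vlan=10, tag="db")


def vlan_acl_permits(flow: Flow) -> bool:
    """Network-layer isolation: anything inside the VLAN is permitted and only
    HTTPS is allowed in from outside. The ACL has no idea what role a VM plays."""
    if flow.src.vlan == flow.dst.vlan:
        return True
    return flow.port == 443


# Hypervisor enforcement: rules are written on guest context (tags) and applied
# at each VM's vNIC, so "same VLAN" no longer implies "reachable".
TIER_POLICY = {("web", "app"): {8080}, ("app", "db"): {3306}}


def microseg_permits(flow: Flow) -> bool:
    """Default deny, including web-to-web lateral traffic."""
    return flow.port in TIER_POLICY.get((flow.src.tag, flow.dst.tag), set())


def reachable(compromised: VM, targets: Iterable[VM], ports: Iterable[int],
              permits: Callable[[Flow], bool]) -> Set[str]:
    """Names of targets a compromised VM can reach on any of the given ports."""
    return {t.name for t in targets for p in ports
            if permits(Flow(compromised, t, p))}
```

Running `reachable(WEB, [APP, DB, WEB2], [22, 3306, 8080], ...)` with each policy shows the breached DMZ VM reaching every neighbour under the VLAN ACL but only the app tier on its one allowed port under the tag-based policy.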


I am lucky in my role at VMware that I work with some very smart people. I have spent time this week talking to and visiting my customers with Martin Casado, CTO of Networking at VMware. Having spent a bit of time talking to him about what he is working on gets me excited about security and networking. He is a very smart man, and much smarter than I, so I suggest you go check out the Interop keynote where Pat Gelsinger and Martin talk about the hypervisor being the new network security platform.

