When you speak of security architectures, the phrase micro-segmentation isn't new. A micro-segment, a small subset of a larger whole, has its roots in the financial industry. When micro-segmentation is brought up in terms of a security architecture, people have had a hard time deploying it. The notion of applying service and security function within an L3 segment has proven tough.
In a traditional environment a three-tier application would require three subnets, three VLANs, three sets of SVI configuration on network devices, corresponding firewall rules on both the primary and failover devices, and potentially load balancer configuration. More recently some firewall function was delegated to virtual appliances, but they brought their own limitations.
Until recently we have leveraged virtual appliances to deliver such function: vShield App, vASA, vSRX and the like. As virtual appliances they have had a limited feature set and limited throughput, and have suffered from scale issues. Many VMs that each use 2 vCPUs and 4-8GB RAM surely can't scale in massive hyper-scale environments, let alone the cost of licensing, managing and providing high availability for them.
Let's look at a micro-segmentation model and how it changes the way we look at security.
Here we have a single subnet and a three-tier application, supported by a management host. By leveraging technologies that focus on in-kernel distributed function, we can enforce context and isolation at the vNIC level.
A distributed firewall (dFW), a feature of NSX, provides a centrally managed firewall whose rule set is distributed to all hosts in the cluster. The dFW enforces rule sets at the vNIC level, ensuring enforcement BEFORE communication from a VM hits a vSwitch. With vNIC-level enforcement applied in kernel and the ability not only to apply 5-tuple matching on source and destination IP and port but
So why deploy or consider a micro-segmentation model? This list is not comprehensive, but some outstanding benefits are:
- Reduced attack surface, leveraging hypervisor context and promoting isolation
- Simplified deployment model without n tiers of configuration required
- Logical security provides strong boundaries
- Promotes strong screening of east-west traffic flows
- Virtual networking eliminates hair-pinning of traffic flows
- Prime for automated network blueprints and deployments
Micro-segments are not new, but the way we can approach and deliver them now is new. East-west traffic filtering allows for hardening within the data center whilst providing enforcement in areas that were technically tricky or operationally infeasible.
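The following is an added toy model, not NSX code or anything from the original post, of the dFW behaviour described above: one centrally managed, ordered rule set pushed to every host, evaluated at the source vNIC by the host that owns it, with rules written against VM context (security tags) rather than subnets or VLANs. The inventory, host placement, IPs and tag names are all constructed for illustration. It shows the point of the east-west benefit: web and database VMs sit in the same subnet, so no perimeter L3 firewall ever sees a web-to-db flow, yet the flow is dropped before it reaches the vSwitch.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory for one flat subnet: VM name -> (IP, security tags).
INVENTORY = {
    "web-01":  ("10.0.0.11", {"tier:web"}),
    "app-01":  ("10.0.0.21", {"tier:app"}),
    "db-01":   ("10.0.0.31", {"tier:db"}),
    "mgmt-01": ("10.0.0.41", {"role:mgmt"}),
}

# Constructed host placement: each hypervisor enforces only for its own vNICs.
HOSTS = {
    "esx-a": {"web-01", "db-01"},
    "esx-b": {"app-01", "mgmt-01"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # security tag or "any"
    dst: str              # security tag or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any
    action: str           # "allow" or "deny"


# One centrally managed, ordered, first-match rule set. The controller pushes
# the same list to every host; rules reference context (tags), not IPs.
POLICY = [
    Rule("mgmt-ssh",     "role:mgmt", "any",      "tcp", 22,   "allow"),
    Rule("web-to-app",   "tier:web",  "tier:app", "tcp", 8080, "allow"),
    Rule("app-to-db",    "tier:app",  "tier:db",  "tcp", 5432, "allow"),
    Rule("default-deny", "any",       "any",      "any", None, "deny"),
]


def vm_by_ip(ip):
    """Resolve an IP back to the VM (and therefore its tags) that owns it."""
    for name, (vm_ip, _tags) in INVENTORY.items():
        if vm_ip == ip:
            return name
    raise KeyError(f"no VM with IP {ip}")


def _tag_matches(selector, tags):
    return selector == "any" or selector in tags


def rule_matches(rule, src_tags, dst_tags, proto, dport):
    return (_tag_matches(rule.src, src_tags)
            and _tag_matches(rule.dst, dst_tags)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(src_ip, dst_ip, proto, dport):
    """Return (action, rule_name) for a flow under the first-match POLICY."""
    src_tags = INVENTORY[vm_by_ip(src_ip)][1]
    dst_tags = INVENTORY[vm_by_ip(dst_ip)][1]
    for rule in POLICY:
        if rule_matches(rule, src_tags, dst_tags, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"  # unreachable with default-deny present


def enforce_at_vnic(host, src_ip, dst_ip, proto, dport):
    """Egress check at the source vNIC. A host decides only for vNICs it owns,
    so a denied packet never reaches that host's vSwitch, let alone the wire."""
    if vm_by_ip(src_ip) not in HOSTS[host]:
        return None  # not this host's vNIC; the owning host enforces instead
    return evaluate(src_ip, dst_ip, proto, dport)


def trace(src_ip, dst_ip, proto, dport):
    """Decision as seen from every host; exactly one host (the owner) decides."""
    return {h: enforce_at_vnic(h, src_ip, dst_ip, proto, dport) for h in HOSTS}


def migrate(vm, to_host):
    """vMotion-like move. No policy change is needed: every host already holds
    the full rule set, so enforcement simply follows the vNIC."""
    for members in HOSTS.values():
        members.discard(vm)
    HOSTS[to_host].add(vm)


if __name__ == "__main__":
    flows = [
        ("10.0.0.11", "10.0.0.21", "tcp", 8080),  # web -> app
        ("10.0.0.11", "10.0.0.31", "tcp", 5432),  # web -> db, same subnet
        ("10.0.0.41", "10.0.0.31", "tcp", 22),    # mgmt -> db ssh
        ("10.0.0.21", "10.0.0.11", "tcp", 22),    # app -> web ssh
    ]
    for f in flows:
        print(f, trace(*f))
    migrate("web-01", "esx-b")
    print("after migrate:", trace(*flows[1]))
```

The design choice worth noting is that the rule set never mentions 10.0.0.0/24 at all: adding a second web VM, or moving one between hosts, changes the inventory and placement but not the policy, which is what makes the "n tiers of configuration" in the traditional model disappear.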
A pen may have been harmed in the writing of this post. I have attempted to spell segment with an extra e far too many times – segement.