Micro-segmentation techniques

Anandadip Mandal
3 min read · Jan 1, 2021

Micro-segmentation is the first term that comes to most security engineers' minds when the topic is stopping attackers from moving laterally across a network. So why aren't more organizations doing it? Because achieving micro-segmentation in a hybrid data center often proves ridiculously difficult.

Network-based micro-segmentation

Years ago, organizations placed all workloads and applications in a single broadcast domain and enforced policy with IP-address rules. Things improved with the advent of VLANs and network firewalls: VLANs create logical broadcast domains at layer 2, while network firewalls monitor and control traffic at layer 3 and above based on security rules and ACLs. But segmentation built on VLANs and network firewalls is insufficient to protect applications and workloads in dynamic, hybrid environments.

Challenges:

  1. Lack of visibility: Segmentation requires deep insight into the network and a comprehensive understanding of how workloads interact. That calls for tools that correlate and visualize network flows, applications and workloads, and that adapt as things change. Integrated tools that do all of this are rare.
  2. Complex and time-consuming: The layer-2 segmentation that VLANs offer involves complex provisioning and configuration steps that limit the speed and scale of deployments. Moreover, a layer-2 domain carries no context about the workloads it is protecting.
  3. Insufficient in the cloud: Protecting layer-2 domains in a public cloud is not feasible, since the cloud provider, not the tenant, controls that layer of the infrastructure.
  4. Does not scale: Granular segmentation per workload instance is impractical with VLANs because 802.1Q allows only 4,094 usable VLAN IDs, and segmentation with network firewalls is expensive. Segmentation per workload instance requires at least two firewall rules (inbound and outbound) per workload, and far more once every allowed peer is listed explicitly; managing that many rules at scale is almost impossible.

Hypervisor-based micro-segmentation

In a hypervisor-based environment, all traffic between virtual machines passes through the hypervisor's virtual switch. That chokepoint can be used to isolate and segment workloads.

Challenges:

  1. Vendor lock-in: the policy model is tied to one hypervisor vendor.
  2. Depends on the number and kind of policies the hypervisor vendor supports.
  3. Lacks process visibility: the hypervisor sees packets, not the process inside the guest that sent them.

Micro-segmentation with SDN

SDN lets service providers overlay a logical network on top of the physical infrastructure. That layer of abstraction can enable micro-segmentation at a granular level with relative ease.

Challenges:

Moving forwarding and enforcement into the overlay takes them away from the physical routers and switches, so the security functions that came bundled with those devices, such as firewalling, have to be rebuilt in the overlay.

Requirements of a modern micro-segmentation solution:

  1. Leverage existing infrastructure: Works with existing data center resources.
  2. Decoupled from the underlying network: Security policies and their enforcement are decoupled from the underlying infrastructure, whether containers, virtual or physical servers, or networks.
  3. Granular micro-segmentation: Enforces fine-grained security policies at the individual workload level.
  4. Automatic workload discovery: Automated discovery of applications and workloads.
  5. Workload grouping and policy assignment: Recommends groups and segmentation rules, with intuitive workflows for iterative planning.
  6. Visibility: Visualizes application dependencies so that security policies can be built and validated against existing flows before any rule is enforced.
  7. Adapting to change: Adjusts automatically to data center moves, additions, and changes. Security is continually recomputed and applied from dynamic context as the underlying networking parameters change.

A host-based approach

Host-based segmentation uses the firewall functionality already built into the workloads themselves (nftables or iptables on Linux, the Windows Defender Firewall on Windows) to provide fine-grained policy control without changing the existing hardware infrastructure. Because the enforcement point travels with the workload, the same approach works across data centers, public cloud, bare metal, and hybrid environments, overcoming the limitations of VLAN- and network-firewall-based techniques.
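To make the host-based approach concrete, here is a small policy compiler, added as an example and not code from the original article. It assumes a label-based allow-list (policy refers to labels such as tier=web, never to addresses) and renders a default-drop nftables ruleset for each host; the inventory, addresses, labels and policies are constructed for illustration.

```python
"""Toy policy compiler: label-based micro-segmentation policy -> per-host nftables rulesets.

Added example, not code from the original article. Inventory, labels,
addresses and policies are constructed for illustration.
"""

# Constructed inventory: host name -> address and labels. Policy refers to
# labels, never to addresses, so a rule follows a workload wherever it runs.
WORKLOADS = {
    "web-1": {"ip": "10.0.1.11", "labels": {"app": "shop", "tier": "web"}},
    "web-2": {"ip": "10.0.1.12", "labels": {"app": "shop", "tier": "web"}},
    "api-1": {"ip": "10.0.2.21", "labels": {"app": "shop", "tier": "api"}},
    "db-1": {"ip": "10.0.3.31", "labels": {"app": "shop", "tier": "db"}},
    "mon-1": {"ip": "10.0.9.91", "labels": {"app": "monitoring", "tier": "collector"}},
}

# Allow-list policy as (source selector, destination selector, protocol, port).
# Everything not listed is dropped by the default policy rendered below.
POLICIES = [
    ({"tier": "web"}, {"tier": "api"}, "tcp", 8443),
    ({"tier": "api"}, {"tier": "db"}, "tcp", 5432),
    ({"app": "monitoring"}, {"app": "shop"}, "tcp", 9100),
]


def matches(labels, selector):
    """A selector matches when every key/value it names is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def select(selector):
    """Names of the workloads whose labels satisfy the selector, in inventory order."""
    return [name for name, w in WORKLOADS.items() if matches(w["labels"], selector)]


def compile_host(host):
    """Return (inbound, outbound) nftables rule lines for one host.

    A host gets an inbound rule for every policy that selects it as destination
    (one per matching source peer) and an outbound rule for every policy that
    selects it as source (one per matching destination peer).
    """
    me = WORKLOADS[host]["labels"]
    inbound, outbound = [], []
    for src_sel, dst_sel, proto, port in POLICIES:
        if matches(me, dst_sel):
            for peer in select(src_sel):
                if peer != host:
                    inbound.append(
                        f"ip saddr {WORKLOADS[peer]['ip']} {proto} dport {port} ct state new accept"
                    )
        if matches(me, src_sel):
            for peer in select(dst_sel):
                if peer != host:
                    outbound.append(
                        f"ip daddr {WORKLOADS[peer]['ip']} {proto} dport {port} ct state new accept"
                    )
    return inbound, outbound


def render_nft(host):
    """Render a complete nftables ruleset: default drop, explicit allows only."""
    inbound, outbound = compile_host(host)
    lines = ["table inet microseg {"]
    for chain, rules, dev in (("input", inbound, "iif"), ("output", outbound, "oif")):
        lines += [
            f"  chain {chain} {{",
            f"    type filter hook {chain} priority 0; policy drop;",
            "    ct state established,related accept",
            f"    {dev} lo accept",
            *("    " + r for r in rules),
            "  }",
        ]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name in WORKLOADS:
        print(f"# {name}\n{render_nft(name)}\n")
```

Two caveats a practitioner would raise before loading the output with `nft -f`: the ruleset deliberately contains only the application policy, so DNS, NTP, management SSH and IPv6 are all dropped, and a real deployment adds a management policy first; and `nft -c -f FILE` only checks syntax, so the rendered rules should be compared against observed flows (the dry run the requirements list asks for) before they are enforced.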

The other parts of the solution

The host-based solution addresses only the first three requirements above. One still has to discover all the workloads, build application dependency maps, classify and label the workloads, and understand the communication patterns between applications.

  1. The first step is to gather high-fidelity information about the deployment: every flow in the network plus contextual information such as the process behind each connection. An agent per host greatly simplifies this collection.
  2. Next, process that data to discover workloads and visualize all application communications and dependencies. This is where machine learning can assist: ML algorithms can automatically classify and group workloads and label applications and their tiers.
  3. The final step is to recommend rules for flow-level and process-level micro-segmentation. Again, ML can assist here.
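The three steps above, from collected flows to recommended rules, plus the validation against existing flows that requirement 6 calls for, as one added example (not code from the original article). The label map and the agent flow records are constructed, and a simple coverage heuristic (a pattern is recommended when most members of the source group exhibit it) stands in for the ML step the author describes; that heuristic is this example's assumption, not the article's method.

```python
"""Rule recommendation from observed flows, with a dry run against the allow-list.

Added example, not code from the original article. The label map and the
flow records are constructed; a coverage heuristic stands in for the ML step.
"""
from collections import defaultdict

# Constructed label map, the output of the discovery step: address -> labels.
LABELS = {
    "10.0.1.11": {"app": "shop", "tier": "web"},
    "10.0.1.12": {"app": "shop", "tier": "web"},
    "10.0.2.21": {"app": "shop", "tier": "api"},
    "10.0.3.31": {"app": "shop", "tier": "db"},
    "10.0.9.91": {"app": "monitoring", "tier": "collector"},
}

# Constructed flow records in the shape a per-host agent might emit:
# "src dst proto dport process". The last line is the anomaly to catch: one web
# host talking straight to the database from an interactive psql client.
FLOWS = """\
10.0.1.11 10.0.2.21 tcp 8443 nginx
10.0.1.12 10.0.2.21 tcp 8443 nginx
10.0.2.21 10.0.3.31 tcp 5432 shop-api
10.0.9.91 10.0.1.11 tcp 9100 prometheus
10.0.9.91 10.0.2.21 tcp 9100 prometheus
10.0.9.91 10.0.3.31 tcp 9100 prometheus
10.0.1.12 10.0.3.31 tcp 5432 psql
"""


def parse_flows(text):
    """Parse agent records into (src, dst, proto, port, process) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, port, proc = line.split()
            rows.append((src, dst, proto, int(port), proc))
    return rows


def group_of(ip):
    """Group key for an address: (app, tier). Unknown addresses share one bucket."""
    lab = LABELS.get(ip)
    return (lab["app"], lab["tier"]) if lab else ("unlabeled", "unlabeled")


def recommend(flows, min_share=0.75):
    """Aggregate flows into group-level rules and split them into allow vs review.

    Heuristic (an assumption standing in for the article's ML step): a
    (source group -> destination group, proto, port, process) pattern is
    recommended when at least min_share of the source group's members exhibit
    it; a pattern shown by only a few members is queued for human review.
    """
    members = defaultdict(set)
    for ip in LABELS:
        members[group_of(ip)].add(ip)
    sources = defaultdict(set)
    for src, dst, proto, port, proc in flows:
        sources[(group_of(src), group_of(dst), proto, port, proc)].add(src)
    allow, review = [], []
    for key, srcs in sources.items():
        share = len(srcs) / max(1, len(members[key[0]]))
        (allow if share >= min_share else review).append((key, share))
    return sorted(allow), sorted(review)


def dropped_by(flows, allow):
    """Dry run: observed flows the recommended allow-list would block.

    Process names are advisory; a host firewall enforces addresses and ports,
    so the comparison is on (src group, dst group, proto, port).
    """
    allowed = {key[:4] for key, _ in allow}
    return [f for f in flows if (group_of(f[0]), group_of(f[1]), f[2], f[3]) not in allowed]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    allow, review = recommend(flows)
    for key, share in allow:
        print("allow ", key, f"{share:.0%} of sources")
    for key, share in review:
        print("review", key, f"{share:.0%} of sources")
    print("would drop:", dropped_by(flows, allow))
```

On the constructed data the web-to-database psql connection is the only pattern that fails the coverage test, so it lands in the review queue, and the dry run reports it as the one observed flow the recommended rules would break. That is the decision a human should make before enforcement: either the flow is a legitimate exception that needs its own rule, or it is exactly the lateral movement micro-segmentation exists to stop. Singleton groups always reach 100% coverage under this heuristic, which is why the process column is kept in the key: a new process name on a known path is a signal even when the address pair is already allowed.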

Conclusion

Micro-segmentation is an excellent technique for enforcing granular security policies and can facilitate a true Zero-Trust network across hybrid data centers. But the lack of sophisticated segmentation tools keeps organizations from adopting micro-segmentation as part of their security strategy. AI/ML techniques can be the real game-changer here.

Anandadip Mandal

Technology evangelist | Building next-generation cloud network security products