For 20+ years, the firewall was considered the most important device on the network. Companies understood the client-server model well enough to place a firewall at the perimeter and screen all the data coming in from outside.
The problem with this arrangement is that it is best at controlling 'North-South' traffic flows, the client-server interactions travelling in and out of your data center. It worked for some years. It is no longer working....
With the cloud, and particularly hybrid-cloud environments, more of the traffic flows East-West: server-to-server and application-to-application.
East-West traffic now accounts for approx. 70-80% of all enterprise traffic. The result is that we are practically left with no perimeter. That's why so many experts tell us: The Perimeter Has Evaporated! The vast majority of traffic no longer goes North-South; it travels East-West, that is, inside the data center itself.
To understand it better, imagine a guard posted outside the wall of your castle: what do you do when intruders are already inside the castle and roaming around freely? This East-West traffic is made up of third-party cloud services, software, BYOD, and more.
-
Flat networks are a thing of the past...
Cloud technologies and advances in virtualization have generated new needs, and new ways, to secure everything we consider critical or important.
The ability to create 'smaller zones of control' for securing data has become paramount.
SDN and technologies like containers and serverless functions have been the real game-changers here, making it more affordable and technically feasible to break down workload assets, services, and applications into their own microsegments.
In the past, segmentation required rerouting hardware: a very manual, expensive process. Today it is software-defined, which means it can be done easily and with automation as cloud environments constantly morph.
A big misperception is that if you implement different VLANs in different CIDR blocks (subnetting), you've achieved network segmentation. This couldn't be further from the truth.
-
How Does Network Microsegmentation Help?
It is simple.
Micro-segmentation is about protecting what's inside your network from attackers that could already be inside, or that have the ability to move East-West, and that won't be stopped by your perimeter firewall.
It is about moving away from a flat network to a properly segmented one. It allows you to implement the lateral security controls you need to confine an attacker or malware to the area of the network where the initial foothold was gained. That's it.
To achieve actual segmentation, hosts in one VLAN should not be able to reach every port of every asset in the other VLANs. In true network segmentation, you set the default gateway of each VLAN on the switch to the firewall, where the traffic can be further scrutinized by specific ports, protocols, and traffic direction.
-
Some Examples of Micro Segmentation
• Environment Segmentation: On a basic level, your first step when approaching micro-segmentation might be to separate environments, such as separating out development and production. This is a low-hanging fruit option that can reduce risk fast.
• Ring-fencing Crown Jewels: Another option is to start from your most critical assets or sensitive data, your crown jewel applications if you like, and ring-fence these away from the rest of the data center. This allows you to protect your most important assets or most sensitive data first and foremost.
• Micro Segmentation by User or Role: Segmenting by user or role, in line with the principle of least privilege.
• Micro Segmentation for Compliance: Segmenting all the information that’s in scope for any relevant compliance regulations.
Just on a side note:
Some solutions will even allow you to separate data that shares the same tier, all the way down to the process level (Layer 7).
There are many more logical grounds on which you can draw your micro-segmentation plan.
-
Some Key Insights
VISIBILITY HOLDS THE KEY TO MICRO-SEGMENTATION!
The most important thing to remember when looking at micro-segmentation is that you can't secure what you can't see. Without true visibility from the start, you're left using trial and error to create micro-segmentation policies, or relying on memory for what exists and where. That's not okay!
As segments are broken down into more granular ones, you need to understand exactly how data flows and how systems, applications, and services communicate with one another. To get the maximum benefit from micro-segmentation, start with a complete application map, including all dependencies within the network, and use this as the foundational step in forming a micro-segmentation strategy.
You not only need to know what flows pass through your routers and gateways; you also need to see them down to the individual host, whether physical or virtualized. You must have the infrastructure and tooling in place to get this information, otherwise your implementation is likely to fail.
Once an organization has put the mechanisms in place to achieve visibility into data flows, this understanding leads on to risk assessment and threat modeling. This, in turn, helps you define where to start and how granular to go with microsegments.
At the next level, you define the blast radius of a possible attack, e.g., how far can an attacker go within this network (read: segment) if it is breached? Is there any critical asset, such as a user database, within that blast radius?
Once you have identified the high-risk areas or critical assets, you can then start putting micro-segmentation controls in place to address those risks.
By bulkheading sensitive areas of the network away from less valuable and less hardened areas, security architects rely on segmentation to stop attackers from moving laterally and escalating privileges across networks.
The idea is not only to reduce the blast radius of successful attacks, but also to give security strategists the freedom to spend the most money protecting the riskiest systems, without worrying about what happens when attackers gain a foothold in low-level systems.
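As an added example (not code from the original post), here is a small Python model of the two points made above: a least-privilege allow-list derived from an observed flow map and enforced by source, destination, protocol, port and direction, compared with VLAN-only separation, and the blast-radius question asked of each. The host names, flows and the "crown jewel" list are constructed for illustration.

```python
from collections import deque

# Constructed sample of observed East-West flows (src, dst, proto, port), the kind
# a flow collector or host agent would report; this is the "application map".
OBSERVED_FLOWS = [
    ("web-01", "app-01", "tcp", 8080),
    ("web-02", "app-01", "tcp", 8080),
    ("app-01", "userdb-01", "tcp", 5432),   # app tier -> user database (crown jewel)
    ("jump-01", "web-01", "tcp", 22),
    ("jump-01", "app-01", "tcp", 22),
    ("dev-01", "dev-db-01", "tcp", 5432),   # development environment, separate from prod
]
HOSTS = sorted({h for f in OBSERVED_FLOWS for h in f[:2]})
CRITICAL = {"userdb-01"}  # constructed list of crown-jewel assets

def derive_policy(flows):
    """Least-privilege allow-list from the application map: each (src, dst) pair may use
    only the protocol/ports it was observed using, in that direction. All else is denied."""
    policy = {}
    for src, dst, proto, port in flows:
        policy.setdefault((src, dst), set()).add((proto, port))
    return policy

def is_allowed(policy, src, dst, proto, port):
    """policy=None models VLAN-only separation: routing between subnets works, so any
    host can reach any port on any other host, i.e. no real segmentation at all."""
    if policy is None:
        return True
    return (proto, port) in policy.get((src, dst), set())

def blast_radius(policy, foothold, hosts):
    """Hosts an attacker with a foothold can reach by chaining allowed connections."""
    reached, queue = {foothold}, deque([foothold])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst not in reached and (policy is None or (src, dst) in policy):
                reached.add(dst)
                queue.append(dst)
    return reached - {foothold}

def critical_in_radius(policy, foothold, hosts):
    """Answer the article's question: is a crown-jewel asset inside the blast radius?"""
    return blast_radius(policy, foothold, hosts) & CRITICAL

if __name__ == "__main__":
    segmented = derive_policy(OBSERVED_FLOWS)
    for label, policy in (("VLAN-only (flat)", None), ("micro-segmented", segmented)):
        for foothold in ("dev-01", "web-01"):
            print(f"{label:17} foothold={foothold:7} radius={sorted(blast_radius(policy, foothold, HOSTS))}")
```

Note that under the derived policy a compromised web-01 still reaches userdb-01 through the app tier, which is exactly the kind of finding that tells you where to ring-fence next.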
-
You may think that it is vulnerability management that is needed to prevent the compromise of mission-critical servers in the environment and a much larger-scale network compromise. But it is micro-segmentation that will prevent it more often than your vulnerability management apparatus!
Please let me know what you think about this in the comment section. You can also share it with others if the information shared here helps you in some manner.
Kindly write your comments on the posts or topics, because when you do, you help me greatly in designing new quality articles/posts on cybersecurity.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts.