Micro-Segmentation

By Fredrik Lindstrom ·

In my previous blog post, I discussed the importance of segmentation and network design. Moving along in the series brings us to micro-segmentation. This concept goes beyond just segmenting past the traditional network segments, to actually segmenting hosts from each other on the same or different networks. 

Traditionally, micro-segmentation has been done with the help of host-based firewalls. Host-based firewalls have been around since the beginning of firewalls in one form or another. The main benefit of a host-based firewall is the ability to granularly control access to and from a host.

Host-based firewalls also have some serious drawbacks , including provisioning, management, cost and performance. Perhaps the most serious issue with the host-based firewall approach is that if an attacker manages to get access to the server, the first task is to disable the firewall. The protection is then gone, giving the attacker full access to and from the target host. 

The combination of drawbacks with host-based firewalls has led to slow adoption in data centers. Data centers, which normally only protect north-south traffic and not east-west traffic, are where most organization’s critical data lives, and where the need for micro-segmentation is the greatest. 
    
The solution to this problem is the software-defined data center (SDDC), which is the virtualization of network functions known as network functions virtualization (NFV), and the dynamic network configuration known as software-defined networking (SDN). The SDDC combines the SDN and the NFV to provide a dynamic, automated and secure network that is scalable and easily managed.

SDN provides the micro-segmentation for the data center, allowing each virtualized host to operate within its own network domain. The NFV allows for network services, such as next-generation firewalls, to be inserted into the network process chain automatically when a new virtual host is provisioned. With the help of virtual asset tags, or labels, a virtualized host can be provided as a predefined security policy based on the asset type of the host. Keep in mind that database, web and email servers all need different types of access. All the policies are outside the actual host, so in case of a compromise, the attacker cannot disable the network functions, including the firewall assigned to the host.

It is even possible to add automated quarantines when a host fails a security scan or malicious activity is detected. The server administrator removes the host from the available server pool and puts it in quarantine to remediate almost instantaneously.

SDDC is the future of networking and security, and is required to build a scalable, secure and manageable data center, whether in the cloud or on premise in a traditional data center.