Data center transformation has delivered better resource utilization, scalability and automation for data center environments. While software-defined networking (SDN) and automation platforms can tie in network security, the options have been largely inflexible and static, limiting the amount of security automation that can be delivered. This has become even more apparent as DevOps environments continue to grow.
Micro-segmentation as a concept has been around for several years. It has recently become more mainstream with organizations now dedicating budgets and personnel to micro-segmentation projects. Micro-segmentation itself is really an evolution in network security. While many of the concepts (i.e. private VLANs) have been around for years, the implementation and use of these has evolved with micro-segmentation.
Unlike the more static solutions, these are primarily software-based platforms that can tie in to existing automation workflows with the ability to create and enforce zero-trust policies throughout these networks.
In a nutshell, micro-segmentation offers a more granular method for separating workloads and controlling application in these cloud environments. Individual workloads can be isolated using a zero-trust model with whitelist controls enabled for specific network and application flows between workloads.
Products and features such as firewalls, IPS, VRFs and VLANs have long been used to provide segmentation as a common best practice. While these can shrink the attack surface, the operational aspects can prove to be difficult. Traffic must be hair-pinned to firewalls, and there is a lack of granular controls to filter the east-west traffic inside of a VLAN.
Getting visibility and telemetry can also be an issue, especially for east-west traffic. As a result, assets requiring separation are often placed in different VLANs. This leads to the creation of new firewall rules, IP subnets, routing and default gateways. Because of the operational complexity, this can eventually become unmanageable.
This does not mean you should rip out all of your physical security appliances or discontinue the use of VRFs or VLANs. Physical firewalls performing edge functions such as NAT, anti-malware, antivirus and proxy services still have their place and role to play. That role may be at the internet edge or other aggregation points, such as the data center edge. However, it can very quickly become cost-prohibitive to deploy at every top of rack, and a re-spun virtual version of a physical firewall is simply not the right fit for virtual environments.
Often the decision for how to implement micro-segmentation comes down to trust and enforcement. Deciding where the trust boundary should reside (via the network or an agent) is something many organizations face. Second is how the policy can be defined and the enforcement methods.
Defining and deploying an appropriate policy is often one of the biggest hurdles for controlling east-west traffic within the data center. To ease these pains, declarative intent-driven policies are starting to be used. Policies are built based upon the end goal: isolating production from development, compliance-bound applications and application groups. The enforcement of these can also go beyond the use of Layer 4 ports to granular enforcement based on the application traffic.
Preparing for micro-segmentation
A few questions that may help in the planning process:
- Who is your hypervisor vendor(s) of choice?
- What operating systems are in use for your workloads?
- How will you address security for your non-virtualized hosts?
- What type of enforcement do you desire (Layer 4, Layer 7)?
- How will you gain east-west application telemetry?
- How will you define these policies (intent)?
- Where is your trust boundary?
- Is the system a platform? Does it offer additional security benefits?
- How will you integrate with application and cloud automation systems in use?
- What is your long-term cloud strategy?
- How will you use this solution to help enable your DevOps environment?
Data center transformation efforts have resulted in numerous benefits for networking, compute and automation. Micro-segmentation solutions can offer methods for distributing intent-based policies and automating segmentation across the data center and cloud – augmenting DevOps workflows instead of hindering them.