Microsegmentation – Bigger, Better than Segmentation?
Microsegmentation vendors such as Cisco and VMware state that traditional perimeter defenses, akin to medieval castle walls, no longer work. The problem, they say, is that threat actors get through the castle gates (firewalls) and, once inside, evade the castle guards (IPS). They can then wander around freely to plan their attack, evading the King's soldiers (IDS). Microsegmentation, we are told, will fix this.
As I see it, the problem is that a perimeter defense never worked, not in medieval times, and certainly not today.
Edinburgh Castle Flying the British Flag
If we look at some of the greatest walls in history, we see how true this is. The old Scottish city of Edinburgh was built on top of a giant rock, rising 260' into the air. On top of the rock they built high stone walls enclosing the Old Town. Looking at Edinburgh Castle, it's hard to imagine that any invader could penetrate its defenses, especially as inside were hordes of Scotsmen, the fiercest fighters in the world. I am sure you are familiar with the famous saying, "if it's not Scottish…it's crap!" But when the English attacked Edinburgh, the siege didn't last six months…or a month…only four days. And the English took Edinburgh not just once but four times.
Microsegmentation is supposed to be a continuation of segmentation. So if segmentation is good, is Microsegmentation better?
Cisco explains that conventional segmentation is very coarse and is often done only at the subnet level. Their other complaint is that such segmentation primarily protects north-south traffic. The argument is that with the expansion of n-tier distributed systems and massively parallel architectures, east-west traffic has grown exponentially, and that threat actors, once inside, now travel primarily east-west.
The problem I have with these statements is that every network engineer I know segments their network at more than just the subnet level, and their segmentation is not limited to north-south traffic. Since 2000, secure networks have been built by segmenting traffic at the switch port level, server to server, radically limiting east-west traffic. This approach, combined with the practice known as zero trust, is very effective, but it is a manual, static and labor-intensive process.
The idea behind this type of segmentation was that we knew it was impossible to stop all intruders, so it made sense to segment the network so that only white-listed traffic flowed on any segment; everything not explicitly allowed was dropped. Zero trust in my mind doesn't really mean "trust no one," because then you would have no traffic on your network. A better description is "Trust who you know and no one else." By controlling east-west traffic it was possible to slow down attackers, like pouring molasses on the floor. Attackers would either get so frustrated that they would just leave, or they would be moving so slowly that we could catch them.
The idea of "zero trust" is important. I once asked a famous mountaineer why he cut his toothbrush in half, noting "That can only save ½ ounce." The mountaineer smiled. "Sure. But it reminds me while I am packing to leave out everything unnecessary. Cutting my toothbrush in half typically lightens my pack by 10 pounds!"
Today, most operating systems, servers, routers and switches ship with their services and ports open by default. It is up to the admin to lock down every port and access control that isn't needed, a process known as "hardening." It is tedious and error prone. Some systems, like FreeBSD, ship with everything locked down, and admins open only what they need. While this approach is initially more work, it ultimately yields a more secure network and is easier than coming back later to close all the holes.
Microsegmentation for Dummies
Microsegmentation brings three important things to the table: 1) support for network virtualization; 2) support for software defined networking; and 3) automation. It lets administrators move from a manual, static, tedious process to a dynamic, automated one, and it enables segmentation at Internet scale.
Microsegmentation for Dummies is a great read. While it's written by VMware, it is by no means specific to VMware and NSX. The book provides a really good background on the problem and covers all the new concepts used in Microsegmentation.
Persistence is an important concept in Microsegmentation. With virtual machines, virtual networking and software defined networking, you can use automation to achieve all the benefits of segmentation without hand-writing ACLs. You create policies that attach to workloads: policies follow applications, databases and web servers. Persistence means that virtual machines can move dynamically while the policies follow the workloads. This is something you can't do with static ACLs bound to a switch port, VLAN or IP address.
Ubiquity is a new idea in Microsegmentation, and a very important concept in security. Conventional wisdom has been to create different security levels for different applications. Initially this makes sense. Someone getting a library card doesn't need the same security as someone getting food stamps, who doesn't need the same security as someone getting Medicaid, who certainly doesn't need the same security as a brokerage account holding your IRA. But this traditional model suffers from the same problem as coarse segmentation. Once inside, threat actors move east-west, not north-south. If you issue low levels of security anywhere, threat actors take the easy entitlement and then work their way up the chain to escalate their privileges. Ubiquity says that you start with the highest level of security possible and apply it to everything.
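To make the allow-list and persistence ideas above concrete, here is a small policy engine written for this article as an added example; it is not code from the article, from VMware, Cisco or any other vendor. Rules are expressed on workload labels (role, environment), never on addresses, and are compiled into the concrete flows an enforcement point would permit. Anything not produced by the compiler is denied, which is the "trust who you know and no one else" posture. When a VM migrates and its address changes, recompiling from the same label rules yields the updated flows, so the policy follows the workload. All workload names, addresses and labels are constructed for the example.

```python
# Added example (not from the article or any vendor): a toy label-based
# microsegmentation policy engine. Workload names, IPs and labels are invented.
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

Label = Tuple[str, str]
Flow = Tuple[str, str, str, int]          # (src_ip, dst_ip, proto, dst_port)


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: FrozenSet[Label]


@dataclass(frozen=True)
class Rule:
    """Allow rule expressed on labels, never on addresses."""
    src: FrozenSet[Label]
    dst: FrozenSet[Label]
    proto: str
    port: int


def selects(selector: FrozenSet[Label], w: Workload) -> bool:
    """A selector matches when every one of its labels is on the workload."""
    return selector <= w.labels


def compile_policy(workloads: List[Workload], rules: List[Rule]) -> Set[Flow]:
    """Expand label rules into the concrete flows an enforcement point allows.
    Anything not produced here is denied (default deny / allow-list)."""
    allowed: Set[Flow] = set()
    for rule in rules:
        for s in workloads:
            if not selects(rule.src, s):
                continue
            for d in workloads:
                if d is s or not selects(rule.dst, d):
                    continue
                allowed.add((s.ip, d.ip, rule.proto, rule.port))
    return allowed


def is_allowed(allowed: Set[Flow], flow: Flow) -> bool:
    """Default deny: a flow passes only if the compiler emitted it."""
    return flow in allowed


def migrate(workloads: List[Workload], name: str, new_ip: str) -> List[Workload]:
    """Simulate a VM move: the address changes, the labels do not."""
    return [Workload(w.name, new_ip, w.labels) if w.name == name else w
            for w in workloads]


def L(**kv: str) -> FrozenSet[Label]:
    """Shorthand for building a label set / selector."""
    return frozenset(kv.items())


# Constructed inventory: three prod tiers plus a dev database.
WORKLOADS = [
    Workload("web1",  "10.0.1.10", L(role="web", env="prod")),
    Workload("web2",  "10.0.1.11", L(role="web", env="prod")),
    Workload("app1",  "10.0.2.10", L(role="app", env="prod")),
    Workload("db1",   "10.0.3.10", L(role="db",  env="prod")),
    Workload("dbdev", "10.0.9.10", L(role="db",  env="dev")),
]

# Only two flows are ever permitted: web->app on 8080 and app->db on 5432.
RULES = [
    Rule(L(role="web", env="prod"), L(role="app", env="prod"), "tcp", 8080),
    Rule(L(role="app", env="prod"), L(role="db",  env="prod"), "tcp", 5432),
]


def demo() -> dict:
    before = compile_policy(WORKLOADS, RULES)
    moved = migrate(WORKLOADS, "db1", "10.0.3.77")
    after = compile_policy(moved, RULES)
    return {
        "web_to_app":       is_allowed(before, ("10.0.1.10", "10.0.2.10", "tcp", 8080)),
        "app_to_db":        is_allowed(before, ("10.0.2.10", "10.0.3.10", "tcp", 5432)),
        # lateral moves the rules never mention are dropped
        "web_to_web":       is_allowed(before, ("10.0.1.10", "10.0.1.11", "tcp", 22)),
        "web_to_db":        is_allowed(before, ("10.0.1.10", "10.0.3.10", "tcp", 5432)),
        "app_to_devdb":     is_allowed(before, ("10.0.2.10", "10.0.9.10", "tcp", 5432)),
        # after the move the policy follows the label, not the old address
        "app_to_db_new_ip": is_allowed(after, ("10.0.2.10", "10.0.3.77", "tcp", 5432)),
        "app_to_db_old_ip": is_allowed(after, ("10.0.2.10", "10.0.3.10", "tcp", 5432)),
        "rule_count":       len(RULES),
        "flow_count":       len(before),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

Two rules expand to three concrete flows, and web-to-web, web-to-database and prod-to-dev traffic are all dropped without anyone writing a deny rule for them. After `db1` moves to a new address the old entry disappears and the new one appears, which is exactly the property a static port or IP ACL cannot give you.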
Cisco and VMware are the big boys on the block, and provide complete Microsegmentation strategies, but smaller vendors like Illumio and vArmour provide some excellent solutions as well.
If you are a VMware shop, then their version of Microsegmentation is for you. VMware leverages their entire NSX infrastructure and their proprietary software defined networking to make segmentation effortless. It’s all built into the infrastructure. You can create dynamic policies that follow your workloads. It’s a beautiful thing. But remember that their solution is designed for the VMware hypervisor and virtual networking.
Cisco Microsegmentation is part of a bigger strategy. Cisco ACI, or Application Centric Infrastructure, is key to it. ACI decouples policy from subnets and broadcast domains through a construct called the End Point Group (EPG). Designers group endpoints regardless of IP address or subnet, and the endpoints in an EPG can be physical servers, virtual machines, Linux containers, or even a mainframe. This makes the solution very flexible and independent of the workload platform.
The components of Cisco's Microsegmentation include their line of virtual switches, ACI, EPGs and APIC, Cisco's Application Policy Infrastructure Controller.
Illumio Adaptive Security Platform
Illumio doesn't bill itself as a Microsegmentation vendor, but its Adaptive Security Platform delivers all the benefits users look for in segmentation. Its stated goals are to address the problems with a perimeter security strategy, control east-west traffic, and protect endpoints.
Illumio's Virtual Enforcement Node (VEN) and Policy Compute Engine (PCE) implement dynamic, automated policies that protect traffic to and from virtual machines, bare-metal servers and cloud instances.
Illumio is platform independent, supporting VMware, KVM, Xen and Hyper-V hypervisors, bare-metal servers, private data centers, public clouds like Amazon, all versions of Windows and virtually every major flavor of Linux.
vArmour wants you to know that Microsegmentation is not easy. In fact, they advertise four major pitfalls. But they offer a comprehensive ebook that explains how to overcome these common problems.
- Pitfall #1: It’s too complex to deploy and manage
- Pitfall #2: You need to buy and stitch together multiple products
- Pitfall #3: It’s resource intensive
- Pitfall #4: It cannot scale to support multi-cloud environments
vArmour takes a different approach than VMware or Cisco. It is a software-only solution built for virtualization and cloud environments, whether on-premises VMware, Nutanix, OpenStack or KVM, or a public cloud like Amazon. Like the other solutions, it is workload focused, so policies are persistent and travel with the workload.
While vArmour is very focused on Microsegmentation, it plays more broadly in the security space by providing continuous monitoring and deep visibility into network traffic up and down the stack. The solution comes with full analytics to take advantage of all that data.
Their architecture is called the vArmour Distributed Security System and is comprised of the vArmour Fabric, vArmour Analytics, and vArmour Shared Defense.
Microsegmentation is definitely a continuation or extension of the idea of segmentation. So if your current segmentation plan is very coarse and only north-south, then you should like all the ideas of Microsegmentation, as they will help improve your internal security by limiting east-west traffic.
If you already segment your network on a granular level and limit east-west traffic, then you are going to LOVE Microsegmentation, because you will be able to leverage automation to make your job so much easier.
Microsegmentation leverages virtual networking and software defined networking, but it also brings many best practices that will help us secure our networks on the inside while we figure out how to keep attackers on the outside.