You invested in a firewall to protect your network and systems, and years ago, this was a very effective security strategy, but in recent times, this has changed, and the old models of deploying security are no longer very effective. A traditional firewall is like the exoskeleton shell on a crab, hard exterior but soft in the middle. Imagine that firewall is suddenly gone. How secure is the soft middle of your network? (Likely not very…) Now imagine we could have not one large firewall, but lots of them, one for each server in fact. Now that equates to much more protection, in fact, everything is now “armored” with its own firewall. To do this with traditional firewall hardware solutions would be extremely expensive, however, with micro-segmentation, it is possible to provide this protection cost-effectively.
Micro-Segmentation also referred to as a Zero-Trust model, is the logical separation of network segments via software in a virtualized environment. The ability to achieve micro-segmentation was limited by hardware costs and complexity, but in today’s virtualized datacenter it is now achievable to control policies on such a granular level that the server will only have access to what is explicitly allowed.
A large part of any cyber-security attack is pivoting to other servers, once they have a foothold in the network. This commonly means they are jumping from server to server in order to gain additional access and further their attack. Server to server traffic within the same segmented area, or East-West traffic, can present a unique security issue. In a virtualized environment, Micro-Segmentation can address your inability to control server to server traffic on a granular level using a software-based approach.
In the case of the traditional firewall deployment, the traffic that is being controlled is limited to North-South traffic. North-South traffic is the traffic that is leaving and entering the firewalled network segment and is mostly categorized as a client to server traffic. But what about the server to server traffic within these separated network segments? How is this traffic being monitored and protected?
In a traditional environment, if a server gets exploited then this server will have unfiltered access, from a network standpoint to all other hosts within its network segment. There are acceptable levels of risk that can be justified for your typical end-user traffic in a tradeoff for functionality, but when dealing with your mission-critical servers, and the data on them, these levels of risk might not be as easy to write off.
It is important to stay one step ahead of the advanced threats that target today’s world. Granularly controlling the access that servers have to each other on not only a subnet basis but a server to server basis greatly improves the overall security posture of any network. With micro-segmentation implemented, if a server gets compromised, it will have limited access into your network and will help limit any pivoting that traditionally was allowed. The additional level of firewalling that is provided by micro-segmentation will slow down any attacker and give you more time to identify the compromise, and limit the damage.
In today’s virtualized data center, Palo Alto and VMware are on the forefront of the micro-segmentation technology. Both Palo Alto and VMware provide integrated solutions to give the granular level of control that is required for a proper micro-segmentation deployment. VMware provides the capability to assign firewall policies on the VM level. Whereas Palo Alto brings the next generation firewall capabilities and integrates with the VM level firewalling capabilities to build policy sets unique for each specific server or subset of servers.
In the Verizon 2016 Data Breach Investigations Report, it was reported that the time between a compromise and data exfiltration can be as little as seconds to days. Attackers are moving faster and the faster they are the harder it is to find them in your network before it is too late.
Contact Netrix today to learn more about how micro segmentation can work for your organization. You are also invited to our free, Zero-Trust Security workshop on April 19th to gain hands-on experience with cybersecurity prevention. Register and learn more here.
Written by: Grady Negronida, Engineering Consultant
Resources:
Verizon 2016 Data Breach Investigations Report
https://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
