It seems almost every day there is a new story in the news about a large business getting hacked and often personal data being leaked. Talktalk were recently a victim of this, but the most extreme I’ve heard about is a hack where ATMs were throwing out money. So how does this happen?
Traditional network design takes what I like to call the “Bouncer on the Door” approach. Imagine going to a nightclub: to get in you have to get past the bouncer first. This can be a pain sometimes, depending on whether you’re on the list, are dressed the right way etc. Bouncers are an effective way of weeding out obvious troublemakers. However, troublemakers still get into clubs, and once in they can get up to all sorts of mischief. This is the same approach as putting a firewall on the edge of your network. It protects the north-south traffic coming in and going out of your datacenter. However, once someone has hacked the firewall and found a way in, they are free to hop from machine to machine and exploit the rest of the datacenter. Yes, you can put more firewalls inside the datacenter, but this means an increase in the number of VLANs to manage, and the number of firewall rules goes through the roof. Just like you could employ more and more bouncers to walk within a nightclub, unless you have a bouncer for every clubber, they are inevitably outnumbered.
So micro segmentation takes a different approach. This is more analogous to a hotel. Anyone can get into a hotel, but you can only get into the hotel room which you have a keycard for. Who cares if you’re walking around the lobby? Micro segmentation means applying a security policy to each virtual machine on the hypervisor, as shown in the image I’ve knocked up below:
Cloud and Micro Segmentation
Integrating micro segmentation with a cloud technology makes the whole process even simpler. For each application blueprint you have in your arsenal, you can decide which security group(s) it should be part of. Then whenever the application is deployed, the security configuration is automatically applied. Bringing in robust life-cycle management means that when the service is no longer required, everything is torn down and the configuration is automatically wiped, thus removing any configuration sprawl. You can also then start to look at applying different security rules to your integrated role based access control (RBAC), so that you can apply tighter controls for more vulnerable employees (contractors, as an example). Automation and governance are key here.
There are a number of different solutions to this. The most prevalent and elegant is VMware NSX. Working at VMware, I see customers with these same challenges every day. I then watch this micro segmentation deployment model go from dev/test into production very rapidly. Large customers like eBay, Rackspace and PayPal have been using this in anger and are already reaping the benefits.
NSX applies micro segmentation by bringing its distributed firewall into the hypervisor. Traffic from the outside world goes through the physical firewall and the physical network into the vSwitch as usual, but then traffic is directed through the distributed firewall, which runs in the hypervisor kernel for near line-rate performance. NSX is a platform for layer 7 services, so application-aware solutions like Trend Micro can be inserted as the next step before routing the traffic to the virtual machine itself. NSX applies policy to virtual machines with security groups; these allow you to group your services and create repeatable configuration for different services or areas of the business (HR, Contractors etc.). You can also add tags to your virtual machines so that they are brought into a security group with specific configuration and policy as soon as they are spun up. Any virtual machine without a policy attached to it simply won’t get access to the network; this is what we call a Zero Trust model.
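To make the tag, security group and default-deny behaviour from the two sections above concrete, here is a small model of a per-VM distributed firewall. It is an added illustration written for this post, not VMware NSX code or its API; the group names, tags and rules are constructed for the example.

```python
"""Toy model of micro segmentation: tags put a VM into security groups,
rules are written against groups, and every flow is checked at the
hypervisor of each VM with an implicit deny (zero trust).
Added example; names, tags and rules are constructed, not real NSX objects."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


# A VM joins a group when it carries every tag the group requires, so a
# blueprint that applies the tags at deploy time also applies the policy.
SECURITY_GROUPS = {
    "sg-web": {"app:shop", "tier:web"},
    "sg-db": {"app:shop", "tier:db"},
    "sg-contractor": {"role:contractor"},
}

# (source group, destination group, tcp port or None for any, action).
# First match wins; rules reference groups, never IP addresses, so tearing
# a VM down leaves no stale rule behind.
RULES = [
    ("sg-web", "sg-db", 3306, "allow"),         # web tier may reach the database
    ("sg-contractor", "sg-db", None, "deny"),   # contractors never reach the db
    ("sg-contractor", "sg-web", 443, "allow"),  # contractors may use the web front end
]


def groups_of(vm):
    """Security groups a VM belongs to, derived from its tags."""
    return {g for g, needed in SECURITY_GROUPS.items() if needed <= vm.tags}


def evaluate(src, dst, port):
    """Distributed-firewall decision for one flow between two VMs."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    if not src_groups or not dst_groups:
        return "deny"  # untagged VM has no policy attached: no network access
    for s, d, p, action in RULES:
        if s in src_groups and d in dst_groups and (p is None or p == port):
            return action
    return "deny"  # implicit default deny blocks lateral movement between VMs
```

Running evaluate() for a web VM against a database VM on port 3306 allows the flow, while the reverse direction, a contractor VM, or a VM with no tags at all is denied.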
This has been a very basic overview of micro segmentation and VMware NSX. Check out the content on the VMware site for more details.