WavebreakMediaMicro - Fotolia
Software-defined security can administer powerful policies that enforce granular rules while maintaining IT workload flexibility.
Network security is a growing problem in the enterprise: Infrastructure complexity, higher traffic volumes, more applications and data stores, and an unending array of threats put the business at ever-increasing risk. Enter microsegmentation.
CIOs and IT architects are rethinking traditional security approaches and embracing new technologies that can enhance a virtualized data center with greater granularity and responsiveness. Microsegmentation promises a series of benefits for the business, but imposes some prerequisites and potential pitfalls that IT professionals should understand.
In basic networking parlance, segmentation breaks an Ethernet network into subnetworks (or subnets) which allow network traffic to be organized and contained rather than sending every packet to every node all the time. Network segmentation offers elementary tools to boost network performance and introduce simple security in traditional static networks.
Network microsegmentation builds on this elementary idea by abstracting new layers of virtualization and control. With microsegmentation, the data center is divided (segmented) into logical units, which are often workloads or applications. The IT organization can then tailor unique security policies and rules for each logical unit. The idea is to significantly reduce the surface available for malicious activity and restrict unwanted lateral (east-west) traffic -- such as an attack -- once a perimeter is penetrated. Since policies are tied to logical segments, any workload migration will also move the security policies. This eliminates the tedious, error-prone manual configuration processes that often lead to security flaws.
"Microsegmentation is the application and enforcement of security functions as close as possible to the given application," said Pete Sclafani, COO and co-founder of 6connect, a software and services company that offers network resource provisioning and automation. "In the past, this has been centralized 'up the stack' so there are quite a few gray areas that open the door for security issues even if policies are properly configured."
Network microsegmentation isn't new, but its adoption has been sparked by software-defined networking (SDN) and software-defined data center (SDDC) technologies capable of abstracting hardware. Before the advent of software-defined technologies, any sort of microsegmentation initiative would require traditional physical firewalls and VLANs. The manual effort involved in configuring internal firewalls for east-west traffic control -- and then maintaining those configurations over time -- was simply too complex and costly. By contrast, SDN and SDDC capabilities support on-demand provisioning, the flexibility to change parameters, and the ability to enforce security across each virtual machine.
Benefits of microsegmentation
Traditional firewalls can remain in place to maintain familiar perimeter (north-south) defenses, but microsegmentation significantly limits unwanted communication between workloads (east-west) within the enterprise. This zero-trust approach addresses the dramatic shift in network attack patterns where attackers penetrate the perimeter and bide their time to watch activity, inject malware and gain control of key systems -- finally to steal valuable data or disrupt business activities.
Software rules-based behavior also allows microsegmentation to support fast, flexible and granular security configurations around each workload. IT administrators no longer need to manually configure firewall and router rules on individual hardware devices and risk mistakes and oversights that might cause new vulnerabilities or impair performance.
"Security policy changes in a centralized architecture had significant risk of service interruption even among services that weren't directly affected," Sclafani said. "There are so many documented experiences where someone updated the firewall rule set, but caused unintended consequences for a different downstream application that should not have been affected."
Better security and fine-grained control translate into simpler network designs. For example, network hairpinning occurs when two (or more) hosts within the same subnetwork cannot communicate with each other directly -- each must communicate by sending traffic out of the subnet first, and then directing that traffic back to the intended destination server within the subnet. This allows the network to implement common points of security, but the traffic essentially makes a "hairpin turn" on the network. Hairpinning raises traffic levels but doesn't really benefit the environment (other than allowing otherwise isolated endpoints to communicate). Microsegmentation allows direct east-west communication between systems and eliminates the need to hairpin traffic; simplifying the network and improving network performance.
In addition, the microsegmentation security policies established for each workload are now tied to the workload rather than the network hardware. This means any microsegmentation rules applied to a workload, usually installed on a virtual machine, will follow the workload. For example, workloads can be migrated to balance computing loads or support systems maintenance without the need to reconfigure or create new security rules. This can also translate to better risk mitigation, security auditing and compliance for the enterprise.
"Microsegmentation is about moving faster but securely," said one IT leader from a major sporting goods retailer. "Using a software-based approach that interacts directly with the hypervisor means we can templatize [sic] our security approach-- we can create 'cookie cutter' system builds that include security as a base ingredient from the start. It's not a random addition; now it's part of the recipe."
Microsegmentation is a powerful concept poised to facilitate better security and agility in emerging software-defined environments, but it's not a cure for every network ailment. Business and IT leaders must weigh some of the potential downsides to network microsegmentation deployment before committing to the technology.
Complexity is perhaps the most insidious pitfall. "It can get complex to model the application behavior and the right set of firewall rules," said Mahesh Kumar, head of marketing at Arkin Net. "Too granular and it becomes hard to manage. Too broad and it defeats the purpose." In addition, it's important to account for all workloads -- even idle or powered-down VMs. Otherwise an idle workload may come online in lockdown without the ability to communicate properly. Complexity issues translate into potential connectivity and availability problems for enterprise applications.
Consistency arises as a second concern. Since microsegmentation basically distributes security policies and rules to workloads, it's important that those policies and rules follow consistent guidelines. Without guidelines or best practices, it's possible for policies to shift between workloads or locations. Consistency problems can result in performance or availability issues that are challenging to troubleshoot.
If network microsegmentation appears to be the answer to your complex IT workloads and application security, investigate the monitoring and management processes involved to make it a success.
The added layers of management and control used to implement microsegmentation can have a potential impact on network and application performance. Kumar echoes 6connect's Sclafani's observation that all applications may not be suited for microsegmentation -- especially low-latency performance-sensitive applications (such as real-time trading tools).
Finally, don't overlook the organizational effects of microsegmentation, which tends to span computing, networking, and security disciplines. Different groups can make changes that affect security, and this can lead to communication breakdowns, conflicts, and pushback from those traditionally siloed groups. Clear understanding and interaction between these groups is essential for long-term adoption and success.
"It takes time for the people part to catch on," said the sporting goods retailer. "You need to think differently and be open to new ideas; and there is a training factor."
- SDN is Dead! Long live SDN! –Cumulus Networks
- SDN Across the Data Center and the Network: Expert Insight –SearchSecurity.com
- How Data Centre Network Fabric and SDN Intersect –SearchSecurity.com
- What your Network Security Strategy Should Include –Aruba Networks