
The evolution of cybersecurity: is microsegmentation an essential tool?


July 27, 2020

By Jordan A., Technical Evangelist Squad

In this article, we wanted to address a topic that is becoming increasingly important to our customers: microsegmentation.

In security practices, particularly with the advent of Zero Trust and the emergence of microservices infrastructure, we are seeing that more and more customers are encountering real difficulties in keeping their security policies functional and scalable. That is why we will begin by taking stock of existing practices, then we will see how to move from VLAN-based network segmentation to effective microsegmentation.

There are several solutions that address microsegmentation in various ways: with agents, using hypervisors, or even through network equipment. We will try to shed some light on the different advantages and disadvantages of these methods.

Finally, we will conclude this article by discussing the new partnership between Squad and Illumio, which will enable our consultants to develop their skills and expertise in one of the most widely used microsegmentation solutions among our customers today.


Current situation and Zero Trust

For several decades, IT security has focused primarily on perimeter defense with filtering rules based on authorizations or prohibitions on data flows at the entrances and exits of data centers. However, data centers have evolved, with more and more cloud solutions, SaaS (Software as a Service) tools, BYOD (Bring Your Own Device), and remote working.

In addition, the use of microservice architectures, replacing application "monoliths," has also led to an increase in workloads, involving additional complexity and greater requirements in terms of the granularity of security rules.

To address these new uses and needs, filtering solutions located within the data center itself, particularly for east-west traffic, have emerged. Among these tools is microsegmentation.


It should also be noted that Zero Trust is a security model that is increasingly popular among all players in the sector. It starts from the assumption that no user or service is fully trustworthy by default. Consequently, if one of our resources is compromised, it must not be able to reach and compromise all the other resources in our information system.

Network segmentation

Until now, VLANs have been used to segment a company's network, in particular to logically isolate different departments (for example, to prevent marketing employees from accessing accounting servers). This means that devices belonging to the same VLAN can communicate with each other without any particular restrictions, while those located on different VLANs cannot communicate (except via inter-VLAN routing).

However, even when using Private VLAN and VXLAN technology, we are faced with the problem of securing communications within a single VLAN. It is still possible to implement individual firewall rules on each server, but once the number of devices exceeds a certain threshold, this becomes impossible to manage.

Finally, we find another limitation concerning the creation of security rules. In fact, to identify equipment, we mainly use the IP address, and to identify services, we use TCP and/or UDP ports. But what happens if these elements change? All security rules and policies must be reviewed to match the new identification information for this equipment. Needless to say, this is a colossal task on a large information system (IS)...

[Diagram: six servers split across two VLANs, with servers 1, 4 and 6 in one VLAN and servers 2, 3 and 5 in the other]

In the diagram above, servers 1, 4, and 6 belong to the same VLAN, so they can communicate with each other without restriction by default. The same applies to servers 2, 3, and 5. However, communication cannot take place between two servers belonging to different VLANs (such as servers 5 and 6, for example) without setting up inter-VLAN routing.

How microsegmentation works

Microsegmentation no longer relies solely on IP addresses and ports to create security policies. In fact, this control can be based on multiple criteria: labels, antivirus status, software versions, the environment in which the workload is located, etc. Servers can thus be placed in "quarantine" if they do not meet certain criteria or if they no longer respond correctly, which prevents them from communicating with all other workloads in the IS.

The main concept behind microsegmentation is real-time flow mapping. This makes it possible to visualize all communications between different workloads, and in particular to gain a more precise understanding of exchanges between servers (or containers) belonging to the same application or to different applications. This gives us in-depth knowledge of application dependencies.

Security policies at the microsegmentation level are primarily created using labels based on the acronym RAEL to identify applications by:

  • Role (Master Node, Database, Web Server, etc.)
  • Application (Messaging, Drive, Directory, CRM, etc.)
  • Environment (Production, Pre-production, Acceptance, etc.)
  • Location (New York, Paris, Lyon, Madrid, etc.)

Communication restrictions are thus based on "labels" (names) rather than IPs or ports in order to allow for better understanding and greater scalability of the infrastructure.
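To make the label-based model concrete, here is an added example (written for this article, not code from Illumio or any other vendor): a small policy evaluator in which workloads carry RAEL labels, rules are written against those labels, a quarantined workload loses all connectivity, and re-addressing a server leaves the policy untouched. All workload names, IP addresses, labels and rules are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed inventory model: labels follow the RAEL model from the article
# (Role, Application, Environment, Location). IP addresses are illustrative only.
@dataclass
class Workload:
    name: str
    ip: str
    labels: dict            # keys: role, app, env, loc
    quarantined: bool = False   # hypothetical posture flag (e.g. antivirus out of date)

@dataclass
class Rule:
    # A rule matches on the labels of source and destination, never on IPs.
    # An empty selector dict matches any workload.
    src: dict
    dst: dict
    port: int
    proto: str = "tcp"

def matches(selector: dict, labels: dict) -> bool:
    """A selector matches when every key it names has the same value in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())

def is_allowed(src: Workload, dst: Workload, port: int, rules: list, proto: str = "tcp") -> bool:
    """Default deny: a flow passes only if some label rule explicitly allows it.
    A quarantined workload is cut off from everything regardless of the rules."""
    if src.quarantined or dst.quarantined:
        return False
    return any(
        r.port == port and r.proto == proto
        and matches(r.src, src.labels) and matches(r.dst, dst.labels)
        for r in rules
    )

# Constructed workloads: a three-tier CRM application in production in Paris,
# plus a pre-production database of the same application.
WEB = Workload("web-01", "10.1.0.10", {"role": "web", "app": "crm", "env": "prod", "loc": "paris"})
APP = Workload("app-01", "10.1.0.20", {"role": "logic", "app": "crm", "env": "prod", "loc": "paris"})
DB = Workload("db-01", "10.1.0.30", {"role": "db", "app": "crm", "env": "prod", "loc": "paris"})
DB_PREPROD = Workload("db-pp-01", "10.2.0.30", {"role": "db", "app": "crm", "env": "preprod", "loc": "paris"})

# Constructed policy: only the tier-to-tier flows the application needs, within one environment.
RULES = [
    Rule(src={"role": "web", "app": "crm", "env": "prod"},
         dst={"role": "logic", "app": "crm", "env": "prod"}, port=8080),
    Rule(src={"role": "logic", "app": "crm", "env": "prod"},
         dst={"role": "db", "app": "crm", "env": "prod"}, port=5432),
]

def demo() -> dict:
    """Evaluate a handful of flows and return {description: allowed?}."""
    results = {
        "web->logic:8080": is_allowed(WEB, APP, 8080, RULES),
        "logic->db:5432": is_allowed(APP, DB, 5432, RULES),
        "web->db:5432": is_allowed(WEB, DB, 5432, RULES),            # tier skipping is denied
        "logic->preprod db": is_allowed(APP, DB_PREPROD, 5432, RULES),  # crossing environments is denied
    }
    # Re-addressing the database changes nothing: the rules never mention its IP.
    DB.ip = "10.1.9.99"
    results["logic->db after re-IP"] = is_allowed(APP, DB, 5432, RULES)
    # Quarantine the database: same rules, but nothing reaches it any more.
    DB.quarantined = True
    results["logic->quarantined db"] = is_allowed(APP, DB, 5432, RULES)
    # Restore the constructed state so the function can be called repeatedly.
    DB.quarantined = False
    DB.ip = "10.1.0.30"
    return results

if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:28s} {'ALLOW' if ok else 'DENY'}")
```

The point of the example is the last two checks: the IP change and the quarantine both take effect without editing a single rule, which is exactly the maintenance burden the IP-and-port model imposes on a large IS.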

Example of microsegmentation

[Diagram: three applications, each built from a Web Tier, a Business Logic Tier and a Database Tier, sharing one network]

In the diagram above, we see three different applications, each composed of several tiers: Web Tier, Business Logic Tier, and Database Tier. It is worth noting that this is a microservices architecture, with the different services separated from each other.

However, if these applications are located on the same VLAN, or in areas where internal communications are possible, difficulties may arise. Indeed, what would happen if one of these "bricks" were compromised? How can we be sure that the attacker cannot compromise other services or applications?

[Diagram: the same three-tier applications with microsegmentation applied; only the tier-to-tier flows each application needs are allowed]

The diagram above shows the same microsegmented architecture, particularly at the middleware application level. Communications between different tiers are allowed, as they are necessary due to application interdependence, but other communications are blocked.

However, if you look closely at this diagram, there is no mention of a firewall. This is because security policies can be implemented directly at the level of each workload (as in the Illumio® solution), rather than on third-party equipment such as a firewall.
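The following added example (not code from Illumio or this article's author) shows what "enforcement at each workload" means in practice: the global label policy is compiled down, per host, to the handful of peer addresses and ports that host must accept or may reach, and rendered as a host firewall ruleset in nftables syntax with a default drop. The workloads, labels, addresses and rules are constructed; the two applications and the tiers mirror the diagram above.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    ip: str
    labels: dict   # RAEL labels: role, app, env, loc

@dataclass
class Rule:
    src: dict      # label selector for the source; {} matches any workload
    dst: dict      # label selector for the destination
    port: int
    proto: str = "tcp"

def matches(selector: dict, labels: dict) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())

def compile_for(host: Workload, workloads: list, rules: list):
    """Reduce the global label policy to this host's view: the (proto, peer_ip, port)
    tuples it must accept inbound and the ones it may open outbound. This per-host
    set is all an enforcement point on the workload ever needs to hold."""
    inbound, outbound = set(), set()
    for r in rules:
        for peer in workloads:
            if peer is host:
                continue
            if matches(r.dst, host.labels) and matches(r.src, peer.labels):
                inbound.add((r.proto, peer.ip, r.port))
            if matches(r.src, host.labels) and matches(r.dst, peer.labels):
                outbound.add((r.proto, peer.ip, r.port))
    return inbound, outbound

def render_nft(host: Workload, workloads: list, rules: list) -> str:
    """Render the host's view as an nftables ruleset: default drop both ways,
    established traffic allowed back, and one accept line per compiled tuple."""
    inbound, outbound = compile_for(host, workloads, rules)
    lines = ["table inet microseg {",
             "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             '    iifname "lo" accept',
             "    ct state established,related accept"]
    for proto, ip, port in sorted(inbound):
        lines.append(f"    ip saddr {ip} {proto} dport {port} accept")
    lines += ["  }",
              "  chain output {",
              "    type filter hook output priority 0; policy drop;",
              '    oifname "lo" accept',
              "    ct state established,related accept"]
    for proto, ip, port in sorted(outbound):
        lines.append(f"    ip daddr {ip} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

# Constructed workloads: two applications (crm, drive), each web -> logic -> db, same VLAN.
CRM_WEB = Workload("crm-web", "10.1.0.10", {"role": "web", "app": "crm", "env": "prod", "loc": "paris"})
CRM_APP = Workload("crm-app", "10.1.0.20", {"role": "logic", "app": "crm", "env": "prod", "loc": "paris"})
CRM_DB = Workload("crm-db", "10.1.0.30", {"role": "db", "app": "crm", "env": "prod", "loc": "paris"})
DRIVE_APP = Workload("drive-app", "10.1.0.21", {"role": "logic", "app": "drive", "env": "prod", "loc": "paris"})
DRIVE_DB = Workload("drive-db", "10.1.0.31", {"role": "db", "app": "drive", "env": "prod", "loc": "paris"})
WORKLOADS = [CRM_WEB, CRM_APP, CRM_DB, DRIVE_APP, DRIVE_DB]

# Constructed policy: each application's tiers may only talk to the next tier of the same application.
RULES = [
    Rule(src={"role": "web", "app": "crm"}, dst={"role": "logic", "app": "crm"}, port=8080),
    Rule(src={"role": "logic", "app": "crm"}, dst={"role": "db", "app": "crm"}, port=5432),
    Rule(src={"role": "logic", "app": "drive"}, dst={"role": "db", "app": "drive"}, port=5432),
]

if __name__ == "__main__":
    print(render_nft(CRM_DB, WORKLOADS, RULES))
```

Run stand-alone it prints the ruleset for the CRM database: a single inbound accept from the CRM logic tier on 5432, nothing from the CRM web tier and nothing from the drive application, even though all five hosts share a VLAN. Because each host's compiled set is small and local, it is also what an agent can keep applying if it temporarily loses contact with the policy engine.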

The different approaches to implementing microsegmentation

As you may have noticed, microsegmentation affects several aspects of the information system, including: network, security, and system. There are therefore several approaches to implementing this type of solution in your infrastructure.

Use of agents

We can find microsegmentation solutions based on the use of agents (such as Guardicore or Illumio) to be installed on the workloads that are part of the infrastructure.

This type of solution offers real flexibility, enabling the solution to check various elements of the workload (versions, OS, open ports, active communications, etc.) in an extremely detailed manner. Furthermore, in most cases, if agents lose connectivity with the central solution, they continue to apply the most recent rules.

However, the use of agents also has some drawbacks, such as operating system support and compatibility, or the potential impact on equipment performance (in terms of RAM and CPU).

Use of hypervisor components

We can also find microsegmentation solutions built on components that already exist in the hypervisor in use. This approach is particularly relevant when the infrastructure is based on VMware, notably through its NSX component.

Because enforcement takes place in the hypervisor, the protected resource runs without any agent of its own, but the implementation is quite complex, and infrastructure components that are not virtualized are not directly covered.

Use of network components

As might be expected, Cisco is the main player in this market. With its ACI (Application Centric Infrastructure) solution, it occupies a position halfway between SDN (Software Defined Network) and microsegmentation.

This solution is attractive because it is compatible with many hypervisors and is based on a new spine-leaf architecture.

However, specific hardware is required to use Cisco ACI (Cisco Nexus 9000 series switches), which entails additional costs for replacing existing switches.

Squad is an official Illumio partner

Many customers have already joined the transition to microsegmentation in order to improve the security management of their IT systems. Squad has decided to partner with Illumio, recognized as one of the most effective solutions available today, with many French customers including Natixis, Salesforce, Société Générale, BNP Paribas, etc.

Regular sessions are held between Squad and Illumio to train and certify our consultants in the use and implementation of the ASP (Adaptive Security Platform), in particular through the Illumio ASP Specialist Certification for Partners.

With this in mind, Squad supports you in the transition to and management of your Illumio microsegmentation solutions.

Illumio offers several advantages:

  • Protection of 80% of data center and cloud traffic (East-West)
  • Immediate detection of unauthorized activities and neutralization of breaches
  • Reduction in the number of firewall rules by more than 95% within the data center
  • Operates in virtualized, containerized, on-premise, cloud, or hybrid environments

Conclusion

Microsegmentation is not a recent concept, as it has been around for several years. It is simply consistent with the Software Defined movement, which consists of thinking about and using infrastructure as if it were software.

Regardless of the solution you choose, its implementation and administration must be carefully considered and tailored to your needs. However, it is more than likely that all large-scale infrastructures will move toward this type of solution in the near future.
