In an era where the network edge faces the highest traffic, organizations rush to add more robust security yet hesitate to take on the long-term endeavor known as microsegmentation. Microsegmentation is about identifying your organization’s most valuable network segments, establishing strict communication policies, and becoming the master of your network flows. Unlike traditional network segmentation, which is vital to network performance and management, microsegmentation further addresses critical issues related to security and business dexterity.
As the zero trust architecture’s core technology, implementing microsegmentation isn’t about heavily restricting communication within a network. Instead, by enhancing visibility into how data flows, network administrators can work with business and security analysts to create application-enabled policies. Success in implementing microsegmentation for your organization means tagging traffic, servicing regular business communications, adapting to threats, and denying all other anomalies.
This article dives into the approaches to microsegmentation, steps your organization can take to implement microsegmentation, and why you can move towards preventing lateral movement today.
Approaches to microsegmentation
Ten years after the conceptual roots of zero trust, the cybersecurity industry has four methods for implementing microsegmentation: network fabric, hypervisor, agent, or NGFWs. While all four approaches can help your organization move towards microsegmentation, some are critical to comprehensive network security.
The first approach is putting your network fabric to double duty as the microsegmentation enforcement layer. Gartner calls fabric-based infrastructure (FBI) the vertical integration of hardware and software, providing “real-time” management access to your infrastructure. For traditional data centers (DC) and software-defined data centers (SDDC), the network fabric can be an essential enforcement point. However, implementing microsegmentation via the network fabric in cloud environments is a different story.
Utilizing a Hypervisor
Another route is microsegmentation built-in at the hypervisor level. Like the fabric-based approach, a network hypervisor, also known as a virtual machine (VM) manager, serves as an enforcement point for traffic across your network of devices. Also, like the network fabric, the hypervisor is amenable to an SDDC environment.
Utilizing a hypervisor can eliminate the need to manage and patch enforcement software on each machine. This approach also facilitates a common practice for microsegmentation: the natural collaboration between security analysts and network administrators.
Outsource Endpoint Protection
The third method is seeking assistance from vendors specialized in endpoint protection. This agent-based method translates to real-time enforcement of your policies on the endpoints themselves. Outsourcing endpoint agents can interfere with the collaboration between in-house network and security teams, but that is an organizational choice. Agent solutions, along with NGFWs, can work across all three environments (traditional DC, SDDC, and cloud).
Major endpoint security vendors include Bitdefender, Check Point, CrowdStrike, Sophos, Symantec, Trend Micro, and VMware.
Raise Next-Generation Firewalls
Lastly, and probably the most advanced microsegmentation method, is next-generation firewalls (NGFWs). NGFWs work across all three environments and provide security up to Layer 7, making them a valued tool for deep-packet inspection, application controls, and IDPS. While not initially intended for the cloud, NGFW vendors are increasingly offering their security solutions in the form of firewall as a service (FWaaS).
Major NGFW vendors include Barracuda, Cisco, Fortinet, Huawei, Juniper, Palo Alto Networks, and SonicWall.
Environment and security vs. microsegmentation
When considering different approaches to microsegmentation, the network’s environments and security requirements are handy indicators. Currently, assets are moving from traditional DCs to SDDCs and public or multi-cloud environments without further safeguards.
Application-level policies are quickly becoming the standard for network security, which leaves the first three approaches weaker on their own than when combined with the power of NGFWs. The network fabric, hypervisor, and agent approaches can only offer protection at Layers 2-4, while NGFWs are the only approach that identifies threats and provides full Layer 7 visibility and enforcement. Organizations enabling multiple methods only add to their security posture, potentially stopping malicious traffic at the network fabric or hypervisor level before it even reaches your inner firewalls.
Best practices for microsegmentation
For microsegmentation, it is as much about the process as it is the technology. Fail to follow the steps meticulously, and you’ll only prolong the project and cause unnecessary headaches.
No Traffic Left Behind
Microsegmentation means unblemished visibility of north-south and east-west traffic flows. During the network discovery stage, the information gathered should cover the applications, workloads, and active connections between them. Additional sources of information could be configuration management databases (CMDBs), orchestration tools, system inventories, traffic and event logs, firewalls and SIEM, and load balancers.
Depending on your IT team’s size and resources, vendors also offer third-party or configurable software for mapping transaction flows across on-prem and cloud network infrastructure. Mapping these flows is critical as you don’t want to inhibit everyday business communication while shutting down unnecessary connections.
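As an added illustration of the discovery stage described above (this is example code, not from the article or any vendor’s product), the following script parses a small set of constructed flow records, labels each endpoint from a constructed CMDB-style inventory, classifies flows as north-south or east-west against an assumed internal address range of 10.0.0.0/8, and aggregates them into an application dependency map. The edges that cross an application boundary or involve an uninventoried endpoint are the ones a policy author has to decide on explicitly before enforcement.

```python
"""Build an application dependency map from flow records (added example).

Assumptions (not from the article): inventory and flow log are constructed
sample data; the organization's internal range is 10.0.0.0/8.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory, IP -> (application, tier). In practice this comes
# from a CMDB, orchestration tool, or agent inventory.
INVENTORY = {
    "10.0.1.10": ("web-shop", "web"),
    "10.0.1.11": ("web-shop", "web"),
    "10.0.2.20": ("web-shop", "app"),
    "10.0.3.30": ("web-shop", "db"),
    "10.0.9.90": ("vendor-portal", "web"),
}

# Assumed internal address space used to tell east-west from north-south.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed NetFlow-style records: "src dst dport proto bytes".
FLOW_LOG = """\
10.0.1.10 10.0.2.20 8080 tcp 5120
10.0.1.11 10.0.2.20 8080 tcp 4096
10.0.2.20 10.0.3.30 5432 tcp 20480
10.0.9.90 10.0.3.30 5432 tcp 512
10.0.9.90 10.0.2.20 22 tcp 128
203.0.113.5 10.0.1.10 443 tcp 2048
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def label(ip):
    """Map an IP to (application, tier); anything not inventoried is 'unknown'."""
    return INVENTORY.get(ip, ("unknown", "unknown"))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow):
    """East-west when both endpoints are internal, otherwise north-south."""
    return "east-west" if is_internal(flow["src"]) and is_internal(flow["dst"]) else "north-south"


def dependency_map(flows):
    """Aggregate flows into edges keyed by
    (src_app, src_tier, dst_app, dst_tier, proto, dport) with counts and bytes."""
    edges = defaultdict(lambda: {"count": 0, "bytes": 0})
    for f in flows:
        src_app, src_tier = label(f["src"])
        dst_app, dst_tier = label(f["dst"])
        key = (src_app, src_tier, dst_app, dst_tier, f["proto"], f["dport"])
        edges[key]["count"] += 1
        edges[key]["bytes"] += f["bytes"]
    return dict(edges)


def cross_app_edges(edges):
    """Edges crossing an application boundary or touching an unknown endpoint:
    these need an explicit allow decision (or will be dropped by default deny)."""
    return {k: v for k, v in edges.items()
            if k[0] != k[2] or "unknown" in (k[0], k[2])}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for edge, stats in dependency_map(flows).items():
        print(edge, stats)
    print("needs a decision:", list(cross_app_edges(dependency_map(flows))))
    print("north-south flows:", sum(direction(f) == "north-south" for f in flows))
```

Run against real exports (NetFlow/IPFIX, firewall or load-balancer logs), the same aggregation turns millions of records into a few hundred application-to-application edges, which is the level at which tag-based policies are written.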
Move Towards Zero Trust
Microsegmentation and the zero trust architecture go hand in hand. Your attack surface, often seen as your network perimeter, is unmanageable in the current networking boom. Meticulously logging and identifying the “protect surface,” your most valuable segments, gives administrators clear guidelines for the steps to follow.
Your protect surfaces, or as Palo Alto Networks would say, your data, applications, assets, and services (DAAS), are the priorities. These segments are typically crucial to the organization’s survival, compliance-related, or exploitable. Once defined, the work of establishing segmentation gateways or NGFWs begins.
In line with the zero trust framework, the end goal must be whitelisting. With visualization technology to assist in managing policy rules and threats, the result of microsegmentation is a network that denies any anomalies. All traffic is known, tagged, or verified, preventing any potential vulnerabilities related to trust.
Tag Your Workloads
Tagging workloads is the next major upgrade for any organization. While security professionals once wrote IP and subnet-based policies and relied on network constructs such as VLAN/IP/VRFs, those days are becoming a thing of the past.
Identifying and labeling workload tags inside your network is an incredible value-add when considering automated solutions for tagging existing and new application workloads. With the appeal of scalability and expansion of cloud computing, workload tagging allows for formidable security and business agility. Workload tags for organizations often include:
Create a Comprehensive Policy
A comprehensive policy requires strict security policies and threat detection. And in the case of microsegmentation, these policies exist within the network at your micro-perimeters. Features of your entire micro-segmented network of policies must include controls like app-id, user-id, file-based restrictions, URL filtering, and threat prevention.
There is no industry-wide standard for testing your policies before moving to enforcement. Because the nature of zero trust infrastructure and microsegmentation is custom to the network, it is an in-house question of whether it meets your requirements. Not prioritizing a comprehensive policy can leave your team struggling to segment HTTP/2 applications and SSL decryption or at risk of attacks like DNS tunneling.
Enforce Adaptive Policies
While microsegmentation can help establish a clear picture of your existing network, it also needs to be an adaptive solution. This step requires the full vision of threat prevention, malware and phishing, and firewall logs in real-time. With new IPs continually moving in and out of networks, automated tag-based systems are the future.
With automated and machine learning technology, those logs can be filtered at a granular level, and your system can dynamically assign tags to previously unidentified workloads. An example of this might be requiring MFA for an IP address that is labeled compromised.
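To make the three preceding practices concrete (tag-based policies instead of IP/subnet rules, a whitelist that denies everything else, and adaptive tags applied from log events), here is an added example of a small label-based policy engine. It is illustrative code written for this article, not any vendor’s product; the workloads, labels, rules and flows are constructed, and the engine’s monitor mode stands in for the “test before enforce” phase the article says has no industry-wide standard. The adaptive response shown is quarantine of a workload tagged compromised, one possible response alongside the MFA step-up the article mentions.

```python
"""Label-based allow-list (default-deny) policy engine with monitor mode and
adaptive tagging. Added example; all data below is constructed."""
from dataclasses import dataclass


@dataclass
class Workload:
    ip: str
    labels: dict          # e.g. {"app": "web-shop", "tier": "web", "env": "prod"}


@dataclass
class Rule:
    name: str
    src: dict             # label selector; every key/value must match the source
    dst: dict             # label selector for the destination
    proto: str
    dports: set


def selector_matches(selector, labels):
    """True when every label in the selector is present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


class PolicyEngine:
    def __init__(self, workloads, rules, enforce=False):
        self.workloads = {w.ip: w for w in workloads}
        self.rules = rules
        self.enforce = enforce          # False = monitor mode: record, never block
        self.would_deny = []            # flows that enforcement would have blocked

    def labels_for(self, ip):
        w = self.workloads.get(ip)
        return w.labels if w else {"app": "unknown"}   # unlabelled means untrusted

    def tag(self, ip, key, value):
        """Dynamically add or change a label, e.g. from a SIEM or threat-feed event."""
        self.workloads.setdefault(ip, Workload(ip, {"app": "unknown"})).labels[key] = value

    def decide(self, src, dst, proto, dport):
        sl, dl = self.labels_for(src), self.labels_for(dst)
        # Adaptive response: a workload tagged compromised is cut off entirely.
        if sl.get("status") == "compromised" or dl.get("status") == "compromised":
            return "quarantine"
        for r in self.rules:
            if (selector_matches(r.src, sl) and selector_matches(r.dst, dl)
                    and r.proto == proto and dport in r.dports):
                return "allow:" + r.name
        return "deny"   # whitelist model: anything not explicitly permitted is denied

    def evaluate(self, flow):
        """Return the action taken for a (src, dst, proto, dport) flow."""
        verdict = self.decide(*flow)
        if verdict.startswith("allow"):
            return verdict
        if not self.enforce:
            self.would_deny.append((flow, verdict))
            return "allow(monitor:" + verdict + ")"
        return verdict


def make_workloads():
    """Fresh constructed inventory each call, so tagging in one run cannot leak into another."""
    return [
        Workload("10.0.1.10", {"app": "web-shop", "tier": "web", "env": "prod"}),
        Workload("10.0.2.20", {"app": "web-shop", "tier": "app", "env": "prod"}),
        Workload("10.0.3.30", {"app": "web-shop", "tier": "db", "env": "prod"}),
        Workload("10.0.9.90", {"app": "vendor-portal", "tier": "web", "env": "prod"}),
    ]


# Constructed rules: only the two legitimate tier-to-tier paths of web-shop are allowed.
RULES = [
    Rule("web-to-app", {"app": "web-shop", "tier": "web"}, {"app": "web-shop", "tier": "app"}, "tcp", {8080}),
    Rule("app-to-db", {"app": "web-shop", "tier": "app"}, {"app": "web-shop", "tier": "db"}, "tcp", {5432}),
]

# Constructed observed flows: two legitimate, two from the vendor portal reaching inward.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", "tcp", 8080),
    ("10.0.2.20", "10.0.3.30", "tcp", 5432),
    ("10.0.9.90", "10.0.3.30", "tcp", 5432),
    ("10.0.9.90", "10.0.2.20", "tcp", 22),
]


def run_demo():
    """Monitor the flows, then enforce, then react to a compromise event."""
    monitor = PolicyEngine(make_workloads(), RULES, enforce=False)
    monitored = [monitor.evaluate(f) for f in FLOWS]
    enforcing = PolicyEngine(make_workloads(), RULES, enforce=True)
    enforced = [enforcing.evaluate(f) for f in FLOWS]
    enforcing.tag("10.0.1.10", "status", "compromised")   # e.g. a SIEM alert on the web node
    after_tag = enforcing.evaluate(FLOWS[0])
    return {"monitored": monitored, "would_deny": len(monitor.would_deny),
            "enforced": enforced, "after_tag": after_tag}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The monitor run is the review artifact: every entry in `would_deny` is either a legitimate dependency the discovery phase missed (write a rule for it) or a lateral path that should stay closed. Only when that list contains nothing business-critical is the engine switched to enforce.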
Initiate your action plan
In John Friedman and Illumio’s “The Definitive Guide to Micro-Segmentation,” you can get a deep insight into the technical details of why, what, where, when, and how to implement microsegmentation. As for steps to implementation, Mr. Friedman offers twelve that we briefly describe:
| Step | Name | Description |
|---|---|---|
| 1 | Big Bang not required | No quick action is necessary. Approach gradually, with attention to process. |
| 2 | Select the project team | Typically includes: executive, security architect, tech lead, and project management (consider vendor). |
| 3 | Train the team | Educate all team members about the purpose and functionality of microsegmentation. |
| 4 | Design documents and project plan | The leap to a long-term plan for complete microsegmentation execution. |
| 5 | Install microsegmentation solutions | Begin testing microsegmentation on applications with feedback. |
| 6 | Integrate logs, events, and threats | Large-scale rollout integrating log and event management tools to monitor network traffic. |
| 7 | Prioritize application groups | Rank and tag application groups based on security/business priority and ease of microsegmentation. |
| 8 | Discovery and visibility | For each application group, you now repeat the following steps to better understand traffic, model potential policies, and then test policies. Once it’s time to enforce those policies, the rapid response period begins for ensuring all is working as planned. |
| 11 | Be ready to fix problems | |
| 12 | Extend and refine | Once implemented, don’t disband the project team. A post-rollout plan must include accountability for the new system. |
The benefits of microsegmentation are endless when it can prevent or buffer attacks compromising sensitive data and assets. With analysts estimating 70-80% of traffic flows east-west on a flat network, there is nearly a free-range communicate-a-thon between users, applications, and devices playing out in your network. This reality opens the window to malicious actors, who can move laterally from a vendor portal to mission-critical data and systems.
Besides preventing lateral movement in its tracks, implementing microsegmentation is also an efficient use of your organization’s time. Security professionals know the days of protecting the entire attack surface are short. By defining the protect surface, protecting what’s most important becomes palatable while ensuring your security meets all compliance standards.
Mastering your network traffic
Microsegmentation is truly about mastering your network traffic. By visualizing network segments’ connectivity and establishing granular policy and adaptive management around segments, preventing lateral movement is no problem. Of course, the road to complete network microsegmentation is not easy. It requires ample time, planning, and resources to conquer the challenge.
If done right, the benefits of implementing microsegmentation are invaluable.