Firewalls have been in use since the late 1980s to protect networks from external threats. However, these traditional firewalls were designed only to segment the network into a few defined zones: the outside network, where nothing is trusted; the inside network, where everything is trusted; and perhaps one or more demilitarized zones (DMZs) for systems that must communicate with the outside world and therefore need a different set of rules governing what traffic is allowed. Perimeter firewalls are like the walls of a castle: once an intruder is inside, they can move freely and cause a great deal of damage.
By Francis O’Haire, Group Technology Director, Data Solutions
More than 80% of network traffic in a data center is between internal systems, what is called “East-West” traffic. This traffic generally never passes through a firewall, so it is not inspected, and it poses a significant risk once an attacker gets through or bypasses perimeter security: nothing stops lateral movement from a compromised system or device to the others around it. In today’s world, where sensitive data and resources are spread across data centers, branches, clouds, and mobile devices, perimeter security is not enough. There is no clearly defined perimeter anymore.
As things stand, no single security solution can detect and counter every threat. An entirely different approach is to stop threats from reaching a vulnerability in the first place by controlling system access. Threats and vulnerabilities are effectively unbounded; the set of accesses a system permits, by contrast, is finite, measurable, and provable. Controlling that access therefore gives far more robust control over security than chasing individual threats. This is the idea behind Zero Trust: restrict the access a threat can obtain to your systems by removing implicit trust from the environment.
The concept of Zero Trust security was first proposed in 2010 by Forrester Research. It is an architecture in which no system or user, whether inside or outside the corporate network, is trusted without being positively identified and authorized. Achieving true Zero Trust for traffic between all corporate systems is not feasible with traditional firewalls, which are designed to handle only a limited number of security zones or segments. What is needed is micro-segmentation, which can ultimately deliver visibility and control of network activity to and from every device. Micro-segmentation creates controlled segments of isolated workloads within a data center or cloud deployment, so that network security policy can be applied at a much finer granularity; the finer the granularity, the smaller the reach of any single compromised workload. It also offers a strong cost/benefit case: security teams can deploy custom security policies inside a data center using network virtualization technology rather than installing multiple physical firewalls, although, as the approaches below show, network virtualization is not required in every case.
There are different approaches to achieving micro-segmentation with some being more effective than others depending on the environment. Let’s examine each of these approaches in more detail:
1. Agent-based micro-segmentation: As the name suggests, this uses an agent on each host or virtual machine to provide very fine-grained visibility and control. In effect, every host on the network or in the cloud sits inside its own protected bubble with firewall rules appropriate to its role within the infrastructure. Because it is fully software-defined, it is hardware-independent, and it is generally the easiest of the three approaches to deploy and manage, with the caveat that every host to be protected must be able to run the agent.
2. Hypervisor-based micro-segmentation: This achieves similar results, but only for virtualized workloads running on a hypervisor the organization controls, typically on-premises. Because all workload traffic has to pass through the hypervisor’s virtual network components, network isolation and micro-segmentation can be enforced there, providing visibility and segmentation without installing an agent in each Virtual Machine (VM). The available functionality depends on the hypervisor in use, and workloads outside it (bare-metal servers, or VMs on a hypervisor the organization does not control) are not covered.
3. Network-based micro-segmentation: This uses network devices such as switches and firewalls as the enforcement points, relying on subnets, VLANs, or some other tagging technology to carve the network into many segments. Policies are then configured and enforced using IP constructs or ACLs. It is less granular than the other two options, since traffic between devices within the same segment typically never reaches an enforcement point, but it is complementary to them when protecting devices that cannot be virtualized or cannot run an agent, such as IoT devices, medical devices, or industrial control equipment.
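The three approaches above differ mainly in where the policy is enforced and how granular it can be. The following script, added here as an illustration and not code from the author or any vendor product, makes that concrete: it keys a default-deny policy on workload roles rather than addresses, renders the per-host rule set an agent would install (agent-based), and contrasts it with subnet-level enforcement (network-based), where traffic between two hosts in the same segment is never filtered. The inventory, subnets, roles, allowed flows and the nftables-style rule syntax are all constructed assumptions for the example.

```python
"""Label-based micro-segmentation policy compiled to per-host rules.

Added example for this article, not code from the author or any product.
The inventory, subnets, roles and allowed flows are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    role: str          # the label the policy keys on, not an address


@dataclass(frozen=True)
class Flow:
    src_role: str
    dst_role: str
    port: int
    proto: str = "tcp"


# Constructed inventory: web and hr share a /24, app and db each have their own.
INVENTORY = [
    Workload("web-1", "10.0.1.11", "web"),
    Workload("web-2", "10.0.1.12", "web"),
    Workload("hr-1",  "10.0.1.41", "hr"),
    Workload("app-1", "10.0.2.21", "app"),
    Workload("db-1",  "10.0.3.31", "db"),
]

# Allow-list keyed on roles; anything not listed is denied (default-deny East-West).
POLICY = [
    Flow("web", "app", 8080),
    Flow("app", "db", 5432),
]


def by_name(name: str) -> Workload:
    return next(w for w in INVENTORY if w.name == name)


def agent_allows(src: Workload, dst: Workload, port: int, proto: str = "tcp") -> bool:
    """Agent-based enforcement: the host firewall on dst evaluates the flow
    against role labels, so a same-subnet peer gets no implicit trust."""
    return any(f.src_role == src.role and f.dst_role == dst.role
               and f.port == port and f.proto == proto for f in POLICY)


def host_rules(host: Workload) -> List[str]:
    """Render the inbound rule set the agent would install on one host.
    nftables-style syntax is an assumption chosen for readability, not any
    product's format. One accept line per permitted peer, then drop."""
    rules = ["ct state established,related accept"]
    for f in POLICY:
        if f.dst_role != host.role:
            continue
        for peer in INVENTORY:
            if peer.role == f.src_role:
                rules.append(f"ip saddr {peer.ip} {f.proto} dport {f.port} accept")
    rules.append("drop")   # default deny, including for hosts on the same subnet
    return rules


def network_allows(src: Workload, dst: Workload, port: int, proto: str = "tcp") -> bool:
    """Network-based enforcement with one segment per /24. A switch forwards
    intra-subnet traffic without consulting the firewall, so only flows that
    cross a segment boundary are filtered (here, by an ACL derived from the
    same role policy). This is the granularity gap the article describes."""
    same_segment = ip_address(src.ip) in ip_network(f"{dst.ip}/24", strict=False)
    if same_segment:
        return True                      # never reaches an enforcement point
    return agent_allows(src, dst, port, proto)


if __name__ == "__main__":
    web1, hr1, app1, db1 = (by_name(n) for n in ("web-1", "hr-1", "app-1", "db-1"))
    print(agent_allows(web1, app1, 8080))    # True: explicitly permitted
    print(agent_allows(web1, db1, 5432))     # False: web must not reach db directly
    print(agent_allows(web1, hr1, 22))       # False: default deny, even on one subnet
    print(network_allows(web1, hr1, 22))     # True: subnet-level segmentation cannot see it
    print("\n".join(host_rules(app1)))
```

The last two checks are the practical difference between the approaches: with subnet-level segmentation, web-1 and hr-1 can talk on any port because their traffic stays inside one VLAN, whereas the per-host rule set drops it. Running the script also prints the rule set for app-1, which accepts port 8080 only from the two web hosts and drops everything else.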
While micro-segmentation is the foundation for achieving Zero Trust, Zero Trust also depends on other technologies, such as strong identity management and authentication, and on changes to processes within the organization. Ultimately, though, Zero Trust is the way forward for security in today’s multi-cloud, multi-device, and highly dynamic IT infrastructure.
About the Author
Francis O’Haire is the Group Technology Director at Data Solutions, a company renowned in the IT industry for bringing innovative new technologies to the U.K. and Irish markets. He has been with the company since its inception in 1991 and is responsible for Data Solutions’ product development including the identification and evaluation of new technologies. With over 25 years’ experience in the IT industry, including the virtualization, cloud, security, and data communications fields, O’Haire is a technology evangelist and thrives on finding solutions that address real market needs and deliver a return on investment, increased efficiency and lower cost to the end customer. He is a graduate of DIT Kevin Street and holds numerous vendor qualifications.
CISO MAG did not evaluate/test the products mentioned in this article. The facts, opinions, and language in the article are entirely those expressed by the authors and do not reflect the views of CISO MAG.