Mitigate IT Security Risks with Micro-Segmentation and Software Defined Networking

Traditionally, applications in Data Centers are grouped into segments or zones based on their function and are placed in different subnets and VLANs. Each segment is protected by a firewall, and that firewall controls the traffic flow between segments. This approach requires grouping virtual machines or servers with similar functions from different departments and hosting them in a single segment.

The challenge with this approach is that, within a segment, there is no control over the traffic flow between the servers or virtual machines. If a single server is compromised by a security issue, the other servers in that segment are at higher risk because of that lack of control over traffic flow within the segment.


In such a scenario, micro-segmentation adds great value by creating smaller secure segments within a secure segment and by confining security-related risks to those micro-segments.

But implementing micro-segmentation on traditional networks is difficult, due to a lack of agility and the absence of control over traffic flow within a segment.

So how is software-defined networking different from traditional networks in terms of enforcing security, and how does it help implement micro-segmentation?

Software-defined networking brings firewall capabilities close to the virtual machines or servers, either onto the vSwitch of the hypervisor or onto the switch port connecting the hypervisor host, depending on the SDN vendor. It also provides the agility to move security policies dynamically when servers or virtual machines move from one physical location to another. Hence software-defined networks do not require a centralised firewall to control the traffic flow.

If advanced layer 4 to layer 7 firewall capabilities or IPS/IDS functionality are required, software-defined networks support service insertion to redirect the desired traffic from the micro-segments through those devices.

This approach helps create micro-segments within a secure segment. Even though the virtual machines or servers are hosted in a single subnet and VLAN, because they are placed in different micro-segments, the traffic flow between the micro-segments is controlled by security policies.

If a server in a micro-segment is compromised by a security issue, the risk is limited to that micro-segment only and cannot spread to other micro-segments. Some SDN vendors also support creating Zero Trust zones to control the traffic flow within a micro-segment, which ensures that the security issue cannot spread to other servers and only the impacted server is at risk.

To summarize,

  • Without micro-segmentation, if one server is compromised by a security issue, all the servers in that segment are at risk.
  • With micro-segmentation, that risk is limited to the smaller set of servers within that micro-segment.
  • For non-clustered applications such as web servers, implementing Zero Trust within a micro-segment confines the IT security risk to the impacted server only.

In a Data Center, as the number of micro-segments increases, the IT security risk goes down exponentially.

So what does it take to implement micro-segmentation?

  • Capturing and analysing the application traffic flow information.
  • Discovering and grouping servers or virtual machines into micro-segments, and understanding the security policies required to secure them while still allowing the required traffic flow.
  • Generating the policies and configurations required to build these micro-segments and to enforce the required security policies on software-defined networks.
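The three steps above, and the blast-radius comparison in the summary, can be made concrete with a small script. This is an added example, not APPanalyz code: the flow records, host names and segment names are constructed sample data, grouping hosts by the set of ports they are seen serving is one simple discovery heuristic among many, and the rendered allow-list is a hypothetical vendor-neutral text form rather than Cisco ACI or VMware NSX syntax. The `reachable_hosts` function models the enforcement point by computing which hosts a compromised server can still connect to under a flat segment, under micro-segmentation, and under Zero Trust inside the micro-segment.

```python
"""Micro-segment discovery and policy derivation from flow records.

Added example (not APPanalyz code). Flow records and host names are
constructed sample data; the rule format is a hypothetical vendor-neutral
allow-list, not Cisco ACI or VMware NSX syntax.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # initiating host
    dst: str      # serving host
    proto: str
    dport: int    # service port on dst


@dataclass(frozen=True)
class Rule:
    src_seg: str
    dst_seg: str
    proto: str
    dport: int


# Constructed sample: one subnet hosting a load balancer, two web servers,
# two clustered app servers and a database. Only the app tier talks to
# peers in its own tier (port 7000 cluster traffic).
SAMPLE_FLOWS = [
    Flow("lb", "web1", "tcp", 443), Flow("lb", "web2", "tcp", 443),
    Flow("web1", "app1", "tcp", 8080), Flow("web2", "app1", "tcp", 8080),
    Flow("web1", "app2", "tcp", 8080), Flow("web2", "app2", "tcp", 8080),
    Flow("app1", "db1", "tcp", 5432), Flow("app2", "db1", "tcp", 5432),
    Flow("app1", "app2", "tcp", 7000), Flow("app2", "app1", "tcp", 7000),
]


def service_signature(flows):
    """Map each host to the set of (proto, port) services it was seen serving."""
    sig = defaultdict(set)
    for f in flows:
        sig[f.dst].add((f.proto, f.dport))
        sig.setdefault(f.src, set())   # pure clients serve nothing
    return {host: frozenset(s) for host, s in sig.items()}


def discover_segments(flows):
    """Group hosts that serve the same set of ports into one micro-segment."""
    by_sig = defaultdict(list)
    for host, sig in service_signature(flows).items():
        by_sig[sig].append(host)
    segments = {}
    for sig, hosts in by_sig.items():
        if sig:
            name = "seg-" + "_".join(f"{p}{port}" for p, port in sorted(sig))
        else:
            name = "seg-clients"
        segments[name] = sorted(hosts)
    return segments


def segment_of(segments):
    """Reverse map: host -> segment name."""
    return {h: s for s, hosts in segments.items() for h in hosts}


def derive_rules(flows, segments):
    """Lift observed host-to-host flows to segment-to-segment allow rules."""
    seg = segment_of(segments)
    rules = {Rule(seg[f.src], seg[f.dst], f.proto, f.dport) for f in flows}
    return sorted(rules, key=lambda r: (r.src_seg, r.dst_seg, r.proto, r.dport))


def render_policy(rules):
    """Hypothetical vendor-neutral text form of the allow-list (default deny)."""
    lines = [f"allow {r.src_seg} -> {r.dst_seg} {r.proto}/{r.dport}" for r in rules]
    return lines + ["deny any -> any"]


def reachable_hosts(compromised, segments, rules, mode):
    """Hosts a compromised host can still connect to under a policy mode.

    flat       : traditional segment, no control inside the subnet
    microseg   : allow-list between micro-segments, open inside each one
    zero_trust : allow-list everywhere, including inside a micro-segment
    """
    seg = segment_of(segments)
    src_seg = seg[compromised]
    reachable = set()
    for host, dst_seg in seg.items():
        if host == compromised:
            continue
        if mode == "flat":
            reachable.add(host)
        elif mode == "microseg" and dst_seg == src_seg:
            reachable.add(host)
        elif any(r.src_seg == src_seg and r.dst_seg == dst_seg for r in rules):
            reachable.add(host)
    return reachable


if __name__ == "__main__":
    segs = discover_segments(SAMPLE_FLOWS)
    rules = derive_rules(SAMPLE_FLOWS, segs)
    print("\n".join(render_policy(rules)))
    for mode in ("flat", "microseg", "zero_trust"):
        print(mode, "web1 can reach", sorted(reachable_hosts("web1", segs, rules, mode)))
```

Running it shows the point of the summary: a compromised `web1` can reach every other host in the flat subnet, only its own tier plus the app tier once the segment-to-segment allow-list is enforced, and only the app tier's service port once Zero Trust is applied inside the web micro-segment. The clustered app tier keeps its peer traffic under Zero Trust only because the port 7000 flows were observed and turned into an explicit rule, which is why the flow-capture step has to precede policy generation.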

There are NetFlow-based tools that gather and aggregate application traffic flow information. These tools are good at providing traffic classification and bandwidth utilization. But using them for micro-segmentation requires a lot of manual effort, since they were not designed to provide the granular information that micro-segmentation requires.

There is a perception that the security rules on existing firewalls can be used as a reference for building micro-segments. But traditionally, firewall rules were never built to support micro-segmentation, and they cannot provide the required granular information.

To ensure a smooth migration from traditional networks to software-defined networks, and to provide optimal security for the applications hosted on them, an analytics platform is needed that provides an end-to-end solution which includes:

  • gathering and analyzing the application traffic flow information
  • discovering the required micro-segments and security policies
  • building these micro-segments and enforcing the security policies by generating the required configurations

APPanalyz Secure SDN Solution 

APPanalyz Secure SDN provides an end-to-end solution that supports the industry-leading SDN providers Cisco and VMware, helping their customers migrate from traditional networks to software-defined networks and optimize the security of the applications hosted on their SDN platforms.

APPanalyz Secure SDN gathers the application traffic flow information between the various applications on the network, discovers the required micro-segments and the servers or virtual machines belonging to them, and identifies the policies required to secure those micro-segments. It also supports building the micro-segments and enforcing the security policies on Cisco ACI or VMware NSX by generating the required configurations.

We appreciate your time and interest. We are passionate about helping you adopt micro-segmentation and mitigate IT security risks on software-defined networks. For any further queries or questions, please reach us at enquiry@appanalyz.com.