Post on 13-Jan-2017
transcript
TOPICS COVERED
• Migrate applications to a micro-segmented data center
• Define and enforce security policies for East-West traffic
• Manage micro-segmented data center alongside traditional devices
• Identify risk and manage compliance
LEGACY DATA CENTER ARCHITECTURE
[Diagram: Users and Servers sit on one flat internal network; a single Perimeter Firewall separates them from the Outside World and Business partners. North-South traffic crosses the Perimeter Firewall; East-West traffic between users and servers does not.]
4
WHY THIS IS RISKY
• No filtering capabilities controlling east-west traffic
• Allows unrestricted traffic:
  • Between internal users’ desktops/laptops and servers
  • Between servers in different segments
• Once attackers gain a foothold – free lateral movement
5
SEGMENTED DATA CENTER ARCHITECTURE
[Diagram: the internal network is split into a Users Zone, Server Zone 1 and Server Zone 2, with filtering between the zones; the Perimeter Firewall still separates all of them from the Outside World and Business partners.]
6
SEGMENTED = MORE SECURE
• Introduce filtering choke-points between zones
• Allows control of east-west traffic
• Lets organizations restrict lateral movement between zones
• How can we make this a reality?
7
POLL
Which platform do you use to manage your private cloud / virtualized data center?
• VMware
• Microsoft Hyper-V
• OpenStack
• We don't have a virtualized data center
CHALLENGE #1: INTRODUCING CHOKE POINTS
• In traditional data center: a major effort
  • Hardware, cabling, reconfigure switching and routing
• In a virtualized, software-defined, data center:
  • Built-in firewalls as part of the infrastructure
  • No extra hardware needed
  • Software-Defined Networking
10
A ZONING TRADE-OFF
• Traffic inside each zone remains unrestricted
  • For better security, define many small zones
  • “Micro-segmentation”
• But: need policy (rules) between every pair of zones
  • “Allow service X from zone 1 to zone 2”
  • N zones ==> N*N traffic directions
  • For better manageability, define a few large zones
12
CHALLENGE #3: FILTERING POLICY BETWEEN ZONES
• Traffic inside each zone is unfiltered: allowed
• … traffic between zones must be explicitly allowed by policy
• Goal: write policy to allow legitimate zone-crossing traffic
• Challenge: discover and characterize this traffic
• Did you know: VMware NSX’s default policy is “allow all”
  • Works around the challenge
  • … But is completely insecure
13
THE BUSINESS-APPLICATION PERSPECTIVE
• East-West traffic is generated by business applications
• Each business application has:
  • Servers supporting it
  • Clients accessing it
• Business application connectivity requirements:
  • Server-to-server traffic flows
  • Client-to-server traffic flows
15
SEGMENTATION FOR BUSINESS APPLICATIONS
• Human-accessible systems: in a separate zone from servers
  • Desktops / Laptops / Smartphones
• Servers of an application that communicate with each other: in the same zone
• Infrastructure servers that support multiple applications: in a dedicated zone
16
PLANNING NETWORK SEGMENTATION: BLUEPRINT
• Discover business applications’ connectivity requirements
• Select number of zones, and their characterization
• Based on applications’ flows, assign subnets to zones
• Write filtering policy (rules) allowing zone-crossing flows
  • Avoid breaking business applications’ connectivity
17
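The blueprint above (discover flows, assign subnets to zones, write rules only for the flows that cross zones) together with the N zones ==> N*N trade-off, worked through as an added Python example. This is not code from the deck or from AlgoSec's products; the subnets, zone names and flow records are constructed sample data standing in for what a discovery step (NetFlow, firewall logs or application documentation) would return.

```python
"""Plan zone-crossing filtering rules from discovered East-West flows.

Added example, not AlgoSec's code. ZONES and FLOWS below are constructed
sample data; the flow records imitate the output of a discovery step.
"""
import ipaddress
from collections import defaultdict

# Constructed zoning: subnet -> zone (blueprint step "assign subnets to zones")
ZONES = {
    "10.1.0.0/16": "users",       # desktops/laptops: separate zone from servers
    "10.2.1.0/24": "app-crm",     # CRM web servers
    "10.2.2.0/24": "app-crm",     # CRM app servers: same zone, they talk to each other
    "10.3.0.0/24": "infra",       # DNS/AD/NTP used by several applications
}
NETWORKS = [(ipaddress.ip_network(c), z) for c, z in ZONES.items()]

# Constructed discovered flows: (src_ip, dst_ip, service)
FLOWS = [
    ("10.1.5.20", "10.2.1.10", "tcp/443"),   # user -> CRM web
    ("10.1.7.8",  "10.2.1.10", "tcp/443"),   # another user, same requirement
    ("10.2.1.10", "10.2.2.10", "tcp/8443"),  # CRM web -> CRM app (intra-zone)
    ("10.2.2.10", "10.3.0.5",  "udp/53"),    # CRM app -> DNS
    ("10.1.5.20", "10.3.0.5",  "udp/53"),    # user -> DNS
    ("10.1.5.20", "10.2.2.10", "tcp/22"),    # user -> CRM app: crosses zones
]


def zone_of(ip):
    """Longest-prefix match of one address to its zone; None if unassigned."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, zone in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def plan_rules(flows):
    """Return ({(src_zone, dst_zone): set(services)}, intra_zone_count).

    Traffic inside a zone is unfiltered, so intra-zone flows need no rule;
    every distinct zone-crossing (src_zone, dst_zone, service) becomes one
    "allow service X from zone A to zone B" rule.
    """
    rules = defaultdict(set)
    intra = 0
    for src, dst, svc in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            # An unzoned address means the zoning step is incomplete.
            raise ValueError(f"unzoned address in flow {src} -> {dst}")
        if sz == dz:
            intra += 1
        else:
            rules[(sz, dz)].add(svc)
    return dict(rules), intra


def zone_pair_budget(zone_names):
    """N zones -> N*N directed zone pairs the policy may have to cover."""
    n = len(set(zone_names))
    return n * n


if __name__ == "__main__":
    rules, intra = plan_rules(FLOWS)
    for (sz, dz), svcs in sorted(rules.items()):
        for svc in sorted(svcs):
            print(f"allow {svc} from zone {sz} to zone {dz}")
    print(f"{intra} intra-zone flow(s) need no rule")
    print(f"{zone_pair_budget(ZONES.values())} directed zone pairs to consider")
```

With three zones the budget is 9 directed pairs, but only three of them actually carry discovered traffic; merging the two CRM subnets into one zone is what keeps the web-to-app flow off the rule list, which is the manageability side of the trade-off.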
IS YOUR ORGANIZATION WELL-DISCIPLINED?
If:
• All applications are documented
• Applications’ connectivity requirements are documented
• Documentation is machine readable
Then “discovery” is easy!
• What if documentation is missing / outdated?
19
MAINTENANCE OF THE SEGMENTATION
• Zoning remains stable over time
• … but application connectivity requirements evolve
• … so filtering policies need to change over time
• Need application-aware and segmentation-aware change management process
• Need visibility that filtering policies comply with zoning
39
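The "visibility that filtering policies comply with zoning" point, as an added Python example that is not code from the deck or from AlgoSec: it audits a constructed rule set against a constructed zoning and connectivity matrix (the documented "connectivity spreadsheet"). It flags allow rules that open a zone-crossing service the matrix does not document, including a rule whose "any" source spans several zones, and it lists matrix entries that no allow rule covers, which is the business connectivity a change would break.

```python
"""Check that a filtering policy complies with the zoning and the connectivity matrix.

Added example, not AlgoSec's code. ZONES, MATRIX and RULES are constructed
sample data.
"""
import ipaddress

ZONES = {  # constructed zoning: subnet -> zone
    "10.1.0.0/16": "users",
    "10.2.0.0/16": "app-crm",
    "10.3.0.0/24": "infra",
}
NETWORKS = [(ipaddress.ip_network(c), z) for c, z in ZONES.items()]

# Constructed connectivity matrix: (src_zone, dst_zone) -> documented services
MATRIX = {
    ("users", "app-crm"): {"tcp/443"},
    ("app-crm", "infra"): {"udp/53"},
    ("users", "infra"): {"udp/53"},
}

# Constructed firewall rules as deployed: (src_cidr, dst_cidr, service, action)
RULES = [
    ("10.1.0.0/16", "10.2.0.0/16", "tcp/443", "allow"),
    ("10.2.0.0/16", "10.3.0.0/24", "udp/53", "allow"),
    ("10.1.0.0/16", "10.2.0.0/16", "tcp/3389", "allow"),  # not in the matrix
    ("0.0.0.0/0", "10.3.0.0/24", "tcp/22", "allow"),      # "any" source spans zones
    ("10.1.0.0/16", "10.3.0.0/24", "udp/53", "deny"),     # blocks a documented flow
]


def zones_covered(cidr):
    """All zones a rule's CIDR overlaps; a broad CIDR may span several zones."""
    net = ipaddress.ip_network(cidr)
    return {z for n, z in NETWORKS if n.overlaps(net)}


def audit(rules, matrix):
    """Return (violations, gaps).

    violations: allow rules that permit a zone-crossing service the matrix does
                not document, one entry per (src_zone, dst_zone) the rule spans.
    gaps: matrix entries no allow rule covers, i.e. documented application
          connectivity that the deployed policy would break.
    """
    violations, covered = [], set()
    for src, dst, svc, action in rules:
        if action != "allow":
            continue
        for sz in zones_covered(src):
            for dz in zones_covered(dst):
                if sz == dz:
                    continue  # intra-zone traffic is unrestricted by design
                if svc in matrix.get((sz, dz), set()):
                    covered.add((sz, dz, svc))
                else:
                    violations.append((src, dst, svc, sz, dz))
    gaps = [(sz, dz, svc) for (sz, dz), svcs in matrix.items()
            for svc in svcs if (sz, dz, svc) not in covered]
    return violations, gaps


if __name__ == "__main__":
    violations, gaps = audit(RULES, MATRIX)
    for src, dst, svc, sz, dz in violations:
        print(f"VIOLATION rule {src} -> {dst} {svc} opens {sz} -> {dz} beyond the matrix")
    for sz, dz, svc in gaps:
        print(f"GAP matrix requires {svc} from {sz} to {dz}, no allow rule covers it")
```

Run the same audit before a change is implemented (the "what-if" check) by passing the proposed rule set instead of the deployed one; the `0.0.0.0/0` rule shows why a source or destination must be resolved to every zone it overlaps rather than to a single zone.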
NORTH-SOUTH TRAFFIC
• Hybrid network:
  • Software-defined data center
  • Traditional networking outside the data center
• Application connectivity is also north-south
• Goal: Single change workflow for all filtering technologies
44
• Identical for North-South and East-West
• Indifferent to network technology
• Abstracts away filtering device details
45
• AlgoSec Standard risks +
• User-defined risks +
• Connectivity spreadsheet violations
• What-if risk check, before changes are implemented
49
POLL
What are your plans for filtering East-West traffic?
• Already implemented
• Planning to implement over the next 6 months
• Planning to implement over the next 6-12 months
• No plans
SUMMARY
Plan
• Discover business applications’ connectivity requirements
• Design zoning, write policy for zone-crossing flows
• Document in connectivity matrix
Maintain
• Visibility, automated comparison to connectivity matrix
• Segmentation-aware change process
51