Date post: 13-Jan-2017
Upload: adi-gazit-blecher
HOW TO MIGRATE AND MANAGE SECURITY POLICIES IN A SEGMENTED DATA CENTER

TOPICS COVERED

• Migrate applications to a micro-segmented data center

• Define and enforce security policies for East-West traffic

• Manage micro-segmented data center alongside traditional devices

• Identify risk and manage compliance

THE BASICS

LEGACY DATA CENTER ARCHITECTURE

[Diagram: Users and Servers inside the data center; Outside World / Business partners beyond the Perimeter Firewall; East-West traffic vs. North-South traffic]

WHY THIS IS RISKY

• No filtering capabilities controlling east-west traffic

• Allows unrestricted traffic:

  • Between internal users’ desktops/laptops and servers

  • Between servers in different segments

• Once attackers gain a foothold – free lateral movement


SEGMENTED DATA CENTER ARCHITECTURE

[Diagram: Users Zone, Server Zone 1 and Server Zone 2 inside the data center; Outside World / Business partners beyond the Perimeter Firewall]

SEGMENTED = MORE SECURE

• Introduce filtering choke-points between zones

• Allows control of east-west traffic

• Lets organizations restrict lateral movement between zones

• How can we make this a reality?


POLL

Which platform do you use to manage your private cloud / virtualized data center?

• VMware

• Microsoft Hyper-V

• OpenStack

• We don't have a virtualized data center

SEGMENTATION CHALLENGES

CHALLENGE #1: INTRODUCING CHOKE POINTS

• In a traditional data center: a major effort

  • Hardware, cabling, reconfigure switching and routing

• In a virtualized, software-defined data center:

  • Built-in firewalls as part of the infrastructure

  • No extra hardware needed

  • Software-Defined Networking

CHALLENGE #2: ZONING

• How many zones to define?

• Which subnets should reside in each zone?


A ZONING TRADE-OFF

• Traffic inside each zone remains unrestricted

  • For better security, define many small zones

    • “Micro-segmentation”

• But: need policy (rules) between every pair of zones

  • “Allow service X from zone 1 to zone 2”

  • N zones ==> N*N traffic directions

• For better manageability, define a few large zones

CHALLENGE #3: FILTERING POLICY BETWEEN ZONES

• Traffic inside each zone is unfiltered: allowed

• … traffic between zones must be explicitly allowed by policy

• Goal: write policy to allow legitimate zone-crossing traffic

• Challenge: discover and characterize this traffic

• Did you know: VMware NSX’s default policy is “allow all”

  • Works around the challenge

  • … But is completely insecure

APPLICATION-AWARE SEGMENTATION

THE BUSINESS-APPLICATION PERSPECTIVE

• East-West traffic is generated by business applications

• Each business application has:

  • Servers supporting it

  • Clients accessing it

• Business application connectivity requirements:

  • Server-to-server traffic flows

  • Client-to-server traffic flows

SEGMENTATION FOR BUSINESS APPLICATIONS

• Human-accessible systems (desktops / laptops / smartphones): in a separate zone from servers

• Servers of an application that communicate with each other: in the same zone

• Infrastructure servers that support multiple applications: in a dedicated zone

PLANNING NETWORK SEGMENTATION: BLUEPRINT

• Discover business applications’ connectivity requirements

• Select number of zones, and their characterization

• Based on applications’ flows, assign subnets to zones

• Write filtering policy (rules) allowing zone-crossing flows

  • Avoid breaking business applications’ connectivity

DISCOVERY

IS YOUR ORGANIZATION WELL-DISCIPLINED?

If:

• All applications are documented

• Applications’ connectivity requirements are documented

• Documentation is machine readable

Then “discovery” is easy!

• What if documentation is missing / outdated?

DISCOVERY FROM TRAFFIC


DISCOVERY RESULTS: ANALYTICS ON SNIFFED TRAFFIC


ZONE-CROSSING TRAFFIC: HIGH LEVEL POLICY

DOCUMENT: THE CONNECTIVITY MATRIX

Allowed traffic between every pair of zones
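Discovery from sniffed traffic and the connectivity matrix it feeds, as an added example that is not part of the webinar or of the AlgoSec suite: the zone names, subnets and flow records are all constructed. It maps each flow's endpoints to zones, skips intra-zone flows (unfiltered by design) and aggregates the rest into the allowed-service set per zone pair, setting aside flows that touch an address outside every zone.

```python
import ipaddress
from collections import defaultdict

# Hypothetical zoning decision: subnet -> zone name.
ZONES = {
    "10.1.0.0/16": "Users",
    "10.2.1.0/24": "CRM-App",
    "10.2.2.0/24": "CRM-DB",
    "10.9.0.0/24": "Infra",
}
ZONE_NETS = [(ipaddress.ip_network(n), z) for n, z in ZONES.items()]

def zone_of(ip):
    """Zone an address was assigned to, or None if it falls outside all zones."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_NETS:
        if addr in net:
            return zone
    return None

# Constructed sample of sniffed flow records: (src_ip, dst_ip, proto, dst_port).
FLOWS = [
    ("10.1.5.20", "10.2.1.10", "tcp", 443),   # user desktop -> CRM web
    ("10.1.5.21", "10.2.1.10", "tcp", 443),
    ("10.2.1.10", "10.2.2.10", "tcp", 1433),  # CRM web -> CRM database
    ("10.2.1.10", "10.2.1.11", "tcp", 8080),  # intra-zone: not in the matrix
    ("10.2.1.10", "10.9.0.5", "udp", 53),     # app servers -> shared DNS
    ("10.2.2.10", "10.9.0.5", "udp", 53),
    ("10.1.5.20", "10.2.2.10", "tcp", 1433),  # user -> database directly
    ("172.16.0.9", "10.2.1.10", "tcp", 443),  # source outside every zone
]

def connectivity_matrix(flows):
    """Aggregate zone-crossing flows into {(src_zone, dst_zone): {service}}.
    Intra-zone flows are skipped because traffic inside a zone is unfiltered;
    flows touching an unzoned address are collected under the key "unzoned"."""
    matrix = defaultdict(set)
    for src, dst, proto, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            matrix["unzoned"].add(f"{src}->{dst} {proto}/{port}")
        elif sz != dz:
            matrix[(sz, dz)].add(f"{proto}/{port}")
    return dict(matrix)

if __name__ == "__main__":
    for key, services in connectivity_matrix(FLOWS).items():
        print(key, sorted(services))
```

A zone pair that exists only because of a questionable flow (here Users -> CRM-DB on tcp/1433) still lands in the matrix, so the output is a discovery result to review before any of it is written into policy.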


ZOOM IN: FROM/TO THE PEER DMZ


DEMONSTRATION OF MICRO-SEGMENTATION WITH THE ALGOSEC SUITE

IMPORT INTO BUSINESSFLOW


VISIBILITY


ENFORCING MICRO-SEGMENTATION


MAINTENANCE OF THE SEGMENTATION

• Zoning remains stable over time

• … but application connectivity requirements evolve

• … so filtering policies need to change over time

• Need application-aware and segmentation-aware change management process

• Need visibility that filtering policies comply with zoning


CONNECTIVITY SPREADSHEET


SEGMENTATION-AWARE CHANGE PROCESS

NORTH-SOUTH TRAFFIC

• Hybrid network:

  • Software-defined data center

  • Traditional networking outside the data center

• Application connectivity is also north-south

• Goal: Single change workflow for all filtering technologies


• Identical for North-South and East-West

• Indifferent to network technology

• Abstracts away filtering device details

• Outside data center (traditional)


• Inside data center (virtualized)


• AlgoSec standard risks + user-defined risks + connectivity spreadsheet violations

• What-if risk check, before changes are implemented

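A what-if check of a proposed allow rule against the connectivity matrix, as an added example that is not taken from the webinar or the AlgoSec suite; the zones, the matrix and the candidate rules are constructed. It flags the change when any zone pair the rule's address objects span is not permitted for that service, treats intra-zone traffic as unfiltered, and reports address objects that lie outside every defined zone.

```python
import ipaddress

# Hypothetical zoning: subnet -> zone. Rules reference hosts or subnets.
ZONES = {
    "10.1.0.0/16": "Users",
    "10.2.1.0/24": "CRM-App",
    "10.2.2.0/24": "CRM-DB",
}
ZONE_NETS = [(ipaddress.ip_network(n), z) for n, z in ZONES.items()]

# Hypothetical connectivity matrix: allowed services per zone pair.
MATRIX = {
    ("Users", "CRM-App"): {"tcp/443"},
    ("CRM-App", "CRM-DB"): {"tcp/1433"},
}

def zones_covered(cidr):
    """Zones a rule's address object touches; a wide object may span several."""
    net = ipaddress.ip_network(cidr)
    return {z for n, z in ZONE_NETS if net.overlaps(n)}

def what_if(rule):
    """Check a proposed allow rule against the matrix before it is pushed.
    rule = (src_cidr, dst_cidr, service). Returns a list of violation strings;
    an empty list means the change is consistent with the segmentation."""
    src, dst, svc = rule
    violations = []
    src_zones, dst_zones = zones_covered(src), zones_covered(dst)
    if not src_zones or not dst_zones:
        violations.append(f"{src}->{dst}: address outside any defined zone")
    for sz in src_zones:
        for dz in dst_zones:
            if sz == dz:
                continue  # intra-zone traffic is unfiltered by design
            if svc not in MATRIX.get((sz, dz), set()):
                violations.append(f"{sz}->{dz} {svc} not in connectivity matrix")
    return violations

if __name__ == "__main__":
    # Constructed change requests: one consistent, one direct user-to-DB
    # access, one with an over-broad source object spanning three zones.
    for rule in [("10.1.5.0/24", "10.2.1.10/32", "tcp/443"),
                 ("10.1.0.0/16", "10.2.2.10/32", "tcp/1433"),
                 ("10.0.0.0/8", "10.2.2.10/32", "tcp/1433")]:
        print(rule, what_if(rule) or "OK")
```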

POLL

What are your plans for filtering East-West traffic?

• Already implemented

• Planning to implement over the next 6 months

• Planning to implement over the next 6-12 months

• No plans

SUMMARY

Plan

• Discover business applications’ connectivity requirements

• Design zoning, write policy for zone-crossing flows

• Document in connectivity matrix

Maintain

• Visibility, automated comparison to connectivity matrix

• Segmentation-aware change process


MORE RESOURCES


Meet us at VMworld – booth 658!

