Micro-segmentation allows you to create a “Zero Trust” security zone around a specific set of resources. At its heart, micro-segmentation is a per-server firewall: it denies all traffic unless there is an explicit allow. For systems to communicate, you must place them in groups that are allowed to talk to each other over specifically defined ports. You can define these groups by workload, by system, or even by application.
“How is this different from a regular firewall?” Traditionally, firewalls are built to protect North/South traffic. This goes back to the concept of building a bigger fortress: in the past, companies believed that by having a big enough firewall they would be protected from attackers. With the rise of malware, spyware, botnets, phishing, and even sophisticated viruses, the traditional N/S firewall approach falls short (just look at Sony, Target, Home Depot, etc.). Companies are now looking to enhance their security by protecting East/West traffic. Micro-segmentation protects a company once an attacker gets inside the network. For example, previously, if an attacker was on a subnet or VLAN, they would be able to connect to every endpoint on that segment. Now that attacker can only connect to explicitly defined resources on explicitly defined ports. This is a significant reduction in the overall risk.
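The default-deny, group-to-group model described above is easy to reason about in code. The following is an added example, not code from the original post or from any micro-segmentation product: it models a three-tier application whose hosts all share one VLAN, a small set of allow rules, and an evaluator that answers "may this flow happen?" with deny as the default. Host names, addresses, group names and rules are all constructed for the illustration.

```python
"""Toy model of a micro-segmentation policy: every flow is denied unless an
explicit rule allows it between two named groups on a specific port.
Added example with constructed host names, addresses, groups and rules;
not code from any product mentioned on the page."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    proto: str = "tcp"


class Policy:
    def __init__(self, groups, rules):
        self.groups = groups  # {group name: {host name, ...}}
        self.rules = rules    # [Rule, ...]; anything not listed is denied

    def groups_of(self, host):
        return {g for g, members in self.groups.items() if host in members}

    def is_allowed(self, src, dst, port, proto="tcp"):
        """Default deny: True only if a rule matches the source group,
        the destination group, the destination port and the protocol."""
        src_groups = self.groups_of(src)
        dst_groups = self.groups_of(dst)
        return any(
            r.src_group in src_groups
            and r.dst_group in dst_groups
            and r.port == port
            and r.proto == proto
            for r in self.rules
        )

    def evaluate(self, flows):
        """Return [(flow, 'ALLOW' | 'DENY')] for (src, dst, port, proto) tuples."""
        return [(f, "ALLOW" if self.is_allowed(*f) else "DENY") for f in flows]

    def reachable_from(self, hosts, src):
        """Every (host, port) that `src` may open a connection to, considering
        only the ports that appear in the rule set (all others are denied)."""
        ports = {(r.port, r.proto) for r in self.rules}
        return sorted(
            (h, port)
            for h in hosts
            if h != src
            for port, proto in ports
            if self.is_allowed(src, h, port, proto)
        )


def same_subnet(ip_a, ip_b, prefix):
    """True if both addresses fall inside the given network (e.g. one VLAN)."""
    net = ipaddress.ip_network(prefix)
    return ipaddress.ip_address(ip_a) in net and ipaddress.ip_address(ip_b) in net


# Constructed inventory: a three-tier application with every host on the
# same /24 VLAN, so a traditional N/S firewall would never see these flows.
HOSTS = {"web01": "10.0.1.10", "web02": "10.0.1.11",
         "app01": "10.0.1.20", "db01": "10.0.1.30"}
GROUPS = {"web": {"web01", "web02"}, "app": {"app01"}, "db": {"db01"}}
RULES = [Rule("web", "app", 8080), Rule("app", "db", 3306)]
POLICY = Policy(GROUPS, RULES)

# Constructed flows, including ones that the policy should not permit.
SAMPLE_FLOWS = [
    ("web01", "app01", 8080, "tcp"),  # legitimate tier-to-tier call
    ("web01", "db01", 3306, "tcp"),   # web tier bypassing the app tier
    ("web01", "web02", 22, "tcp"),    # lateral move inside the web tier
    ("app01", "db01", 22, "tcp"),     # right groups, wrong port
]

if __name__ == "__main__":
    for (src, dst, port, proto), verdict in POLICY.evaluate(SAMPLE_FLOWS):
        shared = same_subnet(HOSTS[src], HOSTS[dst], "10.0.1.0/24")
        print(f"{src} -> {dst} {proto}/{port}: {verdict} (same VLAN: {shared})")
    print("web01 can reach:", POLICY.reachable_from(HOSTS, "web01"))
```

The point to notice is that `same_subnet` returns True for every pair of hosts, yet only the first flow is allowed: being on the same VLAN buys nothing, and `reachable_from` shows that a compromised `web01` can only ever open `app01:8080`. In a real deployment the `Policy` object is the distributed firewall and `GROUPS` is populated from tags or inventory rather than a literal dictionary.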
Micro-segmentation can be easier to manage because you don’t have a centralized firewall. Some customers can have thousands of lines of rules, and that extensive rule base can be difficult to troubleshoot. Worse, trying to use a North/South firewall to secure every packet would require massive firewalls. Every firewall is sized (or should be sized) for a number of concurrent connections; as we increase those connections, the free headroom on the firewall is reduced. If we enable “Next Generation Firewall” services (AKA UTM) that check for malware, spyware, botnets, antivirus, web filtering, and even NetFlow, we have even less headroom. The end result could be replacing your firewalls or increasing your complexity.
Companies looking to implement micro-segmentation must know every port on every resource in order to build an application or resource profile. This is a non-trivial task given the extensive interdependencies, especially around SOA applications. It means companies must spend time mapping out their applications and their dependencies.
There are some resources out there to help you with this planning. Riverbed has a great dependency mapping tool which has a free evaluation version. http://www.riverbed.com/products/performance-management-control/application-performance-management/dependency-mapping.html
VMware’s Application Discovery Manager is being rebranded to vCenter Infrastructure Navigator. Your VMware Partner should be able to help you here. http://www.vmware.com/products/application-discovery-manager/overview
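The dependency-mapping tools above do the same basic thing at scale: watch what actually talks to what, then turn that into an application profile. The following is an added example, not the post's code and not how either vendor's product works internally: it reads a constructed flow export, maps each address to a tier using a constructed inventory, counts the distinct group-to-group-on-port dependencies, and proposes candidate allow rules while setting aside flows to addresses nobody has inventoried. The log format, addresses and tier names are assumptions made for the illustration.

```python
"""Build an application dependency profile from observed flows, as a starting
point for micro-segmentation allow rules.  Added example; the flow records,
addresses, log format and group inventory below are all constructed."""
from collections import Counter

# Constructed inventory: which IP belongs to which host and tier.
INVENTORY = {
    "10.0.1.10": ("web01", "web"),
    "10.0.1.11": ("web02", "web"),
    "10.0.1.20": ("app01", "app"),
    "10.0.1.30": ("db01", "db"),
}

# Constructed flow export, one record per line:
# "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
FLOW_LOG = """\
1700000001 10.0.1.10 10.0.1.20 8080 tcp
1700000002 10.0.1.11 10.0.1.20 8080 tcp
1700000003 10.0.1.20 10.0.1.30 3306 tcp
1700000004 10.0.1.20 10.0.1.30 3306 tcp
1700000005 10.0.1.10 10.0.1.30 3306 tcp
1700000006 10.0.1.20 10.0.1.99 389 tcp
"""


def parse_flows(text):
    """Parse the export into (src_ip, dst_ip, dst_port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, proto = line.split()
        flows.append((src, dst, int(port), proto))
    return flows


def build_profile(flows, inventory):
    """Return (profile, unmapped).

    profile counts observed flows per (src_group, dst_group, port, proto);
    unmapped lists flows touching an address absent from the inventory,
    which cannot be placed in a group and need a human to look at them."""
    profile = Counter()
    unmapped = []
    for src, dst, port, proto in flows:
        if src not in inventory or dst not in inventory:
            unmapped.append((src, dst, port, proto))
            continue
        profile[(inventory[src][1], inventory[dst][1], port, proto)] += 1
    return profile, unmapped


def propose_rules(profile, min_count=1):
    """Candidate allow rules: one per distinct group pair and port that was
    seen at least min_count times during the observation window."""
    return sorted(key for key, n in profile.items() if n >= min_count)


def render(rules, profile):
    """Human-readable rule lines with the evidence behind each one."""
    return [
        f"allow {s} -> {d} {proto}/{port} (seen {profile[(s, d, port, proto)]}x)"
        for s, d, port, proto in rules
    ]


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    profile, unmapped = build_profile(flows, INVENTORY)
    for line in render(propose_rules(profile), profile):
        print(line)
    for flow in unmapped:
        print("needs inventory:", flow)
```

Two things in the output deserve a second look before anything becomes policy: the single `web -> db tcp/3306` flow (a real dependency the app team forgot, or a misconfiguration that the new policy should deliberately break?) and the flow to `10.0.1.99`, which nobody has assigned to a group. Raising `min_count` filters out one-off noise, but it also hides rare legitimate flows such as a monthly batch job, so the observation window has to be long enough to cover them.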
Robert Illing is a Field Solution Executive focused on helping organizations modernize their Data Centers.