Context, Visibility and Containment – NSX Securing “Anywhere” Part V

Welcome to part 5 of the Micro-Segmentation Defined– NSX Securing “Anywhere”  blog series. Previous topics covered in this series includes

• Part I –    Micro-segmentation Defined
• Part II –  Securing Physical Environments
• Part III – Operationalizing Micro-segmentation
• Part IV – Service Insertion

In this post we describe how NSX micro-segmentation enables fundamental changes to security architectures which in turn facilitate the identification of breaches:

• By increasing visibility throughout the SDDC, eliminating all blind spots
• By making it feasible and simple to migrate to a whitelisting / least privileges / zero-trust security model
• By providing rich contextual events and eliminating false positives to SIEMs
• By providing inherent containment even for Zero Day attacks

Threat analysis is the new trend of the security landscape and established vendors as well as startups are proposing many tools to complement the current perimeter logging approach.  The attraction for these tools is based on the assumption that by correlating flows from different sources within a perimeter, threat contexts will emerge and compromised systems will be uncovered.  Currently, these systems go unnoticed for long periods of times because the suspicious traffic moves laterally inside the perimeter and does not traverse a security device: you can’t Continue reading

“Split and smear” your security policies: Static Unidimensional vs. Dynamic Multi-Dimensional Policies

In my previous post I explained why current security architectures aiming at inspecting all inline traffic via hardware appliances are failing to provide proper segmentation and scale in modern day data centers.  As I described, this has nothing to do with the type of security technology being deployed but rather with engineering security services that can answer the requirements of scale, high bandwidth, micro-segmentation and distributed applications.

We have to remind ourselves why we are having these architectural discussions: the application and service landscape has been virtualized, generally in excess of 70%, while entertaining any cloud solution will force you down the path of moving to 100% virtualization.  Yes, there are still physical servers and legacy applications to which we will extend security services to.  But instead of being the norm, we now have to consider their place in the overall architecture as exceptions and design security and networking services around what makes up the bulk of the workloads, i.e. virtualized applications in the form of VMs and containers.

With this understanding, let’s discuss how years of deploying hardware security architectures have boxed us in a complex unidimensional, sequential approach to security policies and how we can now move beyond this implementation scheme with virtualization and the proper software tools. Continue reading

VMware NSX and Split and Smear Micro-Segmentation

While external perimeter protection requirements will most likely command hardware acceleration and support for the foreseeable future, the distributed nature of the services inside the data center calls for a totally different set of specifications.

Some vendors have recently claimed they can achieve micro-segmentation at data center scale while maintaining a hardware architecture. As I described in my recent article in Network Computing, this is unlikely because you have to factor in speed and capacity.

To quickly recap the main points describing the model in the article:

• Our objective is for all security perimeters to have a diameter of one—i.e. deploying one security function for each service or VM in the data center—if we want to granularly apply policies and limit successful attacks from propagating laterally within a perimeter. A larger diameter implies we chose to ignore all inter-service communications within that perimeter.

• This objective is impossible to achieve with our traditional hardware-based perimeters: The service densities and the network speeds found in current data center designs overrun any hardware-based inline inspection models.

• The solution resides in “splitting and smearing” security functions across thousands of servers. This requires an operational model capable of managing large scale distributed functions Continue reading