migrating and managing security policies in a segmented data center
TRANSCRIPT
MIGRATING & MANAGING SECURITY POLICIES IN A SEGMENTED DATA CENTER
AVISHAI WOOL, CTO
TOPICS COVERED
01 Defining and enforcing security policies for East-West traffic
02 Managing a micro-segmented data center alongside traditional devices
03 Migrating applications to a micro-segmented data center
04 Identifying risk and managing compliance
05 Q&A and Summary
THE BASICS
LEGACY DATA CENTER ARCHITECTURE
[Diagram: users and servers share one flat internal network; the only filtering point is the perimeter firewall facing the outside world and business partners. East-West traffic (user-to-server, server-to-server) stays inside and never crosses a filter; North-South traffic crosses the perimeter firewall.]
WHY THIS IS RISKY
• No filtering capabilities controlling east-west traffic
• Allows unrestricted traffic:
  • Between internal users’ desktops/laptops and servers
  • Between servers in different segments
• Once attackers gain a foothold – free lateral movement
SEGMENTED DATA CENTER ARCHITECTURE
[Diagram: the internal network is split into a Users Zone, Server Zone 1 and Server Zone 2, with filtering between the zones; the perimeter firewall still faces the outside world and business partners.]
SEGMENTED = MORE SECURE
• Introduce filtering choke-points between zones
• Allows control of east-west traffic
• Lets organizations restrict lateral movement between zones
• How can we make this a reality?
Which platform do you use to manage your private cloud / virtualized data center?
• VMware NSX
• Cisco ACI
• Microsoft Hyper-V
• Other
• We don't have a virtualized data center
POLL
Please vote using the “votes from audience” tab in your BrightTALK panel
SEGMENTATION CHALLENGES
CHALLENGE #1: INTRODUCING CHOKE POINTS
• In the traditional data center: a major effort
  • Hardware, cabling, reconfigure switching and routing
• In a virtualized, software-defined data center:
  • Built-in firewalls as part of the infrastructure
  • No extra hardware needed
• Software-Defined Networking ✓
CHALLENGE #2: ZONING
• How many zones to define?
• Which subnets should reside in each zone?
A ZONING TRADE-OFF
• Traffic inside each zone remains unrestricted
  • For better security, define many small zones
  • “Micro-segmentation”
• But: need policy (rules) between every pair of zones
  • “Allow service X from zone 1 to zone 2”
  • N zones ==> N×(N−1) ordered zone pairs, i.e. on the order of N² traffic directions that each need rules
• For better manageability, define a few large zones
CHALLENGE #3: FILTERING POLICY BETWEEN ZONES
• Traffic inside each zone is unfiltered: allowed
• … traffic between zones must be explicitly allowed by policy
• Goal: write policy to allow legitimate zone-crossing traffic
• Challenge: discover and characterize this traffic
• Did you know: VMware NSX’s default policy is “allow all”
  • Works around the challenge
  • … but is completely insecure
APPLICATION-AWARE SEGMENTATION
THE BUSINESS-APPLICATION PERSPECTIVE
• East-West traffic is generated by business applications
• Each business application has:
  • Servers supporting it
  • Clients accessing it
• Business application connectivity requirements:
  • Server-to-server traffic flows
  • Client-to-server traffic flows
SEGMENTATION FOR BUSINESS APPLICATIONS
• Human-accessible systems (desktops / laptops / smartphones): in a separate zone from servers
• Servers belonging to an application, that communicate with each other: in the same zone
• Infrastructure servers, that support multiple applications: in a dedicated zone
PLANNING NETWORK SEGMENTATION: BLUEPRINT
• Discover business applications’ connectivity requirements
• Select number of zones, and their characterization
• Based on applications’ flows, assign subnets to zones
• Write filtering policy (rules) allowing zone-crossing flows
  • Avoid breaking business applications’ connectivity
DISCOVERY
IS YOUR ORGANIZATION WELL-DISCIPLINED?
If:
• All applications are documented
• Applications’ connectivity requirements are documented
• Documentation is machine readable
Then “discovery” is easy!
• What if documentation is missing / outdated ?
DISCOVERY FROM TRAFFIC
DISCOVERY RESULTS: ANALYTICS ON SNIFFED TRAFFIC
ZONE-CROSSING TRAFFIC: HIGH LEVEL POLICY
DOCUMENT: THE CONNECTIVITY MATRIX
Allowed traffic between every pair of zones
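The blueprint above (discover flows, assign subnets to zones, write rules only for zone-crossing flows) and the connectivity matrix it produces, worked through as an added example. This is illustration code written for this page, not AlgoSec's product or the speaker's material: the zones, subnets and flow records are constructed (the zoning follows the slide's rules: user devices in their own zone, an application's servers together, shared services in dedicated zones), and the emitted rule text is a generic placeholder rather than any vendor's syntax.

```python
"""Discovery from traffic: derive the zone-crossing connectivity matrix.

Added example, not AlgoSec code. Zoning, subnets and flows are constructed.
Intra-zone flows need no rule; every zone-crossing flow does.
"""
import ipaddress
from collections import defaultdict

# Constructed zoning (assumption). Shared-DB is a database tier used by
# several applications, so it gets its own zone like Infra (DNS/NTP).
ZONES = {
    "Users":     ["10.1.0.0/16"],
    "CRM":       ["10.20.1.0/24"],
    "Shared-DB": ["10.20.2.0/24"],
    "Infra":     ["10.30.0.0/24"],
    "Peer-DMZ":  ["192.168.100.0/24"],
}


def build_lookup(zones):
    """Flatten {zone: [cidr, ...]} into [(ip_network, zone), ...]."""
    return [(ipaddress.ip_network(cidr), zone)
            for zone, cidrs in zones.items() for cidr in cidrs]


def zone_of(ip, lookup):
    """Zone containing ip, or 'Unzoned' if no subnet claims it."""
    addr = ipaddress.ip_address(ip)
    for net, zone in lookup:
        if addr in net:
            return zone
    return "Unzoned"


# Constructed flow records as a collector would export them:
# (initiator, responder, protocol, destination port).
FLOWS = [
    ("10.1.5.23",     "10.20.1.10", "tcp", 443),   # desktop -> CRM web
    ("10.1.7.8",      "10.20.1.10", "tcp", 443),
    ("10.20.1.10",    "10.20.2.5",  "tcp", 1433),  # CRM app -> shared DB
    ("10.20.1.11",    "10.20.2.5",  "tcp", 1433),
    ("10.20.1.10",    "10.30.0.10", "udp", 53),    # CRM app -> DNS
    ("10.1.5.23",     "10.30.0.10", "udp", 53),    # desktop -> DNS
    ("10.20.2.5",     "10.20.2.6",  "tcp", 5022),  # DB mirroring, same zone
    ("192.168.100.7", "10.20.1.10", "tcp", 8443),  # partner DMZ -> CRM API
    ("10.1.9.40",     "10.20.2.5",  "tcp", 1433),  # desktop straight to DB
    ("10.77.3.3",     "10.20.1.10", "tcp", 22),    # source in no zone
]


def connectivity_matrix(flows, zones):
    """Return ({(src_zone, dst_zone): {service: flow_count}}, intra_zone_count).

    Only zone-crossing flows enter the matrix; intra-zone traffic is
    unrestricted by design and is merely counted.
    """
    lookup = build_lookup(zones)
    matrix = defaultdict(lambda: defaultdict(int))
    intra = 0
    for src, dst, proto, dport in flows:
        sz, dz = zone_of(src, lookup), zone_of(dst, lookup)
        if sz == dz:
            intra += 1
            continue
        matrix[(sz, dz)][f"{proto}/{dport}"] += 1
    return {pair: dict(svcs) for pair, svcs in matrix.items()}, intra


def zone_pairs_used(matrix, zones):
    """(ordered zone pairs that carry traffic, N*(N-1) possible pairs)."""
    n = len(zones)
    used = sum(1 for sz, dz in matrix if sz in zones and dz in zones)
    return used, n * (n - 1)


def render_rules(matrix):
    """One allow rule per observed (src zone, dst zone, service), then deny."""
    rules = [f"allow {svc} from {sz} to {dz}"
             for (sz, dz), svcs in sorted(matrix.items()) for svc in sorted(svcs)]
    rules.append("deny any from any to any")  # explicit cleanup rule, not allow-all
    return rules


if __name__ == "__main__":
    matrix, intra = connectivity_matrix(FLOWS, ZONES)
    used, possible = zone_pairs_used(matrix, ZONES)
    print(f"{intra} intra-zone flows need no rule; "
          f"{used} of {possible} zone pairs carry traffic")
    for rule in render_rules(matrix):
        print(rule)
```

Observed is not the same as legitimate: the desktop-to-Shared-DB tcp/1433 flow and the SSH session from an unzoned source both land in the matrix, and the analyst has to reject or document them before the rules are pushed. That review is the "characterize" half of the discovery challenge, and the final deny rule is what replaces the insecure default allow-all.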
ZOOM IN: FROM/TO THE PEER DMZ
DEMONSTRATION OF MICRO-SEGMENTATION WITH ALGOSEC
IMPORT INTO BUSINESSFLOW
VISIBILITY
ENFORCING MICRO-SEGMENTATION
MAINTENANCE OF THE SEGMENTATION
MAINTENANCE OF THE SEGMENTATION
• Zoning remains stable over time
• … but application connectivity requirements evolve
• … so filtering policies need to change over time
• Need application-aware and segmentation-aware change management processes
• Need visibility that filtering policies comply with zoning
CONNECTIVITY SPREADSHEET
SEGMENTATION-AWARE CHANGE PROCESS
NORTH-SOUTH TRAFFIC
• Hybrid network:
  • Software-defined data center
  • Traditional networking outside the data center
• Application connectivity is also north-south
• Goal: Single change workflow for all filtering technologies
• Identical for North-South and East-West
• Indifferent to network technology
• Abstracts away filtering device details
• Outside data center (traditional)
• Inside data center (virtualized)
• AlgoSec standard risks +
• User-defined risks +
• Connectivity spreadsheet violations
• What-if risk check, before changes are implemented
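The maintenance requirement from the earlier slide (visibility that the filtering policy still complies with the zoning) and the what-if check before a change is implemented, as an added example written for this page rather than taken from AlgoSec or the slides. The zoning, the approved connectivity matrix and the rulebase are constructed, and a rule is a plain tuple rather than any device's object model; the same check serves both the periodic audit and the pre-change gate.

```python
"""Segmentation-aware policy check: does the rulebase, or a requested change,
stay within the approved connectivity matrix?

Added example, not AlgoSec code. Zoning, matrix and rules are constructed.
"""
import ipaddress

# Constructed zoning (assumption).
ZONES = {
    "Users":     ["10.1.0.0/16"],
    "CRM":       ["10.20.1.0/24"],
    "Shared-DB": ["10.20.2.0/24"],
    "Infra":     ["10.30.0.0/24"],
    "Peer-DMZ":  ["192.168.100.0/24"],
}

# The approved connectivity matrix (the document): services allowed per
# ordered zone pair. A pair that is absent has nothing approved.
MATRIX = {
    ("Users", "CRM"):      {"tcp/443"},
    ("CRM", "Shared-DB"):  {"tcp/1433"},
    ("CRM", "Infra"):      {"udp/53", "udp/123"},
    ("Users", "Infra"):    {"udp/53"},
    ("Peer-DMZ", "CRM"):   {"tcp/8443"},
}

# Constructed rulebase: (name, source, destination, service, action).
RULES = [
    ("r1", "10.1.0.0/16",  "10.20.1.0/24",  "tcp/443",  "allow"),
    ("r2", "10.20.1.0/24", "10.20.2.0/24",  "tcp/1433", "allow"),
    ("r3", "10.20.1.0/24", "10.30.0.10/32", "udp/53",   "allow"),
    ("r4", "0.0.0.0/0",    "10.30.0.10/32", "udp/53",   "allow"),  # "any" source
    ("r5", "10.1.9.40/32", "10.20.2.5/32",  "tcp/1433", "allow"),  # desktop -> DB
    ("r6", "0.0.0.0/0",    "0.0.0.0/0",     "any",      "deny"),
]


def build_lookup(zones):
    """Flatten {zone: [cidr, ...]} into [(ip_network, zone), ...]."""
    return [(ipaddress.ip_network(cidr), zone)
            for zone, cidrs in zones.items() for cidr in cidrs]


def zones_touched(cidr, lookup):
    """Every zone a rule object overlaps.

    A network not contained in any single zone subnet (e.g. 0.0.0.0/0) is
    conservatively assumed to reach unzoned address space as well.
    """
    net = ipaddress.ip_network(cidr)
    zones = {zone for sub, zone in lookup if net.overlaps(sub)}
    if not any(net.subnet_of(sub) for sub, _ in lookup):
        zones.add("Unzoned")
    return zones


def check_rule(rule, lookup, matrix):
    """Findings (name, src_zone, dst_zone, service) for every zone-crossing
    direction an allow rule permits that the matrix does not approve.
    Intra-zone directions are skipped: unrestricted by design."""
    name, src, dst, service, action = rule
    if action != "allow":
        return []
    findings = []
    for sz in zones_touched(src, lookup):
        for dz in zones_touched(dst, lookup):
            if sz == dz:
                continue
            if service == "any" or service not in matrix.get((sz, dz), set()):
                findings.append((name, sz, dz, service))
    return findings


def audit(rules, zones, matrix):
    """Visibility: all matrix violations in the current rulebase."""
    lookup = build_lookup(zones)
    return [f for rule in rules for f in check_rule(rule, lookup, matrix)]


def what_if(change, zones, matrix):
    """Pre-implementation check of a requested rule; an empty list means approve."""
    return check_rule(change, build_lookup(zones), matrix)


if __name__ == "__main__":
    for finding in audit(RULES, ZONES, MATRIX):
        print("violation:", finding)
    request = ("chg-101", "10.1.0.0/16", "10.20.2.0/24", "tcp/1433", "allow")
    print("chg-101:", "blocked" if what_if(request, ZONES, MATRIX) else "approved")
```

Two things the audit surfaces that a per-rule eyeball check tends to miss: r5 is a narrow, plausible-looking exception that opens a Users-to-Shared-DB direction the matrix never approved, and r4's "any" source silently grants DNS to Shared-DB, Peer-DMZ and unzoned space on top of the two zones that are actually entitled to it. Running the same check on a change request before it is pushed is the what-if gate.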
What are your plans for filtering east-west traffic?
• Already implemented
• Planning to implement over the next 6 months
• Planning to implement over the next 6-12 months
• No plans
POLL
Please vote using the “votes from audience” tab in your BrightTALK panel
SUMMARY
Plan
• Discover business applications’ connectivity requirements
• Design zoning, write policy for zone-crossing flows
• Document in connectivity matrix
Maintain
• Visibility, automated comparison to connectivity matrix
• Segmentation-aware change process
MORE RESOURCES
www.algosec.com/resources
WHITEPAPERS
DATASHEET
Prof. Wool Courses
THANK YOU!
Questions can be emailed to [email protected]