Network segmentation has long been used to separate networks into subnetworks, or segments, in order to improve performance and security. With the increased use of virtualization, software-defined networking, and software-defined data center technology, network segmentation has been taken a step further, and micro-segmentation has emerged.
What Is Micro-segmentation?
Network segmentation is achieved through firewall and VLAN configuration that divides the network into segments. Each segment is secured through a set of rules or policies. This allows network administrators to control the access privileges of applications, people and servers. There are also usually policies in place that prohibit traffic from moving from one segment to another. Using network segmentation, you can restrict access to sensitive data to an as-needed basis.
Micro-segmentation takes this to the next level. With virtualization, software-defined networking, and network analytics tools, you can implement policy-based security at a granular level. For IT teams that are trying to improve the security of their network, micro-segmentation gives them control down to the individual workload.
How Micro-segmentation Can Improve Network Security
Because micro-segmentation works at a granular level, it allows network administrators to customize security controls for each micro-segment. Doing this reduces the attack surface because the policies that manage each micro-segment (and policies that prevent cross-segment traffic) keep the attack within the segment. This prevents the spread of malware or attacks from impacting the larger network.
Keeping the attack within a micro-segment can lead to faster and simpler incident response or, in the event of a breach, simplify forensics and attack tracing.
What You Should Know Before Implementing Micro-segmentation
While the security benefits are clear, there are some things you should think about before you implement micro-segmentation.
- It Is Complex
- Gaining Visibility Is Key
- Choosing the Right Model
Micro-segmentation Is Complex
Because of its granular nature, micro-segmentation is complex, and it can be complicated to plan. It must be carefully considered and implemented. If policies are too fine-grained or over-segmented, then application and network performance might suffer, and it could be a headache to manage. If segments are too large, then the large attack surface could leave your network vulnerable.
Proper planning and implementation are essential for successful micro-segmentation.
Gaining Visibility is Key
You can’t secure what you can’t see. To set up effective network micro-segments, you need to understand your network architecture down to the lowest levels. This includes:
- Understanding traffic flow and communication patterns to, from and within the network
- Identifying servers with similar roles or shared responsibilities
- Identifying other process-level information and key relationships
Luckily there are tools to help. Trying to map a complicated network is nearly impossible to do manually. However, there are network analytics tools and graphic visualization tools that can map and display your network. Network models can be used to highlight important relationships and help identify network elements and workloads that may pose problems.
Choosing a Model
Once you have gained visibility into the inner workings of your network, you can begin to organize servers, applications, and other business functions traffic into groups. You will also need to choose the micro-segmentation model that will best suit your needs.
While there is no wrong way to implement network micro-segmentation, there are two models that are generally followed — network-centric or application-centric. Depending on your network or your development model, one may be a better fit than the other. So, what are the two models?
The network-centric model uses hypervisor-based firewalls or defined security groups and is commonly used in cloud environments. Traffic is controlled by network choke points or third-party controls. Or, it can be controlled by enforcing rules onto each workload, using the existing network enforcement.
The application-centric model uses agent-based distributed firewalls and deploys agents onto each workload. Agents follow the workload as it moves between different environments. This model works with varied infrastructures or any operational environment — and offers visibility down to Layer 7! It does not use choke points, which makes it easily scalable, and is consistent across technologies, making it a better choice for complex networks or hybrid cloud environments. Also, it reduces the need for manual intervention as it uses automation and autoscaling to streamline provisioning and workload management.
The application-centric model can also improve security more than the network-centric model. Policies can be defined at a more granular level, further reducing the attack surface of each network micro-segment.
Adopting a Zero Trust Mindset
When you have chosen a model and defined groups and the security permissions needed for each group, you can start to test and define the security policies. Your network analytics tools can be used to determine the policies and security rules for each micro-segment. For micro-segmentation to be effective, denial of access should be the default. Zero Trust literally means “trust no one,” and your security policies should be set up with that mindset. The only access that users, applications, and processes should have is what is needed to do their jobs.
Your network analytics tools can be used to determine and refine the policies and security rules for each micro-segment. Whitelisting can also be useful.
Implementation isn’t the end. You should also regularly review your network and micro-segmentation policies. Refine your rules and security policies as your network grows or as traffic patterns or application needs change.