As more and more companies place their digital assets and software platforms in the cloud, data centers – the keepers of the cloud – are becoming targets of interest for the dark side. For the bad guys, what’s not to like? Rather than grabbing bits and pieces scattered across the internet, digital thieves can one-stop shop.
There’s something else that has bad guys excited. Data center traffic is increasing east-west (server to server). Munawar Hossain, Cisco director of product management security writes: “Cisco’s Global Cloud Index tells us that, unlike in campus networks, the dominant volume of traffic in the data center traverses in an east-west direction (76 percent), followed by north-south traffic (17 percent), and inter-DC traffic at seven percent.”
Open doors?
Opening up traffic lanes between servers inside the data center, which up until now have been siloed, is a golden opportunity for attackers. “Modern attacks exploit perimeter-only defenses, hitching a ride with authorized users, then move laterally within the data center perimeter from workload to workload, with little or no controls to block their propagation,” according to a VMware white paper on data center micro-segmentation. “Many of the recent public breaches have exemplified this – starting with spear-phishing or social engineering – leading to malware, vulnerability exploits, command and control, and unfettered lateral movement within the data center until the attackers find what they are looking for.”
Needless to say, data center operators are looking for new ways to beef up security. One such approach, according to Hossain, is “hair-pinning,” where internal traffic is routed out of the data center for inspection by perimeter security devices and then forwarded on to its original destination inside the data center.
If that sounds complicated and fraught with issues, networking experts agree. VMware and others suggest a better solution is something called micro-segmentation. Put simply, micro-segmentation divides a data center’s network into smaller protection zones. “Instead of a single, hardened perimeter defense with free traffic flow inside the perimeter, a micro-segmented data center has security services provisioned at the perimeter, between application tiers and between devices within tiers,” says Cisco’s report, Data Center Micro-Segmentation: Enhance Security for Data Center Traffic. “The theory is, even if one machine is compromised, the breach will be contained to a smaller fault domain.”
Micro-segmentation divides a data center’s network into smaller protection zones
But there are other pluses besides isolation and breach containment. In an eWEEK slideshow about micro-segmentation, editor Chris Preimesberger argues for the superiority of the practise, listing some additional deterrents.
- Manageable white lists:
Denying all communications unless explicitly allowed is not new. What micro-segmentation does is make it manageable by integrating application and network services. - Application-aware security:
In micro-segmentation, security policy groups are not based on IP addresses or domain subnets. “Policies are enforced at the virtual machines or containers hosting the application tiers,” writes Preimesberger. “Workloads and data access are secured at the source as an application-centric security model.” - Centralized provisioning:
Micro-segmentation, properly done, consolidates management of membership in security groups. Centralized provisioning of security policies such as firewall rules enables them to follow virtual machines from host to host, with the new instances automatically inheriting appropriate security group membership and security policies. “If a particular virtual machine gets deleted, the firewall rules associated with that VM get deleted as well,” continues Preimesberger. “This, in turn, ensures the firewall rule base is kept up to date and uncluttered with unused, unwanted rules and updates….”
This allows data center operators to get ahead of hackers by eliminating vulnerabilities and enacting preventative measures. - Access control:
As the name implies, micro-segmentation can silo apps. Isolating individual apps and or data warehouses enable strict access control, which will reduce insider attacks. - Breach recovery:
Micro-segmentation, teamed up with a DCIM platform, will reduce negative fallout if a data breach occurs. “Micro-segmentation enables the data center to be far more agile, with the ability to identify the breach almost immediately, and to contain it within a narrow fault domain,” writes Preimesberger. “At the same time, its multiple layers of security help to slow the attack’s spread, and enable operators to lock down the hackers and secure uncompromised data.”
Companies have different philosophies on how to implement micro-segmentation. However, Geoff Huang, director of product management for VMware, suggests that whatever version is put into play, it must have the following attributes: - Persistence:
Despite a constantly changing environment, security must be consistent. This is especially important with software-defined networks coming into their own. “Micro-segmentation gives administrators more useful ways to describe the workload,” writes Huang in Three Requirements for True Micro-Segmentation. “Administrators can describe the inherent characteristics of the workload, tying this information back to the security policy.” - Ubiquity:
All too often, due to cost considerations, security is doled out according to a static priority list. Huang notes this is something attackers love to see. Fortunately, micro-segmentation embeds security into the data center infrastructure, which means security functions can be applied to all workloads, eliminating the need to set priorities. - Extensibility:
Let’s face it, digital bad guys are adept at changing their plan of attack if the need arises, meaning that in order to work, security must be that flexible, if not more so. “As an example, based on the detection of malware, an anti-virus system coordinates with the network to mirror traffic to an IPS, which in turn scans for anomalous traffic,” explains Huang. “The extensibility of micro-segmentation enables this dynamic capability. Without it, the security administrator would have to pre-configure a different static chain of services up-front, each one corresponding to a different possible security scenario.”
The whole concept of micro-segmentation is only possible because of software-defined technologies, which allow ultimate network flexibility. Combined, the two provide centralized control of data center east-west traffic, improve security using multiple layers of isolation and, in the long run, save money. So it seems the good guys get to ask: “What’s not to like?”
This article appeared in the March issue of DatacenterDynamics magazine