Last week Gartner published the Top 10 Technologies for Information Security in 2016. In that list, they include microsegmentation, a term many security professionals are unaware of. This is exciting for me at Drawbridge Networks, since PathProtect is the only technology on the market that provides microsegmentation for the entire enterprise, securing traffic workstation to workstation, workstations to server, and server to server.
To put it simply, microsegmentation is ability to do two things:
- Identify network traffic based on something more than layer 4 information, i.e. user, application, etc.
- Control network traffic using that additional information in a policy driven manner.
The biggest need for this technology is for east/west traffic, i.e. not traversing a firewall, router, and/or switch.
First, some history
When TCP/IP and ethernet was gaining a foothold as being the networking platform of choice over token ring and others, it was easy to map OSI layers to devices (need an OSI refresher?). Hubs were layer 1, switches were layer 2, routers were layer 3, and firewalls were layer 4. If you wanted to divide a network into two IP segments, you used a router. If you wanted to segment your network by port, you used a firewall. If you wanted to move a computer from one network segment to another, you walked down to the communication closet, and moved the cable from one switch to another.
Then enters the Virtual Local Area Network (VLAN) in the 90s. Broadcast storms were a real pain and segmenting with routers was cost limiting. VLANs were a solution to this broadcast problem, but the new flexibility and ease of being able to segment on the fly became quite popular. This popularity bred multifunction network devices such as layer 3 switches.
By the late 90s, we had cost effective switches with routing capabilities. The security capabilities of these multifunction devices increased to include Access Control Lists (ACLs), Private VLANs, etc. Creating network segments was no longer bounded by cost. Routers also started expanding past layer 3 to be able to do port based ACLs. As we entered into the 2000s, stateful firewalls were also being built into single multifunction devices.
All of this was a great advancement for security, but even today many enterprises are still stuck segmenting at OSI layer 4 and below with just IP and port. Essentially, all network architecture and segmentation schemes are built with this limitation as a core design principle. Security innovation continued but instead of advancing segmentation techniques, network security vendors seemed to change focus their focus to layer 7 inspection and building “appliances”. Unfortunately, you cannot have an appliance everywhere in your network.
Beyond Layer 4 – How to Get Microsegmentation
There are many shortcomings to only using IP and port as way to segment your network for security. The primary tool used by most today, VLANs, was never built with security in mind, only to reduce broadcast traffic. ACLs help control traffic, but most enterprises have decades old ACLs that are costly to manage. Attackers are able to move around from endpoint to workstation with impunity. We have to control the east/west traffic flow to effectively secure our networks.
Here are the current technologies that enable microsegmentation:
NETWORK FUNCTION VIRTUALIZATION
As the popularity of OS virtualization developed, hardware based networking devices were a limiting factor in the flexibility and scalability virtualization had to offer. From that need sprung Network Function Virtualization or NFV.
NVF is a new label on what has been developing for the last 10-15 years, which is building software that provides the same functionality as networking devices. In 2012 the European Telecommunications Standards Institute (ETSI) dedicated a group to start producing standards for NFV.
Because of the flexibility a virtual networking device can offer, microsegmentation has been added to that list of capabilities. The most prominent method is to “tag” traffic with a proprietary tag. Then other NVF devices from that vendor can respond to that tag to control the network traffic according to a policy.
Note: ETSI has not published a standard or draft for microsegmentation , so each NVF vendor will have implementation differences.
SOFTWARE DEFINED NETWORKING
Paralleling the development of NVF was a movement to get beyond centralized network orchestration and have true centralized management with a programmatic interface. A new concept emerged: separating the control plane, the basic switching/routing functions, from the management plane. This separation of these logical functions is what is known by Software Defined Networking (SDN) today.
As the last decade was coming to a close, SDN gained its footing. 2011 saw the founding of the Open Networking Foundation and the first release of OpenFlow. This standard has paved the way to make multiplatform SDN a reality. That hasn’t stopped some big vendors from creating their own “standard”, like Cisco’s Open Network Environment.
SDN has a lot of promise, including the ability to perform microsegmentation in a similar manner as the NVF implementations. However, SDN is not an easy thing to implement. The value that it brings makes it worth the cost if you are a cloud or data center provider. For most enterprises, the cost of implementation far outweighs the benefits.
NFV and SDN are promising technologies and are currently reshaping data centers. However, attackers often target endpoint workstations as an initial point of compromise. Spear phishing emails with malicious links and attachments are used to gain a foothold, and then attackers move laterally from workstation to workstation in search of valuable hosts such as those used by DBAs or IT Systems Administrators.
Microsegmentation of endpoint workstations might prevent those infections from spreading laterally, but there are definitive shortcomings when microsegmentation is implemented in the network using technologies like SDN. There are certain things that you cannot see from the network, like what process sent that network traffic? What user started that process?
PathProtect takes a different approach. Instead of trying to reengineer your entire network, PathProtect uses endpoint agents to understand the context of the network data. These endpoint agents are easy to deploy, and provide information about all of the lateral communications going on in the network as well as the process and user context associated with them. Then, using a policy based engine, PathProtect can control who can do what, performing enforcement at each endpoint. This way, PathProtect decouples the network policy from the physical architecture of the network itself, allowing for instant reconfiguration of segments on the fly.
PathProtect uses mutual endpoint authorization to ensure that the client sending the traffic is authorized to do so and that the server is authorized to accept the traffic. This can provide your enterprise with a default-deny posture. If an attacker were to walk into your office and plug in his own laptop, no workstation or server would respond.
Just like a drawbridge, both sides must be open to allow traffic to pass.
Gartner has brought to light the new security concept of microsegmentation and highlighted its importance. There’s no need to invest in network rearchitecture to start controlling your east/west traffic. For a fraction of the time, and a fraction of the price, you can implement microsegmentation today.