Monday, November 14, 2016

Rethinking Micro-segmentation

Traditional Security Architectures

Traditional security architectures enforce security policy at rigidly defined trust boundaries. At the most basic level, this is the perimeter of the network. A firewall sits between the untrusted public Internet and the trusted private network. If inbound access from the Internet is required, a DMZ is often created to segment Internet exposed resources from the trusted internal network. A network can be further segmented using additional zones on the perimeter firewall, access-lists on distribution switches, and additional layers of security at various points in the network.

In this traditional model, as security increases, so do configuration complexity, management overhead, and the margin for human error. In addition, implicit trust between devices on a network segment is inherent to traditional security architectures: if one device is breached, an attacker can use the compromised device to launch attacks against other devices on the same segment. Traditional security architectures are therefore often ill-equipped to secure east-west traffic in a modern data center.

What is micro-segmentation?

In two words: Trust nothing. The goal is to eliminate implicit trust and apply security policy between all devices within the purview of the micro-segmentation solution. By using this zero-trust model, micro-segmentation solutions aim to prevent attackers from moving laterally through a network after breaching an initial target.

There are a few fundamentally different approaches to micro-segmentation in the data center. Several current micro-segmentation solutions are built into larger data center orchestration and automation platforms. I'll avoid mentioning specific products, because comparisons often end up like those of vi vs. Emacs or which is the best Linux distribution.

That said, the solutions I am most familiar with enforce security policy in one of two ways:
    • Enforce policy in the network device and/or vSwitch
    • Enforce policy in the hypervisor kernel

Regardless of where the actual enforcement occurs, at a high level the micro-segmentation functionality itself is comparable. An engineer logs into a controller, defines a security policy, and centrally pushes this security policy to a number of devices in order to restrict traffic between endpoints. These endpoints can be bare-metal servers, VMs, containers, or other resources supported by the micro-segmentation platform. The fundamental difference is the point of policy enforcement - hypervisor, vSwitch, or network device.

A different approach

Enter Illumio. I recently attended an Illumio presentation at Networking Field Day 12 and was impressed by their novel approach to micro-segmentation. Like other micro-segmentation solutions, Illumio uses a controller to centrally define and push security policy. The difference is the point of enforcement. Illumio pushes security policy to the endpoint itself. The endpoint then enforces the policy using its own native security functionality. In Linux, this is iptables. In Windows, it's the Windows Filtering Platform.

Illumio calls this their Application Security Platform (ASP). The ASP consists of a Policy Compute Engine (PCE) and Virtual Enforcement Nodes (VENs). The PCE is the controller, or "central brain", where policy is defined. The VENs are the agents installed on the endpoints being secured. Illumio likes to refer to the VENs as "antennas" rather than agents, presumably to illustrate the fact that they are not in the data plane and are used simply to communicate with the PCE. The VENs then instruct the endpoints to do all the heavy lifting using native operating system functionality.

One of the biggest obstacles to implementing micro-segmentation is defining what communication should be permitted between endpoints and turning it into security policy. Illumio aims to solve this challenge by "illuminating" the network. The PCE "brain" gathers data from the VEN "antennas" in order to build a relationship graph, or application dependency map. This relationship graph is then used to intelligently define security policy.

However, even when application dependencies are known, implementing micro-segmentation in brownfield environments is often a major undertaking. Some solutions require new hardware. Others require a homogeneous virtualized environment. Illumio is the first micro-segmentation solution I've encountered that makes a brownfield deployment look easy. It was designed to be a natural fit in diverse environments, including those distributed across public and private clouds.

Illumio was also designed to dynamically adapt to changes in the network. If a new resource comes online, the PCE modifies and pushes a policy accordingly. If an indication of compromise such as a port scan is detected, the PCE can push policy to lock down potential targets. Illumio even has the capability to encrypt traffic between two endpoints leveraging strongSwan in Linux or Microsoft's IPsec platform.
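To make the "illuminate, then enforce on the host" idea concrete, here is an added toy example (my own illustration, not Illumio's PCE or VEN code) that collapses constructed flow observations into a dependency map, renders a default-deny iptables INPUT policy for one host from that map, and regenerates it when a new dependency appears. The workload labels, addresses and flows are all constructed sample values.

```python
# Added illustration of the controller-side logic, not Illumio's implementation.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: (source label, destination label, protocol, destination port),
# standing in for the flow reports the host agents would send to the controller.
OBSERVED_FLOWS = [
    ("web", "app", "tcp", 8080),
    ("web", "app", "tcp", 8080),      # repeated flows collapse into one edge
    ("app", "db", "tcp", 5432),
    ("monitor", "web", "tcp", 22),
]

# Constructed label-to-address mapping (assumption: one address per workload).
ADDRESSES = {"web": "10.0.1.10", "app": "10.0.2.10", "db": "10.0.3.10", "monitor": "10.0.9.10"}

Dependency = Tuple[str, str, int]          # (source label, protocol, port)


def build_dependency_map(flows: List[Tuple[str, str, str, int]]) -> Dict[str, Set[Dependency]]:
    """Relationship graph keyed by destination: who is observed talking to it, and how."""
    graph: Dict[str, Set[Dependency]] = defaultdict(set)
    for src, dst, proto, port in flows:
        graph[dst].add((src, proto, port))
    return dict(graph)


def render_iptables(role: str, graph: Dict[str, Set[Dependency]],
                    addresses: Dict[str, str]) -> List[str]:
    """Default-deny inbound policy for one host, allowing only its mapped dependencies.

    Reply traffic and loopback are permitted first so the host keeps working; every
    other inbound connection must match an edge in the dependency map.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
    ]
    for src, proto, port in sorted(graph.get(role, set())):
        rules.append(f"iptables -A INPUT -p {proto} -s {addresses[src]} --dport {port} -j ACCEPT")
    return rules


def policy_after_new_flow(flows, new_flow, role, addresses) -> List[str]:
    """Adapt to a change: fold a newly observed flow into the map and re-render the policy."""
    return render_iptables(role, build_dependency_map(flows + [new_flow]), addresses)
```

Hosts with no observed inbound dependencies (here, monitor) end up with only the three baseline rules, which is the zero-trust default the post describes.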

I'm definitely intrigued by Illumio's approach. By focusing on building intelligence into the PCE and simply using the VEN to leverage existing host security capabilities, Illumio seems to have developed an extremely flexible solution that could fit in any environment, whereas other products may require major changes to the environment in order to fit the solution.

You can check out the full Illumio presentation here.

Disclosure: I was a guest at Networking Field Day 12, and my airfare and accommodations were covered by Tech Field Day. Some vendors provided promotional swag such as t-shirts, backpacks, and stickers. However, there is no requirement for me to write about any of the presentations at Networking Field Day 12 or provide positive feedback about the technologies presented in any way. Any blog posts I write about Tech Field Day events I write because I am genuinely interested in the technologies.
