
2019 02-20 micro-segmentation based network security strategies (yoni geva)

As cyber threats become more sophisticated, companies of all sizes are struggling to stay secure. Regardless of how many different firewalls you use, it’s merely a matter of time until a threat gets through. To prevent serious breaches, networks must be internally segmented to stop hackers moving freely inside the network and exfiltrating data – but network segmentation must be designed and managed correctly if it’s to be successful. This webinar will examine how to build a micro-segmentation strategy that truly protects your organization’s valuables.

In this webinar, Yoni Geva, Product Manager at AlgoSec, will cover:

• Segmentation challenges
• Micro-segmentation explained
• Micro-segmentation strategy benefits
• Micro-segmentation strategy development – first steps
• Implementation Do’s and Don’ts


  1. 1. Micro-Segmentation Strategies The benefits, challenges and how to get it done Yoni Geva Product Manager
  2. 2. WELCOME Have a question? Submit it via the chat tab or email us: marketing@algosec.com This webinar is being recorded! The recording will be emailed to you after the webinar, and the slides will be available in the Attachments tab. Follow us online!
  3. 3. POLL #1: What are your plans for building a micro-segmentation strategy? • Already in place • Planning to implement this year • Planning to implement over the next 2 years • No plans Please vote using the “Votes“ tab
  4. 4. AGENDA: MICRO-SEGMENTATION 01 Background & today’s risks 02 Why Micro-segmentation is part of the answer 03 The challenges you may face 04 Building, implementing and maintaining a Micro-segmentation strategy
  5. 5. THE BASICS
  6. 6. LEGACY DATA CENTER ARCHITECTURE Users Servers Outside World, Business partners Perimeter Firewall East-West traffic North-South traffic
  7. 7. WHY THIS IS RISKY • No filtering capabilities controlling east-west traffic • Allows unrestricted traffic • Between internal users’ desktop/laptops and servers • Between servers in different segments ONCE ATTACKERS GAIN A FOOTHOLD – FREE LATERAL MOVEMENT
  8. 8. SEGMENTED DATA CENTER ARCHITECTURE Users Zone Server Zone 2 Outside World, Business partners, Perimeter Firewall Server Zone 1 East-West traffic North-South traffic
  9. 9. SEGMENTED → MORE SECURE • Introduce filtering choke-points between zones • Allows control of east-west traffic • Lets organizations restrict lateral movement between zones • How can we make this a reality?
  10. 10. SEGMENTATION CHALLENGES
  11. 11. CHALLENGE #1: INTRODUCING CHOKE POINTS A major effort involving: • Hardware • Cabling • Reconfigure switching and routing • Firewall configuration TRADITIONAL DATA CENTER • Built-in firewalls as part of the infrastructure • No extra hardware needed VIRTUALIZED NETWORK / SDN
  12. 12. CHALLENGE #2: ZONING DEFINITION • How many zones to define? • Which subnets should reside in each zone?
  13. 13. A ZONING TRADE-OFF Better Security - Micro-segmentation - Define many small zones Maintenance - Define the right policy - N zones → N*N traffic directions
  14. 14. CHALLENGE #3: FILTERING POLICY BETWEEN ZONES Did you know? VMware NSX’s default policy is “allow all” • Traffic between zones must be explicitly allowed by policy • No critical business traffic will be blocked by accident • Challenge: discover and characterize this traffic
  15. 15. MICRO-SEGMENTATION IS GETTING COMPLICATED
  17. 17. SEGMENTATION STRATEGIES
  18. 18. MICRO-SEGMENTATION FLOW Security Management Sensitive Assets Processes Running Applications Zoning FW Openings
  19. 19. THE BUSINESS-APPLICATION PERSPECTIVE • East-West traffic is generated by business applications • Each business application has: • Servers supporting it • Clients accessing it • Business application connectivity requirements: • Server-to-server traffic flows • Client-to-server traffic flows
  20. 20. SEGMENTATION FOR BUSINESS APPLICATIONS Human-accessible Systems Application Servers Infrastructure Servers
  21. 21. POLL #2: Do you have Application Documentation? • YES! Application Servers and Flows • No • Partial • I don’t know Please vote using the “Votes“ tab
  22. 22. IS YOUR ORGANIZATION DISCIPLINED? Yes if: • All applications are documented • Applications’ connectivity requirements are documented • Documentation is machine readable Then “discovery” is easy! What if documentation is missing / outdated ?
  23. 23. DISCOVERY FROM TRAFFIC NetFlow / sFlow • Routers • VMware virtual switch • NetFlow statistics broker Full capture traffic • Switches • Network TAP devices • Packet broker Summarize Analyze Correlate
  24. 24. IMPORT INTO BUSINESSFLOW
  28. 28. ASSETS/PROCESSES/USERS - PERSPECTIVE • Define your most sensitive assets • Identify processes and relationships between units in the company • Identify user requirements: which data is required by each user
  29. 29. DOCUMENT THE CONNECTIVITY MATRIX
  31. 31. MAINTAINING THE SEGMENTATION Zoning remains stable over time, however: • Application connectivity requirements evolve • Filtering policies need to change over time • Application-aware and change management processes • Visibility filtering policies comply with zoning
  32. 32. CHANGE MANAGEMENT PROCESSES GOAL: SINGLE CHANGE WORKFLOW FOR ALL FILTERING TECHNOLOGIES
  36. 36. MICRO-SEGMENTATION SUMMARY Security Management Sensitive Assets Processes Running Applications Zoning FW Openings
  37. 37. REMEMBER: Focusing your security on external threats is not enough
  38. 38. WHITEPAPER SOLUTION BROCHURE PROF. WOOL VIDEO COURSE https://www.algosec.com/resources PPT
  39. 39. Q & A Submit your questions via the chat Request a Demo: marketing@algosec.com
  40. 40. JOIN OUR COMMUNITY Follow us for the latest on security policy management trends, tips & tricks, best practices, thought leadership, fun stuff, prizes and much more! Subscribe to our YouTube channel for a wide range of educational videos presented by Professor Wool youtube.com/user/AlgoSec linkedin.com/company/AlgoSec facebook.com/AlgoSec twitter.com/AlgoSec www.AlgoSec.com/blog
  41. 41. ALGOSUMMIT THE PREMIER EVENT FOR ALGOSEC CUSTOMERS AND CHANNEL PARTNERS AlgoSummit APAC Bangkok April 1-5 2019 www.algosec.com/algosummit AlgoSummit EMEA Lisbon May 20-23
  42. 42. THANK YOU! Questions can be emailed to marketing@algosec.com
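
The discovery-to-policy path in slides 13, 14, 23 and 29 (summarize observed flows, map them to zones, document the connectivity matrix, open only what is needed) can be sketched as follows. This is an added example, not code from the slides or from AlgoSec; the zone names, subnets, flow records and the `min_flows` threshold are all constructed assumptions.

```python
import ipaddress

# Hypothetical zone plan (constructed): zone name -> subnet.
ZONES = {
    "users": ipaddress.ip_network("10.1.0.0/16"),
    "app":   ipaddress.ip_network("10.2.0.0/24"),
    "db":    ipaddress.ip_network("10.2.1.0/24"),
}

# Constructed flow summaries, as a NetFlow/sFlow collector might export them:
# (src_ip, dst_ip, protocol, dst_port, flow_count)
FLOWS = [
    ("10.1.4.20", "10.2.0.10", "tcp", 443, 1200),
    ("10.1.7.31", "10.2.0.11", "tcp", 443, 950),
    ("10.2.0.10", "10.2.1.5",  "tcp", 5432, 4000),
    ("10.2.0.11", "10.2.1.5",  "tcp", 5432, 3800),
    ("10.1.4.20", "10.2.1.5",  "tcp", 5432, 2),    # rare: users straight to db
    ("10.2.0.10", "192.0.2.8", "tcp", 443, 15),    # destination outside the zone plan
]

def zone_of(ip):
    """Return the zone whose subnet contains ip, or None if it is unzoned."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def build_matrix(flows, min_flows=10):
    """Summarize flows per zone pair; rare or unzoned flows go to manual review."""
    # N zones give N*N cells; an empty cell means no opening (default deny).
    matrix = {(s, d): set() for s in ZONES for d in ZONES}
    review = []
    for src, dst, proto, port, count in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None or count < min_flows:
            review.append((src, dst, proto, port, count))
            continue
        matrix[(sz, dz)].add((proto, port))
    return matrix, review

def openings(matrix):
    """Zone pairs with observed services: the candidate firewall openings."""
    return {pair: sorted(svcs) for pair, svcs in matrix.items() if svcs}

if __name__ == "__main__":
    m, r = build_matrix(FLOWS)
    for (s, d), svcs in sorted(openings(m).items()):
        print(f"allow {s} -> {d}: {svcs}")
    print("needs review:", r)
```

Flows sent to review are not silently dropped from the plan: each one is either a documented business requirement that needs an explicit opening or traffic that the new zoning should block.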
