
Create and Manage a Micro-Segmented Data Center – Best Practices


What links the Antwerp Diamond Heist, one of the world’s largest jewelry thefts and data center security? The famous heist was possible because there was no security within the safe deposit vault, enabling the criminals to stay inside undetected for days and steal items worth $100M.
Similarly, to help prevent serious breaches, data center networks must be internally segmented to stop hackers moving freely inside the network and exfiltrating data – but network segmentation must be designed and managed correctly if it’s to be successful. This webinar will examine how to create and manage a micro-segmented data center environment that truly protects your organization’s valuables.
In this webinar, Avivi Siman-Tov, Product Manager at AlgoSec, will cover:
• How to securely migrate applications to a micro-segmented data center
• Identifying and avoiding common network segmentation pitfalls
• Defining and enforcing effective security policies for the micro-segmented data center
• Managing micro-segmented data centers alongside traditional networks and devices
• Identifying and managing security risk and compliance in a micro-segmented data center

Published in: Software


  2. Welcome. Have a question? Submit it via the chat. This webinar is being recorded; slides and recording will be sent to you after the webinar.
  3. THE BASICS
  4. LEGACY DATA CENTER ARCHITECTURE (diagram: users, servers, outside world / business partners, perimeter firewall; east-west and north-south traffic)
  5. WHY THIS IS RISKY
     • No filtering capabilities controlling east-west traffic
     • Allows unrestricted traffic
       • Between internal users’ desktops/laptops and servers
       • Between servers in different segments
     ONCE ATTACKERS GAIN A FOOTHOLD – FREE LATERAL MOVEMENT
  6. SEGMENTED DATA CENTER ARCHITECTURE (diagram: users zone, server zone 1, server zone 2, outside world / business partners, perimeter firewall; east-west and north-south traffic)
  7. SEGMENTED → MORE SECURE
     • Introduce filtering choke-points between zones
     • Allows control of east-west traffic
     • Lets organizations restrict lateral movement between zones
     • How can we make this a reality?
  9. CHALLENGE #1: INTRODUCING CHOKE POINTS
     TRADITIONAL DATA CENTER: a major effort involving
       • Hardware
       • Cabling
       • Reconfiguring switching and routing
     VIRTUALIZED NETWORK / SDN:
       • Built-in firewalls as part of the infrastructure
       • No extra hardware needed
  10. Challenge #2: Zoning
     • How many zones to define?
     • Which subnets should reside in each zone?
  11. A ZONING TRADE-OFF
     • Better security: micro-segmentation, define many small zones
     • Maintenance: define the right policy; N zones → N*N traffic directions
  12. CHALLENGE #3: FILTERING POLICY BETWEEN ZONES
     • Traffic between zones must be explicitly allowed by policy
     • No critical business traffic will be blocked by accident
     • Challenge: discover and characterize this traffic
     Did you know: VMware NSX’s default policy is “allow all”
  14. The business-application perspective
     • East-west traffic is generated by business applications
     • Each business application has:
       • Servers supporting it
       • Clients accessing it
     • Business application connectivity requirements:
       • Server-to-server traffic flows
       • Client-to-server traffic flows
  15. Segmentation for business applications: human-accessible systems, application servers, infrastructure servers
  16. Planning network segmentation: blueprint. DISCOVER → SELECT → ASSIGN → CREATE
  17. Is your organization disciplined? Yes if:
     • All applications are documented
     • Applications’ connectivity requirements are documented
     • Documentation is machine readable
     Then “discovery” is easy! What if documentation is missing or outdated?
  18. Discovery from traffic
     NetFlow / sFlow:
       • Routers
       • VMware virtual switch
       • NetFlow statistics broker
     Full traffic capture:
       • Switches
       • Network TAP devices
       • Packet broker
     Summarize → Analyze → Correlate
  19. Import into BusinessFlow
  22. Document the connectivity matrix
  23. Connectivity spreadsheet
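As an added illustration of the discover-then-document steps on slides 12, 17-18 and 22-23 (example code written for this page, not AlgoSec's BusinessFlow or the webinar's own material), the script below maps constructed NetFlow-style records onto assumed zone subnets, builds the zone-to-zone connectivity matrix, derives a candidate allow-list, and reports which observed flows a default-deny inter-zone policy would drop so they can be reviewed before the policy is enforced. All subnets, addresses and flow records are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed zoning (slide "Challenge #2: Zoning"): zone name -> subnet.
ZONES = {
    "users": ipaddress.ip_network("10.1.0.0/16"),
    "app":   ipaddress.ip_network("10.2.0.0/24"),
    "db":    ipaddress.ip_network("10.3.0.0/24"),
    "infra": ipaddress.ip_network("10.9.0.0/24"),
}

# Constructed NetFlow-style summaries: (src, dst, proto, dst_port, packets).
FLOWS = [
    ("10.1.5.20", "10.2.0.10", "tcp", 443, 1200),   # desktop -> web/app tier
    ("10.2.0.10", "10.3.0.5",  "tcp", 3306, 800),   # app -> database
    ("10.2.0.11", "10.9.0.2",  "udp", 53, 50),      # app -> DNS
    ("10.1.5.21", "10.3.0.5",  "tcp", 3306, 3),     # desktop -> database, tiny volume
    ("10.3.0.5",  "10.9.0.2",  "udp", 123, 10),     # database -> NTP
]

def zone_of(ip):
    """Map an address to its zone; anything outside the defined subnets is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def connectivity_matrix(flows):
    """Zone pair -> set of (proto, port) actually seen (slide 'Document the connectivity matrix')."""
    matrix = defaultdict(set)
    for src, dst, proto, port, _ in flows:
        s, d = zone_of(src), zone_of(dst)
        if s != d:  # intra-zone traffic never crosses a zone choke point
            matrix[(s, d)].add((proto, port))
    return matrix

def proposed_policy(flows, min_packets=10):
    """Candidate allow-list: observed inter-zone services above a volume threshold.
    Low-volume flows are left out on purpose so a human reviews them."""
    allowed = defaultdict(set)
    for src, dst, proto, port, packets in flows:
        s, d = zone_of(src), zone_of(dst)
        if s != d and packets >= min_packets:
            allowed[(s, d)].add((proto, port))
    return allowed

def blocked_by_policy(flows, allowed):
    """Flows a default-deny inter-zone policy would drop; each needs a business owner's verdict."""
    return [f for f in flows
            if zone_of(f[0]) != zone_of(f[1])
            and (f[2], f[3]) not in allowed.get((zone_of(f[0]), zone_of(f[1])), set())]
```

Run over the sample data, the only flow the candidate policy would block is the low-volume desktop-to-database connection, which is exactly the kind of traffic that must be classified as either a forgotten business requirement or lateral movement before the policy goes live.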
  26. Maintaining the segmentation. Zoning remains stable over time, but:
     • application connectivity requirements evolve
     • filtering policies need to change over time
     Needed: application-aware change management processes, and visibility that filtering policies comply with the zoning
  27. Change management processes
     • Hybrid network:
       • Software-defined data center
       • Traditional networking outside the data center
     • Application connectivity is also north-south
     GOAL: SINGLE CHANGE WORKFLOW FOR ALL FILTERING TECHNOLOGIES
  28. • Identical for north-south and east-west
     • Indifferent to network technology
     • Abstracts away filtering device details
  29. • Outside data center (traditional)
  30. • Inside data center (virtualized)
  31. REMEMBER: Focusing your security on outsider threats isn’t enough
  32. Plan: Discover, Design, Document. Maintain: Visibility, Segmentation-aware change processes
  33. POLL: What are your plans for filtering east-west traffic?
     • Already implemented
     • Planning to implement over the next 6 months
     • Planning to implement over the next 6-12 months
     • No plans
  35. July 24: Network security at the speed of DevOps, by Anner Kushnir, VP Technology. Aug 7: Network Security Policy Changes – Quickly & Safely, by Asher Benbenisty, Director of Product Marketing
  36. Q & A
  37. THANK YOU! Questions can be emailed to