
Migrating and Managing Security Policies in a Segmented Data Center


Network segmentation is an effective strategy for protecting access to key data assets and impeding the lateral movement of threats and cyber criminals inside your data center. With network virtualization such as VMware NSX and Cisco ACI now a reality, it is far simpler to set up granular security policies for east-west traffic within the data center. Yet the added granularity of security policies creates significant complexity.

Presented by renowned industry expert Professor Avishai Wool, this technical webinar will provide strategies and best practices to help organizations migrate and manage security policies efficiently within a micro-segmented data center.

In this webinar, Prof. Wool will discuss how to:

• Identify and securely migrate legacy applications to a micro-segmented data center
• Effectively define and enforce security policies for East-West traffic
• Manage the micro-segmented data center alongside traditional on-premise security devices
• Identify risk and manage compliance in a micro-segmented data center
• Use network segmentation to reduce the scope of regulatory audits
• Identify and avoid common network segmentation mistakes

Published in: Technology


  1. MIGRATING & MANAGING SECURITY POLICIES IN A SEGMENTED DATA CENTER
     Avishai Wool, CTO
  2. TOPICS COVERED
     01 Migrating applications to a micro-segmented data center
     02 Defining and enforcing security policies for East-West traffic
     03 Managing a micro-segmented data center alongside traditional devices
     04 Identifying risk and managing compliance
     05 Q&A and summary
  3. THE BASICS
  4. LEGACY DATA CENTER ARCHITECTURE
     (diagram labels: Users, Servers, Outside World / Business partners, Perimeter Firewall, East-West traffic, North-South traffic)
  5. WHY THIS IS RISKY
     • No filtering capabilities controlling east-west traffic
     • Allows unrestricted traffic:
       • Between internal users’ desktops/laptops and servers
       • Between servers in different segments
     • Once attackers gain a foothold: free lateral movement
  6. SEGMENTED DATA CENTER ARCHITECTURE
     (diagram labels: Users Zone, Server Zone 1, Server Zone 2, Outside World / Business partners, Perimeter Firewall)
  7. SEGMENTED = MORE SECURE
     • Introduce filtering choke-points between zones
     • Allows control of east-west traffic
     • Lets organizations restrict lateral movement between zones
     • How can we make this a reality?
  8. POLL: Which platform do you use to manage your private cloud / virtualized data center?
     • VMware NSX
     • Cisco ACI
     • Microsoft Hyper-V
     • Other
     • We don’t have a virtualized data center
     Please vote using the “votes from audience” tab in your BrightTALK panel
  9. SEGMENTATION CHALLENGES
  10. CHALLENGE #1: INTRODUCING CHOKE POINTS
     • In the traditional data center: a major effort
       • Hardware, cabling, reconfiguring switching and routing
     • In a virtualized, software-defined data center:
       • Built-in firewalls as part of the infrastructure
       • No extra hardware needed
     • Software-Defined Networking ✓
  11. CHALLENGE #2: ZONING
     • How many zones to define?
     • Which subnets should reside in each zone?
  12. A ZONING TRADE-OFF
     • Traffic inside each zone remains unrestricted
     • For better security, define many small zones
       • “Micro-segmentation”
       • But: need policy (rules) between every pair of zones
       • “Allow service X from zone 1 to zone 2”
       • N zones ==> N*N traffic directions
     • For better manageability, define a few large zones
  13. CHALLENGE #3: FILTERING POLICY BETWEEN ZONES
     • Traffic inside each zone is unfiltered: allowed
     • … traffic between zones must be explicitly allowed by policy
     • Goal: write policy to allow legitimate zone-crossing traffic
     • Challenge: discover and characterize this traffic
     • Did you know: VMware NSX’s default policy is “allow all”
       • Works around the challenge
       • … but is completely insecure ✓
  14. APPLICATION-AWARE SEGMENTATION
  15. THE BUSINESS-APPLICATION PERSPECTIVE
     • East-West traffic is generated by business applications
     • Each business application has:
       • Servers supporting it
       • Clients accessing it
     • Business application connectivity requirements:
       • Server-to-server traffic flows
       • Client-to-server traffic flows
  16. SEGMENTATION FOR BUSINESS APPLICATIONS
     • Human-accessible systems (desktops / laptops / smartphones): in a separate zone from servers
     • Servers belonging to an application that communicate with each other: in the same zone
     • Infrastructure servers that support multiple applications: in a dedicated zone
  17. PLANNING NETWORK SEGMENTATION: BLUEPRINT
     • Discover business applications’ connectivity requirements
     • Select the number of zones and their characterization
     • Based on applications’ flows, assign subnets to zones
     • Write filtering policy (rules) allowing zone-crossing flows
     • Avoid breaking business applications’ connectivity
  18. DISCOVERY
  19. IS YOUR ORGANIZATION WELL-DISCIPLINED?
     If:
     • All applications are documented ✓
     • Applications’ connectivity requirements are documented ✓
     • Documentation is machine readable ✓
     Then “discovery” is easy!
     • What if documentation is missing / outdated?
  20. DISCOVERY FROM TRAFFIC
  21. DISCOVERY RESULTS: ANALYTICS ON SNIFFED TRAFFIC (image-only slide)
  22. ZONE-CROSSING TRAFFIC: HIGH-LEVEL POLICY
  23. DOCUMENT: THE CONNECTIVITY MATRIX
     Allowed traffic between every pair of zones
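Slides 17 and 20 to 23 describe the discovery path: sniff traffic, map each address to its zone, keep only the zone-crossing flows, and document them as the connectivity matrix of allowed services between zone pairs. The Python below is an added example of that pipeline and is not part of the deck or of any AlgoSec product. The zone names, subnets and flow records are constructed sample data; the code uses the standard `ipaddress` module and nothing else. Two edge cases the slides imply are handled explicitly: flows inside a zone are dropped because the deck's model leaves them unfiltered, and addresses that no zone covers are reported as `unassigned` so the zoning can be completed before any policy is written from the matrix.

```python
# Added example: derive a connectivity matrix from sniffed flow records.
# Not from the deck or from AlgoSec; zones, subnets and flows are constructed.
import ipaddress
from collections import defaultdict

# Constructed zoning (the blueprint's "assign subnets to zones" step).
ZONES = {
    "users": ["10.10.0.0/16"],          # desktops / laptops
    "app-zone-1": ["10.20.1.0/24"],     # one business application's servers
    "db-zone": ["10.20.2.0/24"],        # database servers
    "infra": ["10.30.0.0/24"],          # DNS / NTP / AD shared by all applications
}

# Constructed flow records in the shape a NetFlow/sniffer export would give:
# (src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = [
    ("10.10.5.20", "10.20.1.10", "tcp", 443, 120000),
    ("10.10.5.21", "10.20.1.10", "tcp", 443, 98000),
    ("10.20.1.10", "10.20.2.5", "tcp", 5432, 5400000),
    ("10.20.1.11", "10.20.2.5", "tcp", 5432, 3100000),
    ("10.20.1.10", "10.30.0.2", "udp", 53, 2100),
    ("10.10.5.20", "10.30.0.2", "udp", 53, 900),
    ("10.20.2.5", "10.20.2.6", "tcp", 5432, 7000000),   # intra-zone: not policed
    ("10.10.5.22", "10.20.2.5", "tcp", 5432, 300),      # desktop straight to a DB
    ("192.0.2.7", "10.20.1.10", "tcp", 443, 15000),     # source in no defined zone
]

def build_lookup(zones):
    """Flatten {zone: [cidr, ...]} into [(network, zone), ...]."""
    return [(ipaddress.ip_network(cidr), name)
            for name, cidrs in zones.items() for cidr in cidrs]

def zone_of(ip, lookup):
    """Longest-prefix match of an address to a zone; 'unassigned' if none covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name in lookup:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else "unassigned"

def connectivity_matrix(flows, zones):
    """Aggregate zone-crossing flows: {(src_zone, dst_zone): {(proto, port): bytes}}.

    Intra-zone flows are skipped because traffic inside a zone is unfiltered.
    Flows touching an 'unassigned' zone are kept so the gap in zoning stays visible.
    """
    lookup = build_lookup(zones)
    matrix = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port, nbytes in flows:
        src_zone, dst_zone = zone_of(src, lookup), zone_of(dst, lookup)
        if src_zone == dst_zone:
            continue
        matrix[(src_zone, dst_zone)][(proto, port)] += nbytes
    return {pair: dict(services) for pair, services in matrix.items()}

def to_rules(matrix):
    """Render the matrix as high-level 'allow service from zone A to zone B' lines."""
    return sorted(f"allow {proto}/{port} from {src} to {dst}"
                  for (src, dst), services in matrix.items()
                  for (proto, port) in services)

def unassigned_addresses(flows, zones):
    """Addresses seen in traffic that no zone covers; zoning must be completed first."""
    lookup = build_lookup(zones)
    return sorted({ip for flow in flows for ip in flow[:2]
                   if zone_of(ip, lookup) == "unassigned"})

if __name__ == "__main__":
    matrix = connectivity_matrix(FLOWS, ZONES)
    for line in to_rules(matrix):
        print(line)
    print("unassigned:", unassigned_addresses(FLOWS, ZONES))
```

The output is the raw candidate matrix, not the final policy: the `users` to `db-zone` entry, for instance, is a single desktop talking directly to a database and is exactly the kind of flow the blueprint says to characterize before deciding whether to allow it or to treat it as a finding.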
  24. ZOOM IN: FROM/TO THE PEER DMZ
  25. DEMONSTRATION OF MICRO-SEGMENTATION WITH ALGOSEC
  26. IMPORT INTO BUSINESSFLOW (image-only slide)
  27. [image-only slide]
  28. [image-only slide]
  29. [image-only slide]
  30. [image-only slide]
  31. [image-only slide]
  32. VISIBILITY
  33. [image-only slide]
  34. [image-only slide]
  35. ENFORCING MICRO-SEGMENTATION
  36. [image-only slide]
  37. [image-only slide]
  38. MAINTENANCE OF THE SEGMENTATION
  39. MAINTENANCE OF THE SEGMENTATION
     • Zoning remains stable over time
     • … but application connectivity requirements evolve
     • … so filtering policies need to change over time
     • Need application-aware and segmentation-aware change management processes
     • Need visibility that filtering policies comply with zoning
  40. [image-only slide]
  41. CONNECTIVITY SPREADSHEET
  42. [image-only slide]
  43. SEGMENTATION-AWARE CHANGE PROCESS
  44. NORTH-SOUTH TRAFFIC
     • Hybrid network:
       • Software-defined data center
       • Traditional networking outside the data center
     • Application connectivity is also north-south
     • Goal: a single change workflow for all filtering technologies
  45. • Identical for North-South and East-West
     • Indifferent to network technology
     • Abstracts away filtering device details
  46. • Outside the data center (traditional)
  47. • Inside the data center (virtualized)
  48. [image-only slide]
  49. • AlgoSec standard risks +
     • User-defined risks +
     • Connectivity spreadsheet violations
     • What-if risk check, before changes are implemented
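Slides 39, 43 and 49 ask for a segmentation-aware change process: every proposed rule is checked against the connectivity matrix (the "connectivity spreadsheet violations" risk) before it is implemented, and the check should work the same way for the virtualized and the traditional side of the network. The Python below is an added example of such a what-if check and is not AlgoSec code. It assumes a simplified rule model (an allow rule is a source CIDR, destination CIDR, protocol and destination port) and uses constructed zone assignments, a constructed matrix and constructed change requests. Beyond the matrix lookup it flags the two ways a rule can defeat the zoning even when its service looks legitimate: a rule object that is assigned to no zone, and a rule object wide enough to span several zones.

```python
# Added example: what-if check of candidate firewall rules against the
# connectivity matrix. Not AlgoSec code; zones, matrix and requests are constructed.
import ipaddress

# Constructed zoning: subnets assigned to zones.
ZONES = {
    "users": ["10.10.0.0/16"],
    "app-zone-1": ["10.20.1.0/24"],
    "db-zone": ["10.20.2.0/24"],
    "infra": ["10.30.0.0/24"],
}

# Constructed connectivity matrix: services allowed from zone A to zone B.
# A zone pair missing here allows nothing.
MATRIX = {
    ("users", "app-zone-1"): {("tcp", 443)},
    ("app-zone-1", "db-zone"): {("tcp", 5432)},
    ("users", "infra"): {("udp", 53)},
    ("app-zone-1", "infra"): {("udp", 53), ("udp", 123)},
}

# Constructed change requests, each a simplified allow rule:
# (src_cidr, dst_cidr, proto, dst_port)
REQUESTS = [
    ("10.10.0.0/16", "10.20.1.0/24", "tcp", 443),   # matches the matrix
    ("10.10.0.0/16", "10.20.2.0/24", "tcp", 5432),  # users straight to the DB zone
    ("10.20.1.0/24", "10.30.0.0/24", "udp", 123),   # NTP to infra: allowed
    ("10.0.0.0/8", "10.20.2.0/24", "tcp", 22),      # source object spans every zone
]

def zones_overlapping(cidr, zones):
    """Set of zones whose subnets overlap the rule object's CIDR."""
    net = ipaddress.ip_network(cidr)
    return {name for name, cidrs in zones.items()
            if any(net.overlaps(ipaddress.ip_network(z)) for z in cidrs)}

def check_rule(rule, zones=ZONES, matrix=MATRIX):
    """Return violation messages for one allow rule; [] means it complies with zoning."""
    src, dst, proto, port = rule
    src_zones = zones_overlapping(src, zones)
    dst_zones = zones_overlapping(dst, zones)
    violations = []
    # A rule object that is in no zone, or spans several zones, defeats the zoning.
    for label, cidr, hit in (("source", src, src_zones), ("destination", dst, dst_zones)):
        if not hit:
            violations.append(f"{label} {cidr} is assigned to no zone")
        elif len(hit) > 1:
            violations.append(f"{label} {cidr} spans zones {sorted(hit)}")
    # Every zone-crossing (pair, service) the rule would open must be in the matrix.
    for src_zone in sorted(src_zones):
        for dst_zone in sorted(dst_zones):
            if src_zone == dst_zone:
                continue  # intra-zone traffic is unfiltered anyway
            if (proto, port) not in matrix.get((src_zone, dst_zone), set()):
                violations.append(
                    f"{proto}/{port} from {src_zone} to {dst_zone} "
                    "is not in the connectivity matrix")
    return violations

def audit(rules, zones=ZONES, matrix=MATRIX):
    """Map each non-compliant rule to its violations; compliant rules are omitted."""
    report = {}
    for rule in rules:
        violations = check_rule(rule, zones, matrix)
        if violations:
            report[rule] = violations
    return report

if __name__ == "__main__":
    for rule, violations in audit(REQUESTS).items():
        print(rule)
        for v in violations:
            print("   ", v)
```

Running the same `audit` over an exported rulebase instead of over pending requests gives the "automated comparison to the connectivity matrix" the summary slide lists under maintenance; because the check works on zones rather than on device syntax, the same function serves rules destined for the virtualized data center and for traditional devices outside it.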
  50. POLL: What are your plans for filtering east-west traffic?
     • Already implemented
     • Planning to implement over the next 6 months
     • Planning to implement over the next 6-12 months
     • No plans
     Please vote using the “votes from audience” tab in your BrightTALK panel
  51. SUMMARY
     Plan
     • Discover business applications’ connectivity requirements
     • Design zoning, write policy for zone-crossing flows
     • Document in a connectivity matrix
     Maintain
     • Visibility, automated comparison to the connectivity matrix
     • Segmentation-aware change process
  52. MORE RESOURCES: www.algosec.com/resources (whitepapers, Prof. Wool courses, datasheet)
  53. THANK YOU! Questions can be emailed to marketing@algosec.com
