In a traditional network, segmentation is achieved through mechanisms such as zoning, firewalls and VLANs. The core idea behind segmentation is separation, isolation and effective control, so as to limit movement across the network. Micro-segmentation, as the name implies, takes this concept to a more granular level, allowing workloads to be separated dynamically and, where applicable, even limiting process-to-process communication. Proponents of micro-segmentation argue that the network is unaware of the applications and databases running within its perimeter, and hence network-level segmentation may not be effective at curtailing attacks on those applications or databases. Some go as far as suggesting that firewalls are too cumbersome and inflexible for the dynamic nature of today's cloud systems; something more adaptive is needed that can confine an attacker's exploitation to a single application rather than letting it spread to other applications or databases. Numerous tools are available that create visibility and limit attacks on applications using micro-segmentation. The model rests on two principles. The first is "granular segmentation": in the data center it is applied at the hypervisor, container and microservice level, whereas in a traditional network deployment the same concept can be applied to network slicing, e.g. network slicing for 5G transport. The second, and most important, is "dynamic segmentation", which enhances the former with threat intelligence and dynamic policy enforcement when a threat is detected. Both serve the underlying goal of stopping lateral movement in the event of an attack.
Micro-segmentation in Networks
Much of the discussion of micro-segmentation focuses on the data center, and even in the scholarly literature there is a gap on how micro-segmentation can be applied at the network level. Like zero trust, micro-segmentation is a model that can be applied to any segment of a network. For this discussion, consider a 5G network as an example. In a standard deployment, network slicing isolates and restricts traffic through a logical instantiation of the physical network that carries all the functions needed to run a given service. Network slicing can be implemented in a number of ways, such as through VPN tunnels, network overlays, and/or Segment Routing in conjunction with VPN or overlay protocols. As 5G offers higher bandwidth and an enhanced user experience, a number of services can be deployed, each with its own requirements, and network slicing becomes useful. Figure 1 below depicts typical network slicing for a 5G implementation, allowing traffic distinction, segmentation and isolation. The service provider may implement appropriate QoS and traffic shaping for each network slice. As shown in the figure, traffic for industrial IoT, autonomous vehicles, devices and mobile phones can be isolated and assigned to their respective network slices. The network underlay can be either IPv6 or MPLS; Segment Routing can provide an effective traffic path, while VPN tunneling (e.g. VPLS, L2VPN) and overlay protocols such as VXLAN can be used for the segmented transport of each network slice. Such isolation and restrictive traffic treatment make network slicing very effective.
Figure 1. Network slicing example for micro-segmentation.
Each network segment can be further granularized with an appropriate security policy for each sub-segment (figure 2). For example, traffic processing at the MEC (Multi-access Edge Computing) node or edge micro data center can implement an AAA (Authentication, Authorization & Accounting) entity for each network slice, and granularize further at the level of a given NFV (Network Function Virtualization) function. However, the AAA functionality of a micro-segment should be kept lightweight to avoid complexity. For instance, a massive IoT deployment does not require features such as handover or location update, which are used with mobile devices (Mämmelä et al., 2016). This is because such an IoT service connects immobile sensors that measure parameters such as humidity and precipitation; mobility is not required, but security is critical.
Figure 2. Typical implementation of micro-segment in 5G Networks: Micro-segmentation for IOT network slice.
Figure 2 depicts an example of micro-segmentation in a single domain built on top of an LTE FWA (Fixed Wireless Access) architecture. In this example, one general IoT network slice and two micro-segments are created, one for smart metering and the other for personal health.
Micro-segmentation in Workloads and Applications
While micro-segmentation and dynamic perimeter defenses such as Software Defined Perimeter (SDP) provide protection against lateral movement within the network, an attacker's access to sensitive data can be further restricted by implementing micro-segmentation at the workload, application and even hypervisor level. In a traditional data center design, segmentation is done on the assumption that traffic is "north-south", meaning user-to-server or client-to-server traffic. For such segmentation, standalone firewalls and zoning techniques are used to enforce security policy. This adds undue complexity and performance problems to modern data center designs, where more than 70% of traffic is "east-west", meaning server-to-server. Server-to-server communication often gets choked by the hairpinning of east-west traffic through a standalone firewall. As shown in figure 3 below, VM-to-VM traffic within the same rack or across racks is required to pass through the standalone firewall and is subject to performance issues. Additionally, the growing rule set in a standalone firewall is difficult to keep track of and over time becomes cumbersome to manage.
Figure 3. Firewall is inadequate to create effective segmentation in modern data center due to east-west traffic pattern.
Network-centric segmentation implemented through a standalone firewall is subject to two key operational barriers: throughput capacity and security management. There are, however, variations of network-centric segmentation known as "network fabric based" micro-segmentation that allow further granularization and dynamic security policy assignment at a granular level. One example of such an implementation is Cisco® ACI™. The limitation of this approach is that it only works with Cisco switches and cannot be integrated with third-party network devices.
Today, data center application deployments are dynamic: VM instances and their associated applications can be spun up and torn down instantly. If firewall rules had to be manually added, deleted and/or modified to accommodate this, the rate of change would quickly overwhelm IT operations. In the hypervisor- and host-based micro-segmentation model, such firewall rules are applied dynamically. Proponents of hypervisor- and host-based micro-segmentation argue that dynamic firewall rules at the hypervisor and host level do not impact performance the way they would on a centralized firewall. More importantly, with hypervisor- and host-based micro-segmentation the paths between applications can be further restricted through firewall rules, so that access is granted only over approved paths. In this way, if an attacker manages to compromise a single application, the exposure can be limited to that application.
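As an added example (not code from the original page or from any vendor product), the following Python compiles a label-based allow-list into a per-workload nftables ruleset with default-deny inbound. The point it demonstrates is the "approved paths only" property described above: the policy never names an address, so a VM that is spun up with an existing label inherits the right rules on the next render without anyone editing a firewall. The inventory, labels, addresses and policy are constructed for illustration; the nft syntax is real.

```python
"""Host-based micro-segmentation: compile a label-based allow-list into a
per-workload nftables ruleset with default-deny inbound.

Added example, not code from the page or any product. Inventory, labels,
addresses and the policy below are constructed; the nft syntax is real.
"""

# Constructed inventory, as a discovery or orchestration API might return it.
INVENTORY = {
    "web-01": {"ip": "10.0.1.11", "app": "web"},
    "web-02": {"ip": "10.0.1.12", "app": "web"},
    "api-01": {"ip": "10.0.2.21", "app": "api"},
    "db-01":  {"ip": "10.0.3.31", "app": "db"},
    "hr-01":  {"ip": "10.0.4.41", "app": "hr"},
}

# Policy is expressed in application labels, never in addresses:
# (source app, destination app, protocol, destination port).
# There is deliberately no web -> db entry: web must go through api.
POLICY = [
    ("web", "api", "tcp", 8443),
    ("api", "db",  "tcp", 5432),
    ("hr",  "db",  "tcp", 5432),
]


def peers(app, inventory):
    """Addresses currently carrying a label (re-evaluated on every render)."""
    return sorted(h["ip"] for h in inventory.values() if h["app"] == app)


def render_nftables(hostname, inventory, policy):
    """Return the nft ruleset for one workload: drop all inbound traffic
    except loopback, established/related, and flows the policy allows
    from the current members of each permitted source group."""
    app = inventory[hostname]["app"]
    lines = [
        "table inet microseg {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src_app, dst_app, proto, port in policy:
        if dst_app != app:
            continue
        ips = peers(src_app, inventory)
        if not ips:          # an empty group yields no rule, not an open one
            continue
        lines.append(
            f"    ip saddr {{ {', '.join(ips)} }} {proto} dport {port} accept"
            f' comment "{src_app} -> {dst_app}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


def is_allowed(src_ip, dst_ip, proto, port, inventory, policy):
    """Predict the verdict the rendered ruleset on dst_ip gives a new flow."""
    by_ip = {h["ip"]: h["app"] for h in inventory.values()}
    src_app, dst_app = by_ip.get(src_ip), by_ip.get(dst_ip)
    if src_app is None or dst_app is None:
        return False          # unknown peer: no set contains it, policy drop
    return (src_app, dst_app, proto, port) in set(policy)


if __name__ == "__main__":
    print(render_nftables("db-01", INVENTORY, POLICY))
```

In a host-based deployment the agent on each workload would re-run `render_nftables` for its own hostname whenever the inventory changes and load the result with `nft -f`. Note that this ruleset only filters inbound traffic on the destination; the `policy drop` on the input hook is what turns the allow-list into the default deny that limits an attacker who has compromised one application to that application's approved peers.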
Micro-segmentation can be implemented in two ways:
Agent-less: This approach generally depends on existing third-party APIs, SPAN ports, NetFlow and similar sources to collect and control traffic. It allows flow visibility, context and alerts to be collected, which in turn can be used to set security policies. Many network devices that support a standard interface such as NETCONF for SDN (Software Defined Networking) can be integrated with an orchestration platform to create security policies for micro-segmentation. In a typical environment, a controller, here called the "packet handler", performs this job by applying policy according to the characteristics of a traffic flow. As shown in the figure below, the packet handler connects to different
Agent-based: In contrast, the agent-based approach places a small-footprint agent on servers and network devices, running in user space of the underlying OS. An API collects the information required for security policies to be implemented. Agents can be deployed through existing management and automation tools such as Ansible, Chef, Puppet or SCCM, or built into cloud workload templates.
How it works
Implementation of micro-segmentation is typically realized through seven steps (Klein, 2019):
Discovery and identification: The critical first task before deploying micro-segmentation is a discovery process that finds the applications and processes running within the data center and the traffic paths between them. This requires deep visibility into data center assets.
Dependency mapping: Next, the relationships among the data center assets need to be identified. This process can be simplified and accelerated with graphical visualization and mapping tools.
Grouping of applications for security policy: Once application dependencies are identified, operators should devise logical groupings of applications so that appropriate security policies can be created for each. For example, web applications can be grouped together under one security policy, distinct from the policies applied to the logical groups of HR or finance applications.
Security policy implementation: Once the logical grouping is done and the operator has decided which rules need to be applied to each logical group, micro-segmentation policies can be created, tested and refined as needed for each group.
Deployment of security policies: Once the security policies are created for each logical group, operators should deploy them in phases so as not to disrupt legitimate user access to applications.
Monitor: System administrators should continue to monitor for anomalies in network or application access. For example, if web applications are seen accessing data from HR applications, or traffic flows between two distinct logical groups that normally should not communicate, the administrator must immediately act to restrict that traffic or access. Continual monitoring is critical to enforcing security policies.
Enforcement: As discussed, administrators must monitor for anomalies; this can be automated in software during the policy creation phase, where administrators establish rules that trigger a specific enforcement response when a threat is detected.
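The seven steps above, carried through end to end on constructed data, as an added example that is not code from Klein (2019) or from the original page. It also stands in for the agent-less collection path described earlier: the input is a reduced NetFlow/IPFIX-style record (5-tuple plus packet count) such as a SPAN or NetFlow collector would keep. Discovery supplies asset labels, dependency mapping aggregates the baseline flows, grouping lifts host edges to application-group edges, policy creation turns those into an allow-list, and monitoring evaluates later flows against it, in log-only mode for a phased rollout or with a block action once enforcement is switched on. Labels, addresses, ports and all flow records are constructed.

```python
"""Micro-segmentation lifecycle on constructed flow data: discovery,
dependency mapping, grouping, policy creation, phased monitoring and
enforcement.

Added example, not from Klein (2019) or the original page. Labels, flow
records and ports are constructed; the record format is a reduced
NetFlow/IPFIX-style 5-tuple with a packet count, as an agent-less
collector would keep it.
"""
from collections import defaultdict

# Step 1, discovery: asset labels as an inventory query would return them.
LABELS = {
    "10.0.1.11": "web", "10.0.1.12": "web",
    "10.0.2.21": "api",
    "10.0.3.31": "db",
    "10.0.4.41": "hr-app", "10.0.4.42": "hr-db",
}

# Baseline flows captured during discovery. Constructed.
# Fields: src, dst, proto, dport, packets
BASELINE = """\
10.0.1.11,10.0.2.21,tcp,8443,120
10.0.1.12,10.0.2.21,tcp,8443,98
10.0.2.21,10.0.3.31,tcp,5432,400
10.0.4.41,10.0.4.42,tcp,5432,57
10.0.1.11,10.0.2.21,tcp,8443,130
"""

# Flows seen after the policy went live. Constructed.
NEW_FLOWS = """\
10.0.1.11,10.0.2.21,tcp,8443,40
10.0.1.12,10.0.4.42,tcp,5432,3      # a web host reaching the HR database
10.0.2.21,10.0.3.31,tcp,5432,88
192.0.2.7,10.0.3.31,tcp,5432,1      # an unlabelled external source
"""


def parse_flows(text):
    """Parse 'src,dst,proto,dport,packets' lines; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport, pkts = [f.strip() for f in line.split(",")]
        flows.append((src, dst, proto, int(dport), int(pkts)))
    return flows


def dependency_map(flows):
    """Step 2: aggregate flows per (src, dst, proto, dport), packet-weighted."""
    deps = defaultdict(int)
    for src, dst, proto, dport, pkts in flows:
        deps[(src, dst, proto, dport)] += pkts
    return dict(deps)


def group_edges(deps, labels):
    """Step 3: lift host-level edges to application-group edges."""
    edges = defaultdict(int)
    for (src, dst, proto, dport), pkts in deps.items():
        key = (labels.get(src, "unknown"), labels.get(dst, "unknown"), proto, dport)
        edges[key] += pkts
    return dict(edges)


def build_policy(edges):
    """Step 4: each baseline edge between labelled groups becomes an allow
    rule. Edges touching an unlabelled asset are not learned, so a stray
    host in the baseline does not silently become a permitted peer."""
    return {e for e in edges if "unknown" not in e[:2]}


def evaluate(flow, policy, labels):
    """Step 6: classify one flow against the group-level allow list."""
    src, dst, proto, dport, _ = flow
    edge = (labels.get(src, "unknown"), labels.get(dst, "unknown"), proto, dport)
    return ("allow" if edge in policy else "deny"), edge


def monitor(flows, policy, labels, enforce=False):
    """Steps 5 to 7: report violations. During phased rollout run with
    enforce=False (log only); with enforce=True each violation becomes a
    block action on the offending 4-tuple, the trigger the text describes."""
    violations = []
    for flow in flows:
        verdict, edge = evaluate(flow, policy, labels)
        if verdict == "deny":
            violations.append((edge, ("block" if enforce else "log", flow[:4])))
    return violations


if __name__ == "__main__":
    policy = build_policy(group_edges(dependency_map(parse_flows(BASELINE)), LABELS))
    for edge, action in monitor(parse_flows(NEW_FLOWS), policy, LABELS, enforce=True):
        print(f"{edge[0]} -> {edge[1]} {edge[2]}/{edge[3]}: {action}")
```

Two design choices matter here. Policy is learned at group level, not host level, so adding a second database host with the `db` label needs no new rule; and flows that involve an unlabelled asset are never learned into the allow-list, which is the safe default when discovery is incomplete. The web-to-HR-database flow in the constructed data is exactly the anomaly the Monitor step describes, and it surfaces as a deny whether or not enforcement is on; the difference between the phases is only whether the action is "log" or "block".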
Despite vendor claims of adequate protection for the network, its workloads and its applications, no single micro-segmentation product or solution is sufficient on its own. For example, network fabric, hypervisor and host based micro-segmentation may protect against attacks at layers 2 to 4, but those products alone cannot protect against layer 7 attacks, which may require integration of third-party next-generation firewall components. Operators are advised to consider these facts before committing to specific products or solutions. Overall, a zero trust policy needs careful formulation; micro-segmentation is a subset of it and does not by itself protect all IT assets.
- Klein, D., 2019. Micro-segmentation: securing complex cloud environments. Network Security, March, 2019, GuardiCore.
- Mämmelä, O., Suomalainen, J., Ahola, K. & Vehkaperä, 2016. Toward Micro-segmentation in 5G Network Security. Conference Paper. ResearchGate.