Senior Research Analyst
Rob Brooks is senior research analyst on Optiv’s partner strategy & research team. In this role he is responsible for administering Optiv's private cloud as well as vetting security products.
Using Micro-Segmentation to Protect Your Data – Part 2
In my previous blog post, I discussed core concepts of micro-segmentation and the technology companies whose products make up the foundation of the space. In this post, I will cover technology providers whose products integrate within the micro-segmentation space, as well as various concepts around the products.
While micro-segmentation, software-defined networking (SDN) and software-defined data center (SDDC) technology providers VMware, Cisco and Amazon Web Services provide the core foundation of the space, other technologies exist that integrate with and enrich it. These include firewalls, enhanced workload visibility, and automated deception and incident response (IR) capabilities. Some of these products integrate natively into the core providers’ technology stack, while others integrate through agents or software installed on each host.
As previously stated, firewalls are one of the primary integrations found in micro-segmentation/SDDC implementations. Leading micro-segmentation firewall providers include Palo Alto Networks, Fortinet, Cisco and Check Point. Other, less commonly implemented firewall providers that integrate into micro-segmentation environments include Juniper, SonicWALL, Sophos and Huawei.
Firewall implementations in SDDC environments typically involve registering the virtual device as a service; traffic is then steered to the firewall as policy dictates. Palo Alto Networks is one of the most commonly used firewalls in software-defined networking implementations involving VMware’s NSX. The joint solution uses VMware NSX to fully automate the provisioning and deployment of the Palo Alto Networks VM-Series firewall, allowing organizations to protect their applications and data from today’s advanced cyber attacks.
In the NSX use case, with the help of Panorama, a Palo Alto VM-Series firewall is registered as a service with VMware NSX Manager and provisioned to each ESXi host within the compute cluster. This solution delivers the following capabilities: independence from network topology; next-generation security protection for virtualized applications and data; seamless traffic steering to next-generation security; dynamic security policies based on application, content and user; and multiple security policy sets within the SDDC environment. As new VM hosts are provisioned, NSX Manager dynamically provides Panorama with the relevant IP information so that the firewall policy is updated. Traffic steering rules are tailored via the VMware Network Introspection Service. Security policies follow ephemeral systems in a cloud environment, and the steered traffic is inspected with Palo Alto features such as App-ID, URL Filtering, WildFire and Threat Prevention.
Similar to the Palo Alto VM-Series deployment in a VMware NSX environment, Fortinet’s FortiGate VMX firewall is also deployed as a service through direct API integration with VMware’s NSX Manager. All hosts in the designated compute cluster are auto-deployed with FortiGate VMX VMs and automatically licensed. Fortinet’s Virtual Domain (VDOM) technology, which allows a single FortiGate unit to be segmented into multiple instances, is also available with the VMX firewall. FortiGate VDOMs can be used for multi-tenancy as well, removing the need for a separate security technology for each tenant hosted in the environment.
Illumio’s Adaptive Security Platform (ASP) is a micro-segmentation product that provides policy enforcement and live visibility of applications, systems and network flows. ASP is platform independent: it can be deployed on bare-metal systems, virtual machines and containers, and can function in private data centers and hybrid/public cloud infrastructures. Logic for ASP is controlled by the Policy Compute Engine (PCE). As the centralized point of control for ASP, the PCE receives inputs from various infrastructure and workload components (e.g. IPs, services, ports, traffic flows) and analyzes this data using graph theory. The output from this analysis is the Illumination application maps and the adaptive segmentation policy. Segmentation is enforced in a workload through a lightweight agent called the Virtual Enforcement Node (VEN). The VEN continuously communicates with the PCE to apply an application-centric adaptive segmentation policy throughout the environment.
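To make the "flows in, application map and policy out" idea concrete, here is an added toy example (my own illustration, not Illumio's PCE or VEN code): agent-style flow telemetry is turned into a label-based dependency graph, an allow-list policy is derived from it, and an enforcement check applies that policy to new flows. The workload inventory, labels, flow records and rule format are all constructed assumptions.

```python
# Added illustration of a centralized "policy compute" step, not vendor code.
# Workloads are identified by labels (application, tier) rather than IPs, so a
# rule derived once keeps applying to newly provisioned workloads with the same
# labels. Everything not explicitly observed/allowed is denied.
from collections import defaultdict

# Constructed inventory: IP -> (application, tier)
WORKLOADS = {
    "10.0.1.10": ("ordering", "web"),
    "10.0.1.20": ("ordering", "app"),
    "10.0.1.30": ("ordering", "db"),
    "10.0.2.10": ("hr", "web"),
    "10.0.2.30": ("hr", "db"),
}

# Constructed flow telemetry as an agent would report it: (src, dst, port, proto)
FLOWS = [
    ("10.0.1.10", "10.0.1.20", 8080, "tcp"),
    ("10.0.1.20", "10.0.1.30", 5432, "tcp"),
    ("10.0.2.10", "10.0.2.30", 5432, "tcp"),
    ("10.0.1.10", "10.0.1.20", 8080, "tcp"),  # duplicate observation, collapsed
]


def build_app_map(flows, inventory):
    """Dependency graph keyed on labels: {(src_label, dst_label): {(port, proto)}}."""
    edges = defaultdict(set)
    for src, dst, port, proto in flows:
        if src in inventory and dst in inventory:
            edges[(inventory[src], inventory[dst])].add((port, proto))
    return dict(edges)


def compute_policy(app_map):
    """Allow-list rules (src_label, dst_label, port, proto) derived from the map."""
    return sorted((s, d, p, pr) for (s, d), svcs in app_map.items() for p, pr in svcs)


def is_allowed(policy, inventory, src_ip, dst_ip, port, proto):
    """Enforcement-side check: permit only flows covered by a label rule."""
    if src_ip not in inventory or dst_ip not in inventory:
        return False  # unlabeled workload: no rule can match, so default deny
    return (inventory[src_ip], inventory[dst_ip], port, proto) in set(policy)


if __name__ == "__main__":
    rules = compute_policy(build_app_map(FLOWS, WORKLOADS))
    for rule in rules:
        print("ALLOW", rule)
```

Note that a flow the map never contained (for example, the ordering web tier talking straight to the hr database) is denied even though both endpoints are known, which is the east-west containment the post describes.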
Guardicore’s Centra Security Platform is another third-party micro-segmentation product that provides enhanced workload visibility as well as segmentation policy, breach detection, deception and response capabilities. Centra uses a lightweight agent on bare-metal systems and virtual machines, and can integrate directly with VMware ESXi hypervisors. Context for each flow (e.g. workload, process, user, hash) is provided. Micro-segmentation policy is enforced through integrations with VMware NSX and Check Point vSEC Virtual Gateways, driven by the workload visibility Centra provides. A differentiator for Guardicore is Centra’s threat deception capability, which allows full-featured decoy/honeypot workloads to be provisioned within cloud environments. Integration with VMware NSX allows Centra to respond dynamically to attacks by quarantining systems if needed and removing malicious files as they are detected.
As enterprises continue to expand their virtualization capabilities and migrate more workloads to the cloud, micro-segmentation/SDDC utilization will continue to proliferate. It’s estimated that 75 to 80 percent of enterprise traffic is east-west in nature, so the ability to segment by application or data flow, together with a way to provide visibility into that traffic, is critical. Amazon Web Services and Microsoft Azure will continue to provide vital cloud-enabled services, but third-party micro-segmentation solutions enrich the space and provide functionality that the core technology is unable to provide.