Security

Get a Quick Primer on How Microsegmentation Can Improve Network Security

A strategy that relies on segmentation and app logic to create smaller zones can make security more granular and nimble.

Keith Townsend

Twitter

Keith Townsend, an enterprise infrastructure architect, is also well known as the CTO Advisor blogger. Find his advice at thectoadvisor.com.

For any company that’s been through a Payment Card Industry Data Security Standard audit, the IT team knows the pains of segmenting a data center into security zones.

For those that have not participated in a PCI DSS audit, here’s a quick take: At a high level, payment card data resides in a secure network segment. In theory, if a lower-level security zone experiences a compromise, firewalls protect the PCI compartment.

But recent intrusions illustrate that this is a flawed model. If a single host becomes compromised, the implicit network trust within the PCI zone becomes a liability. Virtualization and microsegmentation offer mechanisms to shrink the zones and create smaller security pools. But there are additional advantages to microsegmentation beyond merely limiting a network’s attack surface.

To establish an end-to-end, zero-trust network where security policies are applied regardless of workload location requires microsegmentation at scale. Before getting into the details of such segmentation, it’s important to discuss network virtualization as an aspect of this work — or even a precursor.

The Need to Create Logical Network Security Zones

Once the shackles of the physical network fall to the side, security architects redesign security based on logical policy versus physical location. In traditional edge-based security models, IT designs typically assign workloads to zones based on physical firewall design. Security rules rely on the physical interfaces of the firewall to protect traffic flow.

In a virtualized network, the physical location of workloads doesn’t matter. Security architects create zones based on application traffic flow. Because the virtual network is an overlay of the physical network, security administrators create security zones based on application logic versus the physical attributes of the network.

The ability to control security by app logic enables a new approach to security validation. Microsegmentation offers an abstraction that exists as part of other cloud-like technologies.

Network Virtualization Changes the Attack Surface

Security organizations test two aspects of their network security. The first layer of verification is the validation of zero trust. Since application flows are understood, network port scans run against virtual machines. The results of scans validate the intended flows.

This first layer builds confidence in the microsegmented network. The great security risk and focus of test and remediation moves to the application layer. There are practical advantages to moving focus to the higher abstractions.

Not much changes in penetration testing of the application. The risk of jumping from one security zone to another lessens with microsegmentation. If an application running on a VM experiences a security event via stolen credentials or vulnerability, the resulting attack surface is the localized operating system and permitted application traffic within the zone.

It’s important to note that while network virtualization reduces the attack surface of the network, it increases the administrative attack surface. Because the hypervisor replaces the physical network, you must secure access to it.

Most organizations will continue to segregate responsibility of the network from the VM environment.

Security engineers must work with virtualization engineers to design hypervisor policies that properly segment responsibility — without restricting access to the point of adversely impacting operations.

Defining Network Security Zones Is Critical

Security based on microsegmentation will only be as effective as the size of the zones. The smaller the zones, the lower the overall risk. But the smaller the zones, the larger the administrative burden. Why? Because more security rules and policies will be necessary.

No one-size-fits-all approach applies across organizations. Each organization’s data policy and risk tolerance will dictate security zone design. A great thing: The technology is no longer complicated.

Remember, microsegmentation is just a tool. The value of a good security team comes from understanding application flows and design policies given the new capability of virtualization and segmentation.

Do You Need to Better Defend the Hypervisor? Maybe

While microsegmentation reduces the attack surface of the network, many question the security of the hypervisor.

One topic that raises its head every few years is “VM escape.” Virtual machine escape occurs when a guest running on a hypervisor is compromised, and then allows for compromise of the hypervisor host.

In theory, if a VM host gets owned, it’s the equivalent of placing an intruder in the middle of the data center with physical access to all of the hosts, storage and networks within it. Recently, VMware announced a vulnerability in both VMware Workstation and ESXi. It’s important to note why one is alarming and the other isn’t.

As a back story, a researcher at the computer hacking contest Pwn2Own successfully compromised a Microsoft Edge browser running inside a Windows 10 VM on a Windows 10 VMware Workstation host. The researcher then leveraged a virtual hardware vulnerability to escape the Windows 10 VM sandbox. Once the VMware hypervisor falls, all the guest VMs running on the host become vulnerable.

According to VMware, all VMware hypervisor platforms are susceptible to the vulnerability. The major difference is the platform targeted. Escaping to a general purpose OS versus a hardened hypervisor such as vSphere are two completely different levels of risk.

vSphere has many additional layers of security within the OS compared with a general OS, such as Windows or Apple OS X. The attack surface for Windows is much larger than that of vSphere. Therefore, there’s little risk of VM escape impacting vSphere environments.

Nonetheless, virtualization teams should still take precautions such as following hardening guides for their target hypervisors. If your environment leverages a hypervisor running on a general purpose OS, you will want to ensure that you don’t run unnecessary services on VM hosts.

David Vogin