Advanced security through Micro-Segmentation in the modern datacenter

    The modern datacentre is changing and with it, the security threats.  Traditionally security was focused at the perimeter of the datacentre but security threats have evolved to the point where perimeter security cannot be the only focus. 

    Recently publicised ransomware attacks highlighted this more than anything, once a machine within the network was infected the malware quickly spread across the network with little resistance. 

    Virtualisation overcame many challenges making the datacentre more efficient and scalable, freeing up the technical staff to concentrate on more pressing issues, such as security. 

    With advancement in technology inspired by the public Cloud, the enterprise datacentre is evolving to a software defined datacentre model, moving not only computer but also network and storage contexts into software defined, allowing for agility, scalability and automated datacentres that are similar to public cloud platforms. 

    Traditionally security has been an afterthought but as the recent ransomware attacks have shown that can’t be the case anymore.

    With network virtualisation, networking contexts such as switching, routing, load balancing and security can all be automated and controlled through software policies.  The term Micro-segmentation is the security technique that provides workload protection “East-West” that is not just at the perimeter of the network but also inside of the network.

    The large majority of data flows in the datacentre is East-West data moving from within the datacentre rather than communicating with external sources.  Traditionally securing East-West workloads required a lot of effort and management that included physical firewalls and multiple access lists to manage, which presented a lot of operational challenges and a high total cost of ownership.

    By using network virtualisation, this east-west security enforcement is moved into software and can be controlled through centralised policies.  Policies can be assigned to workloads to ensure all workloads fall into security compliance.  Policies can be automatically added to workloads simply by the object type or through things such as security tags which automatically applies the relevant security for the workload.

    Using a policy driven software approach for security allows for a “zero-trust” model for the datacentre, meaning a workload such as a web server or an application server can only ever communicate with the services they need to be able to function, while all other access is blocked by default.  Reducing the attack surface this way for the datacentre has to be a key strategy in any modern data centre.

    VMware NSX provides network virtualisation and with it, policy driven micro-segmentation.  VMware NSX integrates directly with VMware vSphere hypervisor and applies network constructs along with the associated security policies direct to the VM.  Applying a firewall at the VM level makes it more efficient for data flow but also management.

    As the security is managed via policies it can be dynamically assigned to workloads and allows for persistence no matter what underlying hardware the VM is running within the datacentre and even across multiple sites.  Security persistence can also still apply in a DR situation, as the policy is recovered with the VM during a failover and with VMware’s recent partnership with AWS security, persistence can now stretch these security features into the AWS public cloud.

    Taking the protection further

    VMware NSX offers tight integration with established 3rd party security vendors such as Trend Micro and Palo Alto to not only integrate with existing datacentre solutions in place, but also to add further features to software defined network constructs within NSX.

    Using these solutions, it’s possible to do agentless malware protection for all VMs within the datacentre where scanning and removal of malware is done at the Hypervisor level, reducing un-necessary resource consumption and therefore the costs.  If malware is detected on the VM, a security tag is added to the VM and NSX can automatically block all traffic to and from that VM which will be isolated using a quarantine network.  The administrator can then investigate the problem and remediate without the risk of further spread of the malware from one VM to another.

    This is particularly powerful when integrated with a VDI product such as VMware Horizon. With Horizon, desktops are virtual and can be stateless clones of an offline protected gold image. Therefore, should a clone get infected with malware such as ransomware the desktop will be automatically quarantined through NSX, and as the desktop is stateless it can simply just be destroyed, and the user simply logs onto another clone with their data intact.

    VMware NSX 3rd party integration solutions also provide further advanced features such as web reputation, intrusion prevention and integrity monitoring.

    Knowing what to protect

    Knowing what traffic to block and what traffic to allow East-West is critical but it can also seem an impossible task within larger organisations.  Insight can assist with the process and offer a free assessment to monitor the existing network flows and report on exactly what services communicate together and critically on what port.  Using this data, Insight can also advice on how NSX can provide security policies to match these flows to apply the zero-trust model to your environment without affecting production services.

    The assessment runs on VMware vRealize Network Insight and pulls vital information of the traffic flows together for review.  Traffic details such as host – destination IPs on what port and protocol for all traffic East-West but also what is going external.

    Additional information on this free Insight Virtual Network Micro-Segmentation Assessment can be found here

    Insight can also provide advice and guidance on how to use VMware NSX, along with various other 3rd party security products as mentioned above to achieve maximum security within your data centre. Our solutions architects have vast experience designing modern day software defined data centre and private cloud solutions with security built in at every component level of the platform. If you would like to have a discussion or a free consultation with one of our solutions architects, please get in touch with your Insight account manager.