<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1128080247322235&amp;ev=PageView&amp;noscript=1">

Gyrocom Blog

Ryan Coombes

Micro-segmentation in a Nutshell

by Ryan Coombes

on Dec 18, 2014 11:12:00 AM

Micro segmentation is the latest hot topic within the industry, based upon achieving a truly secure enterprise environment. As many modern breaches have proved, a perimeter-centric network security strategy for enterprise data centers is no longer adequate!

To understand micro-segmentation you first have to understand the way an enterprise environment is currently secured. Today most environments adopt a “Castle Model”, which is a perimeter gateway firewall that secures all the users and the hosts within an enterprise. All systems and sources of information that sit behind these perimeter firewalls are then trusted.

Micro segmentation, however, employs a new model termed the ‘Hotel Model” where all users and hosts within an environment essentially have their own “room” keys. The basis for this model is one of zero trust and all communications are secured.

Castle_VS_Hotel

Generally within a data centre, centralised firewalls are deployed with large rule bases and traffic is then steered to these centralised firewalls between segments or hosts. This causes a lot of tromboning of traffic, meaning traffic is typically steered from a host, down through the network, to the firewall and then back up to its destination. Micro segmentation eliminates this tromboning effect by replacing this North to South type traffic with East to West traffic, whereby communication between hosts is now dealt with within the hypervisor.

Micro-segmentation also enables Layer-2 to Layer-4 firewalling, particularly within VMware NSX. Layer-4 to Layer-7 firewalling is covered by third parties or service integrations with security vendors such as Palo Alto Networks.

The other key advantage of micro-segmentation is its dynamic updates of firewall rules. As a virtual machine (VM) is moved from host-to-host the rule or the object within the firewall is moved along with that particular VM; equally, if a particular VM is deleted, any rules that are associated with that VM are deleted along with it, keeping the rule base exceptionally tidy. Within a centralised model these rulebases would have to be continuously maintained. The resulting effect is that more often than not the rulebase ends up being ignored, likening a centralised firewall model to a block of Swiss cheese, riddled with holes meaning any money being spent on its real purpose is pretty much rendered useless.

The key benefits of deploying micro-segmentation include:

  • Agility- speedier time of deployment
  • Flexibility- no longer need to worry about manual rulebases
  • Next Generation Security- most security rules are now object based, so are not tied to IP address’ or to particular VMs but instead to the application that it’s serving.

When it comes to the business case, network micro-segmentation is not only operationally feasible using VMware NSX, but crucially cost-effective, enabling the deployment of security controls inside the datacenter network for a fraction of the hardware cost.

To find out more about micro-segmentation and how it is possible with VMware NSX, sign up to our free VMware NSX Lunch and Learn event here.

Download NSX eBook HERE

Topics: VMWare NSX, Micro-Segmentation, Network Virtualisation