Application Segmentation

Beyond SDN: Micro-Segmentation, Macro-Segmentation or Application-Segmentation Part-2

scottcschweitzer Microsegmentation , , ,

Large publicly traded companies like Cisco, EMC (VMWare) and Arista Networks are deeply entrenched with their customers giving them a beachhead on which they can fairly easily launch new products. Since their brands, and value is well understood and established it’s often a matter of just showing up with a product that is good enough to win new business. By contrast, start-ups like Illumio and Tufin have to struggle to gain brand recognition and work exceptionally hard to secure each and every proof of concept (PoC) engagement. For a PoC to be considered successful these new startups have to demonstrate significant value to the entrenched players as they also need to overcome the institutional inertia behind every buying decision.  So how are Illumio or Tufin any different, and what value could they possibly deliver to justify even considering them? While both Illumio and Tufin are focused on making enterprises and the deployment of enterprise applications more secure, they each leverage a dramatically different approach. First, we’ll explore Tufin, then Illumio.

Tufin has a feature called the Interactive Topology Map, which enables them to traverse your entire physical network, including your use of hybrid clouds to craft a complete map of your infrastructure. This enables them to quickly display on a single pane of glass how everything in your enterprise is connected. They then offer visual path analysis from which you can explore your security and firewall policies across your network. Furthermore, you can use a sophisticated discovery mechanism by which you select two systems, and it explores the path between them and displays all the security policies that might impact data flows between these two systems. In actual practice, as you define an application within Tufin you can leverage this sophisticated discovery or manually define the source, destination, and service. Tufin will then show you the status of the connection, at which point you can drill down to see what if any components in your infrastructure require a change request. They then have a six-step change ticket workflow: Request, Business Approval, Risk Identification, Risk Review, Technical Design, and Auto Verification. To date they appear to support the following vendors: Cisco, Check Point, Palo Alto Networks, Fortinet, Juniper, F5, Intel Security, VMWare NSX, Amazon Web Services, Microsoft Azure, and OpenStack.

By contrast, Illumio takes a much different approach, it designs security from the inside out with no dependencies on infrastructure. They attach an agent to each enterprise application as it is launched. This attached agent then watches over every network flow into and out of the application and records exactly what the application requires to be effective. From this, it computes a security policy for that application that can then be enforced every time that application is launched. It can then adapt to workflow changes, and it also has the capability to encrypt all data flowing between systems. While their videos and data sheets don’t specifically say this it sounds as though they’ve placed a shim into the network OS stack hosting the application so that they can then record all the network traffic flow characteristics, that’s likely how they support on the fly encryption between nodes. They do call out that they use IPTables, so it is possible that their code is an extension of this pre-existing security platform. Clearly, though they are just above the adapter, and Jimmy Ray confirms this in one of his awesome videos that Illumio is based on an “adapter security platform” view. Illumio then provides an enterprise management application to gather the flow data from all these agents to craft, and manage its view of the network.

So while Tufin looks into your network from the outside and enumerates what it finds, Illumio looks from the application out. Both are impressive and yield interesting perspectives worthy of evaluating. Moving forward both are tuned to delivery Application-Segmentation, it will be interesting to see how the market evaluates each, both had strong presences at RSA2016, but it will ultimately be revenue from customers that determines success.

Beyond SDN: Micro-Segmentation, Macro-Segmentation or Application-Segmentation Part-1

scottcschweitzer Microsegmentation

Software Defined Networking (SDN) originally came out of work done to extend the functionality of the Java software framework as early as 1995. In 1998 a number of the key people from Sun Microsystems and Javasoft left to found WebSprocket the first commercial implementation of SDN. Two years later Gartner had recognized SDN as an emerging market and created a new category to track commercial efforts engaged in this space. Now some 15+ years later we have cyber warfare, espionage, and financially motived hackers constantly questing for the chewy center that is our enterprise data. While SDN has addressed some of the deficiencies found in the perimeter only systems, it’s still not comprehensive enough. Some have proposed, and possibly even implemented, setting up zero-trust zones for key enterprise servers where the default policy for access to these systems is “Deny All”. Then as applications are added to a server, specific access controls are added to the switch port of that server to enable the new functionality. The problem with this approach is that it can quickly become very tedious to craft and daunting to maintain. This still leaves several problems.

The smallest practical unit on which security can be applied is the IP address, while a switch can have different policies for each Virtual Machine’s (VM) unique IP address the switch itself will never see VM to VM traffic within the same server. Using switch Access Control Lists (ACL) to enforce security policies at the application and server port layers can quickly tax a switches Content Addressable Memory (CAM). Finally, we have maintenance, can you quickly resolve why a given switch or firewall has a specific security policy or rule? Most organization are incapable of knowing the origin of every single rule as often there is no centralized, cross-vendor, auditable database that exists.

To address some of these issues VMWare and Cisco crafted a new approach they named Micro-Segmentation which defines a new overlay framework where a software management layer takes control of both the hypervisor’s virtual soft switch and the enterprise switching fabric providing a single management perspective. VMWare branded this NSX, and it offers three major advantages: management to the virtualized Network Interface Card (NIC), automated deployment of the security policy with the VM, extending the management framework to include legacy switching. Including legacy, switching isn’t just for compliance, but it’s to address all the issues around deployment across the entire enterprise. Cisco calls this Application Centric Infrastructure (ACI).

Not wanting to be left out of the post-SDN ecosystem Arista Networks added to this by crafting a Macro-Segmentation view. Rather than using an overlay framework instantiated as a series of services woven into hypervisor they are leveraging existing firewall services in both software and hardware. These firewalls can then be easily stood up or reconfigured between servers by leveraging existing software & hardware from well-established firewall vendors like Fortinet and Palo Alto Networks. Actually weaving together a management layer that includes switching and firewalls is much more coherent.

The best solution though resides somewhere between Micro-Segmentation and Macro-Segmentation, and some have called it Application-segmentation. Because in the end, all we really care about is the security of the applications we deploy on our infrastructures. So while VMWare, Cisco & Arista have taken a sort of bottom-up approach, a new breed of network security orchestration applications from companies like Illumio and Tuffin have entered the fray taking a top-down, an Application-Segmentation approach to the same problem. More on this to come in Part-2 of Beyond SDN.