How Useful Is Microsegmentation?

Got an interesting microsegmentation-focused email from one of my readers. He started with:

Since every SDDC vendor is bragging about need for microsegmentation in order to protect East West traffic and how their specific products are better compared to competition, I’d like to ask your opinion on a few quick questions.

First one: does it even make sense?

In most cases, all they implementing is our old day friend ACL which at most can look into Layer 2-4 parameters. I am not a security expert, but what percentage of attacks today in Cyber Security Advance Threats realm really rely upon just opened holes as port numbers access?

Let's just say that limiting access to services that are needed to actually run an application stack is a huge improvement over "let's put all web servers in the same VLAN because we don't want to configure a web VLAN per application" state-of-mind we see in many data centers today.

I'd love to be an intruder hitting such a data center. All I'd have to do to have all the fun in the world is turn on IPv6.

For more details on 50 shades of firewall statefulness watch the Virtual Firewalls webinar (part of ipSpace.net subscription).

For example, if I put myself into shoes of an attacker to play role of devil’s advocate, I would not try to gets access to web server from outside just because web port is opened, but rather to hide my exploit code in payload and trigger it with some mechanism from outside.

That's why you'd implement a decent set of protections in the public-facing segment, harden your servers, deploy WAFs... Within the data center you don't have the CPU power to do more than basic hygiene (or it becomes too expensive).

Deep packet inspection firewalls consume on order of 4 CPU cores to filter 1 Gbps of customer traffic. A single 1RU data center switch provides terabits of bandwidth. Do I need to say more?

Also, my understanding is that in most cases when a major breakout happens, those are usually targeted on specific vulnerabilities and not that they exploit let’s say Web vulnerabilities first and for more fun later try to exploit Data Base as most of such attacks in my opinion have targeted hosts in mind with Automated deployment design in mind.

OK, let's assume you have a 0-day exploit for Apache server. Next thing you know, you own all the web servers. Game over.

You also have a SSH 0-day exploit... but guess what, you can't SSH from servers running Apache to adjacent servers running nginx (or mysql) because someone actually implemented microsegmentation.

OTOH if all microsegmentation does is to give some protection by blocking unnecessary access, we can still use traditional tools like Private VLANs, Protected Ports or an IPS as Intermediate devices between Segments to get things done one way or another.

Can I invoke RFC 1925 rule 4? ;)

Try implementing private VLANs in a large multi-layer data center fabric with many apps (and proper segmentation, not just "let's send everything to the first-hop router just because") and let me know how well it works.

Also, from the Roman times there's the concept of "divide et impera". Having a tightly focused ACL in front of every server is infinitely (admittedly for some small value of infinity) more manageable than having a 10.000 line ACL sitting on your core router.

As for the IPS idea, they have similar bandwidth-per-CPU-core ratios as DPI firewalls. I don’t think you can afford them at the data center fabric speeds.

Want to know more?

There are two major products promising the nirvana of microsegmentation: VMware NSX and Cisco ACI. I’ll highlight their high-level differences in the introductory session of VMware NSX, Cisco ACI or Standard-Based EVPN, and cover VMware NSX in more details in the DIGS event and workshop on April 19th.

9 comments:

  1. Hi, just wanted to notify that "turn on IPv6" link is broken.
  2. RE “just ACLs”, your emailer should check our vArmour. Very slick. DPI App aware microseg and visibility. New version of NSX (6.4) apparently also dabbles at this.
    Replies
    1. There's another difference between NSX and vArmour - only one of them has publicly available documentation... which is also the reason I'm not even considering writing about the other one.
  3. > Having a tightly focused ACL in front of every server is infinitely (admittedly for some small value of infinity) more manageable than having a 10.000 line ACL sitting on your core router.

    This is arguable: maintaining 1-line ACLs on 10K machines is actually much harder than one 20K ACLs on single box, simply because now it's a distributed system problem. The "one-giant-box" approach is much more manageable, but at the same time way more fragile due to the huge blast radius (usually you see this manifested in 1+1 active/backup schemas)

    I've seen interesting spiral turns where people first split monolithic (1+1) systems into shards, citing smaller blast radius, to later come back to monolith, this time saying how much easier it is to manage. And then again. Dialectical stages, lol.
    Replies
    1. Totally agree with that. What I should have written is "understanding a tightly focused ACL is infinitely simpler than understanding a conglomerate of 10.000 entries in a firewall rule with no history attached to them" ;)
  4. If we put Cisco ACI for example into same equation, they use EPG as Container. So in such case if we put all web servers of a single client within same WEB EPG , and someone been able to exploit web vulnerability, the blast radius for servers within EPG remain same. It's just that DB EPG will not be impacted, but guess what " The attack was meant for web servers only " :)

    The other problem to be solved now is - how do we maintain the policy consistency across DCs
    Replies
    1. Cisco ACI does have segmentation within EPG, but it's somewhat intricate to set up. You'll find more details in Cisco ACI Virtualization guide (or this webinar: http://www.ipspace.net/VMware_NSX,_Cisco_ACI_or_Standard-Based_EVPN)
  5. I agree Sir, It's just that most ACI clients I know didn't implement it. Or if they suggest it in CVD.
Add comment
Sidebar