While I liked reading the Where to Stick the Firewall blog post by Peter Welcher, it bothered me a bit that he used microsegmentation to mean security groups.
The way it was initially defined [3], microsegmentation is the ability to protect every individual endpoint, which means a packet filter in front of every VM, container, or end-user device. You get that level of protection in most cloud environments, with VMware NSX Distributed Firewall, or with Cisco ACI (to some extent [4]).
The packet filters in front of the endpoints could be stateless (Cisco ACI [5]), stateful (AWS or Azure security groups), or have some deep packet inspection capabilities (VMware NSX).
Then we have security groups or security tags. They could be just a convenient configuration mechanism (in most cases) or data-plane markers (Cisco ACI) that simplify packet filters [6]… but they are nothing more than another application of RFC 1925 Rule 6. Regardless of PowerPoint-promised magic and dancing unicorns, the traffic filtering rules using object tags or sets of objects have to be transformed into the usual 5-tuple packet filters (modulo optimizations like object groups). There’s no other way to do it at reasonable speed.
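To make the “tags end up as 5-tuples” point concrete, here is a small compiler (an added example written for this post, not code from any vendor product) that expands tag-based rules into the explicit per-endpoint 5-tuples a data plane would actually match. The inventory, tag names, and port numbers are constructed for illustration; the expansion is |source tag| × |destination tag| entries per rule, which is exactly why object groups exist.

```python
from itertools import product
from typing import NamedTuple

# Constructed inventory (assumption, not from the post): endpoint address -> set of tags.
ENDPOINTS = {
    "10.0.1.10": {"web"}, "10.0.1.11": {"web"},
    "10.0.2.20": {"app"},
    "10.0.3.30": {"db"}, "10.0.3.31": {"db"},
}

class TagRule(NamedTuple):    # what the operator writes: "web may reach app on tcp/8080"
    src_tag: str
    dst_tag: str
    proto: str
    dport: int

class FiveTuple(NamedTuple):  # what the packet filter matches (any source port here)
    src: str
    dst: str
    proto: str
    sport: str
    dport: int

def members(tag):
    """Resolve a tag to the addresses currently carrying it; any membership change forces a recompile."""
    return sorted(ip for ip, tags in ENDPOINTS.items() if tag in tags)

def compile_rules(tag_rules):
    """Expand every tag-to-tag rule into explicit src/dst 5-tuples (|src| x |dst| entries per rule)."""
    return [FiveTuple(s, d, r.proto, "any", r.dport)
            for r in tag_rules
            for s, d in product(members(r.src_tag), members(r.dst_tag))]

def endpoint_filter(tag_rules, ip):
    """Per-endpoint (microsegmentation) filter: only the tuples in which this endpoint takes part."""
    return [t for t in compile_rules(tag_rules) if ip in (t.src, t.dst)]

def permits(filter_rules, src, dst, proto, dport):
    """Stateless, default-deny lookup; a stateful filter would add a session table for return traffic."""
    return any(t.src == src and t.dst == dst and t.proto == proto and t.dport == dport
               for t in filter_rules)

POLICY = [TagRule("web", "app", "tcp", 8080), TagRule("app", "db", "tcp", 5432)]

if __name__ == "__main__":
    print(len(compile_rules(POLICY)))          # 2*1 + 1*2 = 4 explicit tuples
    for t in endpoint_filter(POLICY, "10.0.2.20"):
        print(t)
```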
Finally, while Matthias Luft somewhat disagrees with me, I think the microsegmentation packet filter should be outside of the protected endpoint to prevent root exploits from disabling it.
- I mentioned microsegmentation in the Virtual Firewalls webinar and dived deep into the IPv6-related details in IPv6 Microsegmentation.
- I compared VMware’s and Cisco’s implementations of microsegmentation in the VMware NSX, Cisco ACI or Standard-Based EVPN webinar.
- You’ll find Cisco ACI implementation details in Cisco ACI Deep Dive and NSX implementation details in VMware NSX Technical Deep Dive.
- AWS Security Groups and Azure Network Security Groups are described in the Amazon Web Services Networking and Microsoft Azure Networking webinars.
It’s been neatly polished during the New Year break.
IIRC: by VMware at the NSX launch.
Cisco ACI has a problem with virtual endpoints on VMware ESXi as it cannot control the VMware virtual switch. I have no idea how the Application Virtual Switch SNAFU ended; the usual workarounds are to run the virtual switch in a VM or to run private VLANs. Oh, the beauties of fixing suboptimal architecture with complex kludges.
Per-session 5-tuples needed to implement stateful packet filters cannot fit into any reasonably sized TCAM – another wonderful side effect of insisting on using the wrong hammer for the job.