Microsegmentation Terminology

While I liked reading the Where to Stick the Firewall blog post by Peter Welcher, it bothered me a bit that he used microsegmentation to mean security groups.

I know that microsegmentation became approximately as well-defined as cloud or SDN[1], but let’s aim our shiny lance[2] at the nearest windmill and gallop away…

The way it was initially defined[3], microsegmentation is the ability to protect every individual endpoint, which means a packet filter in front of every VM, container, or end-user device. You get that level of protection in most cloud environments, with VMware NSX Distributed Firewall, or with Cisco ACI (to some extent[4]).

The packet filters in front of the endpoints could be stateless (Cisco ACI[5]), stateful (AWS or Azure security groups), or have some deep packet inspection capabilities (VMware NSX).

Then we have security groups or security tags. They could be just convenient configuration mechanisms (in most cases) or data-plane markers (Cisco ACI) that simplify packet filters[6]… but they are nothing more than another application of RFC 1925 Rule 6. Regardless of PowerPoint-promised magic and dancing unicorns, the traffic filtering rules using object tags or sets of objects have to be transformed into the usual 5-tuple packet filters (modulo optimizations like object groups). There’s no other way to do it at reasonable speed.
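The transformation described above (tag-based rules compiled into plain 5-tuple filters) as an added Python example; it is not code from the original post, and the endpoint inventory, tags and rules are constructed sample values:

```python
from dataclasses import dataclass
from itertools import product

# Constructed sample inventory: endpoint IP -> set of security tags (hypothetical values)
ENDPOINTS = {
    "10.0.1.10": {"web"},
    "10.0.1.11": {"web"},
    "10.0.2.20": {"app"},
    "10.0.3.30": {"db"},
}

# Constructed tag-based rules as an operator would write them: (src_tag, dst_tag, proto, dst_port)
TAG_RULES = [
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
]


@dataclass(frozen=True)
class FiveTuple:
    """What the data plane actually matches on; src_port "*" means any port."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: str
    dst_port: int


def members(tag, endpoints=ENDPOINTS):
    """IP addresses currently carrying a given tag (sorted for deterministic output)."""
    return sorted(ip for ip, tags in endpoints.items() if tag in tags)


def compile_rules(tag_rules=TAG_RULES, endpoints=ENDPOINTS):
    """Expand each tag-to-tag rule into the |src| x |dst| 5-tuple rules the filter needs.
    Any tag change on an endpoint means recompiling; this is the work object groups optimize."""
    out = []
    for src_tag, dst_tag, proto, dport in tag_rules:
        for src, dst in product(members(src_tag, endpoints), members(dst_tag, endpoints)):
            out.append(FiveTuple(src, dst, proto, "*", dport))
    return out


def permitted(pkt, rules):
    """Default-deny lookup of a (src_ip, dst_ip, proto, src_port, dst_port) packet."""
    src, dst, proto, sport, dport = pkt
    return any(r.src_ip == src and r.dst_ip == dst and r.proto == proto
               and r.src_port in ("*", str(sport)) and r.dst_port == dport for r in rules)
```

Note that the compiled rule count grows with the product of group sizes, not with the number of tag rules, which is why a handful of tag-based rules can exhaust a data plane's filter table.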

Finally, while Matthias Luft somewhat disagrees with me, I think the microsegmentation packet filter should be outside of the protected endpoint to prevent root exploits from disabling it.

More Details

  1. Gartner claims to have an official definition, but it’s behind a paywall so whatever.

  2. It’s been neatly polished during the New Year break.

  3. IIRC: by VMware at the NSX launch.

  4. Cisco ACI has a problem with virtual endpoints on VMware ESXi as it cannot control the VMware virtual switch. I have no idea how the Application Virtual Switch SNAFU ended; the usual workarounds are running the virtual switch in a VM or using private VLANs. Oh, the beauties of fixing suboptimal architecture with complex kludges.

  5. Per-session 5-tuples needed to implement stateful packet filters cannot fit into any reasonably sized TCAM – another wonderful side effect of insisting on using the wrong hammer for the job.

  6. See Scaling the Cloud Security Groups for more details.


  1. In addition, even when we look at how inter-pod or intra-pod Kubernetes containers apply filtering, it's a plugin to Kubernetes itself. From there policies are applied outside of the actual container at the cluster plugin level, again using arbitrary tags, or IP addresses, which make much less sense in a mutable infrastructure.

    Aside from this, I believe AWS uses Geneve with their newer gateway load balancer, taking advantage of the variable-length option field in the Geneve packet to segment traffic based on VPC or any other AWS object IDs. This of course pushed NFV vendors to support Geneve so they can still be cloud relevant.

    Very interesting how far we have extended the functionality of a basic firewall: from a packet filter to stateful, to L7 IDS/IPS, and now to using variable-length arbitrary tagging with millions of tenants or tunnels.
