Micro-Segmentation, the right way.

It doesn’t have to hurt.

By Lior Neudorfer, GuardiCore Reveal Product Manager

Last week we attended the Check Point CPX2016 conference in Chicago. We talked to a lot of interesting people including network administrators, security team members & CISOs, each one with his or her own story and pain points. We’ve had fascinating conversations, about floating data centers, securing law firm applications and the usual woes of developers on security teams (and the other way around).

But what we kept hearing was:

“We want to better secure our infrastructure by defining tight security policies — but where do we even start? How can we build policies at the application level for thousands of existing machines, each one developed and deployed by a different person? We have no idea what’s going on!”

Micro-segmentation has been a rising trend in the last few years. Security teams have come to realize that VLAN separation and the likes are no longer enough: every machine, virtual or physical, must be limited to allow the minimal necessary incoming and outgoing traffic. Loose, over-permissive policies might be detected and exploited by attackers and enable them to move undetected between machines.

Frameworks like VMware NSX and Cisco ACI facilitate micro-segmentation across physical and virtual data centers, by doing distributed enforcement on all east-west traffic. Public cloud offerings also provide micro-segmentation abilities in the form of AWS security groups, Azure NSGs, Oracle’s OPC Security Lists or Google Cloud firewall rules. Finally, products such as Check Point vSEC fully integrate with these frameworks, moving existing firewall technologies into the data center.

So the technology is there, but the question remains — how do you actually set these policies up? How can administrators tell the role of thousands of machines in their data center and decide which specific ports to open to what other machines?

A few months ago, we introduced Reveal™ as an integrated part of our flagship solution, GuardiCore Centra™, in order to tackle the basic problem of lack of visibility to east-west traffic inside data centers. Extending Reveal to assist teams with building tight security policies was only natural.

This is how the usual process for building application-specific policies works:

  1. Discover a specific application and the machines it’s running on
  2. Build security groups for each of the different application tiers (i.e. web/application/logging/DB servers)
  3. Define a tight policy between the different security groups, so that only the ports necessary for the application’s proper functioning are open
  4. Rinse and repeat…

But without deep visibility into data centers, all the way down to the process level, this can be a long and painful process, in which administrators and security teams browse endless logs or chase app developers.

A (tiny bit of a) typical firewall log. How easy is it to build a security policy using these?

Reveal helps teams avoid this pain.

Reveal provides a full visual map of the entire data center, all the way down to the process level. By using Reveal to focus on specific parts of the data center and identify relations between different servers, admins and security teams can now easily discover the running applications, one by one.

A typical 3-tiered application. Note the process information which shows the underlying Tomcat->MongoDB traffic.

Process-level visibility allows users to identify servers with similar roles (which belong to the same tier), group them together, and push the resulting security groups to a micro-segmentation framework such as VMWare NSX and the like.

The same application — grouped.

Once the users create policy rules tying the discovered applications and security groups, they can see these policies overlaid on Reveal’s visual map. This allows users to test, monitor and optimize their created policies.

Take a look at how it all works:

Using Reveal for micro-segmentation in a VMWare NSX+Check Point vSEC environment

We’re excited that micro-segmentation is finally happening, as we believe that it’s an essential building block for data center security. Along with real-time breach detection, provided by the GuardiCore Centra™ platform, data centers can now enjoy first class protection.

I’ll be glad to hear more about your journey into data center security. 
Leave a comment, or drop me an email at lior@guardicore.com.

Originally published at www.guardicore.com on May 26, 2016.