Network Microsegmentation Could be the Software Defined Answer to Security
According to a recent study by Emerson, cybercrime is the fastest growing cause of data center outages. To stay ahead of increasingly sophisticated attacks, infrastructure managers must combine software and hardware tools to constantly monitor, recognize, block, and remediate. Keeping an eye on network traffic is essential to accomplish this, and one developing method of network security control uses microsegmentation to do so.
Network microsegmentation is enabled by software-defined data center technology like VMware NSX. It gives network administrators new abilities to shape network traffic based on global policy, increasing security by crafting security policies around specific network segments or virtual machines.
Designing Microsegmentation Security Rules
Using the NSX firewall features, you can create a security group around any vCenter object: virtual machines, vNICs, or even vApps. Rules on these groups can permit traffic only between the objects you specify, or admit outside traffic only to a specific object. For example, you can allow traffic between the virtual network cards on a production application server and your company’s web server, while everything else stays blocked.
In order to take advantage of microsegmentation, you first need a solid grasp of your infrastructure’s network traffic, both within and entering the data center. Using network scanning tools, map out workloads that share network traits, such as sitting on the same subnet.
Design your microsegmentation security rules based on the descriptions you come up with while mapping. For every virtual machine and/or virtual data center component such as a vNIC, consider:
- What type of workload is this? Web server, application server, or database?
- Is this a production server, testing, or development?
- What kind of data is stored? Are there any compliance requirements? Is there any sensitive information?
- Who will access the information and from where?
Workloads can then dynamically inherit specific security rules based on their categorization. These policies are applied when a VM is powered on or migrated, and removed when it is powered down. This saves network administrators time, as they no longer need to reconfigure firewall rules for every VM. NSX policies can use the VM name, virtual network assignment, operating system, or many other VM attributes to assign security rules.
The rules themselves are not necessarily tied to NSX and VMware tools like the built-in ESXi firewall. Your existing vendor products can also be integrated through security tags, so they can share their own findings across the entire ecosystem. If you have Trend Micro cloud security, for example, a security rule can switch on a strict anti-malware policy that isolates a VM from all network traffic when Trend Micro’s IDS detects an infection.
Network microsegmentation is a great solution for managing secure network traffic within your virtualized data center, for isolating multiple networks according to their data security requirements, and for simplifying complex access policies, such as those involved in virtual desktop administration.
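As an added illustration of the categorization, dynamic group membership, and vendor-triggered isolation described above, here is a small policy model (constructed example, not NSX or Trend Micro code): security groups are predicates over a VM’s role, environment, and tags, rules are an allow-list between groups with default deny, and a hypothetical `quarantine` tag stands in for the IDS-triggered isolation policy.

```python
"""Tag-driven microsegmentation policy model (constructed example, not NSX code).

VMs carry classification attributes (role, env) and tags; security groups are
predicates over those attributes, so membership follows the VM wherever it
runs; allow rules connect groups, and anything not listed is denied.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    role: str                       # web | app | db
    env: str                        # prod | test | dev
    tags: frozenset = field(default_factory=frozenset)


# Security groups as predicates (dynamic membership, like NSX security tags).
GROUPS = {
    "web-prod": lambda vm: vm.role == "web" and vm.env == "prod",
    "app-prod": lambda vm: vm.role == "app" and vm.env == "prod",
    "db-prod": lambda vm: vm.role == "db" and vm.env == "prod",
    # Hypothetical tag set by an IDS integration when an infection is found.
    "quarantine": lambda vm: "quarantine" in vm.tags,
}

# Allow rules: (source group, destination group, destination TCP port).
ALLOW_RULES = [
    ("web-prod", "app-prod", 8080),   # web tier may call the app tier
    ("app-prod", "db-prod", 5432),    # app tier may reach the database
]


def groups_of(vm: VM) -> set:
    """Evaluate every group predicate against the VM's current attributes."""
    return {name for name, pred in GROUPS.items() if pred(vm)}


def is_allowed(src: VM, dst: VM, port: int) -> bool:
    """Decide a flow: quarantine isolates fully, then allow-list, else deny."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    if "quarantine" in src_groups or "quarantine" in dst_groups:
        return False                   # isolated from all traffic, both ways
    return any(s in src_groups and d in dst_groups and p == port
               for s, d, p in ALLOW_RULES)


if __name__ == "__main__":
    web = VM("web01", "web", "prod")
    app = VM("app01", "app", "prod")
    db = VM("db01", "db", "prod")
    print(is_allowed(web, app, 8080), is_allowed(web, db, 5432))
```

Re-creating `app01` with the `quarantine` tag changes its group membership, and every rule touching it stops matching without any firewall rule being edited.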