2019 02-20 micro-segmentation based network security strategies (yoni geva)
Download as PPTX, PDF4 likes2,507 views
The document discusses micro-segmentation strategies, highlighting their benefits in enhancing security by controlling east-west traffic within networks. It addresses challenges such as defining zoning, implementing necessary hardware changes, and maintaining updated filtering policies. The importance of documentation for applications and connectivity requirements is emphasized to enable effective segmentation management.
2019 02-20 micro-segmentation based network security strategies (yoni geva)
- 1. Micro-Segmentation Strategies The benefits, challenges and how to get it done Yoni Geva Product Manager
- 2. WELCOME Have a question? Submit it via the chat tab or email us: This webinar is being recorded! The recording will be emailed to you after the webinar And the slides will be available in the Attachments tab Follow us online ! 2 marketing@algosec.com
- 3. POLL #1: What are your plans for building a micro- segmentation strategy? • Already in place • Planning to implement this year • Planning to implement over the next 2 years 3 • No plans Please vote using the “Votes“ tab
- 5. AGENDA: MICRO-SEGMENTATION Background & today’s risks Why Micro-segmentation is part of the answer The challenges you may face Building, implementing and maintaining a Micro-segmentation strategy 01 02 03 04
- 6. THE BASICS
- 7. LEGACY DATA CENTER ARCHITECTURE Users Servers Outside World, Business partners Perimeter Firewall East-West traffic North-South traffic
- 8. • No filtering capabilities controlling east-west traffic • Allows unrestricted traffic • Between internal users’ desktop/laptops and servers • Between servers in different segments ONCE ATTACKERS GAIN A FOOTHOLD – FREE LATERAL MOVEMENT WHY THIS IS RISKY
- 9. SEGMENTED DATA CENTER ARCHITECTURE Users Zone Server Zone 2 Outside World, Business partners, Perimeter Firewall Server Zone 1 East-West traffic North-South traffic
- 10. • Introduce filtering choke-points between zones • Allows control of east-west traffic • Lets organizations restrict lateral movement between zones • How can we make this a reality? SEGMENTED MORE SECURE
- 12. CHALLENGE #1: INTRODUCING CHOKE POINTS A major effort involving: • Hardware • Cabling • Reconfigure switching and routing • Firewall configuration TRADITIONAL DATA CENTER • Built-in firewalls as part of the infrastructure • No extra hardware needed VIRTUALIZED NETWORK / SDN
- 13. CHALLENGE #2: ZONING DEFINITION • How many zones to define? • Which subnets should reside in each zone?
- 14. Better Security Micro-segmentation Define many small zones Maintenance - Define the right policy N zones N*N traffic directions A ZONING TRADE-OFF
- 15. CHALLENGE #3: FILTERING POLICY BETWEEN ZONES Did you know? VMware NSX’s default policy is “allow all” • Traffic between zones must be explicitly allowed by policy • No critical business traffic will be blocked by accident • Challenge: discover and characterize this traffic
- 19. MICRO-SEGMENTATION IS GETTING COMPLICATED
- 21. MICRO-SEGMENTATION FLOW Security Management Sensitive Assts Processes Running Applications Zoning FW Openings
- 22. THE BUSINESS-APPLICATION PERSPECTIVE • East-West traffic is generated by business applications • Each business application has: • Servers supporting it • Clients accessing it • Business application connectivity requirements: • Server-to-server traffic flows • Client-to-server traffic flows
- 23. § SEGMENTATION FOR BUSINESS APPLICATIONS Human-accessible Systems Application Servers Infrastructure Servers
- 24. POLL #2: Do you have Application Documentation? YES! Application Servers and Flows No Partial I don’t know 01 02 03 04 Please vote using the “Votes“ tab
- 25. IS YOUR ORGANIZATION DISCIPLINED? Yes if: • All applications are documented • Applications’ connectivity requirements are documented • Documentation is machine readable Then “discovery” is easy! What if documentation is missing / outdated ?
- 26. DISCOVERY FROM TRAFFIC NetFlow / sFlow • Routers • VMWare virtual switch • NetFlow statistics broker Full capture traffic • Switches • Network TAP devices • Packet broker Summarize Analyze Correlate
- 28. 28 28
- 29. 29 29
- 31. 31
- 32. ASSETS/PROCESSES/USERS - PERSPECTIVE • Define your most sensitive assets • Identify processes and relationships between units in the company • Identify user requirements: which data is required by each user
- 33. DOCUMENT THE CONNECTIVITY MATRIX
- 34. 34 34
- 35. MAINTAINING THE SEGMENTATION • Application connectivity requirements evolve • Filtering policies need to change over time • Application-aware and change V management processes • Visibility filtering policies comply with zoning Zoning remains stable over time, however:
- 36. CHANGE MANAGEMENT PROCESSES GOAL: SINGLE CHANGE WORKFLOW FOR ALL FILTERING TECHNOLOGIES
- 37. 37
- 38. 38
- 39. 39
- 40. MICRO-SEGMENTATION SUMMARY Security Management Sensitive Assts Processes Running Applications Zoning FW Openings
- 41. REMEMBER: Focusing your security on external threats is not enough
- 42. WHITEPAPER SOLUTION BROCHURE PROF. WOOL VIDEO COURSE https://www.algosec.com/resources PPT
- 43. Q & A Submit your questions via the chat Request a Demo: marketing@algosec.com
- 44. 44 JOIN OUR COMMUNITY Follow us for the latest on security policy management trends, tips & tricks, best practices, thought leadership, fun stuff, prizes and much more! Subscribe to our YouTube channel for a wide range of educational videos presented by Professor Wool youtube.com/user/AlgoSeclinkedin.com/company/AlgoSec facebook.com/AlgoSec twitter.com/AlgoSec www.AlgoSec.com/blog
- 45. ALGOSUMMIT THE PREMIER EVENT FOR ALGOSEC CUSTOMERS AND CHANNEL PARTNERS 45 AlgoSummit APAC Bangkok April 1-5 2019 www.algosec.com/algosummit AlgoSummit EMEA Lisbon May 20-23
- 46. THANK YOU! Questions can be emailed to marketing@algosec.com
Editor's Notes
- #5: 3 years ago, four men managed to break into Hatton Garden, a Safe Deposit Company in London. They manage to steal almost 200M£ by Drilling through 50 cm of a concrete wall Once they made it in - there was no security inside
- #7: Let us start with the basics
- #8: Example of a legacy data center : In gray: Data center’s components In blue: Perimeter FW AND the outside world (Internet / other businesses) Terminology: 1. North-South traffic – in and out of the data center 2. East-West (the lateral movement) – internal traffic between servers and between servers and users This legacy setup is risky.
- #9: Why is it risky? No filtering east-west traffic unrestricted traffic is allowed between internal users servers servers servers Like in the Hatton Garden case
- #10: Improve security: Internal filtering points (FW and filtering devices) Creating several zones: separated from each other
- #11: Segmented Secure Choke Points between east-west traffic ….. How can we make this a reality?
- #12: As with almost anything in life, It’s not that simple….. let’s discuss why….
- #14: How to define zones? How many Definition (Subnet, IP-Range) Policy between Zones
- #15: trade-off for micro-segments : Data center security High maintenance (complexity)
- #16: Our last challenge: Risk: Blocking critical applications Challenge: Discover and characterize this traffic BTW: Did you know: VMware NSX’s default policy is “allow all” – works BUT insecure
- #18: Amazon Example: Managing the operation of the warehouse gets complicated Bring Automation Moving Robots Fully automated warehouse
- #19: Let the employees focus of the important stuff
- #20: Bring back to it security
- #23: Business application perspective: East-West traffic: Business applications Servers Clients Listen to the traffic and Communications require FW openings. Zoning definitions
- #24: Some best practices, without discovery Human-accessible systems | separate zone from servers Desktops / Laptops / Smartphones Servers belonging to 1 application in same zone Infrastructure servers (of multiple applications) in a dedicated zone
- #26: If we have a documentation of the Application Use it for the segmentation No documentation We will need to listen to the network
- #27: Discovery technologies: Listen to the network NetFlow / sFlow Full capture Create Business Application
- #28: With AlgoSec BusinessFlow you can start this process using a dedicated discovery tool that will automate the steps mentioned.
- #33: What are the theoretical needs Define your most sensitive assets Identify processes in the company Identify user requirements (servers, data)
- #34: Zones definition: Subnets, IP-Ranges Policy between zones
- #36: Applications are changing FW openings need updates Change management system Visibility capabilities (routing, filtering)
- #37: Due to the complexity is the system Single change management system
- #38: With AlgoSec FireFlow the change management process is very simple: Identical for North-South and East-West Indifferent to network technology Firewall-vendor agnostic
- #39: Outside data center (traditional) Inside data center (virtualized) (NSX)
- #40: In this topology view we can easily see the highlighted firewalls that require changes And, with a click of the button I can implement the required changes in these firewalls It’s simple and keeps you secure
- #41: Let’s recap what we just discussed since we just reviewed the best practices for implementing a micro-segmentation strategy effectively
- #43: AlgoSec has a full line up of resources in our website, we welcome you to learn more about our offering by reading The network security policy management lifecycle whitepaper Our datasheet on how to simplify and accelerate large-scale application migration projects In addition to the Prof. Wool Video course on how to mange dynamic objects in Cloud environments
- #44: Now, let’s open up the floor for some Q & A questions. Seed question 1: If I have a hybrid infrastructure and I would like to have a micro-segmentation strategy – can AlgoSec’s platform support it? Seed question 2: Is there a way to tell if as part of the segmentation process we missed some applications – or over time new applications were added or removed. Answer – yes… for example in the vmware nsx screen we saw…. Seed question 3: I don’t have any documentation of the applications running in my network, I have 2 vendors and no way of knowing for sure what is running? Answer – you really need to get the discovery done right, for the first phase you need a good auto-discovery solution and then, the next step would be to make sure that the solution, such as AlgoSec’s is connected to all your devices
- #45: We welcome you to connect with us through our social networks in LinkedIn, Facebook, Twitter and our blog.
- #46: And, before we part – AlgoSummit and Upcoming webinar