Stop Cyber Threats With Adaptive Micro-Segmentation
Jeff Francis, Regional Systems Engineer
Who is This Guy, and Why is He Here?
Jeff Francis, Regional Systems Engineer, Northwestern United States
Datacenter network security: not users, protocols, operating systems, or hypervisors
How We Got to the Current Mess We're In
Microsegmentation: A New Hope
Four Use Cases
Visibility: You Can't Protect What You Don't Understand
A Brief History of Datacenter Security
1969 through early 1990s: host-based security
Mid-1990s: border firewalls
2000s: datacenter (East/West) firewalls
2015-ish: per-host firewalls reduce the attack surface
The Move to the Cloud
Come on Baby, Can You Do That Conga?
The security change conga line. Parties: Line of Business, Central IT, Security & Risk.
Steps: change request -> map network impacts -> determine required changes -> long and difficult change control / approvals -> implement.
Elapsed time: days or weeks.
Security is Hard
Who do you invite to the security party? Security team, networking team, application developers.
The Data Center of Today
Internal data center communication, aka East/West traffic.
All of This, and We Still Haven't Solved the Problem
Let's Start Over
1. Don't make what I already own obsolete.
2. One-stop shopping.
3. Web-based GUI, but also scriptable (API).
4. Leverage native encryption.
5. Write policy in something more intuitive than VLANs, subnets, and zones.
6. Distribute the load.
7. Automatically scale and protect, regardless of provider, hypervisor, or geographical changes.
8. Firewall on a host-by-host basis.
9. Don't make me babysit the solution.
Perimeter Security Isn't Enough: Today's Security Challenges
Problem #1: Anywhere on Anything
Problem #2: Speed, Agility & DevOps
Problem #3: Surface Area of Attack
Microsegmentation: A New Hope
Microsegmentation: fine-grained security with distributed enforcement.
1. Appliance/Virtual Appliance-based
2. Hypervisor/Switch-based
3. Workload/Host-based
Micro-segmentation: Approaches
Virtual Appliance: enforced in a virtual security appliance. Pro: familiar model.
Virtualization Infrastructure: enforced in the network / virtualization infrastructure. Pro: fewer network dependencies.
Workload: enforced in the workload. Pro: adapts to workload changes.
Adaptive Micro-Segmentation: What It Does
Control
Contain
4 Degrees Of Adaptive Micro-Segmentation
Use Case 1: HVA Ringfencing
Ringfencing high-value applications: everything in the bubble can talk to everything else in the bubble.
Network equivalent to moving all servers to a VLAN, then putting that VLAN behind a firewall.
Ordering, Prod, Germany => Ordering, Prod, Germany on All Ports
Internet => Web Servers, Ordering, Prod, Germany on TCP Ports 80, 443
Use Case 2: Environmental Separation
Dev and Test resources shouldn't ever touch Prod resources. Period.
This happens more than you think. Do a Google search on accidental Wall Street trades.
Dev => Dev on All Ports
Test => Test on All Ports
Prod => Prod on All Ports
Use Case 3: Secure App Migration
Covers that awkward phase during migration: 100% of traffic and assets covered through all phases of the move.
Ordering, Prod => Ordering, Prod on All Ports
Use Case 4: Hybrid Infrastructure
When the awkward phase is not temporary: private cloud, bare metal servers, and five different cloud providers (plus containers).
Ordering, Prod => Ordering, Prod on All Ports
You Can't Secure What You Can't See
Understand your applications and risk.
Model policy with visual feedback before enforcing.
Check compliance and identify threats.
600+ Workloads, 1.2M Flows
Turns Into
Controlled With Policy
Behind Door Number Three
1. Use existing firewalls (iptables and WFP).
2. Strong central management.
3. Use existing IPsec functionality.
4. Whitelist only.
5. Put a simple agent on each server.
6. Bake the agent into the OS image (or make it trivial to automate the install).
7. Build policy with labels, not network constructs.
Illumio Adaptive Security Platform (ASP): Security Delivered in Any Environment
Workloads: context & telemetry in, data center security policy out.
Virtual Enforcement Node (VEN): the antenna, installed or baked into the image; Linux & Windows.
Policy Compute Engine (PCE): the central brain; consumed via cloud or on premises.
Label-Based Security Policy
"I need mysql access from my App Tier of my Production instance of my Ordering Application in Germany to the Database Tier of my Production instance of my Ordering Application in Germany."
Written as an address-based firewall rule:
    rule 42 {
        action accept
        log enable
        source { address 10.1.2.3 }
        destination { address 10.2.3.4 port 3306 }
        protocol tcp
        state { new enable }
    }
Written as a label-based rule:
    App Tier, Ordering, Prod, Germany => Database, Ordering, Prod, Germany on TCP port 3306
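To make the label model concrete, here is an added example (not Illumio's code; the label keys, workload inventory, rule list, port 8080 and the flow log are all constructed for illustration). It covers the visibility step above (collapse raw IP flows into a label-level traffic map and list the flows the draft policy would not permit, so they can be reviewed before enforcement), the label-based rule on this slide and the Dev/Prod separation of use case 2, and finally renders the same label policy into a per-host, whitelist-only iptables INPUT chain, which is how policy can follow a workload regardless of where it lands.

```python
"""Label-based micro-segmentation modelled in plain Python (added example)."""
from collections import Counter

LABEL_KEYS = ("role", "app", "env", "loc")

# Constructed inventory: every workload carries one value per label key.
WORKLOADS = {
    "web-1":   {"ip": "10.1.1.10", "labels": {"role": "Web", "app": "Ordering", "env": "Prod", "loc": "Germany"}},
    "app-1":   {"ip": "10.1.2.3",  "labels": {"role": "App", "app": "Ordering", "env": "Prod", "loc": "Germany"}},
    "db-1":    {"ip": "10.2.3.4",  "labels": {"role": "Database", "app": "Ordering", "env": "Prod", "loc": "Germany"}},
    "app-dev": {"ip": "10.9.2.3",  "labels": {"role": "App", "app": "Ordering", "env": "Dev", "loc": "Germany"}},
    "db-dev":  {"ip": "10.9.3.4",  "labels": {"role": "Database", "app": "Ordering", "env": "Dev", "loc": "Germany"}},
}
BY_IP = {w["ip"]: name for name, w in WORKLOADS.items()}

# Rules name label selectors, never addresses.  "internet" matches any source
# that is not a managed workload; "all" matches every port.  Whitelist only.
RULES = [
    {"src": "internet",
     "dst": {"role": "Web", "app": "Ordering", "env": "Prod", "loc": "Germany"},
     "services": [("tcp", 80), ("tcp", 443)]},
    {"src": {"role": "Web", "app": "Ordering", "env": "Prod", "loc": "Germany"},
     "dst": {"role": "App", "app": "Ordering", "env": "Prod", "loc": "Germany"},
     "services": [("tcp", 8080)]},                    # port constructed for the example
    {"src": {"role": "App", "app": "Ordering", "env": "Prod", "loc": "Germany"},
     "dst": {"role": "Database", "app": "Ordering", "env": "Prod", "loc": "Germany"},
     "services": [("tcp", 3306)]},                    # the slide's mysql rule
    {"src": {"env": "Dev"}, "dst": {"env": "Dev"}, "services": "all"},   # use case 2
]

def labels_of(ip):
    """Label dict for a managed IP, or None when the address is not a workload."""
    name = BY_IP.get(ip)
    return WORKLOADS[name]["labels"] if name else None

def selects(selector, labels):
    """A selector matches when every label it names is present with that value."""
    if selector == "internet":
        return labels is None
    return labels is not None and all(labels.get(k) == v for k, v in selector.items())

def flow_allowed(flow, rules=RULES):
    """flow = (src_ip, dst_ip, proto, dport); no matching rule means no traffic."""
    src_ip, dst_ip, proto, dport = flow
    src, dst = labels_of(src_ip), labels_of(dst_ip)
    for rule in rules:
        if selects(rule["src"], src) and selects(rule["dst"], dst):
            if rule["services"] == "all" or (proto, dport) in rule["services"]:
                return True
    return False

def label_name(labels):
    return "Internet" if labels is None else ", ".join(labels[k] for k in LABEL_KEYS)

def label_map(flows):
    """Collapse raw IP flows into counts per (source labels, destination labels, service)."""
    counts = Counter()
    for src_ip, dst_ip, proto, dport in flows:
        key = (label_name(labels_of(src_ip)), label_name(labels_of(dst_ip)), f"{proto}/{dport}")
        counts[key] += 1
    return counts

def unpermitted(flows, rules=RULES):
    """Observed flows the policy would block: review these before switching to enforcement."""
    return [f for f in flows if not flow_allowed(f, rules)]

def render_iptables(name, rules=RULES):
    """Per-host INPUT chain in iptables-restore syntax: default drop, then only what labels allow."""
    me = WORKLOADS[name]["labels"]
    lines = ["*filter", ":INPUT DROP [0:0]",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for rule in rules:
        if not selects(rule["dst"], me):
            continue
        sources = [None] if rule["src"] == "internet" else [
            w["ip"] for w in WORKLOADS.values() if selects(rule["src"], w["labels"])]
        services = [(None, None)] if rule["services"] == "all" else rule["services"]
        for src_ip in sources:
            for proto, port in services:
                src = f" -s {src_ip}" if src_ip else ""
                svc = f" -p {proto} --dport {port}" if port else ""
                lines.append(f"-A INPUT{src}{svc} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines)

# Constructed flow log: legitimate traffic plus one Dev-to-Prod database flow.
FLOWS = [
    ("203.0.113.5", "10.1.1.10", "tcp", 443),
    ("10.1.1.10", "10.1.2.3", "tcp", 8080),
    ("10.1.2.3", "10.2.3.4", "tcp", 3306),
    ("10.9.2.3", "10.9.3.4", "tcp", 3306),
    ("10.9.2.3", "10.2.3.4", "tcp", 3306),
]

if __name__ == "__main__":
    for (src, dst, svc), n in sorted(label_map(FLOWS).items()):
        print(f"{n:3d}  {src}  =>  {dst}  on {svc}")
    print("\nNot covered by policy:", unpermitted(FLOWS))
    print("\n" + render_iptables("db-1"))
```

Run it and the last Dev-to-Prod flow is the only one reported as not covered, while the chain rendered for db-1 accepts 3306 from the Prod App tier only; the Dev workloads never appear in it because no rule's labels select them. Changing a workload's IP, or adding a second Prod database, changes nothing in the rule list, only in the rendered per-host chains, which is the property the slide is after.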
What Did We Just Do?
Vastly simplified policy creation.
Total and complete traffic visibility, no matter where the workloads live.
Policy follows the workload, whether vMotion, metal to cloud, or cloud to cloud.
No more security conga line: new (and existing) systems receive current policy the moment they boot, and immediately as systems scale or move.
Attack surface reduction of 97% to >99%.
Stop Cyber Threats with Adaptive Micro-Segmentation
Contain and stop the spread of threats.
Reduce friction between teams.
Eliminate delays in app delivery.
Secure applications running anywhere on anything: container, bare-metal, virtual machine; private DC, cloud.
Questions?
Thank You