Application Note
Zentera Systems CoIP Platform
CoIP Defense-in-Depth with Advanced Segmentation

Advanced Segmentation is Essential for Defense-in-Depth

There is no silver bullet in security: a single solution is not enough. Hence, defense-in-depth is a key requirement for overall enterprise security. As a result, enterprises are deploying multiple layers of security, including application isolation, network segmentation, and application filtering. In addition, with the widespread adoption of virtualization and the emergence of SDN and the cloud, server-to-server communication is proliferating and multi-tenancy is becoming commonplace. Advanced attacks can now take over a server as a zero-day attack station and then penetrate its neighbors. Conventional perimeter firewalls are less effective against this, since they cannot prevent lateral attacks between servers inside a datacenter. To block such attacks effectively, organizations now have to implement advanced segmentation as part of defense-in-depth.

This application note outlines current security considerations for enterprise datacenters anticipating deploying in the cloud. The next section describes how Zentera's CoIP (Cloud over IP) Platform provides advanced segmentation and defense-in-depth to address those considerations. Finally, the closing section demonstrates how to deploy advanced segmentation and defense-in-depth using CoIP.

Security Considerations for Cloud Readiness

East-West Traffic

Typically, organizations have implemented perimeter security technologies such as firewalls, IPS/IDS, routers, and other security devices, placed in different security zones: trusted, untrusted, and DMZ. The goal is to analyze and manage traffic flow in and out of the datacenter. This approach is not well suited to analyzing server-to-server communication within the datacenter (also known as east-west communication). Figure 1 depicts a typical security deployment.
Figure 1: A conventional security deployment

The growing use of the application-tier model, which typically consists of web, application, and database servers, is resulting in increased east-west traffic that can surpass north-south traffic. Additionally, advanced threats, such as man-in-the-middle attacks, are appearing deep inside the datacenter. Therefore, a new security solution is needed to protect east-west traffic and address advanced threats.

Micro-Segmentation

Virtualization is causing compute and security to converge inside the datacenter, in addition to hypervisors that provide micro-segmentation. Micro-segmentation is a security design technique in which the datacenter is divided into smaller, more protected security zones. In micro-segmentation, datacenter security services are provisioned at the perimeter, between application tiers (or zones), and even between devices within tiers. The idea is that if one device or service is compromised, the impact is contained within a smaller fault domain. Micro-segmentation is efficient, quick to deploy, and fast to manage with newer security devices. However, implementing micro-segmentation using conventional firewalls is difficult, since firewalls do not provide a unified security fabric, a key requirement for being what is referred to as cloud-ready. Figure 2 depicts a typical micro-segmentation.

Zentera Systems All Rights Reserved 2Q2017
Figure 2: Example of a micro-segmentation configuration

Application Whitelists

In addition, the whitelist security model is garnering attention due to the growing complexity of applications and network environments. In this model, security services specify the applications that are permitted to access the network, and everything else is denied. This solution requires tight integration between applications and network services, and that integration is lacking in typical datacenter deployments today.

CoIP Provides Defense-in-Depth

CoIP is an on-demand virtual overlay network that provides deeply integrated defense-in-depth capabilities: network isolation, network encryption, micro-segmentation, and application whitelisting. The platform is transport- and cloud-agnostic, and can be deployed rapidly without interfering with existing infrastructure or security measures.

Key Components

CoIP consists of the following components: a centralized controller (zcenter) with deployment automation; CoIP LAN and WAN; and endpoint sensors for virtual machines (VMs), containers, and compute endpoints. APIs are provided to integration partners, including industry-leading security providers, to extend their offerings (e.g. IPS/IDS solutions) to clouds such as AWS, Azure, and Google Cloud. Figure 3 illustrates a conceptual multicloud CoIP deployment.

Figure 3: Multicloud CoIP deployment

Defense-in-Depth with CoIP

The CoIP platform provides a layered approach to security that is designed to ensure defense-in-depth. CoIP operates at L5 (the session layer in the ISO network model), so it uses, but does not interfere with, the existing network and security infrastructure.

CoIP offers traffic isolation via overlay network enclaves, or isolated network islands, that can span datacenters or clouds. For more information about CoIP enclaves, see the Zentera CoIP Platform Traffic Isolation application note.

In addition to overlay enclaves, CoIP offers an overlay SSL tunnel that provides end-to-end network encryption within and across datacenters and clouds.

CoIP also provides a chamber firewall that operates at L4 (the transport layer) and provides a filtering function. With CoIP chamber firewalls, all policies are created and maintained in a centralized controller and enforced on distributed endpoints for better performance and scalability. Advanced segmentation is a special form of micro-segmentation in which segmentation can span multiple public or private clouds as well as datacenters. Figure 4 shows an example of advanced segmentation with CoIP.

Finally, CoIP offers application interlock, or whitelisting, as an L7 (application layer) filtering function. The idea of application interlock is that only whitelisted and enterprise-certified applications running on a CoIP endpoint are allowed to use the CoIP network for communication. This is powerful because unauthorized applications are prevented from accessing networking resources. Alert and notification messages are generated in response to security violations.
Figure 4: An example of how CoIP can implement advanced segmentation

Deploying Defense-in-Depth and Advanced Segmentation Using CoIP

The CoIP controller is designed to manage multicloud deployments. It can be located in the enterprise datacenter or in any private or public cloud (Azure, AWS, etc.).

Network Encryption and Application Interlock Deployment Scenario

The following deployment scenario shows a customer enclave that spans an enterprise datacenter and AWS. The enclave is managed by the CoIP controller. The AWS server group (SG0) hosts two compute resources (aws1 and aws2), whereas the enterprise server group (SG1) hosts one (ent1). The SG0 and SG1 server groups are connected via an encrypted CoIP WAN link. AWS servers that are running mission-critical applications are protected by a stateful firewall chamber. The AWS servers are running RedHat and the enterprise VMs are running Linux CentOS. The deployment scenario is depicted in Figure 5.
Figure 5: Network encryption and application interlock deployment scenario

Network Encryption

By default, traffic over a CoIP WAN link is encrypted. Each endpoint connects to the CoIP controller for control-plane traffic and establishes a TLS 1.2 connection to a Zentera Network Switch (ZNS) for data traffic. A ZNS is an L5 switch used in CoIP WAN deployments. Figure 6 illustrates end-to-end CoIP WAN network encryption, where two TLS 1.2 tunnels are used between the two endpoints and the ZNS.

Figure 6: End-to-end network encryption using CoIP

Network Encryption Verification

The enterprise server (ent1) sends packets to the AWS server (aws1). A packet capture on aws1 shows a TLS 1.2 connection established to the ZNS (184.105.144.91) as it receives packets from ent1.

Step 1: Turn on packet logging on aws1.
Step 2: Ping aws1 from the enterprise server (ent1).
Step 3: Packets from ent1 are seen over TLS.

Application Interlock Configuration

Step 1: Enable application interlock.
Step 2: Create whitelist rules.
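The network encryption verification above rests on reading a packet capture and confirming that what leaves aws1 toward the ZNS is a TLS 1.2 session rather than plaintext. The following parser is an added example for doing that check from the raw TCP payload of such a capture; it is not a Zentera tool and the byte stream it analyses is constructed here to stand in for the aws1 to ZNS traffic. It reports the version the server selected in its ServerHello, because the record-layer version on a ClientHello is frequently 0x0301 for compatibility and is the wrong field to trust.

```python
"""Minimal TLS record-header parser for checking a capture by hand.

Added illustration, not a Zentera tool.  It walks the TLS record layer
of a byte stream (for example the TCP payload reassembled from a capture
on aws1) and reports the version the server selected in its ServerHello.
For TLS 1.0 to 1.2 the ServerHello version field is authoritative.  A
TLS 1.3 ServerHello carries 0x0303 in that field and signals 1.3 in the
supported_versions extension, which this parser does not read.
"""
import struct
from typing import Dict, List, Optional

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE, APPLICATION_DATA = 22, 23
CLIENT_HELLO, SERVER_HELLO = 1, 2


def parse_records(data: bytes) -> List[Dict]:
    """Split a TLS byte stream into records with their key header fields."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, rec_ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record at the end of the capture
        rec = {"type": ctype, "record_version": rec_ver, "length": length}
        if ctype == HANDSHAKE and len(body) >= 6:
            hs_type = body[0]
            rec["handshake_type"] = hs_type
            if hs_type in (CLIENT_HELLO, SERVER_HELLO):
                # 4-byte handshake header, then the 2-byte version field.
                rec["hello_version"] = struct.unpack("!H", body[4:6])[0]
        records.append(rec)
        off += 5 + length
    return records


def negotiated_version(data: bytes) -> Optional[str]:
    """Return the version named in the ServerHello, or None if absent."""
    for rec in parse_records(data):
        if rec.get("handshake_type") == SERVER_HELLO:
            return VERSIONS.get(rec["hello_version"], hex(rec["hello_version"]))
    return None


def _hello(hs_type: int, version: int, record_version: int) -> bytes:
    """Build a constructed, minimal ClientHello or ServerHello record."""
    # version, 32-byte random (zeroed for the sample), empty session id
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    if hs_type == CLIENT_HELLO:
        body += b"\x00\x02\xc0\x2f" + b"\x01\x00"  # one cipher suite, null compression
    else:
        body += b"\xc0\x2f" + b"\x00"              # chosen suite, null compression
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, record_version, len(hs)) + hs


# Constructed sample stream standing in for the aws1 <-> ZNS TCP payload:
# ClientHello (record version 0x0301, client_version 0x0303), ServerHello
# (0x0303), then one encrypted application-data record.
SAMPLE_STREAM = (
    _hello(CLIENT_HELLO, 0x0303, 0x0301)
    + _hello(SERVER_HELLO, 0x0303, 0x0303)
    + struct.pack("!BHH", APPLICATION_DATA, 0x0303, 5) + b"\xde\xad\xbe\xef\x00"
)

if __name__ == "__main__":
    for r in parse_records(SAMPLE_STREAM):
        print(r)
    print("negotiated:", negotiated_version(SAMPLE_STREAM))
```

On a real capture, feed the reassembled TCP payload of the aws1 to 184.105.144.91 stream to negotiated_version; a result of "TLS 1.2" on the data-plane connection confirms what Step 3 of the verification expects, while None means no ServerHello was seen and the traffic needs a closer look.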
Step 1: Application Interlock is enabled by setting the Security Monitor Interval.

Step 2: Application whitelist rules are created to allow the AWS servers to SSH to the enterprise VM:
- SSH whitelisted in AWS
- SSHD whitelisted in Enterprise

Application Interlock Verification

The AWS compute VM can SSH to the enterprise server. Telnet access is not permitted, since it is not a whitelisted application. The whitelisting rules shown above do not allow SSH from the enterprise to AWS. The CoIP controller logs application interlock traffic (permitted and blocked) between endpoints.
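The three verification outcomes above (SSH from AWS permitted, telnet blocked, SSH from the enterprise side blocked) follow from one rule: both the initiating process on the client endpoint and the listening process on the server endpoint must be on their endpoint's whitelist. The following is an added model of that L7 interlock decision, written for this note; it is not CoIP's API or policy format, and the endpoint names, process names and log line layout are assumptions built from the scenario.

```python
"""Toy model of an L7 application-interlock (whitelist) check.

Constructed illustration only: it is not Zentera's CoIP API or policy
format.  It models the idea in the application note: only whitelisted
applications on an endpoint may use the overlay network, and every
permitted or blocked attempt is logged by the controller.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Endpoint:
    name: str
    # Process names allowed to use the overlay network on this endpoint.
    whitelist: Set[str] = field(default_factory=set)


@dataclass
class Controller:
    """Holds the per-endpoint whitelist and the interlock audit log."""
    endpoints: Dict[str, Endpoint] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def add_endpoint(self, name: str, *apps: str) -> None:
        self.endpoints[name] = Endpoint(name, set(apps))

    def check_connection(self, src: str, src_app: str, dst: str, dst_app: str) -> bool:
        """Return True if the flow is permitted.

        Both ends must be whitelisted: the initiating process on src and
        the listening process on dst.  Anything else is blocked, and the
        reason is recorded so the controller log explains the alert.
        """
        src_ok = src_app in self.endpoints[src].whitelist
        dst_ok = dst_app in self.endpoints[dst].whitelist
        permitted = src_ok and dst_ok
        verdict = "PERMIT" if permitted else "BLOCK"
        reason = ""
        if not src_ok:
            reason = f" ({src_app} not whitelisted on {src})"
        elif not dst_ok:
            reason = f" ({dst_app} not whitelisted on {dst})"
        self.log.append(f"{verdict} {src}:{src_app} -> {dst}:{dst_app}{reason}")
        return permitted


def build_scenario() -> Controller:
    """Whitelist from the note: ssh on the AWS servers, sshd on ent1."""
    c = Controller()
    c.add_endpoint("aws1", "ssh")
    c.add_endpoint("aws2", "ssh")
    c.add_endpoint("ent1", "sshd")
    return c


def run_verification() -> Tuple[Dict[str, bool], List[str]]:
    """Replay the three checks from the verification section."""
    c = build_scenario()
    results = {
        # AWS VM opens SSH to the enterprise server: both ends whitelisted.
        "aws1_ssh_to_ent1": c.check_connection("aws1", "ssh", "ent1", "sshd"),
        # telnet is not whitelisted on aws1, so it never reaches the network.
        "aws1_telnet_to_ent1": c.check_connection("aws1", "telnet", "ent1", "telnetd"),
        # Reverse direction: the ssh client is not whitelisted on ent1.
        "ent1_ssh_to_aws1": c.check_connection("ent1", "ssh", "aws1", "sshd"),
    }
    return results, c.log


if __name__ == "__main__":
    verdicts, log = run_verification()
    for line in log:
        print(line)
```

The model makes the asymmetry of the rules visible: permitting SSH from the enterprise to AWS would need ssh whitelisted on ent1 and sshd whitelisted on the AWS servers, which is exactly what the note's rules leave out.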
Micro-Segmentation Deployment Scenario

This micro-segmentation deployment scenario includes two server groups (SG1, SG2) and three VMs in AWS (aws1, aws2, aws3). The SG1 servers are protected by a stateful firewall chamber. Communication within SG0 servers is based on server group settings. Traffic traversing the firewall boundary follows the rules set for the chamber. Granular control of traffic flow is defined using TCP, UDP and IP ports. Chamber traffic control is supported at both the physical and CoIP levels.

Micro-Segmentation Configuration

Step 1: Add chamber.
Step 2: Create security policy.

Step 1: Micro-segmentation is enabled using a chamber at the server group level.
Step 2: Chamber security policy is created using port-level unidirectional compute flows. This rule allows TCP port 22 traffic from SG2 (aws3) to SG1 (aws1 and aws2). Traffic using any other port from SG2 to SG1 is implicitly denied.

Micro-Segmentation Verification

With the security policy set in micro-segmentation configuration Step 2, aws3 can SSH to aws1 (TCP 22 is allowed from SG2 to SG1). SSH in the reverse direction (from aws1 to aws3) is not permitted. With a security policy rule added to allow TCP 22 from SG1 to SG2, aws1 can now SSH to aws2, as shown below.
Chamber functionality is also supported at the physical level.
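The micro-segmentation scenario combines three behaviours: rules are unidirectional and keyed on source group, destination group, protocol and port; everything crossing the chamber boundary that no rule matches is implicitly denied; and because the chamber is stateful, the reply packets of a permitted SSH session get back without a reverse rule, while a new session in the reverse direction does not. The following is an added model of that evaluation, written for this note rather than taken from CoIP; the endpoint-to-group mapping, the port numbers used as sample flows, and the treatment of intra-group traffic as permitted by server-group settings are assumptions derived from the scenario text.

```python
"""Toy model of a chamber firewall enforcing unidirectional L4 rules.

Constructed illustration only, not CoIP's policy format or API.  It
models the behaviour the application note describes: a chamber around a
server group, rules keyed on source group, destination group, protocol
and destination port, implicit deny for anything else that crosses the
chamber, and stateful handling so that replies of a permitted flow are
accepted without a reverse rule.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    proto: str   # "tcp" or "udp"
    port: int    # destination port


@dataclass
class Chamber:
    group_of: Dict[str, str]           # endpoint -> server group
    chambered: Set[str]                # groups protected by a chamber
    rules: List[Rule] = field(default_factory=list)
    # Connection table of permitted flows: (src, dst, proto, dport, sport).
    state: Set[Tuple[str, str, str, int, int]] = field(default_factory=set)

    def allow(self, rule: Rule) -> None:
        self.rules.append(rule)

    def packet(self, src: str, dst: str, proto: str, sport: int, dport: int) -> bool:
        """Decide one packet; returns True if it is forwarded."""
        sg, dg = self.group_of[src], self.group_of[dst]
        # Traffic that never crosses a chamber boundary is governed by the
        # server-group settings, modelled here as permitted (assumption).
        if sg == dg or (sg not in self.chambered and dg not in self.chambered):
            return True
        # Reply packet of an already permitted flow: stateful match.
        if (dst, src, proto, sport, dport) in self.state:
            return True
        for r in self.rules:
            if (r.src_group, r.dst_group, r.proto, r.port) == (sg, dg, proto, dport):
                self.state.add((src, dst, proto, dport, sport))
                return True
        return False  # implicit deny across the chamber


def build_scenario() -> Chamber:
    """SG1 = {aws1, aws2} behind a chamber, SG2 = {aws3}; one rule so far."""
    ch = Chamber(group_of={"aws1": "SG1", "aws2": "SG1", "aws3": "SG2"},
                 chambered={"SG1"})
    ch.allow(Rule("SG2", "SG1", "tcp", 22))
    return ch


def run_verification() -> Dict[str, bool]:
    """Replay the verification steps with constructed sample ports."""
    ch = build_scenario()
    out = {}
    # aws3 opens SSH to aws1: matches the SG2 -> SG1 TCP 22 rule.
    out["aws3_to_aws1_22"] = ch.packet("aws3", "aws1", "tcp", 51000, 22)
    # aws1's SYN-ACK back to aws3 is the reply of a tracked flow.
    out["aws1_reply_to_aws3"] = ch.packet("aws1", "aws3", "tcp", 22, 51000)
    # Any other port from SG2 to SG1 is implicitly denied.
    out["aws3_to_aws1_23"] = ch.packet("aws3", "aws1", "tcp", 51001, 23)
    # A new SSH session in the reverse direction has no rule yet.
    out["aws1_to_aws3_22_before"] = ch.packet("aws1", "aws3", "tcp", 52000, 22)
    # Adding the SG1 -> SG2 TCP 22 rule permits it.
    ch.allow(Rule("SG1", "SG2", "tcp", 22))
    out["aws1_to_aws3_22_after"] = ch.packet("aws1", "aws3", "tcp", 52000, 22)
    # aws1 -> aws2 stays inside SG1 and never crosses the chamber.
    out["aws1_to_aws2_22"] = ch.packet("aws1", "aws2", "tcp", 53000, 22)
    return out


if __name__ == "__main__":
    for name, verdict in run_verification().items():
        print(f"{name}: {'allow' if verdict else 'deny'}")
```

The connection-table check is what makes a single unidirectional rule sufficient for an interactive protocol like SSH; without it, an administrator would be tempted to add the reverse rule, which would also open new sessions from SG1 into SG2 and weaken the segmentation the chamber was added for.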