Prevent lateral compromise with micro-segmentation
It’s an unfortunate reality of information security: Eventually, everyone gets compromised. Manufacturers, banks, tech support companies, retail giants, power plants, municipal governments … these are just some of the sectors that have been affected by high-profile data breaches in recent months. Everyone gets hacked. You will, too.
This isn’t a cause for despair. It simply means that effective security has to focus on more than just intrusion prevention. Hackers will eventually get into any network, if they’re willing to spend enough time and money doing so. But whether or not they get anything useful once they’ve gained entry—that’s another story.
Good network design can minimize the damage incurred during an attack. There are more ways to approach this than will fit in a single article, so this blog will only focus on network segmentation, and its smaller sibling, micro-segmentation.
What is network segmentation?
Network segmentation is the practice of dividing a network into one or more subsections. Each subsection usually contains different kinds of resources and has different policies about who has access to that segment. There are a variety of ways to accomplish the division.
Network segmentation runs along a spectrum from the purely physical to the purely logical. The most basic form of segmentation is simple physical layer separation: each network that you want to keep separate is wired independently of the others.
You can also segment a network by creating virtual networks, such as VLANs or VXLANs. VLANs and VXLANs simulate separate physical networks without actually having to alter the underlying hardware, though the physical switches typically participate in some fashion. (This is truer for VLANs than VXLANs, as VXLANs regularly operate as overlays.)
Subnets are a purely logical form of network segmentation. Multiple subnets can exist on a physical layer segment, or on a virtual network such as a VLAN or VXLAN. Regardless of how networks are segmented, in order for traffic from one segment to reach another segment, it has to pass through a layer 3 device, such as a router or layer 3 switch.
This sort of segmentation provides little inherent security. It breaks up broadcast domains, which prevents certain kinds of attacks, but network segmentation is typically deployed with some form of routing (the aforementioned layer 3 device) between segments, which ultimately allows connectivity.
A compromised workload can be easily configured to listen to all broadcast traffic on its segment, and determine which subnets exist within that segment. That compromised workload could then be configured with IP addresses for each subnet that it can see, giving it access to those subnets without having to transit the router.
Poorly designed and/or administered virtual networks can allow similar attacks. Switches (and/or virtual switches) can be configured to allow workloads to communicate using a trunk protocol, which would allow them to register for any VLAN they chose. Similarly, where switches use tagged ports for workloads, but aren’t protected against double tagging, a compromised workload could participate in any VLAN it chose.
Any port on any switch can be mirrored, thus allowing all traffic on that port to be passively observed. Many switches can be configured to mirror only certain data flows, offering the same passive observation capability with a greater signal-to-noise ratio. Individual switch ports, whether physical or virtual, can also have ACLs applied to them. This allows for simple, stateless traffic control.
Assuming that everything is configured correctly, however, network segmentation does offer an opportunity to implement network security because it forces all traffic entering or exiting a segment to pass through a layer 3 device. Traffic passing through a layer 3 device can be actively manipulated in multiple ways.
Layer 3 routing allows packets to be routed through multiple security products before being sent on to their destination. These products can include advanced threat protection, unified threat management, stateful (layer 4) firewalls, and application (layer 7) firewalls.
Chain routing packets through these devices isn’t strictly necessary; in certain circumstances it is possible to use traffic mirroring and network ACLs to accomplish many of the same tasks. Chain routing data in and out of network segments is, however, the more common approach. Passive scanning combined with automated ACL generation requires integration between the security product and the switching layer, and this significantly limits an organization’s options due to the poor state of integration among industry vendors’ offerings.
Using the natural bottleneck at a segment’s edge (where packets must transit a layer 3 device in order to interact with another segment) gives network administrators the ability to deploy powerful and highly capable network security products; however, this approach does have its own drawbacks. Stateful network security is computationally expensive when compared to simple stateless ACLs. Each device performing stateful inspection will have throughput limits, and getting security devices or software capable of doing security at wire speed brings financial considerations to the forefront.
Regardless of the type of segmentation used, segmentation doesn’t scale well unless you either have remarkably static networks, or some automation to help. There’s a limit to how many change requests per day network administrators can reasonably accommodate, and network administrators already have a reputation as being the “department of no.” In many organizations this has led to the adoption of public cloud computing—often as a shadow IT exercise—and only further reinforces the importance of automation, especially once network segmentation and the implementation of network security products are factored into modern network design.
Why network segmentation?
In modern networks, the goal of network segmentation is security. The larger the number of workloads, devices, and endpoints that can communicate directly with one another, the greater the chance that a single compromise event can spread laterally to become a contagion.
If everything on your network can talk to everything else, with no barriers in between, then the first person to open the wrong email, or visit a website with a malicious advertisement, risks deleting your entire business. Even if you manage to catch the compromise before something horrible like a wormable ransomware event occurs, an intelligent attacker could parlay that single malware beachhead into something even worse.
Not every device on a network can be secured. Internet of Things (IoT) devices and printers are notorious for being difficult to secure. Workloads and endpoints are always in various states of patching, and even fully patched systems have vulnerabilities.
If an attacker can get onto a network through any vector—from brute force external attack to a carefully crafted phishing email—they can quickly scan a network to identify vulnerable workloads, devices, and endpoints. When no network security between segments is implemented, it becomes a trivial activity for the attacker to scan (and attack) not only systems in their own segment, but also systems in other segments. Furthermore, without adequate segment edge defenses, network administrators have very little visibility into this activity.
Network segmentation helps mitigate the spread of lateral compromise by providing natural chokepoints between segments where data flows can be inspected, analyzed, and blocked. Most importantly, because all data in and out of a network segment must pass through a layer 3 device, this offers the opportunity to perform security tasks using tools that are independent from potentially compromised workloads, as well as independent from one another.
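The chokepoint visibility described above can be sketched as detection logic over flow records taken at the layer 3 device. This is an added example, not code from the original article; the segment map, flow tuples, addresses, window and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed segment map (assumption, not from the article).
SEGMENTS = {"office": "10.0.1.0/24", "servers": "10.0.2.0/24", "printers": "10.0.3.0/24"}

# Constructed flow records as seen at the router: (timestamp_s, src, dst, dst_port).
FLOWS = [(t, "10.0.1.20", "10.0.2.10", 443) for t in (0, 30, 65, 90)]          # normal client
FLOWS += [(100 + i, "10.0.1.66", f"10.0.2.{i}", 445) for i in range(1, 9)]     # wide fan-out
FLOWS += [(110, "10.0.1.66", "10.0.3.5", 9100)]

def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"

def fanout_alerts(flows, window=60, max_targets=5):
    """Return {src: peak distinct (host, port) targets} for sources that exceed
    max_targets in other segments within any `window`-second span."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if segment_of(src) != segment_of(dst):   # only traffic that crossed the boundary
            per_src[src].append((ts, dst, port))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) > max_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

if __name__ == "__main__":
    print(fanout_alerts(FLOWS))
```

Traffic that stays inside one segment never reaches this log, which is why the size of each segment determines how much of a compromised workload's activity the chokepoint can see.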
Security in the network
Any workload or device can become compromised. Once compromised, the security capabilities built into that workload or device can no longer be trusted.
For example, just because the firewall on a Windows PC says it’s blocking all outbound traffic from that PC to a given IP address doesn’t mean that it’s actually doing so. It would be far more secure to rely on a separate device to enforce this. This is where security within the network itself comes into play.
Broadly speaking, there are two categories of network security: stateful and stateless. Stateless network security is very simple, but also very low-impact. Access control lists (ACLs) are a great example of stateless security.
Using ACLs, network administrators could craft a rule that says, “This PC is only allowed to communicate with these IPs,” or, “This PC is only allowed to send outbound traffic on these ports.” ACLs can be applied to individual workloads or devices. They can also be applied to entire subnets, virtual networks, or physical network segments. They’re a powerful tool, but also something of a blunt instrument at the same time.
Stateful network security—which is found in stateful firewalls, IPSes, and other traditionally dedicated security tools—is more discriminating. Stateful network security tools inspect data flows in detail, including tracking the lifecycle of a connection.
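The difference between the two categories shows up when the same policy ("this PC may only talk outbound on port 443") is evaluated per packet versus per connection. The following is an added example, not code from the original article; the addresses, the trace and the simplified TCP handling (SYN, SYN-ACK, ACK, RST only) are constructed assumptions.

```python
from collections import namedtuple

PC = "10.0.1.20"  # constructed address of the protected workstation
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: "S", "SA", "A", "R"

def stateless_acl(p):
    """Judges each packet alone: PC -> port 443 out, anything from port 443 back in."""
    return (p.src == PC and p.dport == 443) or (p.dst == PC and p.sport == 443)

class StatefulFirewall:
    """Same policy, but return traffic must belong to a connection the PC opened."""
    def __init__(self):
        self.conns = {}  # (pc, pc_port, server, server_port) -> state

    def allow(self, p):
        if p.src == PC and p.dport == 443:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":
                self.conns[key] = "SYN_SENT"     # start of the connection lifecycle
                return True
            if key not in self.conns:
                return False
            if "R" in p.flags:                   # a reset ends the lifecycle
                del self.conns[key]
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.conns.get(key)
        if state is None:
            return False                         # no tracked connection: drop
        if state == "SYN_SENT":
            if p.flags != "SA":
                return False
            self.conns[key] = "ESTABLISHED"
        return True

# Constructed trace: one real session, plus packets that belong to no session.
TRACE = [
    Packet(PC, 50000, "203.0.113.10", 443, "S"),
    Packet("203.0.113.10", 443, PC, 50000, "SA"),
    Packet(PC, 50000, "203.0.113.10", 443, "A"),
    Packet("198.51.100.7", 443, PC, 50001, "A"),   # never requested by the PC
    Packet(PC, 50000, "203.0.113.10", 443, "R"),
    Packet("203.0.113.10", 443, PC, 50000, "A"),   # arrives after the reset
]

def compare(trace):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.allow(p)) for p in trace]
```

The stateless rule accepts all six packets, while the connection tracker drops the fourth and sixth because neither matches a live connection.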
Clearly, performing information security tasks in the network is a critical capability. Security in the network allows threats to be detected and eliminated without relying on security that exists on compromised endpoints and devices. It’s also important because it allows multiple independent devices to participate in information security either sequentially or in parallel (depending on the type of tasks being performed).
This brings us to micro-segmentation.
Micro-segmentation can be thought of as “next level” network segmentation. Pretty much the only thing that the IT industry universally agrees upon regarding the term “micro-segmentation” is that the ultimate goal of micro-segmentation is to move enforcement of network security closer to the endpoint. How this is actually accomplished depends entirely upon who you talk to.
There are three categories of approaches toward micro-segmentation today. The first is firewall orchestration. Firewall orchestration vendors are attempting to move the enforcement of network security closer to the endpoint by adding an agent to workloads or devices that allows the host’s native firewalls to be orchestrated by a central management product.
The goal behind firewall orchestration-based micro-segmentation is to offer organizations the ability to add fine-grained network controls at the individual workload level without having to make any modifications to their networks. Many organizations have large, flat networks with little to no segmentation, and this approach seems attractive on the surface.
Unfortunately, there are many devices on any given network that cannot be orchestrated in this fashion. Printers and other IoT devices remain vulnerable in a firewall orchestration-based micro-segmentation approach. In addition, this approach relies on trusting the native firewalls of compromised workloads. As discussed earlier, this is problematic.
The most popular current approach to micro-segmentation is ACL orchestration. ACLs are efficient and powerful, but this approach also has its drawbacks. In order to apply this technique all the way down to the workload level in virtualized or containerized environments, you must be able to implement controls at the virtual switch level.
The virtual switch is controlled at the hypervisor, micro-visor and/or cloud provider level, and not all of them allow third parties the necessary level of control. It’s possible to work around this by hairpinning traffic through a virtual machine or container designed to provide the appropriate controls; however, this reduces efficiency.
The third approach to micro-segmentation is to wrap a network segment around individual applications, forcing all traffic in and out of that application’s network segment through a router, where the traffic can be steered through various network security products. This approach to micro-segmentation is resource-intensive, especially when compared to ACL orchestration.
This approach to micro-segmentation is most common with highly distributed microservices-based applications. An “application” in this sense is usually more than an application such as you might find on your phone or laptop. Here, an application refers to an enterprise-class application that’s broken down into multiple microservices. Hundreds of individual workloads, each performing a specific task, may be required to make up what, to an end user, appears to be one single application.
Micro-segmentation that relies entirely on segment edge inspection typically uses VXLANs to provide the network segmentation. Unlike classic VLANs, VXLANs can support millions of virtual networks. In this configuration, traffic inspection is typically implemented using network functions virtualization (NFV): small, virtualized implementations of information security products (such as IDS and UTM). This stands in contrast to the large physical appliances traditionally used at the corporate network edge, or where physical network segmentation is the dominant approach.
Each of these three approaches to micro-segmentation has flaws when used in isolation. When combined, however, they provide the most capable approach to security in the network currently known.
Micro-segmentation is an increasingly important security measure, because there has been a trend in cybercrime toward multi-stage attacks with longer dwell time. Once an attacker gets access to a network, they seldom take obvious action right away. Instead, they try to remain undetected and engage in lateral movement. Micro-segmentation reduces the number of devices that can be easily accessed from the compromised device. At the same time, inserting NFVs can make it more likely that these efforts will be detected before they can spread wider.
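To make the reduction in reachable devices concrete, the model below compares what one compromised workload can connect to under a flat network, segment-level rules, and a per-workload allowlist. It is an added example, not code from the original article; the inventory, segment names and rule sets are constructed assumptions, and the transitive result is a worst case that assumes every reachable workload can itself be compromised.

```python
from collections import deque

# Constructed inventory: workload -> segment.
WORKLOADS = {"pc1": "office", "pc2": "office", "printer": "office",
             "web": "app", "api": "app", "db": "app", "backup": "mgmt"}
# Segment-level rules enforced at the router: (source segment, destination segment).
SEGMENT_RULES = {("office", "app")}
# Per-workload allowlist (micro-segmentation): (source workload, destination workload).
MICRO_RULES = {("pc1", "web"), ("pc2", "web"), ("web", "api"),
               ("api", "db"), ("backup", "db")}

def can_connect(src, dst, model):
    """True if the given enforcement model lets src open a connection to dst."""
    if src == dst:
        return False
    if model == "flat":
        return True
    if model == "segmented":
        s, d = WORKLOADS[src], WORKLOADS[dst]
        return s == d or (s, d) in SEGMENT_RULES   # nothing is enforced inside a segment
    if model == "micro":
        return (src, dst) in MICRO_RULES           # default deny, explicit allow
    raise ValueError(f"unknown model: {model}")

def direct_reach(start, model):
    """Workloads the starting workload can connect to in one hop."""
    return {w for w in WORKLOADS if can_connect(start, w, model)}

def blast_radius(start, model):
    """Worst-case set reachable by hopping through each newly reached workload."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for nxt in direct_reach(current, model):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

if __name__ == "__main__":
    for model in ("flat", "segmented", "micro"):
        print(model, len(direct_reach("pc1", model)), sorted(blast_radius("pc1", model)))
```

Under the allowlist the compromised PC reaches one workload directly instead of six, and the remaining multi-hop path runs only over explicitly permitted flows, which are the ones worth steering through inspection.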
Modern networks are large and distributed. They can consist of thousands of devices, and regularly incorporate dozens of physical locations. Workloads and devices may be located on-premises, in the public cloud, as well as within various colocation, hosting, or edge datacenters. Today’s multicloud networks offer organizations many advantages; however, these advantages cannot be fully realized in a secure fashion without abandoning the idea of networks with few segments, and defenses concentrated at the network’s edge.
It’s unlikely that an enterprise will ever have a single networking provider in the future. Even if they were to single source their physical on-premises networking equipment, there’s more to the modern network than routers or switches. Hypervisors, micro-visors, and clouds have virtual switches.
Next-generation applications increasingly communicate using message queues and service buses. These are yet more layers of communication that need to be inspected, and yet another group of vendors and protocol standards that need to play nice with one another.
As network security enforcement moves closer to the individual workloads and endpoints, an increasing number of components have to work together.
This becomes increasingly difficult with scale, and it makes micro-segmentation in any form impossible to implement without automation. This is why open networking matters. Open standards, open hardware, and open source combine to make critical network security advances, like micro-segmentation, viable. Not only for today, but for whatever tomorrow brings.