Page 205

Micro-segmentation

Micro-segmentation describes the process of filtering traffic between all systems, whether physical or cloud-based: “Micro-segmentation is a method of creating zones in data centers and cloud environments to isolate workloads from one another and secure them individually. With micro-segmentation, system administrators can create policies that limit network traffic between workloads based on a Zero Trust approach. Organizations use micro-segmentation to reduce the network attack surface, improve breach containment and strengthen regulatory compliance” (https://www.paloaltonetworks.com/cyberpedia/what-is-microsegmentation).

Micro-segmentation is a core Zero Trust (previously discussed in Chapter 4, Domain 3: Security Architecture and Engineering) concept, and uses technologies such as Software-Defined Networking (SDN), Software-Defined Wide Area Network (SD-WAN), and Virtual eXtensible Local Area Network (VXLAN), discussed next.

Software-Defined Networks

Through virtualization and cloud services, storage and compute are increasingly decoupled from the traditional server and disk-dense datacenter. Software-Defined Networking (SDN) seeks a similar paradigm shift in organizations’ approach to networking. A helpful oversimplification can be to think of SDN as an approach to virtualize networking and decouple networking from the hardware typically employed for this purpose.

Software-Defined Networking (SDN) separates a router’s control plane from the data (forwarding) plane. The control plane makes routing decisions. The data plane forwards data (packets) through the router. With SDN, routing decisions are made remotely at a central controller, instead of on each individual router.

One of the goals of SDN is to allow micro-segmentation: nimble and customizable networking capabilities. A hallmark of SDN is the potential for achieving this flexibility using inexpensive “white-box” networking hardware and open protocols rather than traditional proprietary hardware, firmware, and software. Another common goal of SDN is to accommodate dynamic instantiation of networking capabilities and rules as they are needed within the infrastructure.

The most well-known protocol in this space is OpenFlow, which, among other capabilities, allows switching rules to be defined or updated at a central controller and pushed to the switches. OpenFlow runs over TCP and uses TLS encryption.
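To make the control-plane/data-plane split and a default-deny micro-segmentation policy concrete, here is an added example that is not from the book and is not real OpenFlow or controller code: a toy Python "controller" compiles zone-level Zero Trust intent into prioritized match/action flow rules, and a toy "switch" evaluates packets against that table. The zone names, CIDRs and ports are constructed.

```python
# Constructed example: a toy SDN controller that compiles a Zero Trust
# micro-segmentation policy into OpenFlow-style flow rules (control plane)
# and a toy switch that evaluates packets against them (data plane).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class FlowRule:
    priority: int          # higher wins, as in an OpenFlow flow table
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port
    action: str            # "forward" or "drop"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

# Constructed workload zones and the only flows the policy permits between them.
ZONES = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"}
POLICY = [("web", "app", "tcp", 8080),   # web tier may call the app API
          ("app", "db", "tcp", 5432)]    # app tier may reach the database

def compile_rules(zones: dict, policy: list) -> list:
    """Control plane: turn zone-level intent into flow rules, default deny."""
    rules = [FlowRule(100, zones[s], zones[d], proto, port, "forward")
             for s, d, proto, port in policy]
    # Lowest-priority catch-all: anything not explicitly allowed is dropped.
    rules.append(FlowRule(0, "0.0.0.0/0", "0.0.0.0/0", "any", None, "drop"))
    return sorted(rules, key=lambda r: r.priority, reverse=True)

def forward(rules: list, pkt: dict) -> str:
    """Data plane: the first (highest-priority) matching rule decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"   # no table-miss rule installed: fail closed

if __name__ == "__main__":
    table = compile_rules(ZONES, POLICY)
    for pkt in [{"src": "10.0.1.5", "dst": "10.0.2.7", "proto": "tcp", "dport": 8080},
                {"src": "10.0.1.5", "dst": "10.0.3.9", "proto": "tcp", "dport": 5432}]:
        print(pkt["src"], "->", pkt["dst"], forward(table, pkt))
```

Because the controller recompiles the whole table from intent, adding or removing a zone-to-zone entry in POLICY is the "dynamic instantiation of rules" the text refers to, and a web host trying to reach the database directly still hits the catch-all drop.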