Segmentation and Security – in Cloud and Software Defined Network (SDN)
The cloud is here to stay. The benefits in terms of cost and flexibility are evident and allow organizations of all sizes to be faster, more flexible, and reach their customers more optimally.
However, this does not mean that all current infrastructure is going to be thrown away and replaced by cloud environments. An extended period of coexistence awaits us, at different levels of the weight of one option over the other, which will force us to manage and administer hybrid networks.
One of the main obstacles when adopting “the cloud” is security. We have become accustomed to the necessary security levels in our current infrastructure (call them Data center), and we need to transfer these security levels to the new cloud infrastructure. Also, as we are going to live with both realities, we need to safely interconnect both worlds to be able to use current resources quickly and effectively with the new possibilities offered by the cloud. As if this is not enough, we also find projects to improve our existing infrastructure and networks, to make them more flexible and provide them with the capabilities of the cloud, but on-premise. They are environments called SDN (Software Defined Network)
In both cases, we find a paradigm shift about what security professionals used to work. We no longer talk about sub nets and zones, but about security and micro segmentation groups, all revolving around applications and services.
The agility provided by the new networks can constrain by the time needed to analyze and implement the latest security policies, which makes automation key.
But how do we implement necessary security measures in new environments? Let’s go by parts.
Public Cloud Environments
If we refer to the primary public cloud environments, let’s talk about Amazon Web Services, Microsoft Azure, Google Cloud, etc., we find that they all have basic security features. Call Security Groups, Network Security Groups, or similar, allow you to group “networks” of machines by applying common access management policies.
It applies to specific elements that we can distribute in our “clouds” and that work in a similar way to what a router with access control lists (ACLs) would be. They are called perimeter gateways and allow us to separate networks and manage inbound/outbound flows (in some cases, only incoming) based on tags assigned to Security Groups. This provides us with underlying security, which can be complemented by distributing the specific virtual equipment that the leading Firewall manufacturers have available for the main public clouds (we can find
specific virtualized versions, for example in the Amazon Web Services Marketplace, Palo Alto, Check Point, Fortinet, Cisco, Sophos, etc.).
It will allow us to complement the security of the devices we were commenting on until we get to match the one we can implement in our Data-center and fact, interconnect them with VPN or similar systems as if a part of our infrastructure were.
Private Cloud Environments
When we talk about private cloud environments or SDN, we find a new and exciting term, Micro-segmentation.
It constitutes a complete paradigm shift. Remember, segmentation is an essential safety technique that allows me to:
· Include control points within the perimeter
· Hinder the spread of malicious code over the network
· Hinder the lateral movement and elevation of privileges of an attacker
· Isolate critical segments of the system
· Reduce service exposure
· Facilitate compliance with some regulations (PCI-DSS)
We must take into account the flexibility and adaptation to the needs of the different business areas when segmenting the network.
We can find two main types of traffic segmentation within a network:
• North-South: It is the most traditional form of segmentation. It contains a control point (typically a Firewall) for traffic entering or leaving from a segment of the internal network or the Data center engineer to/from the perimeter.
• East-West: It consists of filtering traffic between different elements of the same network segment that has already isolated from North-South traffic.
East-West traffic segmentation – is introduced by this new paradigm, Micro-segmentation.
Although the principle existed through VLAN technology and has also used by Network Access Control systems, Micro-segmentation has included in the heart of new generation networks using SDN technologies.
With Micro-segmentation, we can apply East-West filtering policies at the virtual switch/router level, segmenting traffic at the application and protocol flow level while simplifying and reducing traffic.
As in the case of the Public Cloud, the natural filtering systems of the different SDN technologies give us the necessary capabilities up to Level 3, which we can complement with the corresponding virtualized technologies of the leading manufacturers of Firewalls that integrated into these environments. In some cases, they are even able to integrate with the provisioning consoles of the SDN solutions to automate the deployment of Fortinet Firewalls with the new networks generated and with predefined filtering policies that increase Micro-segmentation capabilities by taking them to the next level.
As we can see, we can reach a level of security similar to that of our Data-center infrastructures in new environments, and even higher, in the case of Micro-segmentation, which opens up new possibilities for filtering and applying security and isolation policies, as well as interconnection between the different “flavors” of clouds that we will find along the way.