Cisco Switzerland Technology Blog

The demand for more security in the DC comes with challenges

Friday, 21 July 2017

Segmenting the data center into secure zones is a common way to protect your data and applications. From a security point of view, it is desirable to have small zones with a limited amount of applications in it. But granular zoning is a scalability challenge for security management processes. Today those processes are centered around the Firewall in the Data Center, which leads to the question whether this approach becomes a bottleneck and if yes, what can be done to address it.

New terms are used these days, to describe methods for the future of security in the data center. Zero trust model, microsegmentation, east-west traffic, white list approach, policy based model are concepts I am going to touch on in this blog. Let’s first agree on the starting position.

The risk of being attacked and the impact of an attack, can be reduced by:

  • Limiting the impact of a breach or malware in the data center by reducing the attack surface.
  • Protecting the back end from the exposed front end of tiered and modular applications.
  • Extend or replicate the security zones in existing infrastructures into new private or public cloud infrastructures.

Another requirement coming up is the need of DevOps organizations to dynamically change the status of SW from dev to test to prod.

Today, the two common mechanisms for security in the Data Center are: Zoning and Firewalls

  1. Network zones: Servers belong into a certain security zone and can communicate to all other servers in the same zone.
  2. Firewalls: Communication with applications and users outside of this zone traverses a Firewall.

So far so good but what if we want to increase the level of protection?

Smaller zones keep servers and applications apart from each other and hence reduce the attack surface should one be compromised. So for the ideal protection, every application has a fence around it and with that, is in its own security zone.

No uncontrolled communication takes place anymore and its therefore called zero trust model. This actually eliminates todays concepts of zoning with multiple servers and applications in it and is also referred to as micro segmentation.

Small security zones and micro segmentation can be used in parallel but they both increases the challenge we already have with the firewall being the bottleneck in the data center.

What are the challenges with increasing the number of zones in the data center?

First: The vast number of rules

Security zones today often separate applications of different internal divisions, separate business services and SW life-cycle status like development, test and production.

Communication from such zones to destinations outside of the Data Center i.e. to users, is referred to as north-south traffic. Doubling the number of security zones also increases the number of Firewall rules required and the challenge of keeping track of all of them over time.

Because applications are architected in a modular way most of the traffic takes place between those modules and so remains to a large extend within a zone. This east-west traffic is estimated to be around 80% of all traffic within a Data Center. And exactly this today uncontrolled communication, is the reason why we want to introduce smaller zones. Up to a zone per application, up to micro segmentation.

And here comes the first challenge, segmenting to reduce uncontrolled east-west traffic, increases the number of rules exponentially. Because every zone can have multiple communication peers and specific communication requires multiple specific rules.

Second: Dynamic implementation of zones

Because of the scale, the implementation of zones in the infrastructure can no longer be done by pre-provisioning ports, VLAN’s, IP-Subnets and Firewalls. It has to be highly dynamic and therefore truly automated in order to scale.

Dynamically provision and decommission security zones, end to end, is a capability which is not available in most of the existing infrastructure services today.

Third: The communication behavior of applications

The allocation of applications into security zones and the definition of the corresponding rules requires a good understanding of the application and its communication relationships. IT-Infrastructure teams often do not have the necessary details about the application and application owners don’t necessarily know how their applications communicate.

In larger organizations, it is a challenge to maintain a reliable and fast communication process between infrastructure, security and the large number of application owners and developer teams.

In summary, there is a limit with increasing the number zones in the data center

Because an increasing number of Firewall rules needs to be created and managed over time.

Because the dynamic deployment of zones in the infrastructure is often not available yet.

Because a sophisticated process is required to allocate applications to the correct zone and to define the corresponding security rules.

This is what makes it difficult for IT-Organisations to adopt a zero trust model and to make us use of micro segmentation.

What do you think? Have I missed a point?

In the next blog about this topic, I am going to propose a building block approach to address this challenges.

Leave a comment