In Part 1 of “Software Defined Networking (SDN) for IT Leaders”, micro-segmentation was described as one of the most popular use-cases for SDN. With the increased focus on security, due to the growing number of brand-damaging cyber attacks, micro-segmentation provides a way to easily and cost-effectively firewall each application, preventing attackers from gaining easy access across your data center once they penetrate the perimeter defense.
This article describes how to get started with micro-segmentation. Micro-segmentation is a great place to start with SDN because you don’t need to make any changes to the existing physical network, i.e. it is a layer of protection that sits on top of the existing network. You can also approach micro-segmentation incrementally, i.e. protect a few critical applications at a time and avoid boiling the ocean. It’s a straightforward way to dip your toe into SDN.
5 Simple Steps to Get Started:
- Identify the top 10 critical apps. These applications may contain confidential information, may need to be regulatory compliant, or they may be mission critical to the business.
- Identify the location of these apps in the data center. For example, what are the VM names, or are the app servers all connected to the same virtual switch?
- Create a security group for each app. You can also define generic groups like “all web servers” and set up firewall rules such as no communication between web servers.
- Using SDN, define a firewall rule for each security group that allows any-to-any traffic. The purpose of this rule is to trigger logging of all network traffic to observe the normal patterns of activity. At this point, we are not restricting any network communications.
- Inspect the logs and define the security policy. The amount of time that needs to elapse before inspecting the logs is application dependent. Some applications will expose all their various network connections within 24 hours. Other applications, like financial apps, may only expose specific system integration during end-of-quarter processing. Once you identify the normal network traffic patterns, you can update the any-to-any firewall rule to only allow legitimate connections.
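Steps 3 to 5 can be worked through in code. The following is an added example, not code from the original article or from VMware: it assumes a constructed flow-log format (timestamp, source IP, destination IP, protocol, destination port) written by the logging-only any-to-any rule, constructed security groups for one application’s tiers, and a generic “no web-to-web” rule. It collapses the host-level log into group-level flows, turns those into explicit allow rules followed by a default deny, and sets aside any observed flow that contradicts a generic rule for human review rather than whitelisting it automatically.

```python
"""Derive a micro-segmentation policy from flows logged under an any-to-any rule.

This is an added example, not code from the original article or from VMware.
The security groups, the flow-log format (timestamp src dst proto dst_port)
and all addresses below are constructed for illustration.
"""
from collections import defaultdict

# Step 3 (constructed): one security group per application tier.
SECURITY_GROUPS = {
    "crm-web": {"10.0.1.10", "10.0.1.11"},
    "crm-app": {"10.0.2.10"},
    "crm-db": {"10.0.3.10"},
}

# Generic rules decided up front, e.g. "no communication between web servers".
GENERIC_DENY = {("crm-web", "crm-web")}

# Step 4 (constructed): what the logging-only any-to-any rule recorded.
FLOW_LOG = """\
2024-03-01T10:00:01 10.0.1.10 10.0.2.10 tcp 8080
2024-03-01T10:00:02 10.0.1.11 10.0.2.10 tcp 8080
2024-03-01T10:00:03 10.0.2.10 10.0.3.10 tcp 5432
2024-03-01T10:00:04 10.0.1.10 10.0.1.11 tcp 22
2024-03-01T10:00:05 10.0.2.10 10.0.3.10 tcp 5432
2024-03-01T10:05:00 10.0.3.10 10.0.1.10 tcp 443
malformed line that should be skipped
"""


def group_of(ip):
    """Map an IP to its security group; hosts outside every group get 'unknown'."""
    for name, members in SECURITY_GROUPS.items():
        if ip in members:
            return name
    return "unknown"


def parse_flows(log_text):
    """Parse the constructed log into (src, dst, proto, port) tuples."""
    flows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines rather than abort the analysis
        _ts, src, dst, proto, port = parts
        flows.append((src, dst, proto.lower(), int(port)))
    return flows


def summarize(flows):
    """Step 5a: collapse host-level flows into group-level flows with hit counts."""
    counts = defaultdict(int)
    for src, dst, proto, port in flows:
        counts[(group_of(src), group_of(dst), proto, port)] += 1
    return dict(counts)


def build_policy(group_flows):
    """Step 5b: turn observed group flows into explicit allow rules plus default deny.

    Flows that contradict a generic rule, or involve a host outside every
    security group, are not whitelisted automatically: they go to a review
    list, because an observation window records unwanted traffic just as
    faithfully as legitimate traffic.
    """
    allow, review = [], []
    for (sg, dg, proto, port), hits in sorted(group_flows.items()):
        rule = {"src": sg, "dst": dg, "proto": proto, "port": port, "hits": hits}
        if (sg, dg) in GENERIC_DENY or "unknown" in (sg, dg):
            review.append(rule)
        else:
            allow.append({**rule, "action": "allow"})
    # The any-to-any rule from step 4 becomes the closing default deny.
    allow.append({"src": "any", "dst": "any", "proto": "any", "port": "any", "action": "deny"})
    return allow, review


if __name__ == "__main__":
    rules, needs_review = build_policy(summarize(parse_flows(FLOW_LOG)))
    for rule in rules:
        print(rule)
    print("needs review:", needs_review)
```

On the constructed log this yields three allow rules (web to app on 8080, app to db on 5432, db to web on 443) ahead of the default deny, and one entry flagged for review (the web-to-web SSH flow). The hit counts are kept on each rule so that a flow seen once during a long observation window, such as the end-of-quarter integration mentioned above, stands out from steady-state traffic when the policy is reviewed.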
Once you have completed these 5 steps, repeat them for the next 10 most critical apps, incrementally working your way through the data center.
In Part 3 of Software Defined Networking for IT Leaders, we will discuss the other popular starting point or use case: automating network provisioning to improve time-to-market and reduce costs.
Reg Lo is the Director of VMware Accelerate Advisory Services and is based in San Diego, CA. You can connect with him on LinkedIn.