Who saw it coming that segmentation would be a popular term in 2015?!? Gartner analyst Greg Young was almost apologetic when he kicked off the Network Segmentation Best Practices session at the last Gartner Security Summit.

As a professional with a long history in the enterprise firewall space, I found it odd at first. Segmentation is such a basic concept, and it dovetails with how we have historically secured networks: at network boundaries. Network segmentation is the basis for how we write traditional firewall rules: somehow get the traffic TO the firewall, and policy can be enforced there. How much more is there to say about network segmentation?

But segmentation based on network boundaries has a reach problem. If traffic does not cross the firewall, you are blind to it. All hosts on the same network, commonly the same VLAN, can abuse each other at will. Perhaps NetFlow or IPS sensors are scattered throughout your network just to catch some of this internal free-for-all. And the DMZ? I like to think of all these networks as blast areas, where a single compromise could potentially take down everything else on the same network.

It's not really network segmentation that's all the rage today. Network segmentation's more precise cousin, micro-segmentation, is what has everyone's interest. The daily parade of network breaches heightens interest not only in breach detection, but also in more proactive measures to control access inside the north-south perimeter, that is, the east-west traffic between workloads. In this landscape micro-segmentation is appealing.

One can always take regular enterprise firewalls and use them more granularly. Layer 2 (transparent) mode is a lesser-used feature on most enterprise firewalls. In theory, some offer such rich, flexible Layer 2 support that they could be used in place of an access switch: full firewalling capability between physical hosts on the same Layer 2 network, as long as each host is plugged into its own firewall port. Of course, we don't see this often, unless the physical hosts are deemed particularly sensitive. The price difference between an enterprise firewall port and an access switch port makes it infeasible, save for particularly high-value physical hosts.

Layer 2 firewalling is interesting in that those devices are not enforcing policy on a network boundary, so enforcement can be more specific. We've seen folks try to add filtering capabilities to network switches, but there's only so much to be done when the hardware was specifically designed for other features. The first time I thought I had discovered a platform for a distributed firewall, I was disappointed on many counts: the switch's memory limits capped filter lists at a size that made them almost useless (under 20 entries), the filtering was stateless, and it was applied on ingress only. I am paranoid and like to limit my exposure!
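To make the "stateless" and "ingress only" limits concrete, here is an added example (mine, not the author's code and not any switch vendor's), which models a switch-style ACL whose "established" rule is a pure TCP flag match beside a minimal stateful connection tracker, then feeds both the same constructed traffic. The addresses, ports and rule wording are assumptions for illustration. The segment to watch is the forged ACK: a stateless list has to admit anything that looks like a reply, which is exactly what an ACK scan sends, while the stateful tracker rejects it because no matching outbound flow exists.

```python
"""Why a stateless, ingress-only filter list is a weak substitute for a firewall.

Added example, not code from the original post. It contrasts the kind of
switch ACL the post describes (stateless, ingress only, matching on flags)
with a minimal stateful tracker. All addresses, ports and segments below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

PROTECTED = "10.0.1.10"   # constructed: the host the filter is meant to protect
PUBLISHED_PORT = 443      # constructed: the one service exposed to the network


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST", "FIN"}
    direction: str          # "in" = toward PROTECTED, "out" = from PROTECTED


def stateless_acl(seg: Segment) -> bool:
    """Switch-style ACL applied on ingress only (rule wording is assumed).

    permit tcp any host PROTECTED established   (any segment with ACK or RST set)
    permit tcp any host PROTECTED eq 443
    deny   ip  any any
    Nothing is remembered between packets and egress is never inspected,
    so 'established' is purely a flag match.
    """
    if seg.direction == "out":
        return True                         # ingress only: egress is unfiltered
    if seg.dst != PROTECTED:
        return False
    if seg.flags & {"ACK", "RST"}:
        return True                         # looks like a reply; no way to verify
    return seg.dport == PUBLISHED_PORT


class StatefulFilter:
    """Remembers connections PROTECTED initiates and admits only their replies."""

    def __init__(self) -> None:
        # (local_ip, local_port, remote_ip, remote_port) for each outbound flow
        self.table: Set[Tuple[str, int, str, int]] = set()

    def allow(self, seg: Segment) -> bool:
        if seg.direction == "out":
            if seg.flags == frozenset({"SYN"}):
                self.table.add((seg.src, seg.sport, seg.dst, seg.dport))
            return True
        if (seg.dst, seg.dport, seg.src, seg.sport) in self.table:
            return True                     # genuine reply to a tracked flow
        # Brand-new inbound connection: only a SYN to the published service
        return (seg.dst == PROTECTED and seg.dport == PUBLISHED_PORT
                and seg.flags == frozenset({"SYN"}))


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Returns {name: (stateless_verdict, stateful_verdict)} for each segment."""
    stateful = StatefulFilter()
    # Constructed traffic, in arrival order
    traffic = [
        ("client_syn_out",
         Segment(PROTECTED, 51000, "10.0.2.20", 80, frozenset({"SYN"}), "out")),
        ("server_synack_in",
         Segment("10.0.2.20", 80, PROTECTED, 51000, frozenset({"SYN", "ACK"}), "in")),
        ("new_conn_to_443",
         Segment("10.0.1.99", 40000, PROTECTED, 443, frozenset({"SYN"}), "in")),
        ("new_conn_to_22",
         Segment("10.0.1.99", 40001, PROTECTED, 22, frozenset({"SYN"}), "in")),
        # ACK scan (nmap -sA style): forged 'reply' to a connection that never existed
        ("forged_ack_to_22",
         Segment("10.0.1.99", 40002, PROTECTED, 22, frozenset({"ACK"}), "in")),
    ]
    return {name: (stateless_acl(seg), stateful.allow(seg)) for name, seg in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:20s} stateless={'permit' if stateless else 'deny':6s} "
              f"stateful={'permit' if stateful else 'deny'}")
```

The forged ACK to port 22 passes the stateless list and reaches the host, which answers with a RST; that answer is what lets an ACK scan map ports through such a filter. The stateful tracker denies the same segment because it never saw PROTECTED open a flow to that peer. Egress being uninspected is the other gap the post mentions: nothing in the stateless list would stop a compromised PROTECTED from scanning the rest of the VLAN.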

Sure, one could deploy the operating system firewall and wrap up every end host tight. Don't tell anyone, but the first thing I turn off on all the workloads in my learning lab is the host firewall. I always forget it's there! I'm typically trying to learn some new tool or technology, and the best way for me to learn is to break stuff. I have spent countless hours troubleshooting when it was just the host firewall trying to do its thing. It is usually after a few rounds, when I've cleared all the other issues, that I run into the host firewall. I know I should turn them back on, but management is another issue for me. I'm used to going to my firewall console to control traffic flows. Maybe I'm just not an endpoint security person, since the endpoint firewall is the first thing to escape my mind. I just assume they are not trustworthy anyway; they live in the OS! Isn't that one of the first things the bad guys would turn off, along with AV?

Now that you know my feelings about distributed firewalling, stay tuned for Part 2, where I dig into the nuts and bolts of deploying the NSX distributed firewall to support micro-segmentation.