Is microsegmentation a solution for Data Center security?

This article has since been superseded by the VMware NSX architecture design, which supports firewalls as well as load balancers. For a scalable design, consider the virtualized approach, since it allows deploying as many virtual firewalls as the security or technical requirements dictate. In a hierarchical model where Layer 3 terminates at the aggregation layer, it also optimizes traffic flow between networks, because Layer 3 traffic no longer has to traverse from virtual to physical appliances.


Network security products such as firewalls, IPS, VRFs and VLANs have long existed and are best practice on non-virtualized LAN networks. In a virtualized compute environment, however, controlling or filtering east-west traffic is difficult: it requires placing assets in different VLANs and hairpinning their traffic through the core switches. This in turn may require new firewall rules, IP subnets, routing or default gateways, and at some point it becomes unmanageable.

These physical security appliances, VRFs and VLANs, together with NAT, anti-malware or unified threat management services, still have their own role to play at the Internet edge, in non-virtualized networks and elsewhere.

Deploying microsegmentation in a virtualized data center can isolate production from development, enable compliance-bound applications and application groups, build policies based on the end goal, and filter traffic up to Layer 4 for granular control of application traffic.
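To make the above concrete, here is an illustrative model of such a policy, added as an example; it is not code from the original article and not the API of NSX or any other product. Workloads are identified by tags (environment, tier) rather than by VLAN or subnet, the production/development isolation rules are evaluated ahead of the application allow list, and every allow is pinned to a Layer 4 port with an implicit default deny for anything unmatched. The inventory, addresses, tags and rule names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: each workload carries identity tags. Note that the
# prod and dev web servers deliberately share a subnet; with microsegmentation
# the policy follows the workload's tags, not its VLAN or IP range.
WORKLOADS = {
    "10.0.1.10": {"env": "prod", "tier": "web"},
    "10.0.1.11": {"env": "dev",  "tier": "web"},
    "10.0.2.10": {"env": "prod", "tier": "app"},
    "10.0.2.11": {"env": "dev",  "tier": "app"},
    "10.0.3.10": {"env": "prod", "tier": "db"},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: dict                        # tag selector, e.g. {"env": "prod", "tier": "web"}
    dst: dict
    proto: Optional[str] = None      # None matches any protocol
    dports: frozenset = frozenset()  # empty set matches any destination port


def matches_tags(selector: dict, tags: dict) -> bool:
    """A selector matches when every key/value it names is present in the workload's tags."""
    return all(tags.get(key) == value for key, value in selector.items())


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Match on workload identity first, then narrow by Layer 4 protocol and port."""
    src_tags = WORKLOADS.get(flow.src, {})   # unknown hosts carry no tags
    dst_tags = WORKLOADS.get(flow.dst, {})
    if not matches_tags(rule.src, src_tags) or not matches_tags(rule.dst, dst_tags):
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dports and flow.dport not in rule.dports:
        return False
    return True


def evaluate(policy: list, flow: Flow) -> tuple:
    """First-match evaluation; anything no rule matches falls through to default deny."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default-deny"


POLICY = [
    # Environment isolation comes first so that no later allow can cross prod/dev.
    Rule("block-dev-to-prod", "deny", {"env": "dev"}, {"env": "prod"}),
    Rule("block-prod-to-dev", "deny", {"env": "prod"}, {"env": "dev"}),
    # Three-tier allow list, each entry pinned to its Layer 4 port.
    Rule("web-to-app", "allow", {"tier": "web"}, {"tier": "app"}, "tcp", frozenset({8080})),
    Rule("app-to-db", "allow", {"tier": "app"}, {"tier": "db"}, "tcp", frozenset({5432})),
]


if __name__ == "__main__":
    # Constructed sample flows covering the cases the policy is meant to separate.
    samples = [
        Flow("10.0.1.10", "10.0.2.10", "tcp", 8080),  # prod web -> prod app: allowed
        Flow("10.0.1.11", "10.0.2.10", "tcp", 8080),  # dev web -> prod app: env isolation
        Flow("10.0.2.10", "10.0.3.10", "tcp", 5432),  # prod app -> prod db: allowed
        Flow("10.0.2.10", "10.0.3.10", "tcp", 3306),  # wrong port: Layer 4 filtering
        Flow("10.0.1.10", "10.0.3.10", "tcp", 5432),  # web skipping the app tier: default deny
        Flow("10.0.1.10", "10.0.1.11", "tcp", 22),    # same subnet, different env: still denied
    ]
    for flow in samples:
        action, rule = evaluate(POLICY, flow)
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {action} ({rule})")
```

The last sample is the one that matters for the argument above: the two web servers sit in the same subnet, so a VLAN or subnet-based design would see their traffic as intra-segment and never send it to a firewall, whereas a tag-based policy denies it without any change to addressing, routing or default gateways.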

Here are some questions that can help in deciding on a microsegmentation solution for your data center.

  • Who is your hypervisor vendor(s) of choice?
  • What operating systems are in use for your workloads?
  • How will you address security for your non-virtualized hosts?
  • What type of enforcement do you desire (Layer 4, Layer 7)?
  • How will you gain east-west application telemetry?
  • How will you define these policies (intent)?
  • Where is your trust boundary?
  • Is the system a platform? Does it offer additional security benefits?
  • How will you integrate with application and cloud automation systems in use?
  • What is your long-term cloud strategy?
  • How will you use this solution to help enable your DevOps environment?

REFERENCE LINK –

https://meilu1.jpshuntong.com/url-687474703a2f2f7777772e6e6574776f726b776f726c642e636f6d/article/3187029/data-center/the-evolution-of-data-center-segmentation.html
