When Umpqua Bank, a commercial bank with 400 branches, decided to move several hosted services in-house earlier this year, the IT team turned to VMware NSX and micro-segmentation as a security strategy.
Umpqua's security department performed an enterprise risk analysis and concluded that micro-segmentation would help cut the risk of reduced application integrity, said Sam Guidice, manager of infrastructure systems and technology shared services.
In network virtualization, engineers use micro-segmentation to separate and isolate virtual machines (VMs), and even individual workloads, from one another in order to prevent attacks from adjacent systems. It is an alternative to perimeter-based data center network security: instead of one policy enforced at the edge, distinct policies can be applied to specific VMs and network segments.
Guidice describes the concept of micro-segmentation as being similar to a tic-tac-toe board -- or even Hollywood Squares. With regard to virtual machines, it's "three across, three down, and the same thing -- three up," he said. "They all sit in their own little box."
In an NSX environment, he continued, each one of those boxes is an entity among itself.
"So in our case, unless we explicitly allow any networking ports in or out of that little square, it is its own island, happy as a clam -- nothing can see in and nothing can see out. So basically, in a nutshell, you're segmenting that VM into its own little bubble, and then you control what comes in and comes out."
This approach also prevents lateral attacks between multiple VMs.
"If one of the virtual machines got compromised, the attack vector to the other virtual machines is greatly reduced," Guidice said. "With NSX and micro-segmentation, there's no way out of the box that it's in, except for the specific pinholes you've opened up to the other specific VMs or network paths."
Guidice and his team looked at how much it would cost to place traditional physical firewalling on their virtual network segments. "That got to quickly be -- as we were whiteboarding -- pretty overwhelming," he said. "There were lots of posts, lots of rules, lots of everything."
Members of Guidice's infrastructure systems team were familiar with VMware vCloud Networking and Security (vCNS), and Guidice said they decided to look at that as an alternative to a traditional stack of firewalls. vCNS, a software-defined networking and security tool, is part of VMware NSX and provides services including virtual firewall, VPN, load balancing and VXLAN extended networks in a single platform.
VM islands and application functions
Guidice and his team decided in mid-January to purchase NSX licensing and then began implementing it in mid-February. Within about 12 weeks, the team set up NSX, did testing and then got micro-segmentation up and running.
The bank was already a 97% "virtualized shop," so NSX dovetailed well into its existing infrastructure. "From that perspective, it made it easy to make that decision," he said.
The first step in implementing micro-segmentation was understanding where and how to apply policy.
"With NSX, you can set up different policies," Guidice said. "So if the VM has a tag or is in a certain security group, it can get those attributes. From an ongoing standpoint, it made it much easier."
Guidice said it's crucial to understand how your applications function before moving into NSX. "As we were going into NSX, we were meeting with application engineers as we were doing the install." This was with the intent of fine-tuning how the operation of the application worked, "so when you're building these rules and putting them in place, you know why you're doing these rules and what the outcome is expected to be," he said.
Making the decision of "nothing in and nothing out" from the get-go also made the challenge of implementing NSX and micro-segmentation less daunting. "We knew we were going in strict and rigid, so we were able to manage that conversation of what's talking to each machine," he said.
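Added example (not the bank's configuration and not VMware's code): a small Python model of the policy pattern described above, in which security-group membership follows VM tags, every flow is denied unless an explicit rule allows it, and the residual reach of a compromised VM is just the set of pinholes it can still use. All VM names, tags, groups and ports are assumed.

```python
"""Default-deny, tag-driven micro-segmentation policy model.
Added example for this article, not Umpqua's configuration or the NSX API;
every VM name, tag, group and port below is constructed."""

# Constructed inventory: tags place each VM in security groups.
VM_TAGS = {
    "web-01": {"tier:web"},
    "web-02": {"tier:web"},
    "app-01": {"tier:app"},
    "db-01": {"tier:db"},
}
# Group membership is by tag, so a newly tagged VM inherits the group's policy.
SECURITY_GROUPS = {"sg-web": {"tier:web"}, "sg-app": {"tier:app"}, "sg-db": {"tier:db"}}

# The explicit "pinholes": (source group, destination group, TCP port).
# Any flow not matched here is dropped, even between VMs in the same group.
ALLOW_RULES = [
    ("sg-web", "sg-app", 8443),  # web tier calls the application tier
    ("sg-app", "sg-db", 5432),   # application tier talks to the database
]

def tag_vm(vm, tags):
    """Attach tags to a VM; group membership and policy follow automatically."""
    VM_TAGS.setdefault(vm, set()).update(tags)

def groups_of(vm):
    """Security groups a VM belongs to, derived purely from its tags."""
    tags = VM_TAGS.get(vm, set())
    return {g for g, required in SECURITY_GROUPS.items() if required & tags}

def is_allowed(src, dst, port):
    """Evaluate one flow: permitted only if some rule matches, else default deny."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    return any(s in src_groups and d in dst_groups and p == port
               for s, d, p in ALLOW_RULES)

def lateral_reach(compromised):
    """(vm, port) pairs a compromised VM can still reach: its residual blast radius."""
    ports = {p for _, _, p in ALLOW_RULES}
    return sorted((dst, p) for dst in VM_TAGS if dst != compromised
                  for p in ports if is_allowed(compromised, dst, p))

if __name__ == "__main__":
    for vm in VM_TAGS:
        print(f"{vm}: can reach {lateral_reach(vm) or 'nothing'}")
```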
Umpqua continues to add virtual machines to its infrastructure. As of now, there are 55 VMs, and Guidice said when all is said and done, there will be around 100.