VMware extends NSX micro-segmentation to AppDefense

NSX micro-segmentation basics

Multiple applications comprise a service, and all of them need to communicate to function. A basic web server service is a classic example. This service might have four workloads: a load balancer, a web front end, an unstructured file storage server and a structured database storage server.

These workloads need to communicate among themselves to provide web services, but other services only need to interact with the web server service on ports 80 and 443. All other communication attempts are suspect.

The workloads that participate in a service aren't necessarily geographically close. It's entirely possible to have a service wherein workloads exist on all sites, including the cloud. It's equally possible for a service to consist of multiple applications that all operate within the same VM or to combine these methods in different ways.

Networking and firewalls are the two primary means of segmenting services. Network-based micro-segmentation isolates workloads by using a combination of subnet masks, virtual LANs and virtual extensible LAN network overlays. This prevents communication between services except when transiting a router.

This makes all communication between services easy to monitor by trapping, examining or altering communication at the edge of each network segment. VMware automates this using a network-based method in NSX micro-segmentation.

Firewall-based micro-segmentation typically relies on the use of an OS agent to control the firewalls of hosts and guest workloads. A firewall automation orchestration service tracks every firewall under management and configures rules to allow, block or manipulate traffic between the various OSes it controls.

Micro-segmentation has practical limits

Network-based micro-segmentation achieves workload isolation by creating innumerable network edges and by applying edge-based network security at each edge.

With network-based micro-segmentation, services can't communicate with other services without transiting a router, which makes those data flows open to inspection. This complicates networks and orients the default security stance to restricting all communications unless it is explicitly allowed.

Firewall-based micro-segmentation uses firewalls to isolate networks, but typically operates on large, flat networks with few edges. These networks are far simpler to create and manage. It is also easier to orient the default security stance for these networks so that everything can communicate with everything else unless they are explicitly secured.

If you use network-based micro-segmentation to attach an IoT device to a network, it can't communicate with anything because it locks away all the services in their own segments. Similarly, a compromised workload can't infect all the IoT devices on your network because the communication of that workload beyond its own segment is restricted at the router.

If you use firewall-based micro-segmentation to attach an IoT device to a network, it should not allow that device to communicate with anything because all the services are locked away in their own network segments. Those workloads will reject attempts to communicate with them at the firewall and log the attempt.

A workload that is sufficiently compromised, however, could disable the micro-segmentation service's agent and change the firewall's rules to allow it to attach unprotected devices to the network.

Hyper-segmentation is the way forward

Beyond micro-segmentation lies process segmentation. The most popular means to segment processes are containers and VMs. A VM runs an application on a dedicated OS, which effectively isolates that application from other applications. Containers isolate individual processes, which enables the installation of multiple applications on a single OS while still maintaining isolation.

The next generation of process-focused security technologies is emerging, and VMware NSX micro-segmentation is leading the way. These future services won't only use process isolation; they'll also perform automatic process baselining to prevent future compromises by observing deviations in process behavior.

Increasingly, behavioral analytics can integrate with configuration management services to learn the desired status of a task's configuration and compare it to that task's running configuration. VMware's AppDefense is a great example of a process-focused security service.

When you combine all of the security technologies above, you establish hyper-segmentation. Whereas micro-segmentation isolates IT services from one another, hyper-segmentation applies isolation within services all the way down to the process level.

Whereas micro-segmentation isolates IT services from one another, hyper-segmentation applies isolation within services all the way down to the process level.

Micro-segmentation defends a service by controlling what applications that service can communicate with and by examining communications to and from that service. Hyper-segmentation controls communications between applications within a service, but it also examines those communications for deviations from the established norms down to the level of interprocess communications.

A hyper-segmented service wraps services up in network edges to create a security stance that denies communication by default and enables the inspection of inter-service traffic at the network segment's edge. Firewall automation defends and examines communication between applications within a service. Process isolation and in-guest agents defend and examine individual processes within an application. This results in the most robust IT security stance possible.

Currently, VMware is the only vendor that is even close to offering a complete hyper-segmentation service. NSX micro-segmentation combined with AppDefense provides something akin to hyper-segmentation. By combining services, VMware offers a technology suite that is more than the sum of its parts and points to the future of network security.