Review: Zoning by means of microsegmentation
On 5.12.2017, 15 ICT representatives from industry, banks, insurance companies and the federal administration explored the highly topical subject of microsegmentation in depth together with our atrete consultants. The event, which was moderated by Michael Kaufmann, focused on the following questions:
- Do I still need a zone concept with microsegmentation?
- Does microsegmentation give me more flexibility or does it make everything more complicated?
- Is microsegmentation already market-ready?
Adrian Schmidlin introduced the topic in an engaging introductory presentation. He made it clear that a zone concept is the basis on which the requirements for a microsegmentation implementation can be discussed. By means of microsegmentation, protection can be increased through fine-grained segmentation and control. The resulting increase in complexity can be reduced by standardization and automation (SDx and centralized controllers). He further summarized that microsegmentation goes hand in hand with network virtualization and that zone formation is largely decoupled from the network topology.
The next presentation by Mario Homberger and Stefan Müller showed the available models for implementing microsegmentation. The models range from full integration into hypervisor management, through a combination with third-party virtual firewalls, to agent-based solutions. Which model is right for a given application depends very much on the requirements and the environment; models are often also used in a mixed form. A few solutions were also presented, including Cisco ACI, Palo Alto VM-Series, Check Point, Illumio and the cloud-native solution of the start-up company ShieldX.
The participants then discussed the topic at three tables based on given questions. During this table discussion, which was moderated by the speakers, interesting statements on organisation, technology, security and operation were developed. The participants were in complete agreement on the following points:
a) Security must be increased.
b) The future organisation must move closer together.
c) Automation should be sought in order to reduce the operating costs of the higher complexity.
Finally, the introductory questions were answered in the presentation by Manuel Zoro:
1. Do I still need a zone concept with microsegmentation?
A superordinate zone concept for specifications and placements is still needed. However, it should provide for the "instantiation" of zones/microsegments (i.e. a much larger number of them). Classical network zones are currently still needed for systems outside the data centre (DC), e.g. clients.
2. Does microsegmentation give me more flexibility or does it make everything more complicated?
Yes and no, but using endpoint groups / security groups (EPG/SG) can significantly reduce the maintenance effort. A full build-out with classical methods of rule administration is hardly manageable. Limiting the use of a fine-grained rule set to a few individual zones or systems helps to keep complexity down.
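As an added illustration of answers 1 and 2 (example code written for this review, not from the event or from any of the products mentioned), the following Python model treats the superordinate zone concept as groups of workloads, writes policy only between groups in the spirit of EPG/SG, and then measures what adding one workload costs in group rules versus the expanded per-address rules a classical firewall would have to carry. Group names, ports and addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass
class GroupPolicy:
    """Zone concept instantiated as groups (microsegments); all data is constructed."""
    groups: dict = field(default_factory=dict)   # group name -> set of workload addresses
    rules: list = field(default_factory=list)    # (src_group, dst_group, dst_port) allow rules

    def add_workload(self, group, addr):
        # Membership change only; the group-level rule set stays untouched.
        self.groups.setdefault(group, set()).add(addr)

    def compile_address_rules(self):
        """Expand group rules into the per-address rules a classical
        firewall without group support would have to maintain by hand."""
        expanded = []
        for src, dst, port in self.rules:
            pairs = product(sorted(self.groups.get(src, ())),
                            sorted(self.groups.get(dst, ())))
            expanded.extend((s, d, port) for s, d in pairs)
        return expanded

    def allowed(self, src_addr, dst_addr, port):
        """Default deny: a flow passes only if some group rule covers it."""
        src_groups = {g for g, m in self.groups.items() if src_addr in m}
        dst_groups = {g for g, m in self.groups.items() if dst_addr in m}
        return any(s in src_groups and d in dst_groups and p == port
                   for s, d, p in self.rules)


def build_sample_policy():
    """Three microsegments of a three-tier application (constructed sample data)."""
    p = GroupPolicy(rules=[("web", "app", 8443), ("app", "db", 5432)])
    for addr in ("10.1.0.10", "10.1.0.11"):
        p.add_workload("web", addr)
    for addr in ("10.2.0.10", "10.2.0.11"):
        p.add_workload("app", addr)
    p.add_workload("db", "10.3.0.10")
    return p


def maintenance_delta(policy, group, addr):
    """(group rules added, address rules added) when one workload joins a group."""
    before_g, before_a = len(policy.rules), len(policy.compile_address_rules())
    policy.add_workload(group, addr)
    return (len(policy.rules) - before_g,
            len(policy.compile_address_rules()) - before_a)
```

Adding a third app server changes no group rule but adds three address rules; with classical administration each such change is a manual rule-set edit, which is the maintenance effort the group model removes.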
3. Is microsegmentation already market-ready?
Currently, early adopters have successfully implemented such microsegmentation solutions. However, an overall solution usually involves integrating several systems and, if necessary, process integration via API, which greatly increases the complexity. Experience in highly complex environments is still limited. For a selective or specific application we can recommend microsegmentation. This topic should definitely be included in the next revision of the network zoning concept.
For more information, please visit www.atrete.ch.
Email: email@example.com | Tel: +41 44 266 55 55