No one likes to admit it, but most of what has passed for IT security in the enterprise has historically been rudimentary at best. Most organizations physically segmented their networks behind a series of firewalls deployed at the edge of the network. The trouble is that once malware gets past the firewall, it can move laterally almost anywhere in the data center.
With the rise of network virtualization, a new approach to microsegmenting networks is now possible. The new approach uses microsegmentation to prevent malware from moving laterally and generating East-West traffic across the data center. Instead of a physical instance of a firewall, there is now a virtual instance of a firewall that is simpler to provision and update.
Krish Subramanian, senior marketing manager for cloud and data center security at Check Point Software, said that as IT organizations begin to embrace network virtualization they are starting to employ a more granular approach to protecting assets attached to those networks by only allowing certain classes and types of traffic to move between, for example, a database and web server. Should any of those microsegments become infected with malware, it becomes virtually impossible for those assets on that virtual network to infect anything other than a limited number of isolated applications and systems.
“You see a lot more tiers of applications inside the data center today,” Subramanian said. “Malware can be hiding in a data center for months before it starts to generate any East-West traffic.”
As cybercriminals become more adept at stealing credentials that enable them to bypass firewalls deployed at the edge of the network, IT organizations are discovering they can’t do much to prevent malware that comes from a trusted endpoint from being passed back to their data centers. But employing microsegmentation via a layer of network virtualization software does serve to limit the number of additional applications and systems that can be infected.
The challenge many organizations need to contend with is finding a way to unify the management of all those virtual firewalls. In some instances that may mean standardizing on a specific firewall. In other cases, it may require deploying a firewall management framework capable of supporting virtual firewalls from multiple vendors.
As a provider of one of those frameworks, Tufin CEO Ruvi Kitov said that approach allows IT organizations to employ firewalls from different vendors as they see fit. “They need to be able to apply a consistent set of policies across firewalls running on premise and in the cloud,” Kitov said.
Unexpected East-West traffic moving through a data center generally serves as a good indication of an anomaly that bears further investigation. In effect, network virtualization makes it a lot simpler for IT organizations to prevent that traffic from being generated in the first place, by employing a network architecture that is fundamentally more secure than legacy approaches to networking.
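To make the two ideas above concrete, namely a microsegmentation policy that only allows specific classes of traffic between tiers (such as web to database) and the treatment of any other East-West flow as an anomaly worth investigating, here is a small policy evaluator. It is an added example written for this article, not code from Check Point, Tufin or VMware NSX; the tier address ranges, allowed ports and flow-log lines are constructed for illustration, and the flow-log format is a hypothetical `key=value` layout rather than any vendor's real export.

```python
# Added example: a minimal default-deny microsegmentation policy model.
# Not vendor code; tiers, ports and flow records below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Workload-to-tier mapping (constructed addressing).
TIERS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}

# Allow-list of (source tier, destination tier, protocol, destination port).
# Anything not listed is denied. That default deny is what confines malware
# to the segment it landed in instead of letting it roam the data center.
POLICY = {
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def tier_of(addr: str) -> Optional[str]:
    """Map an address to its tier, or None if it belongs to no known tier."""
    ip = ip_address(addr)
    for name, net in TIERS.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one East-West flow."""
    src_tier, dst_tier = tier_of(flow.src), tier_of(flow.dst)
    if src_tier is None or dst_tier is None:
        return "deny"  # unknown workload: never trusted by default
    rule = (src_tier, dst_tier, flow.proto.lower(), flow.dport)
    return "allow" if rule in POLICY else "deny"


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'timestamp key=value ...' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


# Constructed flow records, not real telemetry. The third line is the
# classic lateral-movement shape: a web host talking straight to the database.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00Z src=10.0.1.10 dst=10.0.2.10 proto=tcp dport=8080",
    "2024-05-01T10:00:01Z src=10.0.2.10 dst=10.0.3.10 proto=tcp dport=5432",
    "2024-05-01T10:00:02Z src=10.0.1.10 dst=10.0.3.10 proto=tcp dport=5432",
    "2024-05-01T10:00:03Z src=10.0.3.10 dst=10.0.1.10 proto=tcp dport=8080",
    "2024-05-01T10:00:04Z src=10.0.2.10 dst=10.0.3.10 proto=tcp dport=22",
]


def audit(lines: List[str]) -> List[Tuple[Optional[str], Optional[str], str, int]]:
    """Return every flow the policy blocks. Each one is East-West traffic that
    should not exist under the segmentation model and deserves investigation."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if evaluate(flow) == "deny":
            findings.append((tier_of(flow.src), tier_of(flow.dst), flow.proto, flow.dport))
    return findings


if __name__ == "__main__":
    for src_tier, dst_tier, proto, port in audit(SAMPLE_FLOWS):
        print(f"DENIED {src_tier} -> {dst_tier} {proto}/{port}: investigate")
```

The same allow-list is doing two jobs here: it is the rule set a virtual firewall would enforce between tiers, and, when replayed over observed flow records, it is the detection logic that surfaces East-West traffic the architecture never intended to permit.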
In fact, VMware estimates that more than one-third of the deployments of VMware NSX network virtualization software are being driven by the need for better security. VMware is also working to encrypt much of that East-West traffic.