Microsegmentation: One Step Toward a Zero-Trust Network
Placing the perimeters as close as possible to the workloads requires microsegmentation. In this article, I take a high-level look at two approaches to microsegmentation: Palo Alto Networks (using NextGen firewalls) and Cisco’s Application Centric Infrastructure (ACI).
Palo Alto Firewall Approach
Figure 1 shows how NextGen firewalls are used to segment the network for zero trust. In general, when a user/device attempts to connect to the target workload, it passes through a series of firewalls. The firewalls allow or deny access based on user/device characteristics, session characteristics, and the workload targeted. Behind the workloads, additional segments are created to control access to database servers. These firewalls can be physical or virtual.
- Segment both virtual- and hardware-based workloads
- Apply policies based on the applications running on the workloads and the access those workloads need, using zones, dynamic address groups, and App-IDs
- Separate servers into tiers (web server, workload, and database) and inspect traffic between tiers
- Integrate with software-defined solutions like Cisco’s software-defined network (described below)
Cisco Software ACI
Cisco’s approach, the Application Centric Infrastructure (ACI), uses switch technology to control access to workloads, as shown in Figure 2.
Based on VXLAN Technology
First, ACI is a change from the three-tier switch hierarchy previously recommended by Cisco: access, distribution, and core. Instead, the new Spine/Leaf approach provides the underlying infrastructure. Endpoint nodes (user devices and servers) connect to the leaf nodes. The leaf nodes connect to the spine nodes (switches). The only function of the spine nodes is high-speed transport of packets for delivery to leaf nodes. Leaf nodes do not communicate with other leaf nodes.
Network traffic is routed across a layer 3 network overlay that uses UDP to encapsulate packets. This layer is known as a VXLAN (Virtual Extensible LAN). The VXLAN overlay is independent of the underlying infrastructure. For detailed information about VXLANs, see VXLAN Overview: Cisco Nexus 9000 Series Switches.
As with all switches, each leaf node creates a table. The table contains the MAC addresses of the devices connected to the leaf node’s ports. What is different in VXLANs is the sharing of these tables. At an elementary level, the leaf nodes share their tables and associated VXLAN tunnel endpoint (VTEP) information with other leaf node VTEPs.
When a user device, for example, sends an egress packet to the leaf node to which it is connected, the leaf node checks its MAC-to-VTEP table. It then forwards the packet to the VTEP to which the target node is connected. If the MAC-to-VTEP information is unknown, the packet is flooded so the VTEP can learn the location of the target MAC.
Again, the VXLAN is independent of the underlying infrastructure. It is designed for both physical and virtual environments.
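The flood-and-learn behaviour just described is easier to see in code. The following is an added illustration, not Cisco code or part of the original article: it models three leaf switches as VTEPs with MAC-to-VTEP tables and reduces the spine to a delivery function. The leaf names, VTEP addresses and MAC addresses are constructed, and the UDP/VXLAN encapsulation itself is not modelled; what it shows is that the first frame to an unknown MAC is flooded, the remote leaf learns the source from the outer VTEP, and from the reply onward both directions are unicast.

```python
"""Toy VXLAN fabric: leaf switches (VTEPs) keep a MAC-to-VTEP table.

Constructed example for illustration; not Cisco code. Names, VTEP IPs and
MAC addresses are invented. The overlay header is not modelled: a frame is
"encapsulated" simply by handing it to a destination VTEP together with the
ingress VTEP address, which is what the receiving leaf learns from.
"""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str = ""


@dataclass
class Leaf:
    """A leaf switch; its VTEP address identifies it in the overlay."""
    name: str
    vtep_ip: str
    local_macs: set = field(default_factory=set)   # MACs on this leaf's ports
    mac_to_vtep: dict = field(default_factory=dict)  # remote MAC -> VTEP IP


class Fabric:
    """The spine's only job is transport, so it is reduced to _deliver()."""

    def __init__(self, leaves):
        self.leaves = {leaf.vtep_ip: leaf for leaf in leaves}
        self.log = []  # human-readable trace of forwarding decisions

    def _deliver(self, dst_vtep, frame, ingress):
        """Hand an encapsulated frame to a remote leaf. The receiving leaf
        learns the frame's source MAC from the outer (ingress) VTEP address,
        regardless of whether the destination MAC is on its ports."""
        leaf = self.leaves[dst_vtep]
        leaf.mac_to_vtep[frame.src_mac] = ingress.vtep_ip
        if frame.dst_mac in leaf.local_macs:
            self.log.append(f"{leaf.name}: delivered to {frame.dst_mac} locally")
            return True
        return False

    def send(self, ingress_vtep, frame):
        """Egress frame from an endpoint enters the fabric at its leaf.
        Returns how the frame was handled: 'local', 'unicast' or 'flood'."""
        ingress = self.leaves[ingress_vtep]
        if frame.dst_mac in ingress.local_macs:
            self.log.append(f"{ingress.name}: switched locally to {frame.dst_mac}")
            return "local"
        remote = ingress.mac_to_vtep.get(frame.dst_mac)
        if remote is not None:
            self.log.append(f"{ingress.name}: unicast to VTEP {remote}")
            self._deliver(remote, frame, ingress)
            return "unicast"
        # Unknown destination: flood to every other VTEP. The ingress leaf
        # does not learn here; it learns when the target's reply arrives.
        self.log.append(f"{ingress.name}: flooding for unknown {frame.dst_mac}")
        for vtep_ip in self.leaves:
            if vtep_ip != ingress_vtep:
                self._deliver(vtep_ip, frame, ingress)
        return "flood"


def build_demo_fabric():
    """Three leaves, one endpoint each (constructed addresses)."""
    return Fabric([
        Leaf("leaf1", "10.0.0.1", {"aa:aa:aa:aa:aa:01"}),
        Leaf("leaf2", "10.0.0.2", {"aa:aa:aa:aa:aa:02"}),
        Leaf("leaf3", "10.0.0.3", {"aa:aa:aa:aa:aa:03"}),
    ])


def demo():
    """Endpoint A (leaf1) talks to B (leaf2), B replies, A sends again."""
    fab = build_demo_fabric()
    a, b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    first = fab.send("10.0.0.1", Frame(a, b))   # B unknown at leaf1 -> flood
    reply = fab.send("10.0.0.2", Frame(b, a))   # leaf2 learned A -> unicast
    again = fab.send("10.0.0.1", Frame(a, b))   # leaf1 learned B -> unicast
    return (first, reply, again), fab


if __name__ == "__main__":
    results, fabric = demo()
    print(results)
    print("\n".join(fabric.log))
```

Note that leaf3 also received the flooded frame and learned where A lives, but it never learns B: the reply went unicast to leaf1 only. That is the point of the table sharing described above; without it, every conversation would begin with a flood.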
ACI Network Access Policy and Endpoint Groups
An endpoint group (EPG) is a logical set of objects, independent of physical connectivity to the network or location, that need similar policy. For example, users of the HR application might be in one EPG. The HR application servers would be in a second EPG. Finally, the HR database servers would be in a third EPG. EPGs can represent traditional VLANs, IP subnets, or VMware port groups.
Contracts control access between EPGs. They define inbound and outbound permits, denies, QoS, and redirects. A set of contracts and related EPGs for a financial application system, for example, become the application network policy (ANP) for that system.
As shown in Figure 3, ANPs are implemented as one or more contracts between EPGs. Contracts control access to EPGs and to subjects within the EPGs. A subject is an application or subapplication. For example, a web server EPG might have contracts applied that determine how and when HTTPS, HTTP, and FTP are accessed.
- An endpoint node in the user EPG attempts to connect to an application server.
- Because the ingress VTEP knows the destination EPG, policy is applied. If the endpoint is not allowed via contract to access the application server, the traffic is dropped. In our example, the contract allows the connection.
- A VXLAN tunnel is created between the source and destination VTEPs.
- Packets are sent through the spine nodes to reach the destination VTEP and the target server.
If a user endpoint attempts to connect to a database server, an existing policy denies access. The ingress leaf node drops the traffic.
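To make the EPG and contract model concrete, here is an added example that is not Cisco code or part of the original article. It models the HR example from above (user, application server and database server EPGs), a contract per tier, and the policy check the ingress leaf performs once it knows the destination EPG. The EPG names, endpoint addresses and filters are constructed. It assumes the whitelist behaviour described in the text, in which traffic between two EPGs with no permitting contract is dropped, and it assumes endpoints within one EPG may talk to each other freely; reply traffic and reverse filters are not modelled.

```python
"""Toy ACI-style policy: endpoint groups, contracts and ingress enforcement.

Constructed example for illustration; not Cisco code. EPG names, IPs and
filters are invented. Assumptions (not taken from the article):
  - endpoints in the same EPG may communicate without a contract
  - a packet whose source or destination is not yet classified is dropped
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Filter = Tuple[str, int]  # (protocol, destination port), e.g. ("tcp", 443)


@dataclass
class Contract:
    """The consumer EPG may reach the provider EPG on the listed subjects."""
    name: str
    consumer: str
    provider: str
    subjects: Dict[str, Set[Filter]]  # subject name -> permitted filters


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


class IngressLeaf:
    """Applies contract policy where a packet enters the fabric."""

    def __init__(self, endpoint_to_epg: Dict[str, str], contracts: List[Contract]):
        self.endpoint_to_epg = endpoint_to_epg
        self.contracts = contracts

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return ('permit' | 'drop', reason) for one packet."""
        src_epg = self.endpoint_to_epg.get(pkt.src_ip)
        dst_epg = self.endpoint_to_epg.get(pkt.dst_ip)
        if src_epg is None or dst_epg is None:
            return "drop", "source or destination not classified into an EPG"
        if src_epg == dst_epg:  # assumption: no intra-EPG isolation configured
            return "permit", f"intra-EPG traffic within {src_epg}"
        # Whitelist model: look for a contract consumed by the source EPG and
        # provided by the destination EPG whose subject covers this flow.
        for c in self.contracts:
            if c.consumer != src_epg or c.provider != dst_epg:
                continue
            for subject, filters in c.subjects.items():
                if (pkt.proto, pkt.dport) in filters:
                    return "permit", f"contract {c.name}, subject {subject}"
        return "drop", (f"no contract permits {src_epg} -> {dst_epg} "
                        f"on {pkt.proto}/{pkt.dport}")


def build_demo_policy() -> IngressLeaf:
    """Three-tier HR application with constructed addresses and contracts."""
    endpoints = {
        "10.1.0.10": "hr-users",  # a user endpoint
        "10.2.0.10": "hr-app",    # HR application server
        "10.3.0.10": "hr-db",     # HR database server
    }
    contracts = [
        Contract("users-to-app", "hr-users", "hr-app", {"https": {("tcp", 443)}}),
        Contract("app-to-db", "hr-app", "hr-db", {"sql": {("tcp", 5432)}}),
    ]
    return IngressLeaf(endpoints, contracts)


if __name__ == "__main__":
    leaf = build_demo_policy()
    for pkt in [
        Packet("10.1.0.10", "10.2.0.10", "tcp", 443),   # user -> app, HTTPS
        Packet("10.1.0.10", "10.2.0.10", "tcp", 80),    # user -> app, plain HTTP
        Packet("10.1.0.10", "10.3.0.10", "tcp", 5432),  # user -> database
        Packet("10.2.0.10", "10.3.0.10", "tcp", 5432),  # app -> database
    ]:
        print(pkt, "->", leaf.evaluate(pkt))
```

The third packet is the case the text describes: a user endpoint reaching for the database server finds no contract between its EPG and the database EPG, so the ingress leaf drops it. The second packet shows that a contract is also scoped by subject; the user EPG is permitted HTTPS to the application tier, not HTTP.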
Conclusion
Microsegmentation is an essential part of zero trust networks. It moves the perimeter to the workloads. Multiple ways exist to achieve microsegmentation.
Palo Alto Networks uses physical and virtual NextGen firewalls to control application traffic. The firewalls are centrally managed.
Cisco’s ACI is the result of evolving software-defined networking technology. It uses switches to implement policies between groups of endpoints and applications within the endpoints.
These solutions are not mutually exclusive. For example, an organization can use the Palo Alto firewall solution to strengthen ACI with additional filtering and management of traffic. This is a good solution when managing high-risk access.
However you achieve microsegmentation, it is an excellent first step toward zero trust.