Zero Trust in the Datacenter
Machine to Machine Security
How Machine to Machine security differs from User to Machine
Now that we’ve looked at user to machine security in the datacenter, it’s time to look at machine to machine security (also known as east-west security). The goals of machine to machine security differ from those of user to machine security, and they also depend on the types of applications and workloads your datacenter hosts. For most datacenter environments, the primary goal of machine to machine security is to provide a last line of defense once an intruder has managed to gain a foothold in your organization’s infrastructure. Being a last line of defense is not a reason to ignore it!
Remember: One of the core parts of the zero trust philosophy is to expect that intrusions will happen or may even be happening right now.
Without machine to machine security, an intruder who gains access to or control over a server has free rein to move laterally to other, more important machines that may contain valuable data, and to do so undetected (or at least until everything’s encrypted and you’re being asked for Bitcoin). Once we add machine to machine security, moving laterally within the datacenter becomes a much bigger challenge: working around the controls while avoiding detection takes time and skill, buying you the time to detect the intrusion before it succeeds. At a lower level, the goal of machine to machine security is to ensure that servers (whether bare metal or virtualized in some way) only ever communicate with specific other servers, and only over the ports and protocols needed for application functionality. Anything out of the ordinary should be logged, and certain traffic types should raise an alert when detected.
How do we implement Machine to Machine security?
With the importance of machine to machine security now clear, it’s time to discuss how it can be implemented. Before any hardware or software is purchased, planning and design work is key. Machine to machine security is complex, there is no way around that, and planning is what makes a deployment succeed. The first step is to build a data flow diagram: map out which machines should talk to which other machines, in which direction, and on which ports and protocols. This will be the primary document used to build the security policy, so do not neglect it. Next, determine as accurately as possible what the east-west throughput needs are. Security throughput is expensive and, in the context of datacenter traffic flows, is potentially a substantial bottleneck. There are a couple of ways to effectively provide machine to machine security, but to start with, there’s one way this shouldn’t be done, and that’s with traditional security ACLs.
Note: While an ACL is a simple way to better secure things when looking at user to machine security, ACLs in the context of machine to machine security are unwieldy and hard to manage: they live on every switch and router in the path, are typically stateless, and offer little in the way of central logging. This leads either to hard-to-troubleshoot connectivity problems or to user error accidentally leaving open things that shouldn’t be.
The preferred tools are either physical or virtual firewalls: central management reduces the possibility of user error, and advanced security features mean that more effective filtering, logging, and alerting are available. The simpler way to do east-west security is to segment based on server group. In this kind of setup, like servers communicate with each other directly, but need to traverse a firewall to communicate with other types of servers. For example, a database server cluster can freely communicate with its other cluster members, but to communicate with a web server, the traffic has to pass through a firewall. This kind of segmentation tends to be easier to maintain and has a minimal performance impact (assuming the firewall is sized correctly), since filtering is done on a limited scale and can be centralized in a single pair of security appliances. No host involvement is needed and the device count is low, so small teams can effectively manage datacenter segmentation this way.
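To make the group-based model concrete, here is an added example (not code from the original article) that turns a small data flow diagram into a default-deny policy and evaluates observed flows against it the way the inter-group firewall would. The group names, address ranges, allowed flows and the list of protocols that escalate to an alert are all constructed for illustration; in practice they come from the diagram built during planning.

```python
"""Turn a data flow diagram into a default-deny, group-level east-west policy.

Added example, not code from the original article. The server groups,
address ranges, allowed flows and alert list are constructed; in practice
they come from the data flow diagram built during planning.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Server groups as drawn on the data flow diagram (constructed RFC 1918 ranges).
GROUPS: Dict[str, List[str]] = {
    "web": ["10.10.1.0/24"],
    "app": ["10.10.2.0/24"],
    "db":  ["10.10.3.0/24"],
}

# Permitted inter-group flows: (source group, destination group, protocol, port).
# Anything not listed is denied and logged; this is the default-deny posture.
ALLOWED_FLOWS: List[Tuple[str, str, str, int]] = [
    ("web", "app", "tcp", 8443),   # web tier calls the application API
    ("app", "db",  "tcp", 5432),   # application tier talks to PostgreSQL
]

# Traffic types that should raise an alert, not just a log line, when seen
# crossing a group boundary: interactive/admin protocols are lateral-movement staples.
ALERT_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "ssh", ("tcp", 3389): "rdp", ("tcp", 445): "smb", ("tcp", 5985): "winrm",
}

@dataclass
class Verdict:
    action: str            # "allow" or "deny"
    reason: str
    alert: bool = False    # True when the deny deserves an alert rather than a log entry

def group_of(ip: str) -> Optional[str]:
    """Map an address to its server group, or None if it is in no group."""
    addr = ip_address(ip)
    for name, nets in GROUPS.items():
        if any(addr in ip_network(net) for net in nets):
            return name
    return None

def evaluate(src: str, dst: str, proto: str, port: int) -> Verdict:
    """Decide a single flow the way the inter-group firewall would."""
    sg, dg = group_of(src), group_of(dst)
    if sg is None or dg is None:
        # An address that appears on no diagram at all is worth an alert by itself.
        return Verdict("deny", "endpoint outside every known server group", alert=True)
    if sg == dg:
        # Like servers talk directly; this traffic never reaches the firewall.
        return Verdict("allow", f"intra-group {sg}")
    if (sg, dg, proto, port) in ALLOWED_FLOWS:
        return Verdict("allow", f"{sg}->{dg} {proto}/{port} is on the flow diagram")
    service = ALERT_PORTS.get((proto, port))
    if service:
        return Verdict("deny", f"{sg}->{dg} {service} across groups", alert=True)
    return Verdict("deny", f"{sg}->{dg} {proto}/{port} not on the flow diagram")

def check_flows(flows: List[Tuple[str, str, str, int]]) -> List[Verdict]:
    """Evaluate a batch of observed flows (e.g. parsed from flow logs)."""
    return [evaluate(*flow) for flow in flows]

if __name__ == "__main__":
    # Constructed sample of observed east-west flows.
    observed = [
        ("10.10.1.10", "10.10.2.10", "tcp", 8443),  # legitimate web -> app
        ("10.10.3.5",  "10.10.3.6",  "tcp", 5432),  # db cluster replication
        ("10.10.1.10", "10.10.3.5",  "tcp", 5432),  # web reaching straight into db
        ("10.10.3.5",  "10.10.1.10", "tcp", 22),    # db SSHing into web: alert
    ]
    for flow, v in zip(observed, check_flows(observed)):
        flag = "  ALERT" if v.alert else ""
        print(f"{flow[0]:>11} -> {flow[1]:<11} {flow[2]}/{flow[3]:<5} {v.action:<5} {v.reason}{flag}")
```

Two details matter here. Intra-group traffic is allowed without inspection, which is exactly the trade-off of the group model: a compromised database node can still reach its cluster peers. And the flow table is direction-sensitive, so a database server opening a connection toward the web tier is denied even though the reverse direction of that tier pair is documented.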
Complex datacenters and Machine to Machine security
For organizations that provide multitenant services, or that have the budget and staff to handle a very complex datacenter environment, the best security is provided through microsegmentation: instead of segmenting by server group and only firewalling communication between groups, microsegmentation firewalls every server from every other server. The benefit is obvious: with every server’s traffic being inspected, a compromised server can be detected and quarantined before damage is done, rather than after it has already reached the rest of its group. This does come at the expense of significant deployment and maintenance complexity, though.
On the deployment side: Microsegmentation can’t be effectively done with a pair of firewalls in the services leaf, because every east-west flow would have to hairpin through that one pair. Instead, a host-based system like VMware NSX, per-host deployments of a virtual firewall like the Palo Alto VM-Series, or a microsegmentation-oriented networking system like Cisco ACI will be needed so that security throughput scales with host count.
On the management side: Some form of automated rule creation is necessary. Each VM deployed has its own security rules, and manually adding those rules to each firewall instance every time a new VM is deployed is not practical. This means building, testing, and maintaining a scripting infrastructure alongside everything else needed for proper microsegmentation.
Combining the Machine to Machine strategies
Another approach to machine to machine security is a hybrid of both models: high-risk servers like internet-facing web servers are subject to microsegmentation, while other application tiers only have filtering between server groups. This tames the potentially extreme complexity of a full microsegmentation environment for applications that are less of a security risk, while gaining the security advantages for the servers most likely to end up compromised.
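The following added example (not code from the original article, and not the policy model of NSX, the VM-Series or ACI, each of which has its own) shows what the management-side scripting from the previous section looks like in the hybrid model. It compiles the same kind of data flow diagram into per-host rule sets for the groups flagged as microsegmented and into shared boundary rules for everyone else, then shows how rule count grows as more groups are microsegmented and how a single compromised host can be quarantined. The inventory, flows and the choice of the web tier as the microsegmented group are constructed for illustration.

```python
"""Compile a hybrid east-west policy: per-host rules for microsegmented
groups, group-level boundary rules for everything else.

Added example, not code from the original article or from any product it
names (NSX, VM-Series and ACI each have their own policy model). The
inventory, flows and MICROSEGMENTED set are constructed; the point is to show
how rule count grows with host count and why rule generation must be scripted.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    group: str

@dataclass(frozen=True)
class Rule:
    direction: str   # "out"/"in" for per-host rules, "fwd" for the boundary firewall
    src: str         # host IP for microsegmented endpoints, group name otherwise
    dst: str
    proto: str
    port: int

Flow = Tuple[str, str, str, int]   # (source group, destination group, protocol, port)

# Constructed inventory: the internet-facing web tier is the high-risk group.
INVENTORY: List[VM] = [
    VM("web-1", "10.10.1.10", "web"), VM("web-2", "10.10.1.11", "web"),
    VM("web-3", "10.10.1.12", "web"),
    VM("app-1", "10.10.2.10", "app"), VM("app-2", "10.10.2.11", "app"),
    VM("db-1", "10.10.3.5", "db"), VM("db-2", "10.10.3.6", "db"),
]
FLOWS: List[Flow] = [("web", "app", "tcp", 8443), ("app", "db", "tcp", 5432)]
MICROSEGMENTED: Set[str] = {"web"}

def compile_policy(inventory: List[VM], flows: List[Flow],
                   microsegmented: Set[str]) -> Dict[str, Set[Rule]]:
    """Return rule sets keyed by host name for microsegmented hosts plus a
    "boundary" set for the firewall between groups. Default deny is implicit:
    a flow that appears in no set is dropped."""
    by_group: Dict[str, List[VM]] = {}
    for vm in inventory:
        by_group.setdefault(vm.group, []).append(vm)
    policy: Dict[str, Set[Rule]] = {"boundary": set()}
    for vm in inventory:
        if vm.group in microsegmented:
            policy[vm.name] = set()   # every new VM gets its own rule set

    for sg, dg, proto, port in flows:
        src_ms, dst_ms = sg in microsegmented, dg in microsegmented
        # Microsegmented endpoints are enumerated per host; the rest stay a group.
        srcs = [(v.name, v.ip) for v in by_group.get(sg, [])] if src_ms else [(None, sg)]
        dsts = [(v.name, v.ip) for v in by_group.get(dg, [])] if dst_ms else [(None, dg)]
        for sname, s in srcs:
            for dname, d in dsts:
                if sname:   # the source host filters its own outbound traffic
                    policy[sname].add(Rule("out", s, d, proto, port))
                if dname:   # the destination host filters its own inbound traffic
                    policy[dname].add(Rule("in", s, d, proto, port))
        if not (src_ms and dst_ms):
            # At least one side still relies on the shared boundary firewall.
            policy["boundary"].add(Rule("fwd", sg, dg, proto, port))
    return policy

def rule_count(policy: Dict[str, Set[Rule]]) -> int:
    return sum(len(rules) for rules in policy.values())

def quarantine(policy: Dict[str, Set[Rule]], inventory: List[VM], host: str) -> Dict[str, Set[Rule]]:
    """Isolate a compromised host: empty its own rule set and strip every rule
    elsewhere that names its address, leaving default deny both ways. Only a
    microsegmented host can be isolated this precisely; a group-filtered host
    shares its rules with its whole group."""
    vm = next(v for v in inventory if v.name == host)
    if host not in policy:
        raise ValueError(f"{host} is in group {vm.group}, which is not microsegmented")
    return {owner: set() if owner == host
            else {r for r in rules if vm.ip not in (r.src, r.dst)}
            for owner, rules in policy.items()}

if __name__ == "__main__":
    for label, groups in [("group-level only", set()), ("hybrid", MICROSEGMENTED),
                          ("full microsegmentation", {"web", "app", "db"})]:
        pol = compile_policy(INVENTORY, FLOWS, groups)
        print(f"{label:24} {rule_count(pol):3} rules across {len(pol)} rule sets")
    hybrid = compile_policy(INVENTORY, FLOWS, MICROSEGMENTED)
    print("web-1 rules:", *sorted(f"{r.direction} {r.src}->{r.dst} {r.proto}/{r.port}" for r in hybrid["web-1"]))
    print("after quarantine of web-1:", rule_count(quarantine(hybrid, INVENTORY, "web-1")), "rules")
```

With this seven-host inventory the group-level policy is 2 rules, the hybrid is 5, and full microsegmentation is 20, and the per-host count keeps multiplying with every VM added to a microsegmented group, which is why the rule generator has to run on every deployment rather than a person editing firewall instances. The quarantine function also makes the trade-off visible: it can isolate web-1 by itself, but refuses app-1, because a group-filtered host can only be cut off together with its group.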
Zero Trust Philosophy Index
This series on security philosophy explores the areas of security that need to be addressed to make a zero trust plan a reality, and discusses specific areas of focus for applying a zero trust mindset.
- Datacenter
- Route/switch
  - Features that ensure integrity of network operations
- Wireless
  - Capabilities for detection and mitigation of RF based attacks
- Endpoint
  - Network Access Control (NAC) – Ensuring that endpoint activity is controlled and that security threats are detected and mitigated before an exploit can occur.
- Network Security
  - Ensuring that all traffic through the network is controlled and monitored for malicious activity.
- Cloud Security
  - Ensuring that user to cloud access is controlled and that cloud resources are appropriately provisioned and accounted for.
- The Human Factor
  - Ensuring that end users are aware of security issues and responsible for their security choices.