Have you heard about microsegmentation? Odds are good you’ve heard enough about it in the past couple of years that you’ve had to add the word to your spell checker. It’s a concept that has been pushed quite hard in the security space as well as the networking space. The idea that you can keep devices or virtual constructs from communicating with each other without the need to have an intervening firewall is huge for organizations looking to move into hybrid cloud or for the kinds of places that have a huge amount of east-west traffic.
Microsegementation isn’t easy to figure out though. You have to have a lot of knowledge in how flows work in order to identify the kind of communications you want to highlight and the ones you want to restrict. You also need to be able to restrict the flows where it makes the most sense. For an organization like VMware that is using VMware NSX as the intermediary layer for all networking between virtual machines (VMs) it’s easy to stop flows at the source when you own the entire networking stack. But what happens when you’re trying to apply this idea to physical machines that don’t have a virtual networking setup?
Guardicore
I got a chance to talk with Dave Burton of Guardicore last week about problems like this. Guardicore is a company that didn’t start out in microsegmentation. Originally, they looked into the Deception-oriented security market. They were building an advanced IDS/IPS for detecting rogue elements by laying traps that would get triggered and then alert the right people to look into things. However, that market is slow to evolve and Guardicore found something that addressed issues that organizations had today: microsegmentation.
Guardicore addresses the gaps in microsegmentation by installing an agent on the target machine. In a world where people want security running invisibly on devices without the need to touch the endpoint, why would an agent make sense? One reason is because the Guardicore agent allows their solution to have full visibility all the way up to layer 7 of the OSI model. Instead of just stopping at the port and protocol level, Guardicore can see into the application and determine how the flows are interacting with each other and with other systems. That gives a much better picture of how to ensure flows are isolated.
The Guardicore model allows security teams to build policies based on the observed flows at a very granular level. With the complex way that modern applications interact with each other, it’s very important to have total visibility. That visibility allows policies to be crafted that provide enhanced security. The Guardicore model also ensures that the host agent can intercept non-permitted flows to prevent them from reaching their destination or being transmitted in the first place. But rather than just relying on something like Windows Firewall or IPTables, which can only operate at a lower layer of the model, Guardicore has their own kernel firewall which can inspect all traffic. That gives them a huge advantage to recognize traffic flows that use non-standard ports or application traffic that you want to separate, like blocking Facebook for example.
But none of this really matters if you can create a policy and make it a set of rules. Guardicore also shines here by having a policy engine that is tightly coupled with the vulnerability map. You can see how systems are behaving and identify flows easily. Then all you need to do is pass that information to the policy engine and Guardicore takes care of the rest. Your rulesets are pushed down to the endpoints and flows are segmented. Quick, easy, and very effective.
Bringing It All Together
Guardicore has done a great job of recognizing a need for security teams. By getting out in front of microsegmentation they’ve hit a growing market with the need for solutions like the ones that Guardicore has developed. Microsegmentation is still in the Awareness phase of growth. People need to understand the power of how it can shape their security profile and secure their applications. The idea of granular control isn’t one that comes naturally to all traffic coming from a host. Thankfully, companies like Guardicore have made the solutions easy enough that most administrators will be able to figure out what they need to do to increase their security level right away.
