The below article uses the analogy to the Corona virus to make a statement for microsegmentation and how it can help to limit or even stop lateral movement.
What's nice about the article is that it gets basic things right:
- limit lateral movement...
- ... with the use of a whitelist policy...
- ... to get rid of the eggshell computing or networking model (hard shell, soft center)
I have a couple of comments regarding the use of firewalls and ACLS that is mentioned in the article. First of all, firewalls assume a north-south traffic model, they are not made to limit east west traffic of thousands of devices. As a consequence, traffic needs to be steered and this is a huge burden to network architecture and operations. It makes the task hard and close to impossible to achieve.
Secondly, if you use the traditional networking model you will end up in a situation that is usually all or nothing. A complete rearchitecture of your entire network to fit a policy model, often bundled with hardware upgrades. Over all of your network and rarely only where it is worth it, i.e. high value applications that impose a huge risk to your organisation.
A third problem that comes to mind is this: how would i know where i put those rules in and where my application flows are actually flowing to. In theory microsegmentation is easy, in practice, you will be lost without a live application dependency map of all the applications in your network.
The author also talks about distributed applications and introduces another risk for protecting modern, distributed, geographically diverse applications with the traditional firewall based approach. To do things right, you need a set of firewalls in the right place, that have a set of policies applied across all of those devices worldwide. Another reason why many people fail with traditional segmentation and microsegmentation approaches.
The answer to all of those challenges is to decouple your segmentation from your network architecture to work and apply a single policy model over:
- all devices
- all environments
- all infrastructures
It is understandable you might not have implemented microsegmentation if you have a massive, sprawling network with decades of technical debt. But from an information security perspective, nobody should be deploying any new networks today without microsegmentation. Microsegmentation is no longer some niche, emerging feature. It should be considered a fundamental capability for both networking agility and information security today.