Hello, I'm Professor Wool, and today I'll provide some tips on how to prepare for network segmentation by identifying the segment borders.

So imagine that you're running a data center, this blue square over here. It has various systems inside it. It's separated from the outside world by a firewall, but internally traffic is unfiltered, and you want to introduce micro-segmentation to protect pieces inside your data center from each other, to become more robust against various attacks.

So the first thing that you need to do is to identify all the network flows happening inside the data center. How would you go about doing that? Well, a good way to do so would be to use a NetFlow source, having it sniff all the traffic internally and provide NetFlow output to a discovery engine, which would then identify the network flows inside the data center. An intelligent discovery system can also break up the flows into flows that have logical connections to each other, for instance based on shared IP addresses, like here and here, and then augment that information with labels such as object names. The whole application would get a name from additional sources, either semi-automated or with human input, and you would get a picture like this, identifying a trading application relying on three separate flows and traffic inside your data center.

Now you want to decide how to micro-segment. You want to put another filter here so that some of these components are separated from the others, and you need to find out what that is going to do in terms of filtering. I mean, if you introduced a new filter along this line, then all of a sudden some of the flows that cross this boundary need to have explicit rules inside the new network filter to allow the traffic; otherwise the trading application will fail. So how do you know which rules you need to add to this purple filter that you're preparing?

Well, if you look at the flows that came out of the discovery process, it's possible to annotate them automatically based on information from the existing firewalls. For instance, this flow over here, we can see, is annotated with a green star. That means that there is an explicit rule in one of the firewalls over here that permits this traffic; therefore this flow is already filtered, and you don't necessarily need to add another rule for it when you micro-segment. However, these two other flows are currently unprotected: they don't go through any firewall, so if you add a new filter you need to consider whether they would be blocked or not. In the example that I've sketched here, the flow here in the middle crosses the purple line, and therefore it would need a new rule to be added to the purple filter.

The point to take away from this description is that if you use your discovery system to identify the flows and combine that with the information coming from the firewalls to recognize which flows are already going through a filter and which are completely unfiltered, this can assist you greatly when you decide where to put the boundaries on your new micro-segments and which policies you need to put in those newly defined filters. Thank you for your attention.
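The procedure described in the talk (discover flows, group them by shared endpoints into candidate applications, annotate each flow against the existing firewalls, then find which flows cross the planned boundary and need a rule in the new filter), as an added example in Python. This is not code from the talk or from any discovery product; it assumes NetFlow has already been reduced to (source, destination, protocol, destination port) tuples, that a flow traverses a filter when exactly one of its endpoints sits on that filter's inside network, and that every flow crossing the new boundary needs a permit rule in the new filter. The flows, the perimeter firewall rule set, the `Flow`/`Rule`/`Firewall` types and the database segment are constructed sample data.

```python
"""Added example (not from the talk): build a micro-segmentation plan from
discovered flows plus existing firewall rules. All data below is constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]  # None = any destination port
    action: str           # "permit" or "deny"


@dataclass(frozen=True)
class Firewall:
    name: str
    inside: str   # the network this filter fronts
    rules: tuple  # Rule objects, first match wins


def _inside(net: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def traverses(boundary_net: str, flow: Flow) -> bool:
    """Assumption: a flow crosses a filter when exactly one endpoint is inside it."""
    return _inside(boundary_net, flow.src) != _inside(boundary_net, flow.dst)


def match_rule(flow: Flow, rules) -> Optional[Rule]:
    for r in rules:
        if (_inside(r.src_net, flow.src) and _inside(r.dst_net, flow.dst)
                and r.proto == flow.proto and r.dport in (None, flow.dport)):
            return r
    return None


def group_by_shared_ip(flows):
    """Union-find over endpoint IPs: flows sharing an address form one candidate app."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for f in flows:
        parent[find(f.src)] = find(f.dst)
    groups = defaultdict(set)
    for f in flows:
        groups[find(f.src)].add(f)
    return [frozenset(g) for g in groups.values()]


def annotate(flow: Flow, firewalls) -> tuple:
    """'permitted' = an existing firewall explicitly permits it (the green star),
    'denied' = it traverses a firewall that does not, 'unfiltered' = no firewall."""
    for fw in firewalls:
        if traverses(fw.inside, flow):
            r = match_rule(flow, fw.rules)
            return ("permitted" if r and r.action == "permit" else "denied"), fw.name
    return "unfiltered", None


def plan_segment(flows, firewalls, segment_net: str):
    """Per flow: current filtering state, whether it crosses the planned boundary,
    and the permit rule the new filter needs so the application keeps working."""
    plan = []
    for f in flows:
        status, fw = annotate(f, firewalls)
        crosses = traverses(segment_net, f)
        rule = Rule(f"{f.src}/32", f"{f.dst}/32", f.proto, f.dport, "permit") if crosses else None
        plan.append({"flow": f, "status": status, "filtered_by": fw,
                     "crosses_new_boundary": crosses, "new_rule": rule})
    return plan


# Constructed sample: a trading application (three flows) plus an unrelated admin flow.
FLOWS = (
    Flow("203.0.113.5", "10.0.1.10", "tcp", 443),   # client -> web, through the perimeter
    Flow("10.0.1.10", "10.0.2.20", "tcp", 8443),    # web -> app, internal and unfiltered
    Flow("10.0.2.20", "10.0.3.30", "tcp", 5432),    # app -> db, will cross the new boundary
    Flow("10.0.5.50", "10.0.6.60", "tcp", 22),      # unrelated, shares no IP with the above
)
FIREWALLS = (
    Firewall("perimeter", "10.0.0.0/16", (
        Rule("203.0.113.0/24", "10.0.1.10/32", "tcp", 443, "permit"),
        Rule("0.0.0.0/0", "0.0.0.0/0", "tcp", None, "deny"),
    )),
)
DB_SEGMENT = "10.0.3.0/24"  # the planned "purple" filter around the database tier

if __name__ == "__main__":
    for entry in plan_segment(FLOWS, FIREWALLS, DB_SEGMENT):
        print(entry["flow"], entry["status"], entry["crosses_new_boundary"], entry["new_rule"])
```

Running it groups the first three flows into one application and the SSH flow into another, marks the client-to-web flow as already permitted by the perimeter firewall, and reports the app-to-database flow as the only one that crosses the planned boundary, together with the host-to-host permit rule the new filter would need. A flow marked `permitted` that also crosses a boundary already has an existing rule you can copy, which is the shortcut the green-star annotation is meant to give you.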