Is perimeter defense sufficient for good data center security?
As we know, data center perimeters are typically protected by firewalls and IDS/IPS. While these products are good at handling north-south traffic, in and out of the data center, they are not built for securing east-west traffic within the data center.
This is becoming an issue because east-west traffic can represent 5x more than north-south traffic… due to an increasing number of communicating web, application, and database servers. This means that if a malware penetrates the outer security perimeter, it can launch further attacks inside a vulnerable data center. This has been described by security experts as the “hard outside with a soft, gooey middle”.
Good news: you can apply micro-segmentation to harden the inside too!
Micro-segmentation divides the data center into smaller zones which can be protected separately. This means that in case of a breach, the damage can quickly be contained to a small number of compromised devices.
Reinforce micro-segmentation with Layer 7 visibility
But to be effective, micro-segmentation requires a real-time association between applications and security policies. Therefore, east-west traffic between VMs must be analyzed in real-time, up to the Layer 7 application. Using similar technology to modern firewalls, a classifier function has to identify applications by looking at protocol grammar instead of ports.
The technical approach consists of integrating a Layer 7 classifier inside the hypervisors, to extend vSwitch visibility from Layer 1-4 all the way up to Layer 7. This way, the vSwitch can strengthen access control rules between VMs based on application traffic.
This new L7 application visibility:
Is provided by a Layer 7 classifier integrated in the hypervisor
Analyses east-west traffic between VMs in real-time, up to Layer 7 application
Has no significant impact on performance
Enables real-time association between applications and security policies
Conclusion
Now you can harden your data center security using micro-segmentation combined with real-time application awareness!