Data Center Security: Micro-Segmentation + Application Visibility = Strong Middle

16 September 2016

Is perimeter defense sufficient for good data center security?

As we know, data center perimeters are typically protected by firewalls and IDS/IPS. While these products are good at handling north-south traffic, in and out of the data center, they are not built for securing east-west traffic within the data center.

This is becoming an issue because east-west traffic can represent 5x more than north-south traffic… due to an increasing number of communicating web, application, and database servers. This means that if malware penetrates the outer security perimeter, it can launch further attacks inside a vulnerable data center. Security experts have described this as a “hard outside with a soft, gooey middle”.

Good news: you can apply micro-segmentation to harden the inside too!

Micro-segmentation divides the data center into smaller zones, each of which can be protected separately. This means that in case of a breach, the damage can quickly be contained to a small number of compromised devices.

Reinforce micro-segmentation with Layer 7 visibility

But to be effective, micro-segmentation requires a real-time association between applications and security policies. Therefore, east-west traffic between VMs must be analyzed in real-time, up to the Layer 7 application. Using technology similar to that of modern firewalls, a classifier function has to identify applications by looking at protocol grammar instead of ports.

The technical approach consists of integrating a Layer 7 classifier inside the hypervisors, to extend vSwitch visibility from Layer 1-4 all the way up to Layer 7. This way, the vSwitch can strengthen access control rules between VMs based on application traffic.

This new L7 application visibility:

Is provided by a Layer 7 classifier integrated in the hypervisor

Analyzes east-west traffic between VMs in real-time, up to the Layer 7 application

Has no significant impact on performance

Enables real-time association between applications and security policies
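To make the idea concrete, here is an added example of a toy zone-policy enforcer that decides on a flow from the application it recognizes rather than from the destination port. It is illustrative code written for this post, not Enea's classifier or vSwitch integration. The VM names, zones, allow-list entries, and sample flows are all constructed, and the classifier only knows three protocol grammars (HTTP/1.x request line, TLS ClientHello record header, SSH banner); a production classifier covers far more protocols and reassembles streams before classifying. The example compares a legacy port-based ACL with the Layer 7 policy for the same flows, so the reader can see where the two disagree.

```python
from dataclasses import dataclass
import re

# Hypothetical VM inventory: VM name -> security zone (constructed sample data).
VM_ZONE = {"web-01": "web", "app-01": "app", "db-01": "db"}

# Legacy port-based ACL between zones, kept only for comparison.
PORT_ACL = {("web", "app"): {80, 8080}, ("app", "db"): {5432}}

# Application-aware allow list: (source zone, destination zone, application).
# Anything not listed is denied, so the segments default to deny.
L7_POLICY = {("web", "app", "http"), ("app", "db", "tls")}

# Loose HTTP/1.x request-line grammar: METHOD SP target SP HTTP/1.x CRLF.
_HTTP_REQ = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Name the application from the first client bytes, ignoring the port."""
    if _HTTP_REQ.match(payload):
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte length, then handshake message type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int
    first_payload: bytes  # first client-to-server bytes seen by the vSwitch


@dataclass(frozen=True)
class Verdict:
    port_allow: bool   # what a Layer 4 port ACL would decide
    l7_allow: bool     # what the application-aware policy decides
    app: str
    reason: str


def evaluate(flow: Flow) -> Verdict:
    """Compare a port-only ACL with the Layer 7 policy for one flow."""
    src_zone = VM_ZONE.get(flow.src_vm)
    dst_zone = VM_ZONE.get(flow.dst_vm)
    if src_zone is None or dst_zone is None:
        return Verdict(False, False, "unknown", "unknown VM, default deny")
    port_allow = flow.dst_port in PORT_ACL.get((src_zone, dst_zone), set())
    app = classify(flow.first_payload)
    l7_allow = (src_zone, dst_zone, app) in L7_POLICY
    state = "permitted" if l7_allow else "not in policy"
    return Verdict(port_allow, l7_allow, app, f"{src_zone}->{dst_zone} {app} {state}")


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    # Web tier calling the app tier over HTTP on a non-standard port.
    Flow("web-01", "app-01", 8080, b"GET /api/orders HTTP/1.1\r\nHost: app-01\r\n\r\n"),
    # SSH on port 80: the port ACL allows it, the L7 policy does not.
    Flow("web-01", "app-01", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # App tier opening TLS to the database (truncated ClientHello header).
    Flow("app-01", "db-01", 5432, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03\x03"),
    # Web tier reaching straight for the database: blocked by both.
    Flow("web-01", "db-01", 5432, b"GET / HTTP/1.1\r\n\r\n"),
]


def run_demo():
    """Evaluate the sample flows; returns one Verdict per flow."""
    return [evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, v in zip(SAMPLE_FLOWS, run_demo()):
        print(f"{flow.src_vm}->{flow.dst_vm}:{flow.dst_port} "
              f"port-ACL={'allow' if v.port_allow else 'deny'} "
              f"L7={'allow' if v.l7_allow else 'deny'} ({v.reason})")
```

The second sample flow is the one that matters: a port-based rule sees "web to app on port 80" and lets it through, while the classifier sees an SSH banner and the zone policy has no entry for SSH between those tiers, so the vSwitch drops it. That is the containment benefit the post describes, and it only works if the policy is keyed on the classified application rather than on the port.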

Conclusion

Now you can harden your data center security using micro-segmentation combined with real-time application awareness!

Erik Larsson is the Senior Vice President of Marketing at Enea, where he drives product marketing, demand generation, branding and communication. Erik’s views on high-tech trends are regularly featured in articles, blog posts, webcasts, video interviews, and industry events.
