The Spaghetti of Firewall ACLs – Can Micro-Segmentation Help? (Peter Granic)
If you haven’t been sitting on your ears, you’ve heard the industry buzz on how Micro-Segmentation is one of the required core tenets of a ZeroTrust architecture.
If you need a primer on ZeroTrust, there are plenty of resources available on the Security OEM vendor websites as well as from vendor-agnostic sites like NIST (https://www.nist.gov/publications/zero-trust-architecture), Forrester (https://www.forrester.com/blogs/category/zero-trust-security-framework-ztx/), and BT (https://business.bt.com/why-choose-bt/insights/cyber-security/zero-trust-security/). I can assure you that they will all have their technical & marketing white papers explaining how they view ZeroTrust.
My purpose, however, is not to promote this latest industry buzzword, but rather to suggest that the core tenet called Micro-Segmentation deserves every Network and Security Engineer’s attention, as it has the potential to make their life easier.
Consider the long and complicated ACLs and firewall rules that have grown in your network over the years. They are the bane of at least a few staff members’ existence within your team.
What can be more fun than pulling a two-thousand-line firewall policy and proving to an auditor that you still have the correct security policy in place to meet PCI compliance? That audit rabbit hole and the associated “Project Work” repercussion is every techie’s nightmare.
However, what I propose is that Micro-Segmentation has the potential to help you shrink that two-thousand-line firewall policy your company maintains in a major way. Think 50%-90% smaller!
At your next hardware refresh cycle, will your current firewalls be overkill, and will you be able to replace them with less expensive and less beefy models if your rule base has shrunk by 75%?
Will your 3 firewall staff engineers be able to work on more important deliverables if their day-to-day firewall policy admin work has been reduced by 50%?
This is the business case and outcome that I am suggesting is available were your company to leverage Micro-Segmentation. The solution, while usually championed by the security organization, has become more widely sought out and deployed in the marketplace, and further secures a company’s most business-critical applications and assets.
What does Micro-Segmentation mean to the Network Engineer?
For the network operations engineer, I’ll attempt to explain Micro-Segmentation in a simplistic way.
Think of it as meaning that the virtual and physical devices on your network get restricted into smaller and smaller “subnets” (not really subnets, but I’m just trying to help you understand the concept).
This is done by applying very granular security controls. Think of it as applying a specific, customized ACL or firewall policy to a single host that is unique only to that host - its very own firewall.
Some security vendors are doing just this, using host-based firewalls to apply very specific security policies at the host.
Let’s say your Finance web server resides in AWS, your Finance application server resides in AWS, and your Finance database server resides in your on-prem Data Center. You have a hundred other applications deployed using this similar architecture, but in Figure 1, we will show only 3 applications.
Figure 1 – Before Micro-Segmentation: Large Policy Securing with Granularity on the network firewalls
Your three firewalls in Figure 1 will have a unique policy with 5 rules that are unique for all 3 (or 100) applications, and this leads to a total of 15 (or 300) unique rules in the policy. The policy becomes larger and more complex as the number of applications in your environment grows.
You deploy host-based firewalls for all 3 (or 100) applications on each individual host. You apply a very granular security policy on these host-based firewalls specific to each host as shown in Figure 2. The core network firewalls can then be deployed using a simplified, broad, and generic policy.
Figure 2 – After Micro-Segmentation: Simplified Policies on the 3 network firewalls. Granular firewall policies on each host using host-based firewalls.
When application traffic transits the core network firewalls in Figure 2, you no longer need your policy to be as large and granular given the controls in place at the server edges. The core firewalls are simplified in this way, while still being relied upon to provide more advanced security and threat protection controls against the traffic they inspect.
Are you less secure?
Let us suggest that a malicious developer with access to the HR App Server in AWS attempts to connect to the Finance DB server in your On-Prem Data Center. That traffic will be blocked even before it reaches the more permissive core firewalls as it gets blocked egress on the HR App Server’s host-based firewall.
Should the developer disable the host-based firewall on the HR App Server, the lateral attempt to connect from the HR App Server gets blocked by the ingress Finance DB Server host-based firewall. The core network firewalls never see a completed 3-way handshake, and so a session is never added to their state tables, even though it was not explicitly blocked.
Simplified and Results in a Minimized Attack Surface
I’ve described this relatively straightforward strategy on how to deploy Micro-Segmentation in your environment and reduce the complexity of your core firewalls.
Security aficionados will also appreciate the outcome, as it will achieve a meaningful reduction of attack surface within your company’s network. Should an attacker manage to breach and gain access to that first host, they will be limited in their ability to conduct reconnaissance and move laterally from that point onwards.
For example, the attacker will not be permitted to port scan from the breached host outbound, because almost all ports will be blocked by its host-based firewall. The attacker will have a difficult time discovering hosts outside its application group, and thus will find it more difficult, by a significant order of magnitude, to move on to a higher-valued target in the environment.
Furthermore, when your company conducts its “Assumed Breach” testing, you may find that your testers make a request that micro-segmentation policies be relaxed somewhat, lest they find it very difficult to identify exploits and move laterally from the “Assumed Breach” starting point. That in itself will be a validation of the Security benefit of micro-segmentation to your organization.
But you are likely thinking all those host-based firewalls are a nightmare to manage.
In my experience, several security vendors such as Illumio, Akamai (Guardicore), Cisco (Tetration), and others have been targeting the Micro-Segmentation challenge of managing host-based firewalls. They have built the tools to manage at scale, and their products handle on-prem, Cloud, and Hybrid use cases.
To manage the large number of host-based firewalls, the Security vendors have built a software-defined solution using labels. Moves, adds, and changes don’t require an engineer to connect and configure each host-based firewall. Rather, the engineer relies on correct labels having been assigned to the host, and the host-based firewall policy is automatically pushed to the new host as well as to any hosts it communicates with.
Furthermore, if you re-IP your server, or move it from your Data Center to the cloud, the labels follow it even though the IP address has changed, and no stale policy remains with the old IP addressing.
The host-based policy gets updated automatically after its IP change, and any other hosts that require a connection to the modified host also have their host-based policy automatically updated.
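The label model described above, together with the HR-to-Finance scenario from “Are you less secure?”, as an added Python example that is not any vendor’s product or API; host names, labels, ports and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    ip: str                 # constructed RFC 1918 sample addresses
    labels: dict            # e.g. {"app": "finance", "role": "db"}
    fw_enabled: bool = True

# Rules reference labels only, never IP addresses: (source, destination, port).
POLICY = [
    ({"app": "finance", "role": "web"}, {"app": "finance", "role": "app"}, 8443),
    ({"app": "finance", "role": "app"}, {"app": "finance", "role": "db"}, 5432),
    ({"app": "hr", "role": "web"}, {"app": "hr", "role": "app"}, 8443),
]

def matches(host, selector):
    return all(host.labels.get(k) == v for k, v in selector.items())

def render(host, inventory):
    """Compile the label policy into this host's allow-lists of current peer IPs."""
    rules = {"egress": set(), "ingress": set()}
    for src, dst, port in POLICY:
        for peer in inventory:
            if peer is host:
                continue
            if matches(host, src) and matches(peer, dst):
                rules["egress"].add((peer.ip, port))
            if matches(host, dst) and matches(peer, src):
                rules["ingress"].add((peer.ip, port))
    return rules

def verdict(src, dst, port, inventory):
    """Default deny at both ends; a disabled host firewall enforces nothing."""
    if src.fw_enabled and (dst.ip, port) not in render(src, inventory)["egress"]:
        return f"blocked egress on {src.name}"
    if dst.fw_enabled and (src.ip, port) not in render(dst, inventory)["ingress"]:
        return f"blocked ingress on {dst.name}"
    return "allowed"

def sample_inventory():
    return [
        Host("fin-web", "10.1.0.10", {"app": "finance", "role": "web"}),
        Host("fin-app", "10.1.0.20", {"app": "finance", "role": "app"}),
        Host("fin-db", "192.168.5.30", {"app": "finance", "role": "db"}),
        Host("hr-app", "10.2.0.20", {"app": "hr", "role": "app"}),
    ]
```

Changing `fin-db`’s `ip` and calling `render` again for `fin-app` yields the new address with no leftover rule for the old one, because the rules were never written against an address.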
This host-based firewall approach to applying Micro-Segmentation policies using the tools of one of the vendor solutions mentioned is a solid strategy. It retains your existing security controls, reduces complexity in your core firewall configurations, and seriously reduces the attack surface in your network should your company get breached.
And to get back to my core argument, you will achieve more efficient operations if you deploy this kind of Micro-Segmentation. If an application is broken, your trained team member will be able to troubleshoot a much smaller firewall policy, whether on a Network firewall or on a very granular host-based firewall.
There is no reason to maintain very granular and complicated network firewalls with two-thousand unique rules. Simplify and summarize these core network firewalls, apply advanced controls to handle advanced security threats for traffic that transits through them, and rely on the tight, granular security policy at each host.
Peter Granic is a Security Engineer with BT and can be reached using his first and last name in the email format email@example.com.