
Micro-segmentation in virtualized environments

23/10/2020
Jérémy Derzelle
Expert System Engineer, EASI

EASI recently took part in the Fortinet Xperts Summit EMEA 2020! Among all the sessions we attended was "Secure and Protect VMware NSX-T SDDC", so we think it is a good time to remind you about segmentation.

As written by my colleague Maxime, EASI recently took part in the Fortinet Xperts Summit EMEA 2020! After attending the "Secure and Protect VMware NSX-T SDDC" session, we would like to share with you

The beginning

As local networks grow, performance starts to degrade. The more machines share the same broadcast domain, the more broadcast "noise" dominates and affects performance.

Splitting these large networks into several smaller networks becomes a requirement. VLANs came to the rescue, allowing networks to be split efficiently into logical blocks that make more sense than splitting into physical blocks (based on physical location).

In these networks, all VLANs are routed internally and there is a perimeter firewall to control in/out traffic from/to the internet.

Internal firewalling

With segmentation done on a router, we no longer suffer from an excessive amount of "noise" in each VLAN, but from a security perspective we are not effectively protecting any machine from another. A single infected machine could start attacking the entire network from the inside and cause severe damage.

Nowadays perimeter protection is no longer enough, and therefore companies start to use firewalls as their internal routers. This gives them full visibility on inter-VLAN traffic and also lets them enforce policies to reduce the attack surface.

Micro-segmentation

Even with internal firewalling, a problem remains: how do you protect yourself from your direct neighbors? Firewalls act as routers and can filter traffic between VLANs, but they are completely blind to traffic inside the same VLAN, which is switched locally and never reaches them.

In a zero trust approach, you stop trusting even the machines that are in the same (V)LAN as you. However, doing this micro-segmentation with a firewall acting as a router would require splitting the global network into far too many blocks, which would not be manageable.

Virtualization to the rescue

Luckily, in today's virtual world where many things are "software-defined", networks are no exception. VMware uses NSX for network virtualization, and FortiGate is ready to work with NSX: not only NSX-V (the legacy version) but also the newer NSX-T!

Thanks to its certification with NSX, a FortiGate-VM can act as "host-based" protection (filtering packets in and out of each virtual machine) without the burden of installing and maintaining software on your virtual machines.

So not only can you achieve micro-segmentation, you can also apply all FortiGate features such as Intrusion Prevention, Antivirus, SSL inspection, ... to all your virtual machines, without the need to re-design your network and create extra VLANs!
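To make the difference between the three designs concrete, here is a small reachability model (an added example, not code from the EASI article or from Fortinet/VMware). It assumes a constructed inventory of four VMs in three VLANs and constructed rule sets, and computes which VMs a single compromised VM could still reach under VLAN routing, inter-VLAN firewalling, and per-VM micro-segmentation.

```python
"""Added example (not from the article): reachability under three designs.
All VMs, VLANs, ports and rules below are constructed sample data."""

# Constructed inventory: VM name -> VLAN it lives in
VMS = {"web1": "dmz", "web2": "dmz", "app1": "app", "db1": "db"}

# Rules a firewall-as-router can enforce: (src_vlan, dst_vlan, port)
INTER_VLAN_RULES = {("dmz", "app", 8080), ("app", "db", 5432)}

# Per-VM micro-segmentation rules applied at the virtual NIC: (src_vm, dst_vm, port)
MICROSEG_RULES = {("web1", "app1", 8080), ("web2", "app1", 8080),
                  ("app1", "db1", 5432)}


def allowed_vlan_routing(src, dst, port):
    """'The beginning': VLANs routed internally, only a perimeter firewall.
    Anything inside can talk to anything inside."""
    return True


def allowed_internal_firewall(src, dst, port):
    """'Internal firewalling': the firewall is the router, so inter-VLAN
    flows are filtered, but same-VLAN traffic is switched locally and
    never passes through it."""
    if VMS[src] == VMS[dst]:
        return True  # firewall is blind here
    return (VMS[src], VMS[dst], port) in INTER_VLAN_RULES


def allowed_microseg(src, dst, port):
    """'Micro-segmentation': policy is enforced per VM, so VLAN membership
    no longer matters and every flow is checked, neighbors included."""
    return (src, dst, port) in MICROSEG_RULES


def blast_radius(policy, compromised, ports=(22, 8080, 5432)):
    """VMs that a compromised VM could reach on any of the given ports."""
    return {dst for dst in VMS if dst != compromised
            and any(policy(compromised, dst, p) for p in ports)}


if __name__ == "__main__":
    for name, policy in (("vlan routing", allowed_vlan_routing),
                         ("internal firewall", allowed_internal_firewall),
                         ("micro-segmentation", allowed_microseg)):
        print(f"{name:20s} web1 can reach {sorted(blast_radius(policy, 'web1'))}")
```

The inter-VLAN firewall blocks web1 from reaching the db VLAN but still lets it reach its neighbor web2; only the per-VM policy shrinks the blast radius to the one flow the application actually needs.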

Where are we today?

Many companies, especially in the SMB market, are still at "the beginning". They all use VLANs because it is required, but they have little protection once the perimeter is passed.

Bigger companies started some years back to implement "internal firewalling" to different levels, including dual-firewall layers, datacenter firewalls, ...

However, not many companies have yet started implementing zero trust and micro-segmentation.

What's the opportunity for you?

Network virtualization and NSX integration give you the opportunity to start protecting your virtual machines without the need to go through the "internal firewalling" steps. You can catch up directly and be up to speed with today's zero trust approach.

No need to re-design your internal network and create more VLANs: get protected right away!

Do not hesitate to reach out to us to learn more!
