10 Replies Latest reply: Feb 26, 2019 2:32 PM by Daniel Dib CCIE #37149 CCDE #20160011 RSS

    "Micro-Segmentation"

    Steven Williams

      Why is Micro-segmentation only really mentioned with ACI? Isn't it just firewall on a stick basically?

         
        • 1. Re: "Micro-Segmentation"
          Daniel Dib CCIE #37149 CCDE #20160011

          It's a bit more than that. Usually it refers to being able to implement zero-trust model where even traffic within the same subnet can be firewalled. This is challenging in a traditional design because L2 traffic would be switched without passing a firewall. To achieve the same effect with a traditional design, you'd have to put every VM or host in a separate VLAN. In that case though, all traffic would have to trombone through a firewall, which might not be efficient. Using something like ACI, you can do microsegmentation and still have efficient forwarding.

          • 2. Re: "Micro-Segmentation"
            Steven Williams

            Well I know for a fact I can do layer 2 firewalling with Palo Alto, yes its a little cumbersome because the devices need to terminate to the firewall directly which could be expensive. I feel like Cisco is behind in firewall technology compared to others.

             

            I have yet to see a really good demo on ACI so I am not completely up to date on it or sold on it as I have heard many people trying to implement it and they end up going back to traditional "networking". And really i just dont think we are there yet as a complete industry whole.

             

            I read things about Cisco putting scripting and automation in exams now at the CCNA level and it blows my mind because again I just dont think we are there yet. I feel like ACI/SDN is like IPv6, they mentioned it and everyone ran to learn about it and tried to implement it but realized there was no reason to do so in many cases.

            • 3. Re: "Micro-Segmentation"
              Steven Davidson

              Unlike IPv6 it isn't going to take very many really smart people to implement ACI/SDN-x technologies and features really well and, in doing so, displace a lot of engineers who either went back to doing it the traditional way or never stopped doing it the traditional way.  It'd coming.  Don't be the John Henry of the 21 century.  The fact of the matter is that the traditional way doesn't scale in the Everything-as-a-Service, on-demand, elastic, self-service, Agile (I've hit my buzzword limit) universe of 2019 and beyond.

              • 4. Re: "Micro-Segmentation"
                Steven Williams

                I just don't see it main stream for a good long minute. I mean where I am we are a little challenged in the way we can and want to build networks just due to compliance. I mean lets face it councils like PCI aren't really up to date. I can't even run multi-context firewalls due to my QSA saying a multi-context firewall has shared resources. The amount of physical firewalls I have is absolutely insane. I don't know, I guess we will see how the next few years go.

                • 5. Re: "Micro-Segmentation"
                  Sergey

                  Steven Williams,

                   

                  The whole idea of software-defined networking is about taking out the forwarding decision process from the local devices and placing it on a central machine that has full visibility of the network. In your example with Palo Alto, you HAVE to terminate the individual host links on the firewall's ports to achieve microsegmentation. But that doesn't scale. If you imagine a network of a few thousand hosts, the amount of firewalls you will need to terminate physical devices is just beyond being economically viable. With SDN you don't have to do that, because switches (either physical or virtual) that handle the actual link to the device or VM don't make their own decisions on forwarding or dropping the packet and instead they consult a control machine, which have got all the intelligence to make the decision. That's why it is more scalable. With regards to PCI, I'm not sure what the situation is like now, but back a few years, virtual contexts were considered OK for the PCI compliance purposes. The main idea there was that you do implement access control on the border between different trust domains.

                  • 6. Re: "Micro-Segmentation"
                    Micheline

                    Hello Steven--for my two bits, I think that a lot of the visceral clutch against ACI is that it has a pretty steep learning curve.  It is a very different way of managing a network than traditional means, and that alone makes it a challenge to embrace.  That said, I think that ACI is a much more efficient and powerful way to manage a data center than traditional.

                     

                    Just from a security aspect, starting from a whitelist perspective versus a blacklist perspective means that conscious thought has to be invested in what traffic is allowed, and that is no bad thing.  Regarding microsegmentation, I think that being able to take a subset of endpoints from an EPG out of circulation with a few mouse clicks is pretty potent.  Just as an example, if you identify that a certain operating system has a vulnerability that is being exploited, you could go EPG by EPG and pull every host with that operating system and put them into a quarantine uSEG.  As the hosts get patched, they fail the uSEG attribute and are booted out of the quarantine uSEG, automatically.  You cannot do that with a firewall.

                     

                    Just my two bits.   MM

                    • 7. Re: "Micro-Segmentation"
                      Steven Williams

                      Ok I need some links of this stuff!! Youtube, blogs, CLN, etc, etc because that is actually really cool. lol

                      • 8. Re: "Micro-Segmentation"
                        Micheline

                        There was a techtorial at the CLEUR in Barcelona both this year and last year about ACI security.  But, I have no idea how to get your hands on the video bc I don't think they put those sessions up on the Cisco On-Demand Library.  I'll ask around and see if I can't get you a link or the slide deck or something.

                         

                         

                        Steven, the middle white paper is pretty short, and the third document is the config guide for uSEG.  Its introductory materials are pretty good.   I was privileged to be able to work on the first paper as a technical writer.  The major contributor is my partner (who was one of the techtorial presenters).

                         

                        MM

                         

                        P.S.  I think the quarantine use case for uSEG is pretty cool too. 

                        • 9. Re: "Micro-Segmentation"
                          Steven Williams

                          So micro-segmentation securing east to west traffic is assuming I need to see all traffic between two hosts that live on the same layer 2 segment. But....Why would we design networks where database servers live on the same layer 2 segment as the web server? We vlans, vrf, private vlans....I mean are we saying we are going back to building flat networks now? Do you see my frustration here?

                           

                          I have multiple vlans, and multiple VRFs and VRFs have egress links to route to other VRFs through a north-bound firewall. Why is this not acceptable anymore? I mean the cost of this micro-segmentation is....simply put...going to get really high, really fast. I need Firewall appliances per Host, I need management tools like NSX manager, etc, etc.

                           

                          Does anyone really see people building networks like this in mass populations of IT?

                          • 10. Re: "Micro-Segmentation"
                            Daniel Dib CCIE #37149 CCDE #20160011

                            It's not really about building flat networks, although you could. Maybe you have several database servers and they should only talk to the application server, never with each other. That could easily be achieved in ACI by using contracts while with a "traditional" network we'd have to throw subnets at the problem.

                             

                            Firewalls will still be there and we can still use VRFs etc. Consider though how firewalls scale and that more and more of the traffic is getting encrypted. Eventually firewalls will be mostly blind unless they are implemented at the host level where the traffic is decrypted.