Segment data centers to prevent zero-day attacks

Fast-propagating attacks like worms or viruses can quickly bring a data center to its knees. But protecting the data center from such threats is not as simple as erecting a perimeter around the company’s systems.

Employee laptops and other end-user devices can carry malware across the perimeter and accidentally infect data center resources. One possible strategy to mitigate this risk is to compartmentalize the company – build internal barriers that can contain any malware and stop it from spreading. The drawback of network segmentation, though, is that it “draws” artificial lines through a company’s infrastructure, leading to a rigid architecture.

By contrast, security virtualization may allow companies to segment their networks without the loss of flexibility.

A traditional approach to risk compartmentalization is to install firewalls at strategic chokepoints inside the network. This type of static segmentation can only work if your network architecture is hierarchical.

In a “flat” network it will be difficult to find suitable chokepoints in the architecture. But a bigger problem lies in the fact that for many companies, networks are not there just to connect elements. The network is an enabler for new applications and rapid business change. Static barriers make the network – and the company – less flexible.

For example, a bank may decide to put firewalls between two branch offices, thinking they don’t need to communicate. That assumption will take the existing logical structure of the bank and “nail it down” architecturally. So before the segmentation, branch networks didn’t need to communicate with each other, after the segmentation, they can’t communicate.

Later, if the bank changes strategy (introducing VoIP or instant messaging or a regional service model), the barrier between branches becomes an impediment to change. The same happens with the data center. The data center is harder to segment because it has far more interdependencies between systems.

A possible approach to segmentation, whether inside the data center or in the broader enterprise network, is to virtualize security. Instead of static firewalls, strategically positioned in the network architecture, companies can build a virtual security layer to control access between systems. For a pool of servers in the data center, this type of security could be implemented in a firewall embedded in the switched fabric between the servers. By using virtual LANs and virtual firewall domains, servers can be dynamically segmented based on policy rather than network architecture. If virtual security is implemented in software, it is even more flexible.

Some of the advantages of virtual segmentation:

* Systems can be segmented by type, by application, by business process or any other logical grouping, even if there is no correspondence to the underlying network architecture.

* Virtual barriers based on policies can be shifted, unlike physical firewalls that must be moved or rewired.

* Multiple overlapping domains can be created to serve different security needs: for example, separation of research from investment for SOX compliance overlaid over segmentation of production from development.

Virtual segmentation of networks is gaining acceptance as a better response to fast-propagating threats. Security virtualization offers the flexibility and “fluidity” required to protect against threats without sacrificing business agility.