Network microsegmentation in examples: how this cleverly twisted thing reacts to different attacks

Previously, when it was necessary to differentiate something (for example, servers with payment processing and user office terminals), they simply built two independent networks with a bridge-firewall in the middle. It is simple, reliable, but expensive and not always convenient.

Later, other types of segmentation appeared, in particular, on rights based on a transaction map. Simultaneously, role schemes developed, in which a machine, person, or service is assigned its specific rights. The next logical step is microsegmentation in virtual infrastructures, when a DMZ is placed around each machine.
')
In Russia, while there are single implementations of such defensive constructions, but soon there will definitely be more of them. And then we may not even understand how it was possible to live without this. Let's look at attack scenarios for such a network and how it reacts to it.

What is microsegmentation

Microsegmentation is a security method that allows you to assign security micro-policies to data center applications, right down to the workload level. In a more applied application, this is a data center security model. Network security policies are enforced by firewalls integrated into hypervisors that are already present in the data center. This provides ubiquity of protection. In addition, security policies can be conveniently modified, including automatically, and dynamically adapted to reflect changes in workloads.

As it was before

Here is the "stone age" of modern networks - unmanaged networks:

More precisely, it would have been a stone age if the networks were generally physically separated by the absence of links. But here they are connected by a router and protected by hardware firewalls at the intersection site. This is a good option exactly as long as you do not fall into the real world.

Here is the next step in the evolution of protection:

Today, most companies use server clusters to spin their entire infrastructure. Here is an example of Aeroexpress - there, in fact, one cluster and two virtual subnets - for sales offices (regular users) and for banking, that is, ticket settlements. Before the introduction, there was only one network, and in theory, the cashier could trite the server with the issuance of tickets. The next logical step after such a separation is still greater virtualization and the construction of microsegments, but not at the level of hardware, but at the level of flexible service rights. This greatly simplifies administration compared to the classic task of finely-divided 2-3 machines each, and greatly simplifies life in terms of the reliability of protection in a cluster. Each microsegment looks at the neighboring one as the outside world, and not as a deliberately trusted one.

This is one of the simplest schemes, where, depending on the tasks, intersections of different perimeters are used. It may look like the diagram below.

In this scheme, as you can see, solved problems of scaling network components (produced by deploying new VMs), it is possible to use any network equipment, it is possible to control the horizontal propagation of VM traffic, VLANs are replaced by VxLANs, which are limited to about 16 million interfaces. Moreover, if you look at the color delimitation of the scheme, you can see the following scenarios on the example of the Personal Account - 1:

Application servers located at different physical sites are located in the same logical network P6 (orange ovals);
At the same time, Web servers of the same Personal Account - 1 are already in different logical networks (green ovals P4 and P5);
All servers that implement Personal Account - 1, in turn, are located in a single logical network P10 (zone marked with a dotted line).

Perhaps you have already understood everything and now you want to know how difficult it is to support it. So, in new versions of hypervisors such structures are supported out of the box.

The main theme of such micro-segmentation implementations is the protection of critical services in the context of cluster and personal cloud technologies.

Example : there is an accountant’s work machine where, during normal daily work, policies such as “AWS Accounting” are applied, with which you can access the Internet and general infrastructure services. When you start the client bank, the policies will immediately take priority in processing the rules related specifically to the bank client traffic, and their traffic will be allowed only to the specified IP / DNS server of the bank, while always passing this traffic through additional information protection tools (for example, the DPI server). Bank-client is closed - again becomes the "AWS Accounting".

What does one of the NSX microsegmentation platforms consist of?

Here are the main components:

Switching	A logical overlay of Level 2 is provided across the entire Level 3 switched matrix inside and outside the data center. VXLAN based network overlay support.
Routing	Dynamic routing between virtual networks is performed by the kernel of the hypervisor distributed, supported by horizontal scaling with active-active failover to physical routers. Both static and dynamic routing protocols (OSPF, BGP) are supported.
Distributed firewall	Stateful distributed firewall services built into the hypervisor core, with up to 20 Gbps throughput per hypervisor server. Active Directory support and action monitoring. In addition, NSX provides a vertical firewall using the NSX Edge.
Load balancing	Load balancing for levels 4–7 with SSL load transfer and pass-through, server health check and application rules provide programming and traffic manipulation capabilities.
VPN	Remote access via VPN and VPN environment-environment VPN, unmanaged VPN for cloud gateway services.
NSX Gateway	Supporting bridges between VXLANs and VLANs provides optimal connectivity to physical workloads. This component is built into the NSX platform, and is also supported by the super-rack switches supplied by ecosystem partners.
NSX API	REST-based APIs are supported for integration with any cloud management or user platform.

And now we will consider scenarios of various threatening events so that it will become completely clear.

Scenario 1: Malvar

Ways of penetration and infection in large companies are about the same: phishing, targeted attacks, "road apples" in the form of thrown flash drives. As a rule, the malware infects one of the workstations (for example, coming with a letter), and then inside the perimeter it can do anything before it is detected. I recently saw a situation in the bank. I must say, they have serious people and serious security, but the situation inside the network was such that the deployed test malware (without payload) “broke through” the test environment and infected several branches before the protection system saw it. In some, the user segment is not at all separated from the critical one, and users happily hang malicious programs on 1C servers, on machines with financial transactions, on a web server, update server, and so on.

In our paradigm, the protection is as follows: microsegmentation at the level of servers, services, users. Separate each group by perimeters (as in the picture above). One virtual machine is usually infected, which is detected by an antivirus running from the height of the hypervisor. A machine with an atypical activity is immediately placed in quarantine - a special segment where all those who do something not quite normal fall into.

Standard measures such as a typical sandbox can also be screwed to this.

Modern malware subsides on a single workstation, sends a very small signal to the management server, or deploys the second block, which already carries the “useful” load. In which case, it is the second generation of the malware that is detected - the first one that has “calmed down” remains in the system. Antivirus, maybe, zadetektit and even kill both blocks, if lucky, but most likely, it will happen on the border of the networks, and after that you have to do a great job of tracking damage. And the integration of antivirus without a hypervisor level is somewhat more complicated.

On March 17, 2017, Kaspersky updated “agentless protection” for the NSX.

Scenario 2: directed attack on a critical service

The attack on especially critical computers and servers (accounting, machines with access to SWIFT, processing servers) most often begins as DDoS, continues with the malicious code "on the sly." It is solved simply: one more is created (two, three, how many) DMZ inside your server group for a complete cutoff. Of course, this need to think in advance.

In a normal admin, of course, the networks are already divided, just maintaining it without holes for years is more difficult. Well, without centralization. And when transferring a network or virtuals, holes may appear, and in the case of microsegmentation, the probability is much less.

Scenario 3: Random Incorrect Migration or Simplified Network Initialization

Only a third of data loss is related to the actions of intruders. The rest is a banal oversight or just idiocy. A striking example is the very frequent changes in the network, for example, the migration of a machine or a group of machines from one subnet to another (from a more secure to less protected one, due to which the migrated machine is “naked” in front of threats).

The solution is microsegmentation and profile assignment to a machine or group of machines. Thus, the security settings and all the necessary firewalls (implemented by the hypervisor) will remain on the VM, regardless of how and where it is migrated.

My favorite example is that in one retail network risks were incorrectly assessed. Cashier migrated to the user area (or rather, user rights have changed in six months). Someone forgot something at the next patch - and they put a bare database out.

Scenario 4: especially successful pentest

This is really a separate scenario, because for such shoals it is very painful to hit the hands. Especially in the financial sector. I saw a very simple story: the bank ordered the penetration of a certain VM group (in the test environment). Pentesters took the flag, but got a little carried away, digged into the test environment, went into the main segment and put the ABS server for a day. This is just a paragraph!

In general, microsegmentation helps to make sure that the networks “physically” do not see each other, as if they were not connected at all. They still won't go to the hypervisor level (well, at least without a world-class 0-day). If suddenly something gets admin admin rights and will be distributed - the hypervisor will catch. And virtual machines are much easier to roll back.

Scenario 5: Attacking an outward-looking service, leading to internal network problems

In retail there is a web server. The front stands, and between the front and the web are open ports.
Fiddled him, at the same time eventually the line of cashiers fell. Admin is looking for a new job the next day. In general, the essence of the attack - the attacker exploits the vulnerability of an application server or a web server accessible from the Internet and gains access inside the corporate infrastructure to critical servers and databases. Well, or just puts everything inside didos.

In the paradigm, microsegmentation of each server of the service is assumed in such a way that for each server that performs its role, there will be certain security settings. Configured with profiles.

Other scenarios

In general, other scenarios are worked out in a similar way. For example, from our point of view, an insider is just an infected AWP. It doesn’t matter whether he himself acts, or simply has his uchyotku increased. Atypical activity - quarantine - investigation and subsequent rollback of the affected VM.

How to move

Let's tell on the example of one of the practical cases:

Conducted a survey. The survey recorded the network topology, the virtual infrastructure architecture, the types of deployed systems and services. At this stage, all information flows (user, service, control traffic, monitoring and updating traffic) are determined and recorded.
The analysis and design of changes in the virtual infrastructure, including the network one, is carried out, taking into account the groups of services on criticality and functions provided that were identified at the survey stage.
The initial configuration of profiles (VM groups, roles, security settings, ITU settings, user group access settings) is made for the VM test group.
Formed profiles are applied, work is monitored. If necessary, adjustments are made. The zero-trust model is in place when introducing microsegmentation. With this model, we initially do not trust anything, and allow only proven and trusted interaction.
The solution is scaled to the entire infrastructure.

Further, the entire infrastructure is maintained and managed centrally from a single console with a minimum number of personnel involved. Groups and profiles are formed, their appointment is made fairly quickly. Assigned profiles work everywhere within a single virtual infrastructure. In addition to managing the ITU and security settings, the processes of migration, updating, input and output of servers and services are also centrally controlled.

Important points specifically for the NSX solution mentioned:

The need to replace the Cisco ASA 5520 firewall.
The ability to split the data center into separate segments, regardless of the subnet and VLAN.
Applying policies to the VM in accordance with the OS and its name.
IPsec solution support for communication with remote branches.

There was such a network:

Before implementation, we conducted an audit to understand how traffic “flows” in a virtual data center using the VMware vRealize Network Insight utility. It just helps to set up rules for micro-segmentation. It turns out something like this:

A source

And they compared the customer’s parameters (for example, one of the tasks was to replace the VPN):

	Cisco ASA 5520	Cisco ASA 5515-X	Cisco ASA 1000V	Cisco ASA 5555-X	VMware NSX Edge (X-Large)
Type of	Physical device	Physical device	Virtual machine	Physical device	Virtual machine
Maximum firewall throughput (max.)	0.4 Gbit / s	1.2 Gbit / s	1.2 Gbit / s	4 Gbps	9 Gbps
Maximum simultaneous sessions	280,000	245,000	200,000	1,000,000	1,000,000
Maximum connections per second	N / A	6000	10,000	50,000	131,000
VPN bandwidth	250 Mbps	250 Mbps	200 Mbps	700 Mbps	2 Gbps
Maximum number of IPsec tunnels	750	250	750	5,000	6,000
Maximum number of SSL tunnels	750	250	750	5,000	6,000

In parallel, they built a network diagram of physical equipment. The key for us is to understand the traffic flow inside the data center to configure policies. It was removed, apply immediately. If something will be cut - just add later. A week or two is enough to build a good map and identify all services.

We had a fairly simple installation, and we placed it on 2 blades. Expenses:

Component	Qty	∑ RAM (GB)	∑vCPU	∑HDD (GB)
NSX Manager	one	sixteen	four	60
NSX Controller	3	12	12	60
NSX DLR	2	four	eight	3
NSX Edge	one	2	four	2

The customer already had a VMware vSphere virtualization environment, so we just bought licenses for the NSX. At that time there were no NSX editions, they appeared almost a month after the purchase of licenses. The product itself is licensed per socket.

We divided the machines into groups and assigned tags to them, transferred the firewall rules from the ASA to the distributed firewall and checked again vRealize Network Insight. That we correctly indicated the traffic flows and did not forget anything.

PROFIT!