2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Why not use VLAN or VPC to solve the east-west isolation problem? This article analyses the question in detail and presents a corresponding solution, in the hope of helping readers who face the same problem find a simpler and more feasible approach.
Preface
As a rigorous security practitioner with professional ethics, I first have to say, hand on heart: technology is neither good nor bad in itself; when evaluating a technology, what matters is whether it solves specific problems in specific scenarios. Based on our years of operations experience and actual customer visits, internal isolation based on VLAN/VPC is basically no longer suitable for solving the east-west isolation problem in virtual data center / private cloud environments (including hybrid clouds that contain a private cloud).
Before starting today's discussion, as a product person who talks to customers about products every day, I need to answer the customer's question: "Why is internal isolation needed?"
Why internal isolation is needed, from the perspective of security construction:
For a long time, enterprises have widely used defense in depth and the principle of least privilege to manage enterprise network security, and isolation is the basic means of realizing both ideas. For example, in traditional security management, the trusted network is isolated from the external network by deploying firewalls at the border; internally, security domains are divided according to different security levels, the domains are isolated from one another by firewalls, and access rights are granted as needed by configuring security policies.
From the perspective of attack and defense:
Security incidents in recent years show that attackers have gradually shifted from destructive attacks to advanced persistent attacks with specific political or economic goals. Whether we look at Lockheed Martin's well-known Cyber Kill Chain or at the ransomware and cryptomining malware of recent years, these attacks share a notable characteristic: once the border defense line is breached or bypassed, the attacker can move laterally within the data center, and there is basically no security control inside the data center to stop the attack. This also highlights a major weakness of traditional security: complex security policies, huge budgets and technologies are devoted to border protection, while the same level of security does not exist internally.
From the perspective of closing the security loop:
Behavior analysis, honeypots and situational awareness are in place, yet basic access control is absent. There are often hundreds of virtual machines in the data center; security policy "only dares to grow, never to shrink"; there is a large amount of detection equipment inside, but where is the protection...
If, by this point, the customer has not shown me the door yet, I can start my show:
Scenario 1:
Me: "Customer, I heard that your data center was virtualized and put into use last year. Business productivity has improved a lot!"
Customer: "Yes, we chose the virtualization technology of a large foreign vendor and completed the construction last year. A virtualized data center does improve operational efficiency."
Me: "How many virtual machines do we have now?"
Customer: "At present there are more than 500, and some businesses are still being migrated. Growth is relatively fast, and it is expected to reach 1000 next year."
Me: "With so many virtual machines, how do we manage them internally?"
Customer: "We mainly manage them by dividing VLANs."
Scenario 2:
Me: "Customer, I heard that your private cloud was completed and put into use last year. Many enterprises are only just getting started."
Customer: "Yes, we started technical research three years ago and completed the construction last year. The cloud data center is indeed the construction trend of the future."
Me: "How many virtual machines do we have now?"
Customer: "At present, more than 1000 in total; some businesses are still being migrated, growth is relatively fast, and it is expected to reach 1500 next year."
Me: "So many! Your private cloud is a benchmark in the industry. How do we manage so many virtual machines internally?"
Customer: "We mainly manage them internally through the VPC provided by the cloud vendor."
VLAN-based and VPC-based internal isolation are the two common approaches in virtualized data centers, depending on the underlying architecture. Many enterprises logically divide the data center into different security domains by department and business system, isolate them with VLAN/VPC, and then deploy virtual machines into each VLAN/VPC. Because VLAN/VPC isolation is at layer 2, any communication needed between groups has to pass through layer 3 devices (layer 3 switches, firewalls). Both approaches mainly continue the traditional thinking of data center security management: stacking security devices, segmentation and access control.
In practice, however, customers gradually "simplify everything" during day-to-day operations: hundreds of virtual machines end up divided into three or four domains, with a handful of network-segment-based access control rules configured between them.
At this point, so that the customer does not fall into the "pit" of VLAN/VPC isolation, the professional in me (and the project) obliges me to explain to the customer what east-west isolation is.
Every effect has its cause. Let's first analyze the characteristics of the virtual data center / private cloud:
Characteristics of a virtual data center / private cloud
1. There are a large number of virtual machines, from hundreds to tens of thousands, and the number keeps growing.
2. Multiple branch offices and multiple business units share the platform, with complex security levels.
3. Business is flexible and changeable: resources are allocated on demand and change at any time (services going online and offline, expansion, cloning, migration).
Based on the characteristics above, combined with the MLPS 2.0 (等保 2.0, China's Classified Protection scheme) requirements for access control between virtual machines and for detecting and blocking internal attacks, east-west isolation should provide the following capabilities:
Capabilities required for east-west isolation
1. Identify the access relationships of internal business. East-west traffic is hard to manage largely because internal traffic is not visible, which makes security policy design and adjustment difficult. The solution must be able to identify traffic between hosts (including containers): the services accessed, ports, times and even the processes involved.
2. Achieve end-to-end isolation: access control between physical servers, virtual machines and containers, with port-level control granularity.
3. Reduce the attack surface of internal hosts: the permitted access sources and the services and ports they may reach can be configured, and ports can be closed at the network level.
4. Visual editing and unified management of policies: the current security policy state can be displayed graphically, policies can be edited graphically, and the network-wide security policy can be managed through a single interface.
5. Automatic policy deployment: the solution adapts to the elastic, scalable nature of the private cloud, with security policy updated automatically when virtual machines migrate, are cloned or are scaled out. Automated orchestration is supported.
6. Support for hybrid cloud architectures: in a hybrid cloud environment, cross-platform traffic identification and unified policy management are supported.
Unfortunately, internal isolation based on VLAN/VPC cannot meet the needs of east-west isolation.
The "seven deadly sins" of VLAN/VPC-based intranet isolation
1. Too static. Static VLAN/VPC partitioning restricts where virtual machines can be placed, which runs contrary to the dynamic nature of cloud data centers.
2. The attack surface is too large. As the number of virtual machines grows sharply, overly large VLAN/VPC partitions give an attacker a larger range to attack: once one host in a group is compromised, the attacker can move laterally within it at will.
3. The cost is too high. Subdividing the security domains and then deploying hundreds or even thousands of firewalls for internal access control is neither financially nor operationally feasible.
4. It slows business delivery. When adding a new business or changing an existing one, security personnel must manually modify the security policy to fit this static, heavyweight network topology, which greatly delays the business and easily leads to configuration errors.
5. Security policy management is complex. Firewall misconfigurations and policy changes are common causes of network outages. In particular, firewall policy configuration cannot be tested in advance, and incorrect configuration is hard to troubleshoot. Firewall policy often suffers from the "only dare to add, never dare to remove" problem.
6. It increases network latency. This design increases the complexity of the network and reduces network performance.
7. It cannot be applied to the hybrid cloud model. When users have multiple cloud data centers, fragmented security increases management complexity.
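To make the capability list and the "sins" above concrete, here is an added example (my own illustration, not code from the article or from any vendor product) that models both approaches in Python: subnet-scoped VLAN/VPC rules with unrestricted communication inside a VLAN, versus label-based, default-deny, port-level micro-segmentation rules. The fleet, subnets, labels and rules are constructed; the example counts the (host, port) pairs a compromised VM can reach under each model and shows what happens to the policy when a database VM migrates to a new IP.

```python
"""Constructed comparison of subnet-scoped (VLAN/VPC) rules versus
label-based micro-segmentation rules; all hosts and rules are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # e.g. frozenset({"app:web", "env:prod"})


# --- VLAN/VPC model: layer-2 domains plus subnet-to-subnet firewall rules ---
VLANS = ("10.1.0.0/24", "10.2.0.0/24")            # "prod" and "test" domains
VLAN_RULES = [("10.2.0.0/24", "10.1.0.0/24", 80)]  # (src_net, dst_net, dst_port)


def vlan_allows(src, dst, port):
    """Hosts in one VLAN talk freely; between VLANs only explicit rules apply."""
    s, d = ip_address(src.ip), ip_address(dst.ip)
    if any(s in ip_network(v) and d in ip_network(v) for v in VLANS):
        return True  # no intra-domain control at all
    return any(s in ip_network(sn) and d in ip_network(dn) and port == p
               for sn, dn, p in VLAN_RULES)


# --- Micro-segmentation model: per-workload labels, default deny, port-level ---
MICRO_RULES = [(frozenset({"app:web", "env:prod"}),
                frozenset({"app:db", "env:prod"}), 3306)]


def micro_allows(src, dst, port):
    """Allowed only if a rule's label sets are subsets of src and dst labels."""
    return any(sl <= src.labels and dl <= dst.labels and port == p
               for sl, dl, p in MICRO_RULES)


def blast_radius(allows, fleet, compromised, ports=(22, 80, 3306, 5432)):
    """(name, port) pairs a compromised host can reach on common service ports."""
    return {(w.name, p) for w in fleet if w != compromised
            for p in ports if allows(compromised, w, p)}


def migrate(w, new_ip):
    """Simulate migration/drift: the IP changes, the labels (and policy) stay."""
    return Workload(w.name, new_ip, w.labels)


# Constructed fleet: the "3 or 4 domains" simplification puts web and db in one VLAN.
WEB1 = Workload("web1", "10.1.0.10", frozenset({"app:web", "env:prod"}))
WEB2 = Workload("web2", "10.1.0.11", frozenset({"app:web", "env:prod"}))
DB1 = Workload("db1", "10.1.0.20", frozenset({"app:db", "env:prod"}))
TEST1 = Workload("test1", "10.2.0.5", frozenset({"app:web", "env:test"}))
FLEET = [WEB1, WEB2, DB1, TEST1]
```

Under the VLAN model a compromised web1 reaches every port on web2 and db1, and a subnet-wide rule also lets the test VLAN reach db1:80; under the label model web1 reaches only db1:3306, and that rule keeps working after db1 migrates to another subnet, while the VLAN rule silently breaks.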
In summary, VLAN/VPC-based internal isolation is weak on compliance, inflexible, coarse-grained and hard to operate and maintain.
So, hand on heart, whichever expert you ask, I would say that in a virtual data center environment VLAN/VPC-based internal isolation is suitable only for coarse-grained isolation of large security domains, and as a solution to the east-west isolation problem it is basically finished.
VLAN/VPC may be finished, but the customer need not be. Internationally, there has long been a settled answer to the isolation problem within the virtual data center.
Best practice for internal isolation in cloud centers: micro-segmentation
Micro-segmentation (MicroSegmentation) was first proposed by Gartner in its software-defined data center (SDDC) technology architecture. It provides security access control between hosts (and containers), as opposed to the earlier access control between security domains, together with visual management of east-west traffic.
Micro-segmentation is essentially software-defined, which lets it adapt well to the dynamic characteristics of the cloud center. And as the definition shows, what it mainly solves is how to clearly see and manage the complex traffic inside the cloud.
Micro-segmentation is not a conceptual innovation: in terms of management philosophy it adheres to the widely accepted principles of defense in depth and least privilege. The difference is that micro-segmentation lets these ideas continue to be implemented effectively in a completely different virtualized data center with a complex internal communication model.
In its 2017 report, Gartner judged that micro-segmentation would become mainstream technology within the next 2-5 years.
This is the answer to the question of why you should not use VLAN or VPC to solve the east-west isolation problem. I hope the content above is of some help to you. If you still have many unresolved doubts, you can follow the industry information channel for more related knowledge.