Threat Visibility and the Zero-Trust Virtual Data Center

WHITE PAPER
Zero-Trust and Deep Inspection Will Secure Software-Defined Infrastructure

Until recently, virtualized x86 compute environments were a zero-visibility zone that defied the efforts of security teams to protect workloads and data. Physical security controls were stuck at the virtual network perimeter. Connections and traffic were inspected at the edge, leaving the virtual environment within a de facto trust zone. Growing volumes of east-west traffic moved within virtual hosts uninspected. Attacks that successfully bypassed perimeter security could easily propagate laterally without detection. Attempts to route virtual network traffic out for physical inspection proved inefficient and unscalable.

The arrival of mature software-defined data center (SDDC) platforms has transformed this situation, making it possible to create and manage high-transparency, zero-trust virtual networks that are inherently more secure than their predecessors and vastly easier to configure and maintain. Two factors are primarily responsible for this improvement. The first is network segmentation support in VMware NSX that allows granular workload and application isolation with localized security policy enforcement. The second is the introduction of an advanced intrusion prevention system (IPS) from McAfee that provides deep visibility into the traffic payloads moving on each micro-segment and fully leverages the automated management capabilities of the VMware data center virtualization stack.

This paper explores the benefits and requirements of zero-trust networking strategies in a VMware SDDC. It also examines the role of two technologies—McAfee® Network Security Platform virtual IPS sensor and Open Security Controller—in making zero-trust networking not only possible, but supremely practical.

Zero-Trust, Micro-Segmentation, and the Change Management Challenge

Zero-trust is a network design approach that targets a fundamental vulnerability shared by most existing infrastructures, namely the implicit trust between nodes on a shared network segment. Much of today’s security is based upon a “trust, but verify” model that, in general, fails to give due credence to the verification stage. The result is our ongoing epidemic of break-ins and data breaches, as the task of applying proper verification to every connected interaction becomes increasingly difficult. The zero-trust approach suggests we eliminate every vestige of trust in our networks as unnecessary to the core task of moving packets. No more trusted users, interfaces, packets, or applications.

A successfully implemented zero-trust strategy is based on three principles:

- All resources must be accessed in a secure manner regardless of location.
- Access control must be based on need-to-know and strictly enforced.
- All traffic must be inspected and logged.

This zero-trust approach envisions networks that are finely segmented with access control imposed between segments and traffic inspection within.

[Figure 1 diagram: Internet, Perimeter Firewall, Web Server, DB Server; the internal Web Server to DB Server path is labeled “Firewall rule not possible”.]
Figure 1. Placing all security controls at the network perimeter creates a de facto trust zone within. Security teams can’t control or inspect traffic between internal hosts.

A network micro-segment might include a few resources with similar security requirements, or at the logical extreme, only a single host and switch. In such an environment, the ability of malicious code to move between hosts or to escape detection in transit is obviously much reduced. Furthermore, security policy can be tightly tailored to the specific applications and processes hosted on a single segment, or a single machine.

Segmentation originated as a way to manage bandwidth utilization by reducing the number of hosts exchanging broadcast messages. Engineers sliced large networks into smaller broadcast segments using bridges, switches, routers, or firewalls. An early security application was in separating multitier applications to prevent attack propagation from a compromised web server to the application and data tiers.

You might think of a zero-trust network as an airport terminal with TSA full-body scanners not just at the main entry, but at every restaurant, bar, newsstand, gift shop, restroom, shoe-shine stand, and gate—and with no lines, of course.

In practice, micro-segmenting large networks for security purposes has been limited by the management complexity that results. If firewalls are used to define segments and control access, then any change in a workload may also require a change in firewall policy. Managing the configuration change quickly becomes challenging, even in a relatively static physical environment. It becomes impossible in a virtualized environment where workloads are dynamically created,
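The following Python is an added example, written for this page and not taken from the white paper or from any McAfee or VMware product. It models the contrast between the perimeter-only trust zone of Figure 1 and a micro-segmented, zero-trust policy built on the three principles above: a default-deny, need-to-know allowlist between tiers, and a log entry for every decision. The subnets, tier names, ports and flows are all constructed for illustration; the multitier web/app/db split is the one the text describes.

```python
"""Added example: perimeter-only trust zone versus a zero-trust, micro-segmented
policy engine. All segments, rules and sample flows are constructed, not real."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """A need-to-know permit: traffic from one segment to another on one service."""
    src_segment: str
    dst_segment: str
    dport: int
    proto: str = "tcp"


# Constructed micro-segments: one subnet per application tier.
SEGMENTS = {
    "internet": ip_network("0.0.0.0/0"),
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}

# Need-to-know allowlist: only the flows each tier actually requires.
RULES = [
    Rule("internet", "web", 443),
    Rule("web", "app", 8080),
    Rule("app", "db", 5432),
]


def segment_of(addr: str) -> str:
    """Return the most specific segment containing addr ('internet' if none)."""
    ip = ip_address(addr)
    best = None
    for name, net in SEGMENTS.items():
        if ip in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best


def perimeter_decision(flow: Flow) -> bool:
    """Perimeter-only model (Figure 1): the firewall only sees flows crossing the
    edge, so any source already inside is implicitly trusted and never inspected."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg != "internet":
        return True  # east-west traffic: no rule can be expressed here
    return Rule("internet", dst_seg, flow.dport, flow.proto) in RULES


class ZeroTrustEngine:
    """Zero-trust model: no segment is trusted, every flow needs an explicit rule,
    and every decision is logged (principles 1 to 3 of the white paper)."""

    def __init__(self, rules):
        self.rules = set(rules)
        self.log = []

    def decide(self, flow: Flow) -> bool:
        src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
        # Default deny: location confers nothing; only a matching rule permits.
        allowed = Rule(src_seg, dst_seg, flow.dport, flow.proto) in self.rules
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(
            f"{verdict} {src_seg}->{dst_seg} {flow.src}->{flow.dst}:{flow.dport}/{flow.proto}"
        )
        return allowed


def compare(flows, engine: ZeroTrustEngine):
    """Evaluate each flow under both models; returns {flow: (perimeter, zero_trust)}."""
    return {f: (perimeter_decision(f), engine.decide(f)) for f in flows}


if __name__ == "__main__":
    # Constructed sample flows, including the lateral web->db move from Figure 1.
    sample = [
        Flow("203.0.113.10", "10.0.1.5", 443),    # internet -> web
        Flow("10.0.1.5", "10.0.2.7", 8080),       # web -> app
        Flow("10.0.2.7", "10.0.3.9", 5432),       # app -> db
        Flow("10.0.1.5", "10.0.3.9", 5432),       # web -> db (lateral movement)
        Flow("203.0.113.10", "10.0.3.9", 5432),   # internet -> db
    ]
    engine = ZeroTrustEngine(RULES)
    for flow, (perim, zt) in compare(sample, engine).items():
        print(f"{flow.src:>14} -> {flow.dst}:{flow.dport}  perimeter={perim}  zero_trust={zt}")
    print("\n".join(engine.log))
```

The fourth sample flow is the one Figure 1 marks as “Firewall rule not possible”: the perimeter model permits it because the source is already inside, while the zero-trust engine denies it for lack of a web-to-db rule and records the attempt, which is exactly the lateral movement the paper says went undetected in the old design.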
