Professional Documents
Culture Documents
Textbook Micro Segmentation For Dummies Vmware Edition Matt de Vincentis Ebook All Chapter PDF
Textbook Micro Segmentation For Dummies Vmware Edition Matt de Vincentis Ebook All Chapter PDF
https://textbookfull.com/product/carbon-for-micro-and-nano-
devices-de-gruyter-textbook-1st-edition-sharma/
https://textbookfull.com/product/micro-spatial-histories-of-
global-labour-1st-edition-christian-g-de-vito/
https://textbookfull.com/product/hacking-for-dummies-6th-edition-
for-dummies-computer-tech-beaver/
https://textbookfull.com/product/chemistry-for-dummies-for-
dummies-lifestyle-john-t-moore/
C Programming For Dummies (For Dummies (Computer/Tech))
Gookin
https://textbookfull.com/product/c-programming-for-dummies-for-
dummies-computer-tech-gookin/
https://textbookfull.com/product/nanocharacterization-techniques-
a-volume-in-micro-and-nano-technologies-osvaldo-novais-de-
oliveira/
https://textbookfull.com/product/trading-options-for-dummies-for-
dummies-business-personal-finance-3rd-edition-duarte/
https://textbookfull.com/product/reading-financial-reports-for-
dummies-for-dummies-business-personal-finance-4th-edition-
epstein/
https://textbookfull.com/product/asvab-for-dummies-johnston/
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Micro‐segmentation
by Matt De Vincentis
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Micro‐segmentation For Dummies®, 2nd VMware Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030‐5774
www.wiley.com
Copyright © 2017 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except
as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior writ-
ten permission of the Publisher. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011,
fax (201) 748‐6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used
without written permission. All other trademarks are the property of their respective owners. John
Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.
Publisher’s Acknowledgments
Some of the people who helped bring this book to market include the following:
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
About This Book......................................................................... 2
Foolish Assumptions.................................................................. 2
Icons Used in This Book............................................................. 2
Beyond the Book......................................................................... 3
Where to Go from Here.............................................................. 3
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
iv Micro-segmentation For Dummies, 2nd VMware Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Introduction
T raditional approaches to securing data centers have
focused on strong perimeter defenses to keep threats
on the outside of the network — not unlike castle defenses
during medieval times! Towering castle walls were fortified
with battlements and bastions, and access was controlled
with a firewall — uh, drawbridge. For an attacking force,
breaching the perimeter and gaining entry to the castle was
the key to victory. Once inside the castle, defenses were
practically nonexistent, and the attackers were free to burn
and pillage!
The primary issue is that once an attack gets into the network,
there are few controls to prevent threats from moving later-
ally from system to system. The best way to solve this is to
adopt a stricter, more granular security model with the ability
to tie security to individual workloads and the agility to provi-
sion policies automatically. Forrester Research calls this the
“Zero Trust” security model — in other words, the principle
of least privilege applied to the network. Micro‐segmentation
embodies this approach.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
2 Micro-segmentation For Dummies, 2nd VMware Special Edition
Foolish Assumptions
It’s been said that most assumptions have outlived their
uselessness, but I assume a few things nonetheless:
If these assumptions are true, then this is the book for you!
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Introduction 3
This icon points out information that may well be worth com-
mitting to your nonvolatile memory, your gray matter, or your
noggin — along with anniversaries and birthdays!
You won’t find a map of the human genome here, but if you
seek to attain the seventh level of NERD‐vana, perk up! This
icon explains the jargon beneath the jargon!
Thank you for reading, hope you enjoy the book, please take
care of your writers! Seriously, this icon points out helpful
suggestions and useful nuggets of information.
“That depends a good deal on where you want to get to,” said
the Cat — er, the Dummies Man.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
4 Micro-segmentation For Dummies, 2nd VMware Special Edition
If you don’t know where you’re going, any chapter will get you
there — but Chapter 1 might be a good place to start!
I promise you won’t get lost falling down the rabbit hole!
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 1
Defending the Data Center
on a Broken Foundation
In This Chapter
▶▶Recognizing the impact of data center breaches
▶▶Understanding how attacks exploit the unguarded inside of the data
center
▶▶Identifying the problem with traditional approaches to data center
security
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
6 Micro-segmentation For Dummies, 2nd VMware Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 1: Defending the Data Center on a Broken Foundation 7
Once inside the data center, an attacker relies heavily on the
ability to move laterally in order to expand the attack surface
and achieve the attack objectives.
Figure 1-2: C
2 enables further reconnaissance in the data center.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
8 Micro-segmentation For Dummies, 2nd VMware Special Edition
Figure 1-3: A
dditional C2 infrastructure is installed to ensure persistence as
the attacker moves laterally through the data center.
The attacker can then carry out any desired action against the
target (see Figure 1‐5).
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 1: Defending the Data Center on a Broken Foundation 9
Figure 1-5: T he attacker is then free to perform any desired actions on the
data center objective.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
10 Micro-segmentation For Dummies, 2nd VMware Special Edition
Figure 1-6: P
erimeter‐based security is insufficient in a data center where
security is needed everywhere.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 1: Defending the Data Center on a Broken Foundation 11
using existing technologies, controls, and processes has been
impractical . . . until now. Network virtualization (explained
in Chapter 3) makes micro‐segmentation a reality in the data
center, without needing to change any existing physical
infrastructure.
Figure 1-7: T oday, security is tied to a rigid and complex network topology
that is further complicated by a consolidated, multitier applica-
tion infrastructure.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
12 Micro-segmentation For Dummies, 2nd VMware Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 1: Defending the Data Center on a Broken Foundation 13
✓✓Contributing to firewall rule sprawl and performance
bottlenecks as security administrators are increasingly
reluctant to modify or remove complex rulesets when
workloads are decommissioned, fearful of causing an
outage or security breach
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
14 Micro-segmentation For Dummies, 2nd VMware Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 2
Micro‐segmentation
Explained
In This Chapter
▶▶Bolstering data center defense inside the perimeter
▶▶Using the software‐defined data center as a weapon against attacks
▶▶Making zero‐trust trust a reality in the data center
▶▶Gaining persistence, ubiquity, and extensibility with micro‐
segmentation
▶▶Recognizing what micro‐segmentation isn’t and the shortcomings of
agent‐based security
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
16 Micro-segmentation For Dummies, 2nd VMware Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 2: Micro‐segmentation Explained 17
Growth of east–west traffic
within the data center
Over the past decade, applications have increasingly been
deployed in a multitier server architecture and east–west
server–server communications now account for significantly
more data center traffic than north–south client–server and
Internet communications. In fact, traffic inside the data center
now accounts for more than 80 percent of all network traffic
in most data centers. These multitier application architec-
tures are typically designed with little or no security controls
restricting communications within each tier.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
18 Micro-segmentation For Dummies, 2nd VMware Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 2: Micro‐segmentation Explained 19
Isolation
Isolation is an important principle in network security,
whether for compliance, containment, or simply keeping
development, test, and production environments separated.
Manually configured and maintained routing, access control
lists (ACLs), and/or firewall rules on physical devices have
traditionally been used to establish and enforce isolation in
data center networks.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
20 Micro-segmentation For Dummies, 2nd VMware Special Edition
Segmentation
Traditionally, network segmentation is achieved with a physi-
cal firewall or router that allows or denies traffic between
network segments or tiers — for example, segmenting traf-
fic between a web tier, application tier, and database tier.
Segmentation is an important principle in security design
because it allows organizations to define different trust
levels for different network segments, and reduces the attack
surface should an attacker breach the perimeter defenses.
Unfortunately, data center network segments are often far
too large to be effective and traditional processes for defining
and configuring segmentation are time consuming and prone
to human error, exposing the network to the possibility of a
security breach.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 2: Micro‐segmentation Explained 21
Automation
Automated provisioning enables the correct firewalling poli-
cies to be provisioned when a workload is programmatically
created, and those policies follow the workload as it’s moved
anywhere in the data center or between data centers.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
22 Micro-segmentation For Dummies, 2nd VMware Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 2: Micro‐segmentation Explained 23
Essential Elements of
Micro‐segmentation
As discussed earlier in this chapter, the hypervisor is
uniquely positioned to provide both context and isolation
throughout the data center — not too close to the work-
load where it can be disabled by an attack, and not so far
removed that it doesn’t have context into the workload.
Thus, the hypervisor is ideally suited to implement three key
elements of micro‐segmentation: persistence, ubiquity, and
extensibility.
Persistence
Security administrators need to know that when they provi-
sion security for a workload, enforcement of that security
persists despite changes in the environment. This is essential,
as data center topologies are constantly changing: Networks
are renumbered, server pools are expanded, workloads are
moved, and so on. The one constant in the face of all this
change is the workload itself, along with its need for security.
But in a changing environment, the security policy config-
ured when the workload was first deployed is likely no longer
enforceable, especially if the definition of this policy relied
on loose associations with the workload like IP address, port,
and protocol. The difficulty of maintaining this persistent
security is exacerbated by workloads that move from one
data center to another or even across clouds (for example, a
live migration or for disaster recovery purposes).
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Another random document with
no related content on Scribd:
come will never more see an epic. One race may grow feeble and
decrepit and be unable to do any more work; but another may take
its place. After a time the Greek and Latin writers found that they had
no more to say; and a critic belonging to either nationality might have
shaken his head and said that all the great themes had been used
up and all the great ideas expressed; nevertheless, Dante,
Cervantes, Molière, Schiller, Chaucer, and Scott, then all lay in the
future.
Again, Mr. Pearson speaks of statecraft at the present day as
offering fewer prizes, and prizes of less worth than formerly, and as
giving no chance for the development of men like Augustus Cæsar,
Richelieu, or Chatham. It is difficult to perceive how these men can
be considered to belong to a different class from Bismarck, who is
yet alive; nor do we see why any English-speaking people should
regard a statesman like Chatham, or far greater that Chatham, as an
impossibility nowadays or in the future. We Americans at least will
with difficulty be persuaded that there has ever been a time when a
nobler prize of achievement, suffering, and success was offered to
any statesman than was offered both to Washington and to Lincoln.
So, when Mr. Pearson speaks of the warfare of civilized countries
offering less chance to the individual than the warfare of savage and
barbarous times, and of its being far less possible now than in old
days for a man to make his personal influence felt in warfare, we can
only express our disagreement. No world-conqueror can arise save
in or next to highly civilized States. There never has been a
barbarian Alexander or Cæsar, Hannibal or Napoleon. Sitting Bull
and Rain-in-the-Face compare but ill with Von Moltke; and no Norse
king of all the heroic viking age even so much as began to exercise
the influence upon the warfare of his generation that Frederick the
Great exercised on his.
It is not true that character of necessity decays with the growth of
civilization. It may, of course, be true in some cases. Civilization may
tend to develop upon the lines of Byzantine, Hindoo, and Inca; and
there are sections of Europe and sections of the United States where
we now tend to pay heed exclusively to the peaceful virtues and to
develop only a race of merchants, lawyers, and professors, who will
lack the virile qualities that have made our race great and splendid.
This development may come, but it need not come necessarily, and,
on the whole, the probabilities are against its coming at all.
Mr. Pearson is essentially a man of strength and courage. Looking
into the future, the future seems to him gray and unattractive; but he
does not preach any unmanly gospel of despair. He thinks that in
time to come, though life will be freer than in the past from dangers
and vicissitudes, yet it will contain fewer of the strong pleasures and
of the opportunities for doing great deeds that are so dear to mighty
souls. Nevertheless, he advises us all to front it bravely whether our
hope be great or little; and he ends his book with these fine
sentences: “Even so, there will still remain to us ourselves. Simply to
do our work in life, and to abide the issue, if we stand erect before
the eternal calm as cheerfully as our fathers faced the eternal unrest,
may be nobler training for our souls than the faith in progress.”
We do not agree with him that there will be only this eternal calm
to face; we do not agree with him that the future holds for us a time
when we shall ask nothing from the day but to live, nor from the
future but that we may not deteriorate. We do not agree with him that
there is a day approaching when the lower races will predominate in
the world and the higher races will have lost their noblest elements.
But after all, it matters little what view we take of the future if, in our
practice, we but do as he preaches, and face resolutely whatever
fate may have in store. We, ourselves, are not certain that progress
is assured; we only assert that it may be assured if we but live wise,
brave, and upright lives. We do not know whether the future has in
store for us calm or unrest. We cannot know beyond peradventure
whether we can prevent the higher races from losing their nobler
traits and from being overwhelmed by the lower races. On the whole,
we think that the greatest victories are yet to be won, the greatest
deeds yet to be done, and that there are yet in store for our peoples
and for the causes that we uphold grander triumphs than have ever
yet been scored. But be this as it may, we gladly agree that the one
plain duty of every man is to face the future as he faces the present,
regardless of what it may have in store for him, and, turning toward
the light as he sees the light, to play his part manfully, as a man
among men.
FOOTNOTES:
[21] The Sewanee Review, August, 1894.
XIV
“SOCIAL EVOLUTION”[22]
FOOTNOTES:
[22] North American Review, July, 1895.