The Truth About Micro-Segmentation: Healthy Heterogeneity (Part 3)

“Civilization is a progress from indefinite, incoherent homogeneity toward a definite, coherent heterogeneity.”  ― Herbert Spencer

In my prior two posts, I covered the proverbial “bait and switch” of macrosegmentation for microsegmentation and the differences between visibility and application dependency mapping in security. In this concluding post, I want to focus on the dangers of “monoculture” in security and computing operations.

Today’s data center and cloud environments have hatched more healthy innovation than we can remember in a generation.  For computing formats, we are in a post-virtualization era, where containers and “serverless” formats are rapidly gaining ground and forced to run alongside legacy approaches.  The maturation of the API economy has resulted in applications that are more dynamic and distributed, spanning multiple data centers and clouds.  To wit, in the past year, I have seen single distributed applications that run within and across over 35 data centers.

So why would anyone choose a data center and cloud microsegmentation solution that is boat-anchored to those fixtures of the client-server era, the network and the hypervisor?

Today, there are three types of segmentation architectures: network-centric, hypervisor-centric, or distributed (e.g., host-centric).

Network Segmentation Architecture

Let’s take a look at each one and review the puts and takes of each approach.

In the Network

Segmentation, whether it is performed in a switch or a firewall, was designed during the era of static workloads and excels at “North/South” traffic flows, where “big iron” plays an important role from a throughput or lookup perspective.  High-capacity firewalls are terrific at filtering inbound traffic with granular flow analysis and prove useful for clustered storage and aging legacy computing platforms such as the IBM AS/400.

The challenges of this model are its reliance on proprietary, operationally complex hardware, where replacing hardware can prove daunting from a cost or availability perspective.  Hardware solutions do not translate to cloud environments such as Amazon Web Services or Microsoft Azure, and the “virtualized” versions of hardware solutions – i.e., running on a virtual machine – have serious throughput limitations and create fragility through service-chaining or traffic-steering challenges.  When can service-chaining be a bullet-proof approach?

Data centers increasingly must be optimized for lateral traffic (approximately 80% of all DC traffic) as speed and agility become the most important drivers for IT and Security teams.  In the new IT economy, applications are the new profit centers while infrastructure remains a cost center.

In the Hypervisor

Segmentation in the hypervisor was designed to filter traffic through hypervisor-attached firewalls or, increasingly, network virtualization such as VMware NSX.  Each hypervisor has visibility into its traffic flows and can enforce security policies locally.

The benefits of such an approach include visibility into overlay software-defined networks and prevention of out-of-policy traffic before it hits the physical network.  In homogeneous environments, hypervisor-centric segmentation can provide programmable APIs that eliminate some of the manual work associated with firewall management.

The limitations however are well understood:

• Poor support for legacy servers, NAS, bare-metal, containerized or public cloud workloads

• Limited support for heterogeneous virtualization environments

• No knowledge of processes or services initiating traffic

• Adds hypervisor overhead

• Potential scale limitations, including for Application Dependency Mapping

Distributed Segmentation

The newest form of microsegmentation is derived from an overlay approach that is decoupled from the infrastructure yet takes advantage of packet filtering in the operating system (e.g., the Windows Filtering Platform, or iptables and the Berkeley Packet Filter in Linux) or in other devices (layer 4 firewalls in load balancers, ACLs in network switches).  This approach lets security professionals craft policy centrally and distribute enforcement for scale.

The benefits of this approach include:

• Complete application visibility, regardless of underlying infrastructure

• Insight into processes and services establishing connections

• Bare-metal, VMs & containers; On-prem and/or in the cloud

• Stops out-of-policy traffic before it hits the physical network

• Integration into heterogeneous environments

• Programmable APIs

Limitations include a lack of need among smaller, single-vendor customers with 100% virtualized workloads, and perceived concerns with agents installed for telemetry collection.
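As an added example (not code from this column or from any vendor product), the Python below sketches the “craft policy centrally, enforce locally” model: a label-based policy that never mentions VLANs, hypervisors or hostnames is compiled into each host’s iptables INPUT chain with a default-deny. The workloads, labels, addresses and port are constructed for illustration.

```python
# Added example: compile a central label-based segmentation policy into per-host
# iptables rules. Workloads, labels, addresses and ports are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # (key, value) pairs, e.g. ("tier", "web")

@dataclass(frozen=True)
class Rule:
    src: frozenset  # label selector a source must satisfy
    dst: frozenset  # label selector a destination must satisfy
    port: int       # TCP destination port

def matches(workload, selector):
    """True when every (key, value) in the selector is on the workload."""
    return selector <= workload.labels

def compile_host(host, inventory, rules):
    """Render one host's INPUT chain: default-deny, then only the flows the
    central policy permits towards this host, keyed by peer IP and port."""
    lines = [
        "-P INPUT DROP",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for rule in rules:
        if not matches(host, rule.dst):
            continue  # rule does not target this host; nothing to enforce here
        for peer in inventory:
            if peer is not host and matches(peer, rule.src):
                lines.append(f"-A INPUT -s {peer.ip}/32 -p tcp "
                             f"--dport {rule.port} -j ACCEPT")
    return lines

# Constructed inventory: two web tiers on different networks, one database,
# and an unrelated app. The policy names labels only, never VLANs or hosts.
INVENTORY = [
    Workload("web1", "10.1.0.11", frozenset({("app", "shop"), ("tier", "web")})),
    Workload("web2", "172.16.5.20", frozenset({("app", "shop"), ("tier", "web")})),
    Workload("db1", "10.1.2.50", frozenset({("app", "shop"), ("tier", "db")})),
    Workload("rpt1", "10.1.3.9", frozenset({("app", "reports"), ("tier", "web")})),
]
POLICY = [Rule(frozenset({("app", "shop"), ("tier", "web")}),
               frozenset({("app", "shop"), ("tier", "db")}), 5432)]

if __name__ == "__main__":
    for host in INVENTORY:
        print(f"# {host.name}\n" + "\n".join(compile_host(host, INVENTORY, POLICY)))
```

Because the rules are rendered per host from the same central policy, a workload on a new hypervisor, a bare-metal box or a cloud instance gets the same enforcement as soon as it carries the right labels, and hosts no rule targets end up with only the default-deny scaffold.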

If your world is increasingly distributed, dynamic, heterogeneous and hybrid, the architectural choice is clear. 
