It’s a network jungle these days, with predators relentlessly searching for ways to infiltrate corporate resources. IT leaders are responding with a variety of microsegmentation approaches, all designed to isolate workloads from each other and prevent unauthorized lateral movement. We asked three enterprises to share why they deployed microsegmentation technology in their networks and how it’s working. Here are their stories.
Distributed firewalls via VMware NSX
Todd Pugh, CIO at food products manufacturer SugarCreek, manages a fully virtualized private data center. Like his counterparts at organizations worldwide, his goal is simple: to frustrate and deter network attackers. “Above all, we protect our databases,” he says. “We do anything and everything to keep uninvited guests out of our databases.”
These days, that requires more than traditional perimeter protection. “In the early days, everything was protected from the outside-in using firewalls at the edge,” Pugh says. As attackers refined their skills, basic edge protection could no longer be counted on: once an attacker is inside the perimeter, an edge firewall sees none of the east-west traffic between workloads. “We discovered that firewalls needed to be closer to the data,” he says.
The solution is to break the infrastructure into microsegments, with a firewall guarding each resource. “Our approach is using VMware NSX, which lets us put a distributed firewall right next to each application or VM,” Pugh says. “With microsegmentation we protect our infrastructure at every layer of the stack so that if something ultimately happens, any sort of breach could potentially be confined to just that one layer.”
Pugh believes that multiple microsegments, each guarded by its own firewall, are the best way to defend against attacks without compromising performance. “The beauty of the distributed virtual firewalls is that if virtual machines need to communicate, and they are on the same host, then the traffic never leaves the host,” he observes. “It shortens the path to get between the data.”
The speed improvement has been impressive. “You’re going from gig speeds of the network to bus speeds of hosts, which is dramatically faster,” Pugh says. “Then, as things move to the cloud, we’ve already established firewalls within NSX, so if we move things from our data center to a cloud, be it a hyperscaler or a public private cloud, the firewall rules follow the application.”
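What a per-workload policy of the kind Pugh describes looks like in practice, as an added example that is not SugarCreek’s or VMware’s code: a security group defined by VM tag rather than IP address (which is what lets the rules follow the application when it moves), a policy that allows only the app tier to reach the database service, and an explicit default deny applied on the database VMs’ own virtual NICs. The field names follow the NSX-T Policy API as the author understands it and the built-in service path `/infra/services/MySQL` is assumed; the `evaluate()` function is a simplified first-match model of the distributed firewall for checking the policy offline, not the real enforcement engine.

```python
"""Tag-based microsegmentation policy in the style of the NSX-T Policy API.

Added example. Field names (Group/Condition/Rule) follow the NSX-T Policy API
as the author understands it (assumption); "/infra/services/MySQL" is assumed
to be the built-in MySQL service. evaluate() is a simplified model of
distributed-firewall first-match semantics, not the real enforcement engine.
"""
import json

DOMAIN = "/infra/domains/default"


def group(gid, tag):
    """Group whose members are VMs carrying a tag, so policy follows the VM."""
    return {
        "id": gid,
        "display_name": gid,
        "expression": [{
            "resource_type": "Condition",
            "member_type": "VirtualMachine",
            "key": "Tag",
            "operator": "EQUALS",
            "value": tag,
        }],
    }


def rule(name, src, dst, services, action, scope):
    """One firewall rule; `scope` is the set of groups whose vNICs enforce it."""
    return {
        "resource_type": "Rule",
        "display_name": name,
        "source_groups": src,
        "destination_groups": dst,
        "services": services,
        "action": action,
        "scope": scope,
        "direction": "IN_OUT",
    }


def db_policy():
    """Allow app tier -> db on MySQL; drop everything else reaching db VMs."""
    db = f"{DOMAIN}/groups/db"
    app = f"{DOMAIN}/groups/app"
    return {
        "id": "protect-db",
        "display_name": "protect-db",
        "category": "Application",
        "rules": [
            rule("app-to-db", [app], [db], ["/infra/services/MySQL"], "ALLOW", [db]),
            # Without this, traffic to db VMs falls through to the default rule.
            rule("db-default-deny", ["ANY"], [db], ["ANY"], "DROP", [db]),
        ],
    }


# --- simplified offline evaluator (constructed for this example) ---
GROUP_TAGS = {f"{DOMAIN}/groups/app": "app", f"{DOMAIN}/groups/db": "db"}
SERVICE_PORTS = {"/infra/services/MySQL": {("TCP", 3306)}}


def _matches(vm_tags, group_paths):
    return "ANY" in group_paths or any(GROUP_TAGS[g] in vm_tags for g in group_paths)


def evaluate(policy, src_tags, dst_tags, proto, port, default="ALLOW"):
    """First matching rule wins; a rule only applies on vNICs inside its scope.
    `default` models the out-of-the-box default rule (allow on a fresh install)."""
    for r in policy["rules"]:
        if not (_matches(src_tags, r["scope"]) or _matches(dst_tags, r["scope"])):
            continue
        svc_ok = "ANY" in r["services"] or any(
            (proto, port) in SERVICE_PORTS[s] for s in r["services"])
        if (_matches(src_tags, r["source_groups"])
                and _matches(dst_tags, r["destination_groups"]) and svc_ok):
            return r["action"]
    return default


if __name__ == "__main__":
    print(json.dumps([group("app", "app"), group("db", "db"), db_policy()], indent=2))
    print(evaluate(db_policy(), {"app"}, {"db"}, "TCP", 3306))  # ALLOW
    print(evaluate(db_policy(), {"web"}, {"db"}, "TCP", 3306))  # DROP
```

The check worth running before pushing such a policy is the negative case: a VM that carries no `app` tag, or a permitted VM on a non-database port, must hit the deny rule, and traffic that never touches a database VM must be unaffected by this policy at all.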