micro segmentation – a perfect fit for microservices
TRANSCRIPT
Microsegmentation – a perfect fit for Microservices security
Anthony Chow @vCloudernBeer
http://cloudn1n3.blogspot.com
VMworld 2015 vBrownBag TechTalk
What are Microservices?
◦ An architecture for application deployment: monolithic -> small and autonomous
◦ Deployed as separate services/entities
◦ Communicate via network calls
◦ A new trend for deploying applications: agile, scalable, highly available
Monolithic vs Microservices (Star Wars version)
Microservices companion technologies
◦ DevOps – shares the same ideas as Microservices: agile, scalable
Microservices companion technologies
◦ Docker – enables a streamlined Microservices architecture: minimum overhead, quick provisioning
Cloud Native Application
◦ Microservices are part of the equation, along with DevOps and Linux Containers, for building a Cloud Native Application
◦ An application that takes full advantage of the cloud platform: agile, scalable, highly available
◦ Not a “one size fits all” solution
Microservices – opens up security risk
◦ Frequent deployment and short life span
◦ Increased east-west traffic
◦ Services are not as isolated
What is Microsegmentation?
◦ A security feature
◦ Group entities within a network into one unit and apply rules/policies to control the traffic in and out of the segment
◦ The concept is not new; the micro level was not feasible to implement before network virtualization
◦ Supporting principles:
◦ Apply security policy at the smallest granular level
◦ Zero trust security model
Major components for effective Microsegmentation (from an article by Scott Lowe)
◦ Network independent policy definition
◦ Centralized policy repository
◦ Distributed policy enforcement
How does Microsegmentation fit into Microservices security?
◦ Network independent definition -> security rules tailored to Microservices
◦ Centralized policy repository and distributed enforcement -> able to adapt to the dynamic and elastic nature of Microservices
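The three components above and their fit with short-lived services, as an added example that is not from the talk: a toy Python model (constructed service tags and addresses) where rules are keyed by service tag rather than IP, defined once in a central repository and evaluated at a per-host enforcement point, so a container that is replaced and returns on a new IP is still covered without touching the policy.

```python
# Toy model of microsegmentation for microservices (constructed example): rules are
# written against service tags rather than IP addresses, defined once in a central
# repository and pushed to per-host enforcement points; anything not listed is denied.
from dataclasses import dataclass, field

@dataclass
class PolicyRepository:
    """Central policy store: the only place rules are defined."""
    rules: set = field(default_factory=set)   # {(src_tag, dst_tag, port)}

    def allow(self, src_tag, dst_tag, port):
        self.rules.add((src_tag, dst_tag, port))

    def snapshot(self):
        return frozenset(self.rules)   # immutable copy handed to every enforcer

@dataclass
class HostEnforcer:
    """Distributed enforcement point, one per host; knows its local endpoints by tag."""
    rules: frozenset
    endpoints: dict = field(default_factory=dict)   # ip -> tag

    def register(self, ip, tag):
        self.endpoints[ip] = tag

    def deregister(self, ip):
        self.endpoints.pop(ip, None)

    def permits(self, src_ip, dst_ip, port):
        src_tag, dst_tag = self.endpoints.get(src_ip), self.endpoints.get(dst_ip)
        if src_tag is None or dst_tag is None:
            return False                      # zero trust: unknown endpoint is denied
        return (src_tag, dst_tag, port) in self.rules

def demo():
    repo = PolicyRepository()
    repo.allow("web", "api", 8080)
    repo.allow("api", "db", 5432)
    host = HostEnforcer(repo.snapshot())
    for ip, tag in [("10.0.0.11", "web"), ("10.0.0.12", "api"), ("10.0.0.13", "db")]:
        host.register(ip, tag)
    results = {"web->api": host.permits("10.0.0.11", "10.0.0.12", 8080),
               "web->db": host.permits("10.0.0.11", "10.0.0.13", 5432)}
    # The api container is short-lived: it is replaced and comes back on a new IP.
    # Tag-based rules keep working without any change to the repository.
    host.deregister("10.0.0.12")
    host.register("10.0.0.27", "api")
    results["web->api(new ip)"] = host.permits("10.0.0.11", "10.0.0.27", 8080)
    results["web->old api ip"] = host.permits("10.0.0.11", "10.0.0.12", 8080)
    return results
```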
VMware - NSX
◦ A networking and security solution
◦ Security is supported inherently by its architecture/design:
◦ Isolation
◦ Segmentation
◦ Segmentation with Advanced Services
Cisco – ACI (Application Centric Infrastructure)
◦ Policy definition separating segments from the broadcast domain
◦ “Tags” or “attributes” identify an endpoint regardless of its IP address
◦ End-point Groups act as microsegments
A new chapter in Docker networking - libnetwork
◦ Still under development
◦ Docker 1.7 (libnetwork rev 0.3)
◦ Docker 1.8 (libnetwork rev 1.0)
Container Network Model
◦ A plugin model – able to take advantage of well-developed 3rd-party networking and security infrastructure
◦ libnetwork – a pluggable interface
◦ Container Network Model (CNM) building blocks: Sandbox, Endpoint, Network