Step 2 to microsegmentation: Assessing your network function
If you’re not sure exactly how much data exists within your organization, where it goes, and what applications use it, welcome to the club.
You’re definitely not alone in having this blind spot. But if you’re planning for microsegmentation, you’ll need to see exactly how it all flows.
After putting together your plan, the next and perhaps most crucial step in microsegmentation is assessing how your network functions: What data exists within it, where does it pass through, and what applications use it? If you work at a large organization, this can be a tall order.
Luckily, you don’t need to pore over thousands of data points with a magnifying glass. There are tools that analyze and document data processes for you, and using them can make the difference between success and failure.
Why assessment is so crucial to microsegmentation
Organizations tend to get three things wrong when microsegmenting their network: They a) skip the assessment stage completely, b) analyze too much data at once, and c) don’t assess their network thoroughly.
Don’t skip from your planning stage to writing the rules – that’s a recipe for incorrect rules. Rather, validate your rules with actual evidence of your compute situation to catch weak spots early on and mitigate disastrous situations like blocking the wrong data, stalling operations, and causing applications to fail.
When digging into data, focus on one application at a time, and then focus on the data communication for that application. Working through the assessment phase is easier when you compartmentalize.
Monitoring your network during the workday is important for data tracking, but did you check the logs from a 24-hour period? How about the weekend? And what about those month-end jobs? You want a full-scale snapshot of your data to document any intervals and variables, so monitor and log your network activity 24/7.
There are several tools that can help ensure accuracy and efficiency during this process, with varying levels of automation depending on what you can afford.
Tools of the trade
Note that we’re assuming your organization already runs a vSphere infrastructure.
vRealize Network Insight. This is probably the best tool for assessing. It uses the communication between distributed switches and/or NSX to track conversations between all the virtual machines in an environment. Using these paths of communication, vRealize Network Insight documents flows of data to identify specific lanes of traffic between each virtual machine and the internet, including what pit stops the data takes along the way. Once vRealize Network Insight determines each path, it generates an interactive, color-coded wheel to visually illustrate how the data travels.
When vRealize Network Insight works in conjunction with NSX, it has the ability to create the firewall rules for you, and provides suggestions on where to place other rules. When used correctly and effectively, vRealize Network Insight is a valuable tool that takes on about 40 percent of the work for you.
The downside? A big price tag. While it’s straightforward to use and provides a quick turnaround on the investment, the cost may be a deal breaker. If so, there are other useful options.
NSX’s packet capture tool. If you have VMware NSX, there’s a built-in packet capture tool that lets you put a sniffer on specific VMs. That way you can capture where network traffic is going to and coming from for each one. Similar to any other sniffer on a physical network, it gathers packets, and you can then build your own manual map of the paths.
Exporting the captured data into the free tool Wireshark for analysis lets you search through and narrow down a massive amount of information. How long the process takes depends on what role the VM plays. If it governs a month-end process, for example, you might need to gather data for a full month to understand the full scope of the traffic.
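To illustrate the manual mapping described above, and the earlier advice to work one application at a time while logging around the clock, here is an added example (not code from the original post or from any VMware tool). It assumes a constructed key=value export format for captured flows and constructed sample records; it groups each application’s distinct flows by the time window in which they were seen, so flows that only show up at night, on weekends, or at month end are flagged before the allow rules are written.

```python
# Added example, not from the original post: summarize captured flows for one
# application across time windows. The record format and sample data are constructed.
import calendar
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: a billing app captured over a full month (UTC timestamps).
SAMPLE_FLOWS = """\
2024-03-12T10:05:00Z app=billing src=10.0.1.5 dst=10.0.2.9 dport=5432 proto=tcp
2024-03-16T11:00:00Z app=billing src=10.0.1.5 dst=10.0.3.4 dport=443 proto=tcp
2024-03-19T02:30:00Z app=billing src=10.0.1.5 dst=10.0.4.7 dport=445 proto=tcp
2024-03-31T23:10:00Z app=billing src=10.0.1.5 dst=10.0.5.2 dport=22 proto=tcp
2024-03-31T23:12:00Z app=billing src=10.0.1.5 dst=10.0.2.9 dport=5432 proto=tcp
2024-03-12T10:07:00Z app=hr src=10.0.9.1 dst=10.0.2.9 dport=5432 proto=tcp
"""

def parse_flow(line):
    """Parse one 'timestamp key=value ...' record; return (ts, fields) or None if malformed."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (IndexError, ValueError):
        return None
    return ts, dict(p.split("=", 1) for p in parts[1:] if "=" in p)

def time_window(ts):
    """Classify a timestamp; month_end takes precedence over weekend and off_hours."""
    if ts.day >= calendar.monthrange(ts.year, ts.month)[1] - 1:
        return "month_end"          # last two calendar days of the month
    if ts.weekday() >= 5:
        return "weekend"
    return "business" if 8 <= ts.hour < 18 else "off_hours"

def flows_for_app(text, app):
    """Map each distinct (src, dst, dport, proto) of `app` to the windows it was seen in."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_flow(line)
        if parsed is None or parsed[1].get("app") != app:
            continue
        ts, f = parsed
        if all(k in f for k in ("src", "dst", "dport", "proto")):
            seen[(f["src"], f["dst"], f["dport"], f["proto"])].add(time_window(ts))
    return dict(seen)

def rule_candidates(text, app):
    """Allow-rule candidates for `app`; flags flows never seen during business hours."""
    return [{"src": s, "dst": d, "dport": p, "proto": pr, "windows": sorted(w),
             "only_outside_business": "business" not in w}
            for (s, d, p, pr), w in sorted(flows_for_app(text, app).items())]
```

A flow flagged as seen only outside business hours is exactly the kind a daytime-only capture would miss; review it with the application owner before deciding whether it belongs in the rule set.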
vRealize Log Insight. This tool provides a GUI for easily searching through data collection logs. Once you set up test firewall rules that match and log traffic without blocking it, you can track data movements. There is a downside to vRealize Log Insight: Truthfully, it’s not meant to be a packet capture tool. It works for microsegmentation, but it’s like using the handle of a screwdriver to hammer in a nail: It works, but it’s not the most efficient tool. It’s also important to note that vRealize Log Insight does not operate on physical machines.
Snort. If budget tightly constrains your software options for microsegmentation, Snort is basically an open source syslog collector. It analyzes traffic and documents it. It’s a helpful open collection tool, but it’s hefty to install and not something for small shops.
What happens next?
It’s true that assessing all the data on your network can be a time-consuming process; however, if you want a successful network microsegmentation, using the right tools to conduct exhaustive data analysis is essential.
Let’s review: You’ve made a plan and documented your network traffic. Now, it’s time to implement the pre-determined rules. In this series’ final post, we’ll cover the ultimate step in the microsegmentation process: implementation.