Microsegmentation: How to implement rules and avoid roadblocks
It’d be an easy assumption that implementation should be the simplest part of the microsegmentation process.
While creating a thorough plan and conducting in-depth analysis will make implementing your rules easier, this process is actually meticulous and cyclical – just because you’re finally applying the rules doesn’t mean you’re finished. You’ll need to continue to monitor and collect data to ensure everything is working the way you expected, and more than likely you’ll need to go back and fix things along the way.
Implementing your rules is as detail-oriented as the planning and analysis was, so you’ll need to follow a defined process. In the final part of our three-part series, we’ll walk you through how to do exactly that.
How to implement microsegmentation rules
After your team has gathered all the data and information from the analysis phase, it’s time to put the rules in place where you’ve determined they need to be.
When you start applying the rules, put them in log-only mode at first. Starting with logging rules lets you collect the data to confirm a rule behaves the way you expect before it actually affects applications.
Focus on one application at a time and log a full cycle of data. For example, if it’s an application that runs once a week at a determined interval, you want to collect a full week’s worth of log data. If you already utilize a test environment, test these rules in your sandbox before applying them to production.
Once the rule has been in place for a full cycle and seems to be working the way you planned, flip the switch, but continue to log all data coming to and from that application. You still want to be notified of any blocks occurring.
This helps you be proactive in the long run: If you receive a notification that something was incorrectly blocked, then you can preemptively catch on to these issues before they affect any end users.
After this, it’s wash, rinse, repeat. Follow the same process with each individual rule, and make sure to never take your eye off of those blocking notifications.
Implementing microsegmentation requires you to move slowly and be fastidious. Even if you’re dotting every i and crossing every t, you can still run into some typical issues. Here are the most common ones you might encounter and how to solve them.
- You have an application that just isn’t behaving the way you expected it to. This is mitigated by exhaustive up-front analysis and thorough logging. If you don’t understand the way an application works, you can inadvertently derail your applications and cause blocks where they shouldn’t occur.
- You don’t give yourself enough time. Short timetables are the enemy of successful microsegmentation. This happens when leadership doesn’t have a clear understanding of the project scope, or an organization just wants it finished quickly, forcing the engineering team to cut corners. Don’t cause an outage by rushing through the process. Take your time.
- You’re in the mindset of “it works, don’t touch it.” It’s understandable that after the lengthy and stressful procedure of completing microsegmentation that you might want to wash your hands of it and call the project a success. In reality, there needs to be some type of review process in place. Applications change over time, processes change over time, your organization grows, and your firewall rules need to evolve alongside those changes. Cleaning up old information and rules that eventually become obsolete also increases performance.
- You don’t have a step in your change management to verify rules. This piggybacks off the last point, but you need to take the time to double check that your rules are a) still working and b) still necessary. It’s easier to see what rules are applied to an individual virtual machine with NSX than it is to identify and clean up traditional firewall blocks based on ports or IP addresses. Break up the rules into chunks and look at smaller subsets on a regular basis against a pre-determined cycle to keep your microsegmentation plan up-to-date and running smoothly.
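The log-only pass described above and the per-cycle rule review from the last bullet, as an added example that is not from the post: a small Python simulation with a constructed rule set and one cycle of constructed flow records (all names and addresses are made up; the first-match-wins logic is a generic policy model, not NSX’s own semantics). Running the same flows with enforce=False and then enforce=True shows what log-only mode would have surfaced before the switch was flipped, and which allow rules never fired and belong on the review list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int    # destination port, 0 means any
    action: str  # "allow" or "deny"

# Constructed policy for a hypothetical weekly payroll app; names and addresses are made up.
RULES = [
    Rule("payroll-web-to-db", "10.1.1.0/24", "10.1.2.10/32", 5432, "allow"),
    Rule("legacy-report-to-db", "10.9.9.9/32", "10.1.2.10/32", 5432, "allow"),
    Rule("default-deny-db", "0.0.0.0/0", "10.1.2.10/32", 0, "deny"),
]
# Constructed flow log for one full weekly cycle: (src, dst, dst_port).
FLOWS = [
    ("10.1.1.20", "10.1.2.10", 5432),
    ("10.1.1.21", "10.1.2.10", 5432),
    ("10.1.4.7", "10.1.2.10", 5432),  # monitoring host nobody documented
    ("10.1.1.20", "10.1.2.10", 22),   # SSH from the web tier
]

def matches(rule, flow):
    src, dst, port = flow
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.port in (0, port))

def evaluate(rules, flows, enforce):
    # First match wins; no match is an implicit deny. enforce=False is the
    # log-only pass: deny verdicts are recorded but nothing is dropped.
    hits = {r.name: 0 for r in rules}
    log = []
    for flow in flows:
        rule = next((r for r in rules if matches(r, flow)), None)
        verdict = rule.action if rule else "deny"
        if rule:
            hits[rule.name] += 1
        applied = "dropped" if enforce and verdict == "deny" else "passed"
        log.append((flow, rule.name if rule else "<implicit-deny>", verdict, applied))
    return log, hits
def blocks(log):
    # Deny verdicts: investigate before flipping the switch, keep watching after.
    return [entry for entry in log if entry[2] == "deny"]
def unused_allow_rules(rules, hits):
    # Allow rules that matched nothing in a full cycle: review candidates.
    return [r.name for r in rules if r.action == "allow" and hits[r.name] == 0]
```

In the constructed data the undocumented monitoring host and the SSH flow show up as deny verdicts while nothing is dropped, which is exactly the kind of surprise the log-only cycle is meant to catch before users notice.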
Don’t forget to document
There’s one common thread throughout this whole process that will make your life easier: documentation. If there’s one thing you take away from this post, it’s to document more, document often, and document all the details.
As you go through implementing your rules, documenting why the rule was placed, how it was placed, and any and all errors, repairs, and modifications will allow for more organic growth and an easier transfer of responsibilities.
If you don’t have time to document everything at once, divide and conquer. Documentation is often everyone’s least favorite topic, but in the case of microsegmentation, it’s one of the more important steps.
Finish the process
Starting the microsegmentation journey can be intimidating, the analysis phase can be overwhelming, and the implementation phase may just feel repetitive. But by the end of it all, you’ll have strengthened your organization’s security, streamlined application communication, and made a detailed map of your network and the applications within it.
Want to learn more about how to get started with microsegmentation? Send any questions or comments to me at Benjamin_Hinkle@SHI.com.