
Micro-segmentation (MSG)

2022-06-13 06:59:00 PolarDay.


Reference article: Achieving zero trust with "micro-segmentation"
Reference video: Not just firewalls! Zero trust with micro-segmentation

Definition

Micro-segmentation (MSG) is a network security technology whose core capability is the isolation of east-west traffic. It lets the security architect logically divide the data center into distinct security segments, down to the level of individual workloads, and then define the security controls and services delivered to each segment.
It is a software-centric approach: instead of installing many physical firewalls, micro-segmentation can deploy flexible security policies deep inside the data center.

Data flow
North-south traffic: traffic entering and leaving the data center through the gateway. Firewalls are generally deployed at the data center egress to protect north-south traffic.
East-west traffic: internal traffic generated by servers inside the data center accessing one another. According to statistics, more than 75% of the traffic in contemporary data centers is east-west.

Composition

Unlike traditional firewall isolation at a single point on the perimeter (where the control platform and the policy enforcement unit are coupled in one device), a micro-segmentation system separates the control center platform from the policy enforcement units, making it distributed and adaptive:

Policy control center: the central brain of the micro-segmentation system. It needs the following key capabilities:

  1. Visualize the access relationships between internal systems and business applications, so that platform users can quickly map out internal access relationships;
  2. Quickly group the workloads that need to be isolated according to multi-dimensional labels such as role and business function;
  3. Flexibly configure isolation policies between workloads and between business applications; policies can be configured and migrated adaptively according to workgroup and workload.

Policy enforcement unit: the unit of work that implements traffic monitoring and isolation policy. It can be a virtualization device or a host agent.

Implementation methods

1. Agent-based micro-segmentation

This mode requires an agent on each server's operating system. The agent calls the host's own firewall or a custom kernel firewall to control access between servers.
In the architecture diagram, the red box on the right is the management platform, responsible for formulating policies and collecting information.
Advantages: independent of the underlying infrastructure; supports containers; supports multi-cloud.

Disadvantages: an agent client must be installed on every server. Some worry about its resource consumption and about affecting existing business.

2. Micro-segmentation based on cloud-native capabilities

Uses the firewall function of the virtualization devices in the cloud platform infrastructure for access control.
Advantages: the isolation function and the infrastructure are both provided by the cloud, so compatibility between them is better and the operating interfaces are similar.

Disadvantages: unified management and control across multiple cloud environments is not possible.

3. Micro-segmentation based on third-party firewalls

Uses existing firewalls for access control.
Advantages: network staff are familiar with them, and they come with intrusion detection, anti-virus and other functions.

Disadvantages: the firewall itself runs on top of the servers and lacks control over the underlying layer.

Capabilities

  • Fine-grained visibility of business traffic: traffic between hosts, server rooms and business systems is visible
  • Reduced internal attack surface: less exposure of internal interfaces and permissions, shrinking the attackable area
  • Business-based policy creation: decoupled from the network structure, improving the policy creation process
  • Flexible division of isolation domains: configure environment isolation, business isolation and end-to-end isolation policies
  • Centralized visual management of security policies: match security policy to workflow through the management interface

Advantages

  • Policy model: business-oriented, fine-grained definition of east-west boundaries
  • Policy enforcement: automation adapts to business changes instead of manual static configuration
  • Policy management: from decentralized management to centralized management

Implementation steps

  1. Define assets: group assets (services, business systems, etc.) logically
  2. Map out the business model: identify service security domains; self-learn network traffic, self-discover and self-describe service security domains
  3. Design micro-segmentation groups: security policy groups, system security domains, tenant security domains, business security domains
  4. Enforce protection: block or allow according to policy; a newly added workload joins its domain automatically
  5. Continuous monitoring: quickly discover internal penetration, lateral movement, scanning, ransomware, virus spread, etc.; block logs and abnormal-behaviour alerts
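As an added example (not code from the original article), here is a minimal model of the control-center logic described under Composition and in the implementation steps: workloads carry labels, policies are written between label groups rather than hosts, each host's agent receives a compiled default-deny allow list, a new workload with matching labels joins its domain with no policy edit, and blocked flows become the block log. All workload names, labels and ports are constructed.

```python
# Constructed inventory: workload name -> labels (the control center's
# role / business tags). All names, tags and ports here are made up.
WORKLOADS = {
    "web-1": {"role": "web", "app": "shop"},
    "web-2": {"role": "web", "app": "shop"},
    "api-1": {"role": "api", "app": "shop"},
    "db-1":  {"role": "db",  "app": "shop"},
    "hr-db": {"role": "db",  "app": "hr"},
}

# Allow rules are written between label selectors, not between hosts:
# (source selector, destination selector, destination port).
RULES = [
    ({"role": "web", "app": "shop"}, {"role": "api", "app": "shop"}, 8080),
    ({"role": "api", "app": "shop"}, {"role": "db",  "app": "shop"}, 5432),
]

def matches(labels, selector):
    """A workload matches a selector when every selector label agrees."""
    return all(labels.get(k) == v for k, v in selector.items())

def compile_host_rules(host, workloads=WORKLOADS, rules=RULES):
    """Allow list the agent pushes into this host's firewall; anything
    not listed is dropped, i.e. default-deny for east-west traffic."""
    allowed = set()
    for src_sel, dst_sel, port in rules:
        if matches(workloads[host], dst_sel):
            for peer, labels in workloads.items():
                if peer != host and matches(labels, src_sel):
                    allowed.add((peer, port))
    return sorted(allowed)

def evaluate_flow(src, dst, port, workloads=WORKLOADS, rules=RULES):
    """Decision the enforcement unit takes for one observed connection."""
    for src_sel, dst_sel, p in rules:
        if (p == port and matches(workloads[src], src_sel)
                and matches(workloads[dst], dst_sel)):
            return "allow"
    return "block"

def block_log(flows, workloads=WORKLOADS, rules=RULES):
    """Step 5: blocked flows become log lines for abnormal-behaviour alerts."""
    return [f"BLOCK {s}->{d}:{p}" for s, d, p in flows
            if evaluate_flow(s, d, p, workloads, rules) == "block"]

if __name__ == "__main__":
    # A new workload with matching labels joins its domain; no rule is edited.
    grown = {**WORKLOADS, "web-3": {"role": "web", "app": "shop"}}
    print(compile_host_rules("api-1", grown))
    print(block_log([("web-1", "db-1", 5432), ("api-1", "hr-db", 5432)]))
```

Note that hr-db receives an empty allow list even though it shares the db role with db-1: the app label keeps the two business systems in separate isolation domains.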

Copyright notice
This article was written by PolarDay.; please include the original link when reposting. Thank you.
https://yzsam.com/2022/164/202206130653186498.html
