What’s the Best Way to Secure East-West Traffic?

I’ll start of by saying that I don’t know the answer to this question. Disappointing as that might be, I think it’s fair to say that neither does anyone else right now.  Sure, there are lots of models being proposed but I’m not seeing a consensus amongst vendors or customers. So why bother writing? Well it’s an interesting topic and I’m fresh from being a Socratic observer of a beer and tater tot (google it non-US based readers, they are wrong, but they are good) fueled ‘debate’ between two of my colleagues who are far more knowledgeable than me. What I managed to establish though my usual habit of asking dumb questions was this:-

1) There is a clear need for appropriate east-west application traffic control. Lots of the high profile attacks have breached the security perimeter in one location and spread horizontally to high value systems.

2) There are a number of ways to remediate this weakness

3) Without better application traffic flow visualization and more automated policy management, they are all going to suck.

 

So whether you believe that the way to solve this issue is ‘micorsegmentation’ – deploying firewall-like technology to secure traffic on  source:destination:port between all machines or that a robust trust mechanism using digital certificates to establish identity between devices is best, it’s pretty clear to me that you’re not going to be managing it in a spreadsheet. Furthermore to make the whole thing workable the config has to be tied to the application and exist in that context, not in the context of the infrastructure components providing the service – or every time you shift an application around you are going to have a huge reconfiguration headache. Your security configuration is going to have to be driven from the same orchestration system that manages the rest of the infrastructure. To add another requirement in here, unless you are a lucky enough to be designing a ‘green field’ environment you are going to need tools to accurately map and classify the data flows in your infrastructure, and then use that data to drive the policy creation.  It’s all going to have to hang together – which implies a set of robust and comprehensive API’s. The good news is that all the buzz around software defined data centers is helping drive some of the integration we are going to need. The bad news is that I don’t see that it’s there yet.

So in summary: Deciding the controls to use in your east-west security is only (or maybe less than) half the battle. Finding automated ways to create, deploy and update the policy is going to be a challenge all security vendors, F5 included, will need to meet. Oh and tater tots and IPA make for a lively conversation.