the microsegment

segment all the things

Thoughts on the Attack matrix for Kubernetes

This is just a datacenter

Introduction

In a recent blog post Yossi Weizman talks about the Attack matrix for Kubernetes, and I had a couple of thoughts about it. As Yossi rightly says, Kubernetes is becoming a vital part of the compute stack of many companies. What I hear in my network and during sessions with IT security teams is that they face new challenges with Kubernetes-based orchestration platforms. The container platforms are also perceived as a black box by traditional networking and IT security folks, so it makes sense to first understand the security risks that are inherent to those platforms.

The Service Mesh

What Every Software Engineer Needs to Know about the World's Most Over-Hyped Technology

Whenever you hear people speak about containers and container networking, there is a high chance of the Service Mesh coming up as a topic. It is a real hype, and while being on the twitters I discovered this great article by William Morgan of @BuoyantIO, the creator of Linkerd. William does a great job of explaining the technology, the use cases, what to use it for and what not to, and I have a couple of comments to add:

Mitre ATT&CK and Segmentation

When people think about their strategic IT security projects, they often think of the last incident they were affected by and try to mitigate that, often by using technology only. This is a valid approach and probably not so wrong, because we often see waves of incidents rolling in: the WannaCry wave, other ransomware waves, certain exploit kits or malware waves. So it makes some sense to concentrate on those threats when they happen.

The importance of outbound policy

Bill Cheswick, a pioneer in internet firewalls, became famous, besides establishing what we today know as the perimeter firewall, for the quote below describing his ideas on perimeter firewalls: "A sort of crunchy shell around a soft, chewy center." The quote and metaphor are still used a lot by security professionals around the world to describe the state of the internal network behind the perimeter firewall. A crunchy shell in the 1990s was exactly the thing you needed to be more secure from the threats found at that time.

Implementing Sensible Network Segmentation

Packet Pushers Tech Bytes about Network Segmentation with Tufin

A new week, a new Tech Bytes Packet Pushers podcast. This time Tufin markets their policy management, which was an interesting show, but I have some comments:

- I think it's a valid point to say that automated firewall policy management can make a business more agile, especially considering how long the change process normally takes and how we do it today.
- The whole point about understanding the topology sounds like this is really very slow to implement; it's hard to get any visibility, from what I hear and how I understand the Tufin platform.
- Zoning or very wide segmentation is nice, but what you really want is to be able to do finer grained segmentation without modifying or rearchitecting the network.
- Relying on hardware firewalls will never free you from the constraints of those devices, especially throughput limits, the hardware cycle that will just happen every three or five years, and the inability of a firewall to really be point to point and not zone to zone.
- I would assume that the integration of this is very hard; thank god it is usually owned by just one team, but what about outsourcers and system integrators?

Sage Data Security on why network segmentation is important

Nice article from Sage Data Security on why network segmentation is important.