microsegment.io

segment all the things

The importance of outbound policy

Bill Cheswick, a pioneer in internet firewalls, became famous not only for establishing what we today know as the perimeter firewall, but also for the quote below, which he used to describe his ideas on perimeter firewalls:

A sort of crunchy shell around a soft, chewy center.

The quote and its metaphor are still widely used by security professionals around the world to describe the state of the internal network behind the perimeter firewall.

A crunchy shell in the 1990s was exactly what you needed to be more secure against the threats of that time. Most of them were attacks against servers: buffer and heap overflows in services that were directly exposed to the internet, even when they were never meant to be consumed from the internet. People could easily DoS those services or, even better, hack them. Exposed sendmail servers were a huge target at that time. Everything was exposed and routed; it is hard to imagine today. The perimeter firewall did a great job: it shielded the vulnerable services from the evil internet and helped secure them from the outside world. Since then the internet has grown exponentially and the threats have changed quite significantly; we all know that most threats today use endpoints rather than datacenter services as an entry vector.


Implementing Sensible Network Segmentation

Packet Pushers Tech Bytes about Network Segmentation with Tufin

A new week, a new Tech Bytes Packet Pushers podcast. This time Tufin markets their policy management, which was an interesting show, but I have some comments.

  • I think it’s a valid point to say that automated firewall policy management can make a business more agile, especially considering how long the change process normally takes and how we do it today
  • the whole point about understanding the topology sounds like this is really very slow to implement
  • it’s hard to get any visibility, from what I hear and how I understand the Tufin platform
  • zoning or very wide segmentation is nice, but what you really want is to be able to do finer-grained segmentation without modifying or rearchitecting the network
  • relying on hardware firewalls will never free you from the constraints of those devices, especially throughput limits, the hardware cycle that will just happen every three or five years, and the inability of a firewall to really be point-to-point rather than zone-to-zone
  • I would assume that the integration of this is very hard; thank god it is usually owned by just one team, but what about outsourcers and system integrators?

Sage Data Security on why network segmentation is important

Nice article from Sage Data Security on why network segmentation is important.


Deploying Cisco ACI and VMware NSX

A podcast by Packet Pushers

One of my favourite networking podcasts, Packet Pushers, has a great episode on integrating Cisco ACI and VMware NSX at the same time.

I really enjoyed listening to this episode. One reason, for sure, was that Derek Wilson seems to be a really nice and knowledgeable person; the other is that he shared some valuable insights into deploying ACI and its uses for big companies.

My key takeaways from the episode are:


NIST publishes a zero trust architecture recommendation

The US NIST has published a great guide on zero trust architecture that is definitely worth reading. It details the elements, the deployment and the deployment scenarios, and references other material to help people get started with zero trust.