How vArmour restores the security perimeter

The vArmour suite of tools is designed, first, to reestablish a software perimeter internally and then to hone the rules and policies that make up that backbone, delving all the way into the realm of micro segmentation.


In the early days of computers, most cybersecurity was configured the same way as physical security, with barriers designed to keep bad people out and authorized users safely inside. The so-called security perimeter consisted of firewalls and other appliances that scanned for malicious traffic and blocked it from entering a protected network. Even once inside, the architecture of most datacenters was built around tiers, where all traffic was forced through aggregation points driven by spanning tree layouts, giving those perimeter defenses more opportunities to monitor chokepoints and enforce perimeter security internally.

Cloud computing and the rise of virtual machines pretty much upended this entire process, destroying or at least severely weakening the concept of a security perimeter. Cloud, by its very nature, is nebulous, offering many openings and endpoints for an attacker to exploit. But beyond that, the bigger change happened within the datacenters, which had to abandon their tiered designs to accommodate cloud. Most are deployed today in what is known as a spine-and-leaf design, which eliminates almost all chokepoints, allowing users and applications to talk directly with one another within the cloud.

This new type of datacenter improves functionality over old designs, with the ability to deploy technologies like software-defined networking to expand capabilities, capacity and bandwidth instantly, as needed. But it also removes most footholds or chokepoints for perimeter security devices internally, since the network topology is both completely flat and always changing. Attackers who can breach the new, weaker security perimeter find very few controls or challenges once inside a network. Successful attacks may not be detected for months or years, or perhaps not at all, since attackers have nearly free rein once implanted inside a network.

For these reasons, the concept of a software-defined perimeter was created. In theory, it's not all that difficult: a software program monitors internal network traffic to spot anomalies, or users and programs with malicious intent, restoring a sort of chokepoint from the pre-cloud architectures of old. But it's a lot harder than that. While it's relatively easy to set up that type of monitoring, knowing what is good, what is bad and what is suspect when dealing with internal traffic is much more complex than when guarding an external gateway. It would be very easy to accidentally lock down legitimate programs, limiting their functionality and killing productivity. And it would be even easier to miss malicious traffic traveling slowly and surreptitiously through the internal network.

Striding into this quandary is vArmour, a suite of tools designed to first reestablish a software perimeter internally, and then to hone the rules and policies that make up that backbone even further, delving all the way into the realm of micro segmentation.

Testing vArmour

The vArmour suite that we tested can be deployed in any environment, including within massive datacenters and, of course, within the cloud. The entire suite is software-based, consisting of a virtual appliance deployed within the data path and a virtual switch that can separate workloads at network layer two for control of multiple micro segments.
