How vArmour restores the security perimeter

The vArmour suite of tools is designed, first, to reestablish a software perimeter internally and then to hone the rules and policies that make up that backbone, delving all the way into the realm of micro segmentation.


In the early days of computers, most cybersecurity was configured the same way as physical security, with barriers designed to keep bad people out and authorized users safely inside. The so-called security perimeter consisted of firewalls and other appliances that scanned for malicious traffic and blocked it from entering a protected network. Even once inside, the architecture of most datacenters was built around tiers, where all traffic was forced through aggregation points driven by spanning tree layouts, giving those perimeter defenses more opportunities to monitor chokepoints and enforce perimeter security internally.

Cloud computing and the rise of virtual machines pretty much upended this entire process, destroying or at least severely weakening the concept of a security perimeter. Cloud, by its very nature, is nebulous, offering many openings and endpoints for an attacker to exploit. But beyond that, the bigger change happened within the datacenters, which had to abandon their tiered designs to accommodate cloud. Most are deployed in what is known as a spine and leaf design today, which eliminates almost all chokepoints, allowing users and applications to talk directly with one another within the cloud.

This new type of datacenter improves functionality over old designs, giving them the ability to deploy technologies like software-defined networking to expand their capabilities, capacity and bandwidth instantly, and as needed. But it also removes most footholds or chokepoints for perimeter security devices internally, since the network topology is both completely flat and always changing. Attackers who can breach the new, weaker security perimeter find very few controls or challenges once inside a network. Successful attacks may not be detected for months or years, or perhaps not at all, since they have nearly free rein once implanted inside a network.

For these reasons, the concept of a software defined perimeter was created. In theory, it’s not all that difficult: simply use a software program to monitor internal network traffic to spot anomalies, or users and programs with malicious intent, restoring a sort of chokepoint from the pre-cloud architectures of old. But in practice it’s a lot harder than that. While it’s relatively easy to set up that type of monitoring, knowing what is good, what is bad and what is suspect when dealing with internal traffic is much more complex than when guarding an external gateway. It would be very easy to accidentally lock down legitimate programs, limiting their functionality and killing productivity. And it would be even easier to miss malicious traffic traveling slowly and surreptitiously through the internal network.

Striding into this quandary is vArmour, a suite of tools designed to first reestablish a software perimeter internally, and then to hone the rules and policies that make up that backbone even further, delving all the way into the realm of micro segmentation.

Testing vArmour

The vArmour suite that we tested can be deployed in any environment, including within massive datacenters and, of course, within the cloud. The entire suite is software based, composed of a virtual appliance deployed within the data path and a virtual switch that can separate workloads at network layer two for control of multiple micro segments.

The first step in creating the software defined perimeter is to understand how all the programs, users and applications are interacting. No administrator is going to know every valid type of interaction happening within their network, making defining the rules of the new perimeter all but impossible. The vArmour suite compensates for this by first entering into a learning mode whereby all internal traffic is monitored. How much time this takes depends on several factors, but the biggest ones are the size of the network and the diversity of applications and users. Small networks where all users are doing the same basic tasks with the same toolset may only take a couple of hours to learn. Huge networks with lots of independent users doing different tasks could take weeks or longer.

Figure: vArmour Learning Mode. Credit: John Breeden/IDG

Before trying to define any type of software security perimeter, it’s important to know how valid traffic behaves. vArmour provides this in learning or tap mode, where internal traffic types and patterns are tightly defined.

After the learning process is complete, vArmour provides a set of helpful policy suggestions that can be implemented to begin defining the new security perimeter without disrupting business operations. So, for example, if certain users are employing an app to do something, like query a database, then that process will be discovered during the learning process and can be defined as an allowed policy with just a click. The security perimeter would be enacted around and between those users and that app. Any new user trying to activate the app, or an allowed user trying to use the app to do something different, such as querying a different database, would have to send traffic across the security perimeter, breaking the rule and triggering some type of action — be it a warning, blocking access, or even routing them into a deception point for further analysis. Adding deception tools is yet another service provided within the vArmour suite.

Figure: vArmour Apps Defined. Credit: John Breeden/IDG

Beyond just defining traffic patterns, vArmour helps to show which traffic is valid and what should be investigated as suspicious before setting up the new perimeters or segmentations. That way, there is no risk of locking malicious traffic on the wrong side of the fence.

Setting up a new software defined perimeter with vArmour was extremely easy on the test network once the learning process was complete. The program also allows for a much deeper interaction beyond that, getting into the realm of micro segmentation, where defined users can employ, for example, very specific protocols to conduct singular tasks, but nothing else. That way, even if a user had their credentials compromised, the attacker would be unable to do much of anything and would get caught as soon as they stepped outside of a very tightly defined ruleset, which of course they would not know.

Figure: vArmour Lateral Movement. Credit: John Breeden/IDG

Once in place, no traffic can hide from vArmour. The program does an excellent job of finding lateral movement of any size, empowering administrators to set up rules blocking potential threats from having free roam inside their network. 
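To make the workflow described above concrete (learning mode builds a baseline of observed flows, the baseline becomes allow rules, and anything outside the rules triggers an alert, a block, or redirection to a deception host), here is a small Python model of that loop. It is an added illustration written for this article, not vArmour's own code or policy engine: the workload names, segment labels, decoy host and flow records are all constructed, and the verdict rules are assumptions chosen to mirror the learning-mode, micro segmentation and lateral-movement behaviour the review describes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection: who talked to whom, on which port/protocol."""
    src: str          # workload or user that opened the connection
    dst: str          # workload it connected to
    port: int
    proto: str = "tcp"


# Segment label per workload (assumption: a real deployment would derive these
# from tags or from the virtual switch). "decoy-db" is a deception host.
SEGMENTS = {
    "web-01": "web", "web-02": "web",
    "app-report": "app",
    "db-orders": "data", "db-hr": "data", "decoy-db": "data",
    "ops-jump": "mgmt",
}
DECOYS = {"decoy-db"}

# Constructed flows captured while running in learning (tap) mode.
LEARNED = [
    Flow("web-01", "db-orders", 5432),
    Flow("web-02", "db-orders", 5432),
    Flow("app-report", "db-orders", 5432),
    Flow("ops-jump", "web-01", 22),
    Flow("ops-jump", "web-02", 22),
]


def learn_policy(flows):
    """Turn the learning-mode baseline into allow rules:
    src -> {(dst, port, proto)}. Each entry is one 'allowed with a click' suggestion."""
    policy = defaultdict(set)
    for f in flows:
        policy[f.src].add((f.dst, f.port, f.proto))
    return dict(policy)


def evaluate(policy, flow):
    """Decide what happens to one flow under the learned policy.
    Returns (verdict, reason) where verdict is allow / alert / block / deceive."""
    allowed = policy.get(flow.src)
    if allowed is not None and (flow.dst, flow.port, flow.proto) in allowed:
        return "allow", "matches learned rule"
    if flow.dst in DECOYS:
        # Nothing legitimate ever talks to a decoy; hand the session to it for analysis.
        return "deceive", "destination is a deception host"
    if allowed is None:
        # A source never seen during learning: the "new user trying the app" case.
        return "block", "source never seen in learning mode"
    # Known source doing something it has not done before. Crossing a segment
    # boundary is treated as lateral movement and blocked; drift inside the
    # same segment only raises an alert so the policy can be refined.
    src_seg, dst_seg = SEGMENTS.get(flow.src), SEGMENTS.get(flow.dst)
    if src_seg != dst_seg:
        return "block", f"lateral movement {src_seg} -> {dst_seg}"
    return "alert", "known source, new destination within its own segment"


def audit(policy, flows):
    """Dashboard-style view: every flow that did not simply match policy."""
    findings = []
    for f in flows:
        verdict, reason = evaluate(policy, f)
        if verdict != "allow":
            findings.append((f, verdict, reason))
    return findings


if __name__ == "__main__":
    policy = learn_policy(LEARNED)
    # Constructed post-enforcement traffic, including a compromised web host
    # reaching for a database it never used and a host not seen in learning.
    live = LEARNED + [
        Flow("web-01", "db-hr", 5432),
        Flow("web-01", "web-02", 80),
        Flow("rogue-vm", "web-01", 22),
        Flow("web-02", "decoy-db", 5432),
    ]
    for f, verdict, reason in audit(policy, live):
        print(f"{verdict:8} {f.src} -> {f.dst}:{f.port}/{f.proto}  ({reason})")
```

The learned baseline is deliberately an allowlist rather than a blocklist: that is what lets an attacker with stolen but valid credentials be caught the moment they step outside the handful of flows that account was ever seen to make. The same property is why the review stresses reviewing the suggested rules before enforcing them, since any malicious flow present during learning would be baked into the allowlist.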

In truth, it might be best to use vArmour to define a software perimeter using blanket policies for most of the network, as it’s very easy to accomplish and does a great job of blocking unauthorized users from moving around internally. And then the program could also provide micro segmentation, with very defined and precise rules and controls to additionally protect the core assets that exist in a much smaller space.

In either case, once configured, the Director component of the program gives a dashboard view of everything happening within the internal network, including any user or app that is trying to break policy rules or pass traffic through a defined software perimeter. This is a very detailed view and can help determine if, for example, vArmour is stopping an actual attack or if policies and perimeters need to be further refined to allow valid users to perform their jobs.

The old security perimeter may be a thing of the past, but clever technologies like those employed by the vArmour suite can help to reestablish it internally, in a potentially more efficient form that meshes with today’s modern cloud computing and software defined architectures.

Copyright © 2017 IDG Communications, Inc.
