Application Protection

Protecting Critical Shared Services
Secure key shared network services and reduce risk
Shared services power the network and need to be protected

Enterprise IT runs on key shared services such as Domain Name System (DNS), Microsoft Active Directory (AD), Lightweight Directory Access Protocol (LDAP) and Windows Domain Controllers, to name a few, that underpin all network and infrastructure operations. These services are also entry points to critical assets that, if exploited, can cause irreparable damage to an organization’s business and brand. For example, DNS is a pervasive service that, if compromised, can create website outages, be used to launch a distributed denial of service (DDoS) attack, or reroute requests to a fraudulent website. DNS was designed for usability, not security; DNSSEC (Secure DNS) was designed with security in mind but still does not have widespread deployment. Traditional perimeter firewalls leave port 53 open for DNS queries and are not equipped to recognize well-crafted attacks that use the DNS protocol, such as reflection, cache poisoning, or tunneling.

AD is another critical service that many of today’s enterprises use as their enterprise directory or as the network OS (NOS) directory for their Windows infrastructure. AD is the foundation of the security infrastructure in any Windows environment. If an attacker compromised an AD server, the attacker could access user credentials, elevate their permissions, and move freely across the network to identify high value assets to exfiltrate.

AD and internal DNS servers reside behind the DMZ in the data center. Perimeter firewalls at the network boundary allow traffic to enter the data center by opening ports for specific applications and traffic types as defined by the firewall administrator. The problem with this approach is that unauthorized users can disguise their attacks and use these open ports (for DNS or AD) to gain a foothold in the data center, and then move laterally to compromise other assets. Examples include tunneling malware through DNS payloads, using credentials stolen via a phishing attack to access AD, and escalating privileges to gain unfettered access to other critical assets.


The vArmour Solution

vArmour is a distributed security platform built entirely in software with a scale-out architecture. It offers complete L7 visibility, segmentation and microsegmentation capabilities, and application-aware security policy creation and enforcement close to the workload. vArmour’s approach to securing critical services is to wrap protection around each critical service with zero trust policies. This means that, by default, all communications to and from the asset are blocked except for allowed applications and transactions over a defined path.

Figure: Protect critical services by micro-segmenting

Layer 7 Visibility

Visibility is the key to designing effective security policies. vArmour DSS provides full layer 7 visibility, which shows the applications and processes that are accessing critical services and identifies suspicious traffic. This is critical for detecting protocol and payload anomalies and for identifying threats and exploits. Being able to fingerprint applications and identify traffic by application ID is the first step in devising effective security policies and enforcing them close to the workload.

Separate critical services from other applications

Microsegmentation allows each critical service to be segmented from other parts of the infrastructure and limits a potential breach to a single asset, thereby reducing the chances of an attack spreading laterally across the data center from a compromised asset to the host running a critical service. It is imperative to break this large attack surface into very small segments, each hosting a single service with stringent policy controls. Forensic analysis of past breaches shows that many attacks originated in one part of the data center on a non-critical or neglected asset, waiting for an opportune time to gain access to critical services. With microsegmentation, this behavior is identified in real time, and the defined security policies block or redirect the traffic.

Automate segmentation for new workloads running critical services

vArmour can integrate with any API-driven system of record to automate microsegmentation and simplify policy creation and management. Full-featured JSON/REST APIs can be used to integrate seamlessly with third-party orchestration systems and DevOps tools such as VMware vRealize Orchestrator, Puppet, Chef, Kubernetes and others. Using these APIs, operators can streamline security policy creation and management by embedding security policies into the DevOps process to speed application delivery. Enabling “Auto Microsegmentation” in vArmour DSS allows an administrator to automatically micro-segment new workloads and move them inline for policy enforcement, providing instant protection without administrator interaction. When a new critical service instance is created (for example, an additional local DNS server in a new branch office), security policies can be made part of the DevOps workflow, turning it into DevSecOps. This ensures that the new service instance inherits the same global security policy that applies to similar assets in the network.
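The zero trust policy model from "The vArmour Solution" (default deny around each critical service, allow only a known application over a defined path) and the policy inheritance for new instances described just above, modelled together as an added example; this is illustrative code, not vArmour's product or API, and the asset classes, segment names, application IDs and sample flows are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src_segment: str  # segment the client sits in
    app_id: str       # L7 application fingerprint, not just the port
    dst_port: int

@dataclass
class Policy:
    class_rules: dict = field(default_factory=dict)  # asset class -> allowed Rules
    assets: dict = field(default_factory=dict)       # asset name -> asset class

    def add_asset(self, name, asset_class):
        """Auto microsegmentation: a new instance inherits its class's global rules."""
        if asset_class not in self.class_rules:
            raise ValueError(f"no global policy for class {asset_class!r}")
        self.assets[name] = asset_class

    def evaluate(self, flow):
        """Zero trust: allow only an exact (segment, app id, port) match; unknown
        assets and mismatched app ids (e.g. non-DNS payload on port 53) are denied."""
        asset_class = self.assets.get(flow["dst_asset"])
        if asset_class is None:
            return "deny"
        rule = Rule(flow["src_segment"], flow["app_id"], flow["dst_port"])
        return "allow" if rule in self.class_rules[asset_class] else "deny"

def build_policy():
    """Hypothetical global policy for the DNS and AD service classes named in the text."""
    policy = Policy(class_rules={
        "critical-dns": {Rule("corp-clients", "dns", 53), Rule("app-tier", "dns", 53)},
        "critical-ad": {Rule("corp-clients", "kerberos", 88), Rule("corp-clients", "ldap", 389)},
    })
    policy.add_asset("dns-hq-1", "critical-dns")
    policy.add_asset("ad-dc-1", "critical-ad")
    policy.add_asset("dns-branch-7", "critical-dns")  # new branch DNS server inherits the class policy
    return policy

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    {"src_segment": "corp-clients", "dst_asset": "dns-branch-7", "app_id": "dns", "dst_port": 53},
    {"src_segment": "dmz-web", "dst_asset": "dns-hq-1", "app_id": "dns", "dst_port": 53},
    {"src_segment": "corp-clients", "dst_asset": "dns-hq-1", "app_id": "unknown", "dst_port": 53},
    {"src_segment": "corp-clients", "dst_asset": "ad-dc-1", "app_id": "ldap", "dst_port": 389},
    {"src_segment": "app-tier", "dst_asset": "ad-dc-1", "app_id": "smb", "dst_port": 445},
]
def audit(policy, flows):
    """Decision per flow; the denied ones are what an operator reviews for lateral movement."""
    return [policy.evaluate(f) for f in flows]
```

The third sample flow shows why the rule carries an application ID rather than only a port: traffic on port 53 whose payload does not fingerprint as DNS is denied even from an otherwise trusted segment.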


Benefits
  • Secure critical services by putting the servers running those services in a separate segment
  • Reduce risk by separating critical services from other data center assets
  • Protect valuable assets by micro-segmenting the flat DC network and applying security policies