In this video we'll cover defense in depth, walk through a micro-segmentation example, and discuss the software-defined perimeter.
Micro-segmentation, sometimes referred to as hyper-segregation, is a way to design the flow of traffic within your virtual networks. The goal of all this is to contain the blast radius in the event of a breach or compromise.
The better the segmentation, the more barriers an attacker needs to go through.
Think about the original incarnation of defense in depth. For millennia, people have built forts and castles that have moats, or that sit up on hills, and then they've added walls, and then gates, so there are all these different barriers for an attacker to get through.
Looking at the diagram here, you can see how things are set up so the tiers of the finance application are segmented. You then add security rules to each category of servers along the way and specify things like: the API services will only accept traffic from web client machines, and only certain API service machines can talk to certain data stores.
In order for an attacker to get to a data store, they have to move through a specific path between the various machines, starting with web, going to the API, and then going, say, to the document DB.
Stepping back a bit further, we can also see that even if somebody does compromise the finance app and makes their way through all those layers, the HR application is on a completely separate network. It's been isolated, so if the attacker wants to penetrate the HR app, they're basically going to be starting the process all over again.
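As an added example (not from the video), here is a small default-deny model of the tiered finance and HR networks described above; the tier names, rule shape and ports are constructed for illustration and are not any cloud provider's actual NSG or ACL syntax. It checks individual flows against the allow-lists and then computes the chain of barriers a compromise would have to work through to reach a given tier, so you can confirm that a data store is only reachable via the API tier and that HR is unreachable from finance.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    dst_tier: str   # tier whose inbound traffic the rule governs
    src_tier: str   # the only tier allowed to send to it
    dst_port: int   # the only destination port allowed

# One allow-list per virtual network (constructed sample values).
# Anything not listed is denied, like an NSG/ACL whose last rule is deny-all.
VNETS = {
    "finance": [
        Rule("finance-api", "finance-web", 8443),     # web clients -> API services
        Rule("finance-docdb", "finance-api", 27017),  # only API -> document DB
    ],
    "hr": [
        Rule("hr-api", "hr-web", 8443),
        Rule("hr-db", "hr-api", 5432),
    ],
}

def vnet_of(tier: str) -> str:
    return tier.split("-", 1)[0]

def flow_allowed(src_tier: str, dst_tier: str, port: int) -> bool:
    """Default deny: a flow passes only if an explicit rule matches it."""
    if vnet_of(src_tier) != vnet_of(dst_tier):
        return False  # separate, unpeered networks: isolated from each other
    return any(r.src_tier == src_tier and r.dst_tier == dst_tier and r.dst_port == port
               for r in VNETS[vnet_of(dst_tier)])

def barrier_path(start: str, target: str):
    """Shortest chain of tiers that a compromise of `start` would have to work
    through to reach `target` using only allowed flows; None means isolated."""
    queue, parent = deque([start]), {start: None}
    while queue:
        tier = queue.popleft()
        if tier == target:
            path = []
            while tier is not None:
                path.append(tier)
                tier = parent[tier]
            return path[::-1]
        for r in VNETS[vnet_of(tier)]:
            if r.src_tier == tier and r.dst_tier not in parent:
                parent[r.dst_tier] = tier
                queue.append(r.dst_tier)
    return None
```

Running `barrier_path("finance-web", "finance-docdb")` returns the web, API, document DB chain, while `barrier_path("finance-web", "hr-db")` returns None because no rule ever crosses between the two networks.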
Some closing thoughts on micro-segmentation.
The cloud provider capabilities we've discussed, such as policies, network security groups, network ACLs and what have you, are all free, at least from the dollar standpoint. At the same time, complex micro-segmentation does carry an operational cost, and it's something that you need to manage and keep track of.
Shifting gears slightly, let's review the topic of the software-defined perimeter. You will likely get some questions about this on the exam, and the technology itself is growing in popularity.
Developed by the CSA (Cloud Security Alliance), the software-defined perimeter combines both device and user authentication to provision network access to resources dynamically. It's a bit of a mouthful, but let's break it down. SDP consists of three main components that you can see on the diagram.
First, we have the SDP client. This is an agent that's installed on a device.
Then we have the SDP controller. This authenticates and authorizes SDP clients based on both device and user attributes: who are you, what are you using, and where are you accessing from?
The SDP gateway then serves to terminate SDP client network traffic and enforce policies, in communication with the SDP controller.
So we have the device and the user; their authentication information gets sent to the controller. The controller is communicating with the gateways, and it's allowing or denying the connections between that device and the gateways.
This approach is an alternative to traditional VPN setups when you want to allow employees to connect their laptops and other devices to resources running within a private corporate or enterprise network.
Major growth drivers of this include the rising need for policy-based security architecture to reduce network complexity and the increasing demand for cloud-based applications.
This technology is often used to implement zero trust networks, which you will frequently hear about in many enterprise security circles. Popular vendors include Check Point, Zscaler, Cisco, NetFoundry and many others.
In this video, we reviewed the time-tested philosophy of defense in depth. Then we looked at a micro-segmentation example that realized the defense-in-depth philosophy by controlling network traffic through many, many barriers.
And finally we discussed the software-defined perimeter, its use in creating zero trust networks, and its role as a popular alternative to the traditional VPN.