Network segmentation is a concept that dates back to the start of enterprise IT systems. The simplest demonstration of this is separating application and infrastructure components with a firewall. This concept is now a routine part of building data centers and application architectures. In fact, it’s nearly impossible to find examples of enterprises without some network segmentation model in place.
More recently, many have stated that microsegmentation is sufficient to secure these services. Microsegmentation techniques provide granular point-to-point traffic restrictions between services and can be user-session aware. But the modern concept of network segmentation is more than source and destination restrictions. Best practices for network segmentation require the following capabilities:
Intrusion detection and prevention systems (IDS and IPS) to detect and block malicious traffic based on known CVEs, behavior-based patterns and industry intelligence
Antivirus and malware detection to detect and block virus and malware behaviors within traffic
Sandboxing to execute and process traffic in a “safe” virtual environment to observe the results before passing it on if it’s valid traffic
Web application firewalls to detect and block application-based threats
Distributed denial-of-service (DDoS) protection to block brute-force and denial-of-service attacks
SSL decryption and monitoring to gain visibility and be able to respond to traffic
In an on-premises scenario, next-generation firewalls provide most of these capabilities. Ideally, the firewalls only allow traffic on valid ports. But regardless, these firewalls can inspect traffic on all ports, including the open valid ports (e.g., 80, 443) to ensure malicious behaviors are being transmitted.
In an Amazon Web Services (AWS) environment, there is nothing that provides these capabilities between services, but there are many capabilities that can be combined to do so. These threats must be mitigated through careful security configur ..
Support the originator by clicking the read the rest link below.
