Network segmentation is not a new concept in security. It has been around for a long time and is considered one of the most effective methods of limiting the “blast radius”, i.e., preventing extensive damage in case of an attack or a breach by confining the attacker to a sealed-off segment of the network. In the era of APTs and socially-engineered attacks, many organizations work under the assumption that their network has already been penetrated to some degree, and segmentation is there not to prevent attacks but to limit their damage. When physical, static-IP networks were all we had, segmenting them was relatively easy.
Then VMs came along, and everything became dynamic, and software-defined and a lot more complicated, giving rise to micro-segmentation. The big difference was that now you had to be aware of which VMs are running the application in order to provide adaptable segmentation.
Containers completely change networking once again. There are several significant differences:
So how do you decide what are the legitimate network connections that a container should have? Ultimately, the application context is what should determine it. In the world of containers, orchestrators often define the application boundaries, e.g., Kubernetes pods.
Aqua creates nano-segments automatically based on container metadata and activity. Each container invoked by an orchestrator is automatically assigned to a logical service.
To define a nano-segment, Aqua simply monitors the network activity of the service in a runtime environment - this could be a testing, staging, or production environment. This monitoring identifies all the inbound and outbound network connections of the containers within the service, including connections to/from other containers, services, IP addresses, and the public Internet.
Watch this brief demo to see it in action:
Once Aqua concludes that the network topology has been identified, with no new connections being formed, it automatically creates a security policy that captures all of those interactions, essentially whitelisting them as legitimate connections. This policy will follow the service where it goes, regardless of physical location, orchestration tools, or network overlays.
With nano-segmentation in place, containers will be prevented from accessing resources outside their respective nano-segments, and such attempts will also generate alerts and audit events.
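The learn-then-enforce cycle described above (observe a service's connections until no new ones appear, freeze them into an allowlist, then deny and alert on anything else) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Aqua's code and not a description of how Aqua's product works internally. It assumes flows are already attributed to logical service names (`web`, `api`, `db`), that pods carry an `app=<service>` label, that external destinations are written as CIDRs, and that the sample traffic is constructed; the rendering of the learned allowlist as a Kubernetes `NetworkPolicy` egress rule is one possible enforcement target among several.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection, attributed to logical services rather than IPs."""
    src: str          # logical service that opened the connection
    dst: str          # logical service, or an external CIDR such as "203.0.113.0/24"
    port: int
    proto: str = "TCP"


class NanoSegmentLearner:
    """Learning phase: collect every (dst, port, proto) each service talks to.
    The topology is treated as complete once `quiet_rounds` consecutive
    observation rounds add no new connection; the policy is then frozen."""

    def __init__(self, quiet_rounds=3):
        self.quiet_rounds = quiet_rounds
        self.allowed = defaultdict(set)   # service -> {(dst, port, proto)}
        self.quiet_streak = 0
        self.frozen = False

    def observe(self, flows):
        """Feed one round of observed flows. Returns True once the policy is frozen."""
        if self.frozen:
            raise RuntimeError("learning already concluded; policy is frozen")
        new_connections = 0
        for f in flows:
            key = (f.dst, f.port, f.proto)
            if key not in self.allowed[f.src]:
                self.allowed[f.src].add(key)
                new_connections += 1
        self.quiet_streak = 0 if new_connections else self.quiet_streak + 1
        if self.quiet_streak >= self.quiet_rounds:
            self.frozen = True
        return self.frozen

    def policy(self):
        """Frozen allowlist: service -> sorted list of permitted connections."""
        if not self.frozen:
            raise RuntimeError("policy not yet frozen")
        return {svc: sorted(keys) for svc, keys in self.allowed.items()}


class NanoSegmentEnforcer:
    """Enforcement phase: deny anything outside the learned allowlist,
    record an audit event for every decision and an alert for each denial."""

    def __init__(self, policy):
        self.policy = {svc: set(keys) for svc, keys in policy.items()}
        self.audit_log = []
        self.alerts = []

    def check(self, flow):
        permitted = (flow.dst, flow.port, flow.proto) in self.policy.get(flow.src, set())
        event = {"src": flow.src, "dst": flow.dst, "port": flow.port,
                 "proto": flow.proto, "action": "allow" if permitted else "deny"}
        self.audit_log.append(event)
        if not permitted:
            self.alerts.append(event)
        return permitted


def to_network_policy(service, policy, label_key="app"):
    """Render one service's learned egress allowlist as a Kubernetes NetworkPolicy
    (dict form). Assumes pods are labelled `app=<service>` (an assumption of this
    example); destinations containing "/" are treated as external CIDRs."""
    egress = []
    for dst, port, proto in policy.get(service, []):
        peer = ({"ipBlock": {"cidr": dst}} if "/" in dst
                else {"podSelector": {"matchLabels": {label_key: dst}}})
        egress.append({"to": [peer], "ports": [{"protocol": proto, "port": port}]})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"nanoseg-{service}-egress"},
        "spec": {"podSelector": {"matchLabels": {label_key: service}},
                 "policyTypes": ["Egress"],
                 "egress": egress},
    }


def run_demo():
    """Constructed staging traffic: web -> api, api -> db, api -> an external CIDR."""
    rounds = [
        [Flow("web", "api", 8080), Flow("api", "db", 5432)],
        [Flow("api", "203.0.113.0/24", 443)],   # external dependency (constructed)
        [Flow("web", "api", 8080)],              # nothing new: quiet round 1
        [Flow("api", "db", 5432)],               # nothing new: quiet round 2 -> frozen
    ]
    learner = NanoSegmentLearner(quiet_rounds=2)
    for r in rounds:
        if learner.observe(r):
            break
    enforcer = NanoSegmentEnforcer(learner.policy())
    decisions = {
        "api->db": enforcer.check(Flow("api", "db", 5432)),
        "web->db": enforcer.check(Flow("web", "db", 5432)),            # never learned: denied
        "db->internet": enforcer.check(Flow("db", "198.51.100.0/24", 443)),  # db has no egress
    }
    return learner.policy(), decisions, enforcer.alerts


if __name__ == "__main__":
    import json
    pol, decisions, alerts = run_demo()
    print(json.dumps(to_network_policy("api", pol), indent=2))
    print(decisions, f"{len(alerts)} alert(s)")
```

Two design points are worth noting. First, the "quiet rounds" threshold is what decides when learning concludes; set it too low and a rarely-used connection (a nightly batch job, for example) is missed and later denied, so a realistic learning window has to cover the service's full activity cycle. Second, because the allowlist is keyed by logical service rather than IP address, the same policy dictionary can be re-rendered for whichever enforcement layer the service lands on, which is what lets it follow the service across hosts and overlays.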
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads, wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.