In enterprise data centers, firewalls have been central to the networking and security of the applications that run there. The approach started with Access Control Lists (ACLs), which provide rules keyed to the port numbers or IP addresses exposed by a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. After ACLs, macro-segmentation came along to provide IP-based enforcement for every application that runs on a host, giving enterprise administrators granular controls to protect their workloads based on VLANs.
With network virtualization, micro-segmentation has transformed the networking and security space by making it possible to enforce distributed firewall rules across hosts in the datacenter based on L4-L7 network services and attributes. Newer firewalls can perform deep packet inspection at the transport layer and include web application filtering, verb-based firewalls, and URL filtering.
FIG. 1 shows the current workflow for specifying firewall controls for micro-segmented applications. As shown, the administrator has to first define (at 105) an intent as to which application they would like to secure. Based on the intent, the administrator has to create (at 110) domains and groups to define the boundaries of each component of the application. Once the groups are created, the administrator then defines (at 115) how these components can communicate with each other based on a communication profile.
After the profile and groups are created, the resulting policy is published (at 120) to the software defined datacenter (SDDC) network managers 150. After publishing the policy, the administrator has to log in to the network manager for every datacenter instance the manager controls and create (at 125) the networking and security groups based on the grouping criteria specified when the domains and groups were created. The criteria could be based on logical switch ports, tags, or VM/container names.
The administrator then has to manually manage (at 130) the workload VMs/containers by applying the corresponding tags so that they match the criteria used when the network and security groups were created at 125. When a tag matches the criteria, the firewall rule defined in the communication profile is applied (at 135) to the respective VMs.
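The tag-driven workflow of FIG. 1 (groups from criteria, a communication profile, rules applied where tags match), modelled as an added example that is not part of the original document; the group criteria, communication profile, and workload inventory below are constructed, and the untagged container shows what happens when step 130 is missed.

```python
from collections import namedtuple

# Constructed data model for the FIG. 1 workflow (added example, not from the document).
Workload = namedtuple("Workload", "name ip tags", defaults=[frozenset()])
Rule = namedtuple("Rule", "src dst port action", defaults=["allow"])

# Grouping criteria (step 125): a workload joins a group when it carries the group's tag.
GROUPS = {"web": "tier=web", "app": "tier=app", "db": "tier=db"}

# Communication profile (step 115): which groups may talk, and on which TCP port.
PROFILE = [("web", "app", 8080), ("app", "db", 5432)]


def resolve_groups(inventory):
    """Steps 125/130: map each group to the workloads whose tags match its criteria."""
    return {g: [w for w in inventory if tag in w.tags] for g, tag in GROUPS.items()}


def compile_rules(inventory):
    """Step 135: expand the profile into per-workload distributed firewall rules."""
    members = resolve_groups(inventory)
    return [
        Rule(s.ip, d.ip, port)
        for src_g, dst_g, port in PROFILE
        for s in members[src_g]
        for d in members[dst_g]
    ]


def untagged(inventory):
    """Workloads matching no group receive no rules: the coverage gap of manual tagging."""
    covered = {w for ws in resolve_groups(inventory).values() for w in ws}
    return [w.name for w in inventory if w not in covered]


# Constructed inventory: app-2 is an ephemeral container started without its tag.
INVENTORY = [
    Workload("web-1", "10.0.1.10", frozenset({"tier=web"})),
    Workload("app-1", "10.0.2.10", frozenset({"tier=app"})),
    Workload("app-2", "10.0.2.11"),
    Workload("db-1", "10.0.3.10", frozenset({"tier=db"})),
]

if __name__ == "__main__":
    for rule in compile_rules(INVENTORY):
        print(rule)
    print("no rules applied to:", untagged(INVENTORY))
```

Running it yields two allow rules (web-1 to app-1 on 8080, app-1 to db-1 on 5432) and reports app-2 as unprotected, which is the tagging gap the text goes on to describe.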
This approach has several shortcomings. For instance, the management of grouping criteria (tags, VM names, etc.) is manual and cumbersome. This is particularly problematic because the management has to be repeated across multiple environments (e.g., development, staging, and production). In addition, discovery and classification of the applications is an administrative overhead and is often error prone. This approach is also not scalable for dynamic workload environments (e.g., containers), where the entities being protected are ephemeral in nature.