North-South and East-West

Micro-segmentation is one of the core functions of a next-generation Zero Trust cybersecurity solution, as it allows security functions to be inserted in front of a workload so that the workload does not have to trust the network. But not all micro-segmentation is created equal. How the micro-segmentation function is implemented has a major impact on how thoroughly it can apply Zero Trust principles. To understand why, let's examine the two major directions traffic can flow: north-south and east-west.

What Is North-South Traffic?

A "north-south" flow of traffic refers to traffic that goes through one or more aggregation points to get to the destination.  In the example diagram below, traffic from host A to the cloud host B is aggregated together with all other traffic from the same subnet by the leaf router, and forwarded toward the enterprise edge, where it is then sent on to the cloud.

North-South Traffic Can be Filtered at an Aggregation Point

While it may be slightly less obvious, traffic from host A to host C is also considered north-south; it travels northward toward the spine, and then southward again toward host C's router.

Because north-south traffic is aggregated, there is naturally a point in the network where a filtering function (the shield in the diagram) could be inserted to perform a security function.  This "north-south" micro-segmentation can therefore secure traffic between host A and hosts B or C.

What Is East-West Traffic?

In contrast to north-south traffic, the traffic between host A and host D shown below is in the "east-west" direction.  The two hosts are in the same subnet, and have a point-to-point connection between them.  

East-West Traffic Does Not Pass Through the Aggregation Point

As east-west traffic is not aggregated, the security filter at the aggregation point that worked for the north-south case above is ineffective.

It turns out that the east-west case is fairly common; most datacenter traffic travels in an east-west direction.

Handling Micro-Segmentation in Any Direction is Critical for Zero Trust

Proper application of Zero Trust principles requires that traffic from other hosts on the network not be trusted. A solution that handles the north-south direction but not east-west implicitly creates a trust zone that includes the other machines on the same subnet. As a result, it's very important to consider deployment models in the architecture of a Zero Trust security solution.
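To see which flows an aggregation-point filter never inspects, the north-south/east-west distinction can be applied to flow records. The following Python is an added example, not part of the original article or any Zentera product; the subnets, addresses and ports are constructed, hosts A-D mirror the article's diagrams, and it assumes hosts in the same leaf subnet reach each other without crossing the leaf router.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory of leaf subnets (assumption, not from the article).
LEAF_SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "10.1.2.0/24")]

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.1.1.10", "203.0.113.20", 443),  # A -> cloud host B
    ("10.1.1.10", "10.1.2.30", 5432),    # A -> C, different leaf subnet
    ("10.1.1.10", "10.1.1.40", 445),     # A -> D, same subnet
    ("10.1.1.40", "10.1.1.10", 22),      # D -> A, same subnet
]


def leaf_of(addr):
    """Return the leaf subnet containing addr, or None if it is off-site."""
    ip = ipaddress.ip_address(addr)
    for net in LEAF_SUBNETS:
        if ip in net:
            return net
    return None


def classify(src, dst):
    """East-west only when both ends share a leaf subnet; otherwise the
    flow is aggregated by a router and counts as north-south."""
    s, d = leaf_of(src), leaf_of(dst)
    if s is not None and s == d:
        return "east-west"
    return "north-south"


def unfiltered_peers(flows):
    """Map each host to the peers it reaches without crossing the
    aggregation point, i.e. its implicit trust zone."""
    zones = defaultdict(set)
    for src, dst, _port in flows:
        if classify(src, dst) == "east-west":
            zones[src].add(dst)
    return dict(zones)


if __name__ == "__main__":
    for src, dst, port in FLOWS:
        print(f"{src} -> {dst}:{port}  {classify(src, dst)}")
    for host, peers in unfiltered_peers(FLOWS).items():
        print(f"{host} reaches {sorted(peers)} with no aggregation-point filtering")
```

Any non-empty entry in the `unfiltered_peers` result is a pair of hosts whose traffic a north-south-only filter cannot see.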

Agent-based deployment models protect applications at the OS level, and are capable of handling both north-south and east-west micro-segmentation.  They are appropriate for Zero Trust, and can work well in any datacenter, cloud, or containerized environment.

On the other hand, agentless deployment models, which may be required for OT environments, may not provide full micro-segmentation controls in the east-west direction. For a true agentless deployment, Zentera recommends the gatekeeper approach, as implemented by the Zentera Micro-Segmentation Gatekeeper (MSG).  This model enables Zero Trust security functions to be inserted inline with each workload, without having to touch the workload itself.
