For many years, servers and, you know, different entities in the network were assigned subnets and VLANs. And, you know, they were pretty simple, but they tried to provide some capabilities of segmentation. However, they also introduced a lot of complexities, because application segmentation and policies were physically restricted to the boundaries of that VLAN, and specifically the boundaries of a data center, or even of a campus environment. So in virtual environments the problem became harder, because nowadays applications have to move between servers; they can move between data centers, and even between different cloud environments. So traditional segmentation based on VLANs will limit your ability to maintain the policies of which applications need to talk to, you know, each other, or who can access those applications. Right? So this is ineffective, because most traffic in data centers nowadays, or in integrated cloud environments, is east-to-west traffic. And a lot of traffic doesn't even leave the physical server and doesn't even hit a traditional firewall.
But I mentioned, you know, east-to-west traffic, and there's another concept called north-to-south traffic. So let me define that for you to actually get an idea, right? So east-to-west traffic is network traffic between servers, and it can be between virtual servers or physical servers, or even containers. Now, north-to-south traffic is the network traffic flowing in and out of the data center. Now, many vendors actually have created solutions where policies are applied to applications and are independent from the location or the network that the application resides in. For example, let's suppose that you have different applications running in separate VMs, and those applications also need to talk to a database, as I'm actually showing here. You may actually need to apply policies to restrict, you know, different applications. Let's say application A, if it doesn't need to actually talk to application B, you actually can provide some type of policy, you know, to do this. And these policies should not be bound to a VLAN or to an IP subnet of the application.
And especially nowadays that, you know, these VLANs and subnets are actually being dynamically assigned, right? So also, network traffic should not make multiple trips back and forth between the applications and, you know, some centralized firewall to be able to actually enforce policy between them, and especially because of scalability. And then, to make matters worse, containers make this a little bit harder, because they move and change more often, right? So here I'm actually showing a high-level representation of an application running inside of a container, for example a Docker container. And in this case, we have to have the ability to enforce network segmentation in those environments. And that's what we call, in the industry, micro-segmentation. And micro-segmentation is at the VM level, or at the container level, right? Basically between containers, regardless of a VLAN or a subnet. Another thing is micro-segmentation solutions need to be application-aware. And that means that the segmentation process starts and ends with the application itself.
So most micro-segmentation environments apply a concept called the Zero Trust model. And this model dictates that users cannot talk to applications, and applications cannot talk to other applications, unless there's a defined set of policies that actually permit them to do so.