Microsegmentation is a network security technique that divides a data center into small logical cells, each containing a single workload (a server). Security policies are then configured around that particular workload. With microsegmentation we allow only the traffic the business actually needs and block everything else. Cisco's microsegmentation product is Cisco Secure Workload. In this post we will learn how to configure Cisco Secure Workload for microsegmentation and take a step toward zero trust.
Microsegmentation starts with identifying the security policies each workload needs. The policies can be discovered automatically by the tool from flow telemetry, or written manually. A small, lightweight agent runs on the workload; it collects the flow data and later enforces the microsegmentation policies on that workload.
Cisco Secure Workload was earlier known as Tetration. The rest of this post walks through configuring microsegmentation policies with it so that workloads only accept and send the traffic they need.
Configuration of Cisco secure workload for microsegmentation
Step 1> Upload labels: Labels identify workloads by their attributes, so that similar workloads can be grouped together. For example, all domain controllers can be kept in one group.
Navigate to Organize > Label management
We can download a sample CSV file, fill it in and upload it. Label names are free-form. In this example I have used four columns: IP, Department, DataCenter and Type. The IP column identifies the workload; the other columns are its labels.
Once uploaded it looks like this:
Step 2> Install the agents on the workloads: The agent can be installed with a PowerShell script or with an installer file.
Navigate to Manage > Workload > Agent tab, then click Agent Script Installer.
Download the script by clicking the Download button:
Run the script on the workload. Installation instructions are given on the download page:
Step 3> Define scopes and hierarchy:
Scopes are the way of organizing workloads into groups, so that common policies are pushed across similar workloads.
Navigate to Organize > Scopes and Inventory and click Add Scope:
A query defines which workloads belong to the scope. In this example any workload whose Type label has the value server becomes part of the dc-servers scope. Type is the label and server is the label value.
Step 4> Configure policies:
Navigate to Defend > Segmentation. Create a workspace if one does not exist already.
To create a workspace click Add Workspace, give it a name and select the scope the workspace is for.
Once the workspace is created we can create or discover policies. Discovery needs some collected flow data. The longer we collect flows, the more complete and granular the discovered policies will be.
Policies can also be created manually. For this, input from the application team is needed so that only the required ports and protocols are opened.
To automatically discover policies click Automatically Discover Policies. Select a time range, click Next, select the default configuration under Advanced Options and then click Discover Policies.
Policies look like the screenshot below. Discovered policies reflect whatever traffic was observed during the time range, including any traffic that should not have been there, so we must review them carefully before enforcement.
Step 5> Enforcement:
Under the workspace we have the option to enforce. Click on the Enforcement tab and then click Enforce Policies.
Step 6> Check the enforcement status: We can see whether the updated policies have been enforced on the workloads or not.
The pushed policies can be checked under Manage > Workloads. Click Agent List, click the workload name and select Concrete Policies.
With the policies applied we have microsegmented the workloads with the help of Cisco Secure Workload, and this is how one can start a zero trust journey. Now only the required traffic can get in to and out of each workload.
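To make the six steps above concrete, here is an offline model of the same workflow: a label file as in Step 1, a scope query as in Step 3, policy discovery from flow records as in Step 4, and the allow-list check an enforced workload applies in Step 5. This is an added illustration written for this post, not Cisco Secure Workload code or its API. The CSV contents, IP addresses, flow records and the grouping by Department and Type are all constructed for the example, and the exact CSV layout Secure Workload expects is assumed to match the four columns used above.

```python
"""Offline model of the workflow in this post: labels -> scope -> discovered
policies -> enforcement check.  Added illustration only, not Cisco Secure
Workload code or its API; all data below is constructed for the example."""
import csv
import io
import ipaddress
from collections import defaultdict

# Step 1: constructed label file in the shape described in the post.  The IP
# column identifies the workload, the remaining columns are its labels.
LABEL_CSV = """IP,Department,DataCenter,Type
10.10.1.10,Finance,DC1,server
10.10.1.11,Finance,DC1,server
10.10.2.20,IT,DC1,server
10.10.3.30,Finance,DC1,workstation
"""

# Step 4 input: constructed flow telemetry as an agent would report it,
# as (consumer_ip, provider_ip, protocol, provider_port).
FLOWS = [
    ("10.10.3.30", "10.10.1.10", "TCP", 443),
    ("10.10.3.30", "10.10.1.11", "TCP", 443),
    ("10.10.1.10", "10.10.2.20", "TCP", 389),
    ("10.10.1.11", "10.10.2.20", "TCP", 389),
    ("10.10.1.10", "10.10.1.11", "TCP", 1433),
]

# Labels used to cluster workloads when discovering policies (assumed choice).
GROUP_BY = ("Department", "Type")


def load_labels(text):
    """Parse the label CSV into {ip: {label: value}}.

    Bad IPs and duplicate rows are rejected up front: a silently mislabelled
    workload would land in the wrong scope and receive the wrong policy."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(row["IP"].strip()))  # ValueError on bad IP
        if ip in inventory:
            raise ValueError(f"duplicate IP in label file: {ip}")
        inventory[ip] = {k: v.strip() for k, v in row.items() if k != "IP"}
    return inventory


def scope_members(inventory, query):
    """Step 3: a scope query is a set of label=value conditions; a workload is
    a member only if every condition matches, e.g. {"Type": "server"}."""
    return {ip for ip, labels in inventory.items()
            if all(labels.get(k) == v for k, v in query.items())}


def group_of(inventory, ip):
    """Cluster key for a workload; IPs with no labels get their own group so
    they stand out during policy review instead of disappearing."""
    labels = inventory.get(ip)
    return tuple(labels[k] for k in GROUP_BY) if labels else ("unlabelled",)


def discover_policies(inventory, flows, scope):
    """Step 4: turn each observed flow that touches the scope into an allow
    rule between the consumer's group and the provider's group.  Because rules
    are per group, a port seen between two members generalises to every
    member pair of those groups, which is exactly what review must sanity-check."""
    rules = defaultdict(set)
    for consumer, provider, proto, port in flows:
        if consumer in scope or provider in scope:
            pair = (group_of(inventory, consumer), group_of(inventory, provider))
            rules[pair].add((proto, port))
    return {pair: sorted(ports) for pair, ports in rules.items()}


def is_allowed(inventory, policies, consumer, provider, proto, port):
    """Step 5: after enforcement the rule set is allow-list only.  A flow
    passes if a rule exists for its group pair, protocol and port; anything
    else, including traffic never seen during discovery, is denied."""
    pair = (group_of(inventory, consumer), group_of(inventory, provider))
    return (proto, port) in policies.get(pair, [])


if __name__ == "__main__":
    inv = load_labels(LABEL_CSV)
    dc_servers = scope_members(inv, {"Type": "server"})
    policies = discover_policies(inv, FLOWS, dc_servers)
    for (consumer, provider), ports in sorted(policies.items()):
        print(f"ALLOW {consumer} -> {provider}: {ports}")  # review before enforcing
    # Workstation to the IT server on 389 was never observed, so it is denied.
    print(is_allowed(inv, policies, "10.10.3.30", "10.10.2.20", "TCP", 389))  # False
```

Running the block prints the three discovered allow rules (workstation to Finance servers on 443, Finance servers to the IT server on 389, Finance server to Finance server on 1433) and then shows that a flow never seen during the collection window is denied once enforced. The same structure explains why the post stresses review: a single unwanted connection captured during discovery would be turned into a rule for the whole group pair.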