In Search of Segmentation
Adrian Cockcroft @adrianco
Technology Fellow - Battery Ventures
February 2016
What does @adrianco do?
Technology due diligence on deals; presentations at conferences and at companies; technical advice for portfolio companies; program committee work for conferences; networking with interesting people; tinkering with technologies; maintaining relationships with cloud vendors.
http://www.slideshare.net/adriancockcroft
Segmentation: Industry Trends
Airgaps closing
Industrial IoT
Security blanket perimeter firewalls
Datacenter to cloud transitions
New systems of engagement
http://peanuts.wikia.com/wiki/Linus'_security_blanket
Policy
A can talk to B. B can talk to C. A must not talk to C.
(Diagram: A, B, C.)
Y and Z failure modes must be independent so X can always succeed.
(Diagram: X, Y, Z.)
Availability requirements drive a need for distributed segmentation.
Choices?
Too many choices!
Over-reliance on one mechanism leads to abuse…
Lack of coordination across many mechanisms leads to fragility.
Example segmentation mechanisms
Disclaimer: I’m not a developer, I don’t have hands-on experience with any of these mechanisms, I’m looking for input where I’m wrong or missed something.
Also, apologies if I didn’t namecheck your favorite project/product.
Datacenters/AWS Accounts
IAM/AD/LDAP Roles
VPC/VLAN Networks
Security Groups/Hypervisor
IPtables/Calico Policy
Docker Links/Weave Overlay
(Diagram labels: Ops, Dev.)
Accounts and Roles
Who can set policy for what? Needs distributed policy management.
(Diagram: A, C.)
Network Segmentation
Who controls the network?
(Diagram: A, B, C.)
Network Segmentation
Datacenter policies are based on separation of duties: tickets, network admins and VLANs.
Network Segmentation
AWS VPC networking uses developer-driven automation and loses separation of duties…
VPC Abuse Antipattern
Lots of small VPC networks for microservices end up in IP address space capacity management hell…
Hypervisor and Security Group Segmentation
Distributed firewall rules
(Diagram: A, B, C.)
Security Group Abuse Antipattern
Too many microservices need to be in the same group, which overloads configuration limitations.
Kernel eBPF & Calico IPtables Segmentation
Distributed firewall rules
(Diagram: A, B, C.)
IPtables Segmentation
Can use IP Sets to scale.
Managed in the container host OS.
Separates routing reachability from access policy.
Docker & Weave Segmentation
Docker daemon manages connections
(Diagram: A, B, C.)
Docker Compose V1

```yaml
proxy:
  build: ./proxy
  ports:
    - "8080:8080"
  links:
    - app
app:
  build: ./app
  links:
    - db
db:
  image: postgres
```

(Diagram: proxy, app, db; port 8080.)
Docker Compose V2

```yaml
version: '2'
services:
  proxy:
    build: ./proxy
    ports:
      - "8080:8080"
    networks:
      - front
  app:
    build: ./app
    networks:
      - front
      - back
  db:
    image: postgres
    networks:
      - back
networks:
  front:
  back:
```

(Diagram: proxy, app, db; port 8080; networks front and back.)
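The Compose V1 and V2 files above are the deck's concrete instance of the Policy slide (A can talk to B, B to C, A must not talk to C, here proxy, app, db). The following is an added example, not code from the deck: it derives which service pairs can exchange traffic from the networks they share, then checks that against the policy. Both compose files are embedded as constructed dicts in one common shape to avoid a YAML dependency, and the claim that Compose V1 puts every container on one shared default bridge is Docker's documented behaviour, not something the slides state.

```python
"""Check a Compose network layout against the deck's A -> B -> C policy.

Added example, not from the deck. Compose v2 attaches a service only to the
networks it lists, so two services exchange traffic only if they share one.
"""
from itertools import combinations

# Constructed to mirror the deck's Compose V2 file (embedded as a dict to
# avoid a YAML dependency): proxy/app share "front", app/db share "back".
COMPOSE_V2 = {
    "services": {
        "proxy": {"build": "./proxy", "ports": ["8080:8080"], "networks": ["front"]},
        "app": {"build": "./app", "networks": ["front", "back"]},
        "db": {"image": "postgres", "networks": ["back"]},
    },
    "networks": {"front": {}, "back": {}},
}

# Constructed to mirror the deck's Compose V1 file, normalized to the same
# shape: links only add name lookup; every container sits on the one default
# bridge (modelled as "default" below), so nothing is segmented.
COMPOSE_V1 = {
    "services": {
        "proxy": {"build": "./proxy", "ports": ["8080:8080"], "links": ["app"]},
        "app": {"build": "./app", "links": ["db"]},
        "db": {"image": "postgres"},
    }
}

# Policy slide: A can talk to B, B to C, A must not talk to C (proxy/app/db).
POLICY = {
    "allow": {frozenset({"proxy", "app"}), frozenset({"app", "db"})},
    "deny": {frozenset({"proxy", "db"})},
}

def reachable_pairs(compose):
    """Unordered service pairs that share at least one network."""
    nets = {name: set(svc.get("networks") or ["default"])
            for name, svc in compose["services"].items()}
    return {frozenset({a, b}) for a, b in combinations(nets, 2) if nets[a] & nets[b]}

def check_policy(compose, policy):
    """Return (allowed pairs that cannot talk, denied pairs that can talk)."""
    reach = reachable_pairs(compose)
    missing = sorted(tuple(sorted(p)) for p in policy["allow"] - reach)
    violated = sorted(tuple(sorted(p)) for p in policy["deny"] & reach)
    return missing, violated

if __name__ == "__main__":
    for label, compose in (("v1", COMPOSE_V1), ("v2", COMPOSE_V2)):
        print(label, check_policy(compose, POLICY))  # v1 flags (db, proxy); v2 is clean
```

The same check applies to any service graph once you know which services share a network; the V1 result shows that links alone give no segmentation.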
Docker Segmentation
Overlay network created and managed by Docker or Weave. DNS based lookups.
Segmentation Scalability
Real world microservices architectures have hundreds to thousands of distinct microservices.
Segmentation Scalability
There’s often a few very popular microservices that everyone else wants to talk to.
Datacenters/AWS Accounts
IAM/AD/LDAP Roles
VPC/VLAN Networks
Security Groups/Hypervisor
IPtables/Calico Policy
Docker Links/Weave Overlay
How to coordinate across all these layers?
How to scale to 1000+ segments?
Hierarchical Segmentation
Enforced by IAM roles at every level.
An AWS oriented example…
AWS Account - Manage across multiple accounts
VPC Z - Manage a reasonable number of large network spaces
Security Group X, Security Group Y
(Diagram: services A, B, C and D, E, F grouped under Security Group X and Security Group Y inside VPC Z within an AWS Account.)
Policy Specification Options
Docker Compose V2
Kubernetes/Mesos policy
Calico/Cisco Contiv
AWS IAM/AD Policies
How to coordinate any/all of these?
Comments and Questions?
Adrian Cockcroft @adrianco
http://slideshare.com/adriancockcroft
Technology Fellow - Battery Ventures
See www.battery.com for a list of portfolio investments
(Battery Ventures portfolio slide; categories shown: Security (Palo Alto Networks), Enterprise IT, Operations & Management, Big Data, Compute, Networking, Storage.)