The document discusses the challenges of implementing effective network segmentation across modern distributed systems. It outlines several common mechanisms used for segmentation, such as VPC networks, security groups, Docker networking, and eBPF/Calico policies. However, it notes that individually these approaches face issues with scalability, coordination, and potential for misconfiguration. The document advocates for a hierarchical approach to segmentation that enforces consistent policies across layers from IAM roles to security groups to individual networks or segments. It raises open questions around coordinating policy specification and management across the different available mechanisms.
In Search of Segmentation
1. In Search of Segmentation
Adrian Cockcroft @adrianco
Technology Fellow - Battery Ventures
February 2016
2. What does @adrianco do?
Technology due diligence on deals
Presentations at conferences
Presentations at companies
Technical advice for portfolio companies
Program committee for conferences
Networking with interesting people
Tinkering with technologies
Maintain relationship with cloud vendors
http://www.slideshare.net/adriancockcroft
5. Airgaps closing
Industrial IoT
Security blanket perimeter firewalls
Datacenter to cloud transitions
New systems of engagement
http://peanuts.wikia.com/wiki/Linus'_security_blanket
15. Disclaimer:
I’m not a developer, I don’t have hands-on experience with any of these mechanisms, I’m looking for input where I’m wrong or missed something.
Also, apologies if I didn’t namecheck your favorite project/product.
32. Datacenters/AWS Accounts
IAM/AD/LDAP Roles
VPC/VLAN Networks
Security Groups/Hypervisor
IPtables/Calico Policy
Docker Links/Weave Overlay
How to coordinate across all these layers?
How to scale to 1000+ segments?
33. Hierarchical Segmentation
Enforced by IAM roles at every level
An AWS oriented example…
AWS Account - Manage across multiple accounts
VPC Z - Manage a reasonable number of large network spaces
Security Group X, Security Group Y - the nested diagram shows each security group enclosing a few segments (labelled A-F)
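As an added illustration (not from the deck), a small Python model of the hierarchy on this slide: account, VPC, security group and segment each carry their own allow-list, a flow passes only when every layer agrees, and a check reports lower-layer rules that an enclosing layer already blocks, one symptom of policy that has not been coordinated across layers. Node names, ports and rules are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """One box in the hierarchy. `allow` holds (destination name, port) pairs
    this node permits, expressed at the node's own level (SG rules name SGs, etc.)."""
    name: str
    level: str                       # "account" | "vpc" | "sg" | "segment"
    parent: Optional["Node"] = None
    allow: set = field(default_factory=set)


def chain(node):
    """Walk from a leaf up to the root: [segment, sg, vpc, account]."""
    out = []
    while node is not None:
        out.append(node)
        node = node.parent
    return out


def flow_allowed(src, dst, port):
    """Hierarchical enforcement: the flow passes only if every layer agrees."""
    src_chain, dst_chain = chain(src), chain(dst)
    if len(src_chain) != len(dst_chain):
        raise ValueError("hierarchy depth differs between src and dst")
    return all((d.name, port) in s.allow for s, d in zip(src_chain, dst_chain))


def shadowed_rules(nodes):
    """Rules an enclosing layer already blocks: they never take effect and
    signal policy drifting between layers. Returns (rule owner, dst, port, blocking layer)."""
    by_name = {n.name: n for n in nodes}
    findings = []
    for n in nodes:
        for dst_name, port in sorted(n.allow):
            dst = by_name[dst_name]
            if n.parent and dst.parent and (dst.parent.name, port) not in n.parent.allow:
                findings.append((n.name, dst_name, port, n.parent.name))
    return findings


def build_example():
    """Constructed sample: one account, VPC Z, SG X and SG Y, lettered segments.
    Above segment level only HTTPS from SG X to SG Y is permitted."""
    acct = Node("Account", "account", allow={("Account", 443)})
    vpc = Node("VPC Z", "vpc", acct, allow={("VPC Z", 443)})
    sg_x = Node("SG X", "sg", vpc, allow={("SG Y", 443)})
    sg_y = Node("SG Y", "sg", vpc)
    a = Node("A", "segment", sg_x, allow={("D", 443), ("B", 22)})  # B:22 is blocked by SG X
    b = Node("B", "segment", sg_x)
    d = Node("D", "segment", sg_y)
    return [acct, vpc, sg_x, sg_y, a, b, d]
```

Running `shadowed_rules(build_example())` reports the segment rule A→B:22 as dead because SG X never permits port 22, which is the kind of cross-layer inconsistency the slide asks how to coordinate.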
34. Policy Specification Options
Docker Compose V2
Kubernetes/Mesos policy
Calico/Cisco Contiv
AWS IAM/AD Policies
How to coordinate any/all of these?
35. Comments and Questions?
Adrian Cockcroft @adrianco
http://slideshare.com/adriancockcroft
Technology Fellow - Battery Ventures
See www.battery.com for a list of portfolio investments
36. Security
Visit http://www.battery.com/our-companies/ for a full list of all portfolio companies in which all Battery Funds have invested.
Portfolio logo slide; categories shown: Security (Palo Alto Networks), Enterprise IT, Operations & Management, Big Data, Compute, Networking, Storage.