Design of Implementation of a Zero Trust Approach to Network Micro-Segmentation

Abstract

The security of the data center network is carried out on the perimeter side. It is
assumed that attacks always come from external parties via the traffic that enters and
exits data center, as known as north-south traffic. This assumption proved to be incorrect
because the data center is a resource center that is interconnected with one another, in
which intra-data of server-to-server traffic, or so-called east-west traffic, makes a
dominant of approximately 85 % of the total traffic. The perimeter security model is built
adopting the trust and untrust concept. A trusted network is in the form of intranet
networks, whereas the untrusted network is in the form of internet networks. Based on the
Computer Security Institute, security incidents originating from intranet networks
transpire of approximately 60 to 80 percent of the incident. One way to surmount this is
by implementing the concept of security in the form of zero-trust networking (ZTN).
Micro-segmentation is one of the ways of implementing ZTN. Micro-segmentation is a
way to divide a network into smaller logical segments with the aim that only end-points
that have been authorized can access resources on that segment. In this paper, microsegmentation will be evaluated by implementing a Cisco Application Centric
Infrastructure based software-defined network testbed. The simulation to determine the
performance of micro-segmentation in restricting port scanning attacks and the spread of
malware on east-west data center traffic as a use case. Performance evaluation results
show that micro-segmentation is resilient to port scanning and the spread of malware to
reduce the attack surface