
PRODUCT BRIEF

Validating Data Center Microsegmentation
SEGMENTING WORKLOADS

Virtualization took marketing's microsegmentation concept and applied it to
modern data centers. It uses a collection of virtual machines or containers to
segment data centers by their meaningful workloads. With workloads classified
by the specific functions they serve (like web, application, database, services and
workloads), organizations can specify security measures relevant to each
workload type.
Previously, data centers were treated as monolithic entities, protected by
perimeter security technologies. The biggest issue with this approach is that once
an intruder gained access to the data center network, they could move laterally
around the large attack surface that a typical data center presents. With little to
no security measures existing between, for example, an infected server and a
database, these attacks get a free run.

Traditional data center perimeter security is not equipped to stop such
movements. Thus, it is more secure to segregate the data center into smaller and
similar workloads and create individual security plans and measures for each of
them. This is an efficient way to protect data from threats like lateral movement
or any other exploits or malware that are relevant in east-west traffic.

26601 Agoura Road | Calabasas, CA 91302 USA | Tel + 1-818-871-1800 | www.ixiacom.com Page 1
915-3723-01-6071 Rev A
In virtualization, microsegmentation can also extend beyond the data center. As
an example, we can apply different security policies to the human resources (HR)
database workloads of a company than to those from sales.

Data Center Microsegmentation System Test

Organizations must validate each path between the workloads.

WHY DO WE NEED TO TEST?

Precision Communications Between Workloads

Although it improves security, applying new policies that will restrict traffic
flow between workloads within a data center can also lead to the blocking of
legitimate traffic. For example, a web workload may be interacting with the
database workload on both ports 1433 and 2383. A poorly written security policy
may allow port 1433 and block 2383, causing service disruptions.

Similarly, a web workload may try to communicate with the authentication
workload through various authentication methods (MS-CHAP, EAP, PAP, etc.),
and security policies should ensure only the allowed authentication methods are
passed and the rest are blocked.

The security solution should also ensure that blocking criteria are not just based
on ports, but also on traffic patterns, data types, and heuristics. In summary,
communication must be seamless for allowed applications and allowed privileges,
and blocked for all else.
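The two failure modes above (a legitimate flow that the policy silently blocks, and a disallowed method that the policy lets through because it matches only on port) can be caught before deployment by checking a candidate rule set against an inventory of flows that must pass and flows that must be blocked. The following is an added example written for this brief, not BreakingPoint code or any vendor's policy format: it models a first-match, default-deny policy whose rules can match on port and on the application or method seen on the wire, and reports both kinds of mismatch. The workload names, the application labels ("mssql", "olap", "eap", "pap", "ms-chap") and the RADIUS port 1812 for the authentication workload are assumptions; the ports 1433 and 2383 come from the text above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True, order=True)
class Flow:
    """One observed or expected east-west flow between two workload clusters."""
    src: str    # source workload cluster, e.g. "web"
    dst: str    # destination workload cluster, e.g. "database"
    port: int   # destination TCP/UDP port
    app: str    # application or auth method identified on the wire (constructed labels)


@dataclass(frozen=True)
class Rule:
    """A microsegmentation rule; None for port or app means 'any'."""
    src: str
    dst: str
    action: str                 # "allow" or "deny"
    port: Optional[int] = None
    app: Optional[str] = None   # matching on app goes beyond a plain port match

    def matches(self, flow: Flow) -> bool:
        return (self.src == flow.src and self.dst == flow.dst
                and (self.port is None or self.port == flow.port)
                and (self.app is None or self.app == flow.app))


def evaluate(policy: list, flow: Flow) -> str:
    """First matching rule wins; a flow matching no rule is denied (default deny)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


def validate(policy: list, must_allow: set, must_deny: set) -> dict:
    """Return legitimate flows the policy would disrupt and blocked-by-design
    flows the policy would let through."""
    disruptions = sorted(f for f in must_allow if evaluate(policy, f) != "allow")
    over_permissive = sorted(f for f in must_deny if evaluate(policy, f) != "deny")
    return {"disruptions": disruptions, "over_permissive": over_permissive}


# Constructed flow inventory. The web tier talks to the database on 1433 and 2383
# (as in the brief) and authenticates with EAP; PAP and reverse-direction traffic
# must never pass.
MUST_ALLOW = {
    Flow("web", "database", 1433, "mssql"),
    Flow("web", "database", 2383, "olap"),
    Flow("web", "auth", 1812, "eap"),
}
MUST_DENY = {
    Flow("database", "web", 1433, "mssql"),   # wrong direction
    Flow("web", "database", 3389, "rdp"),     # admin protocol from the web tier
    Flow("web", "auth", 1812, "pap"),         # unapproved authentication method
}

# The "poorly written" policy from the text: 2383 is forgotten, and the auth
# rule matches on port only, so any method on 1812 gets through.
POORLY_WRITTEN = [
    Rule("web", "database", "allow", port=1433),
    Rule("web", "auth", "allow", port=1812),
]

# Corrected policy: both database ports, and only the approved auth methods.
CORRECTED = [
    Rule("web", "database", "allow", port=1433, app="mssql"),
    Rule("web", "database", "allow", port=2383, app="olap"),
    Rule("web", "auth", "allow", port=1812, app="eap"),
    Rule("web", "auth", "allow", port=1812, app="ms-chap"),
]


def report(policy: list) -> list:
    """Human-readable findings for one policy (empty list means it passed)."""
    result = validate(policy, MUST_ALLOW, MUST_DENY)
    lines = [f"DISRUPTION   {f.src}->{f.dst}:{f.port} ({f.app}) would be blocked"
             for f in result["disruptions"]]
    lines += [f"OVERPERMIT   {f.src}->{f.dst}:{f.port} ({f.app}) would be allowed"
              for f in result["over_permissive"]]
    return lines


if __name__ == "__main__":
    for name, policy in (("poorly written", POORLY_WRITTEN), ("corrected", CORRECTED)):
        print(f"== {name} policy ==")
        print("\n".join(report(policy)) or "no findings")
```

Running it lists one disruption (web to database on 2383) and one over-permissive flow (PAP to the authentication workload) for the first policy and no findings for the corrected one. The same check is what a traffic-generation test does end to end: send every inventoried flow through the live enforcement point and compare what arrives against the must-allow and must-deny lists.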

Security Resiliency Between Each Path

To secure workloads, security measures are either put within the workload or
between the two workload clusters where data travels. The security requirements
of one workload cluster may differ from another's. For example, the vulnerabilities
and exploits affecting the web workload are different from the ones affecting the
database or the application workloads. Proper resiliency tests that measure the
security efficacy between each of these paths are key to identifying weaknesses
in those paths and possible remediation for any exposed risk. The tests also help
in fine-tuning security policies or in performing a proof of concept (PoC) before
deploying any newer security technologies.

Measuring Performance Impacts Due to Microsegmentation
In general, inline security policies will have performance impacts. Analyzing
traffic in motion and making decisions based on analysis can introduce latencies.
Performance issues include lower throughput, latencies, and session scalability.
Historically, many security technologies have been discontinued or put in non-
blocking mode due to their impact on performance and business. To ensure the
security technology continues in production, it’s important to prove that it can
perform its tasks without impacting business performance.

Key Issues

Traffic Flow Disruptions: When implementing new security technologies,
blocking legitimate traffic is always a risk. It's important to verify that there is
no disruption of usual traffic flows.

Performance Bottlenecks with Microsegmentation: Performance issues and
scalability limitations may arise due to microsegmentation. Validation is critical
for throughput, latencies, and session scalability to ensure performance continues
to meet business needs.

Validating Efficacy of Security Policies: Ensuring security technologies deployed
are resilient to attacks. Security tools and policies set for specific workloads must
all be vetted to ensure they really protect as they should.

VALIDATING MICROSEGMENTATION DEPLOYMENTS

Testing Seamless Flow of Legitimate Traffic

Problem: Even in traditional network security, it is difficult to validate
that legitimate traffic passes through while blocking everything else.
Microsegmentation adds more complexity to generating legitimate traffic that
is realistic because it breaks a monolithic system into several smaller workload
clusters with traffic traveling between them.

Solution: Generating Real-World Traffic®, BreakingPoint Virtual Edition (VE) can
replicate any of those workload clusters. It becomes both the sender and receiver
of various such workloads, even replicating the entire microsegmentation network.
By simultaneously simulating traffic (like that from applications, the web,
databases, or clients) through the individual components of a data center, you can
effectively test every traffic path possible. Since it can also simulate data traffic
patterns, you can test if the security solution goes beyond port matches to block
malicious traffic. A series of pre-packaged test cases and reports ensure all
legitimate traffic flows are allowed while anything else is blocked.

BreakingPoint VE as part of each workload.

KEY BREAKINGPOINT TEST CASES

• Create mixes of relevant applications and understand latency, throughput,
and concurrency of such applications in a microsegmentation environment

• Generate different classes of attacks (like database, web, and application) to
simulate the security challenges relevant to each workload type

• Create a mix of legitimate and malicious traffic patterns for each workload type
and ensure all suspect traffic is blocked while allowing all other traffic

BreakingPoint grouping of security attacks relevant to east-west traffic.

Test Security Resiliency
Problem: Implementation of security policies requires proper validation that
they work as expected and can neutralize any threat vector moving
between any workloads.

Solution: By being part of each of the workload clusters, BreakingPoint VE will
generate a mix of application traffic and attacks that are relevant to that workload.
The attacks are a mix of reconnaissance, exploits, and malware that accurately
simulate lateral threats that are expected to occur in such workloads. In addition
to attacks, BreakingPoint simulates the application traffic expected in such traffic
paths to replicate real-life profiles where attacks are always intermingled with
regular business traffic.

Simulation of advanced lateral threat movements using BreakingPoint VE.

Detecting Performance Bottlenecks and Scalability Issues

Problem: Tests need to ensure that even with all types of detection and blocking
policies in place, network performance doesn't degrade to the extent that it
causes business impact.

Solution: BreakingPoint VE sends application traffic at scale through each traffic
path to measure all key performance indicators (KPIs). This ensures there is no
considerable degradation in throughput, latency, or connection scalability.
Such tests help you discover any bottlenecks and other serious issues like
memory exceptions and workload crashes that can sometimes be artifacts of such
bottlenecks.

Representative graph of performance impact when security policies between workloads are applied.

VALIDATE SECURITY AND RESILIENCY OF MICROSEGMENTATION
ARCHITECTURES WITH BREAKINGPOINT VE

With BreakingPoint VE part of workloads, generating both application and attack
traffic, you'll have a seamless test function for your microsegmentation deployment.

Virtual networks provide the opportunity to easily and effectively microsegment
traffic. Applying security measures and policies based on microsegmentation looks
to be a smart way to secure virtualized data center environments. It distributes
security around the network without putting excessive pressure on any individual
links. Security vendors are rapidly adapting to this strategy and bringing to
market workload-specific solutions. They enable security measures like deep
packet inspection (DPI), intrusion prevention, and anti-spyware within or between
workloads. With BreakingPoint VE, you can simulate the characteristics of various
workloads and lateral movement of threat vectors, delivering a seamless test
function to assess and manage your microsegmentation deployment.

MORE INFORMATION:
www.ixiacom.com/products/breakingpoint-ve

IXIA WORLDWIDE
26601 W. Agoura Road
Calabasas, CA 91302
(Toll Free North America) 1.877.367.4942
(Outside North America) +1.818.871.1800
(Fax) 1.818.871.1805
www.ixiacom.com

IXIA EUROPE
Clarion House, Norreys Drive
Maidenhead SL64FL
United Kingdom
Sales +44.1628.408750
(Fax) +44.1628.639916

IXIA ASIA PACIFIC
101 Thomson Road,
#29-04/05 United Square,
Singapore 307591
Sales +65.6332.0125
(Fax) +65.6332.0127

© Keysight Technologies, 2017
