Data center network security has traditionally been enforced at the perimeter, on the assumption that attacks come from external parties through the traffic that enters and leaves the data center, known as north-south traffic. This assumption has proved incorrect: a data center is a pool of interconnected resources, and the server-to-server traffic inside it, so-called east-west traffic, dominates at roughly 85% of total traffic. The perimeter security model is built on a trusted/untrusted split, in which the intranet is treated as trusted and the internet as untrusted. According to the Computer Security Institute, however, approximately 60 to 80 percent of security incidents originate from the intranet. One way to address this is zero-trust networking (ZTN), and micro-segmentation is one way of implementing ZTN. Micro-segmentation divides a network into smaller logical segments so that only authorized endpoints can reach the resources in a given segment. In this paper, micro-segmentation is evaluated on a software-defined network testbed built on Cisco Application Centric Infrastructure (ACI). The simulation measures, as a use case, how well micro-segmentation restricts port scanning attacks and the spread of malware over east-west data center traffic. The evaluation results show that micro-segmentation is resilient to port scanning and to malware propagation, reducing the attack surface.
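To make the abstract's claim concrete, the following is an added example (it is not code from the paper or from Cisco ACI) that models a small three-tier data center as endpoint segments with whitelist contracts, loosely in the spirit of ACI endpoint groups and contracts, and then runs a simulated east-west port scan and worm propagation from one compromised web server with and without micro-segmentation. The inventory, open ports, contract set and the default that intra-segment traffic is permitted unless isolation is switched on are all assumptions made for the example.

```python
"""Toy model of micro-segmentation on east-west traffic (added example, not
the paper's ACI testbed). Segments and contracts are modelled loosely after
ACI endpoint groups and contracts: a flow is permitted only if a contract
between the source and destination segment lists its destination port.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed inventory: endpoint name -> segment it belongs to.
ENDPOINTS: Dict[str, str] = {
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db",
    "jump-1": "mgmt",
}

# Constructed service map: endpoint name -> open TCP ports.
LISTENING: Dict[str, Set[int]] = {
    "web-1": {22, 80, 443}, "web-2": {22, 80, 443},
    "app-1": {22, 8080}, "app-2": {22, 8080},
    "db-1": {22, 3306},
    "jump-1": {22},
}

Contracts = Dict[Tuple[str, str], FrozenSet[int]]


@dataclass(frozen=True)
class Policy:
    """Whitelist of (consumer_segment, provider_segment) -> allowed dst ports.
    intra_segment_isolation=True additionally blocks traffic between members
    of the same segment (assumption: such traffic is allowed when False)."""
    contracts: Contracts
    intra_segment_isolation: bool = False


# Constructed micro-segmentation policy: only the flows the tiers need.
MICROSEG = Policy({
    ("web", "app"): frozenset({8080}),
    ("app", "db"): frozenset({3306}),
    ("mgmt", "web"): frozenset({22}),
    ("mgmt", "app"): frozenset({22}),
    ("mgmt", "db"): frozenset({22}),
})

# A flat, perimeter-only network applies no east-west filtering at all.
FLAT: Optional[Policy] = None


def allowed(policy: Optional[Policy], src: str, dst: str, port: int) -> bool:
    """Would the fabric forward a TCP flow src -> dst:port under this policy?"""
    if policy is None:
        return True
    s, d = ENDPOINTS[src], ENDPOINTS[dst]
    if s == d:
        return not policy.intra_segment_isolation
    return port in policy.contracts.get((s, d), frozenset())


def port_scan(policy: Optional[Policy], attacker: str) -> Dict[str, Set[int]]:
    """Simulate a TCP scan of every known service port from `attacker`.
    Returns {target: ports that answered}; a port answers only if it is open
    on the target and the policy lets the probe through."""
    probe_ports = sorted({p for ports in LISTENING.values() for p in ports})
    seen: Dict[str, Set[int]] = {}
    for target in ENDPOINTS:
        if target == attacker:
            continue
        hits = {p for p in probe_ports
                if p in LISTENING[target] and allowed(policy, attacker, target, p)}
        if hits:
            seen[target] = hits
    return seen


def attack_surface(scan: Dict[str, Set[int]]) -> int:
    """Number of (host, port) pairs the scanner could reach."""
    return sum(len(ports) for ports in scan.values())


def worm_spread(policy: Optional[Policy], patient_zero: str, vuln_port: int) -> Set[str]:
    """Breadth-first propagation of a worm exploiting a service on `vuln_port`:
    each infected host compromises every host it can reach on that port.
    Returns the set of infected hosts."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst in ENDPOINTS:
            if (dst not in infected and vuln_port in LISTENING[dst]
                    and allowed(policy, src, dst, vuln_port)):
                infected.add(dst)
                queue.append(dst)
    return infected


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("micro-segmented", MICROSEG)):
        scan = port_scan(policy, "web-1")
        print(f"{name}: web-1 reaches {attack_surface(scan)} open ports: {scan}")
        print(f"{name}: SSH worm from web-1 infects {sorted(worm_spread(policy, 'web-1', 22))}")
```

In the flat network the compromised web server can enumerate every open port on every peer and an SSH worm reaches all six hosts; under the contract whitelist the scan is confined to the web tier plus the single application port it is allowed to consume, and the worm cannot leave the web segment. Turning on intra-segment isolation confines it to patient zero, which is the kind of attack-surface reduction the paper measures on its ACI testbed.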
Number of pages: 10
Journal: International Journal of Advanced Science and Technology
Issue number: 7 Special Issue
Publication status: Published - 14 Apr 2020
- Data Center
- East-West Traffic
- Zero Trust Network