Monitor Network Traffic

Key to microsegmentation is to ensure that a set of rules defined in a ruleset properly allows all the required flows of a given application. Consider every other flow to be an exception to follow the model of least privilege model.
With this approach, security teams can define alarms for guardrail violations and investigate anomalies more easily.
Take the following practical example of an application with the following layers.
  • Frontend:
    an Internet facing workload that requires accepting traffic from public networks.
  • API gateway (api-gw):
    accepts incoming traffic from the frontend and backend. It also sends traffic to these components.
  • Backend:
    a workload that doesn’t require accepting traffic from public networks.
  • Database:
    a workload that only accepts traffic from the Backend.
To understand traffic flows of the application and the expected behaviors, look at the flow map.
Prisma Cloud Identity-Based Microsegmentation uses the following types of flows to help you in the network analysis.
  • Processing Unit to Processing Unit (PU to PU)
  • External Network to Processing Unit (Ext Net to PU)
  • Processing Unit to External Network (PU to Ext Net)
  • Processing Unit to somewhere
  • somewhere to Processing Unit
The label somewhere is given to a resource meeting one of the following conditions.
  • It is not a Processing Unit (PU).
  • Its IP address doesn’t match a pre-defined External Network (Ext Net).
  • Its fully-qualified domain name (FQDN) doesn’t match a pre-defined Ext Net.
The decision the Defenders made about the flows are shown on the flow map using different line colors and styles.
  • Solid Green:
    The flow was accepted by an explicit ruleset.
  • Dashed Green:
    The flow was accepted by an implicit namespace policy. If you switch the namespace policy from
    Allow
    to
    Reject
    , the flow is then rejected.
  • Solid Red:
    The flow was rejected by an explicit ruleset.
  • Dashed Red:
    The flow was rejected by the implicit namespace policy. If you switch the namespace policy from
    Reject
    to
    Allow
    , the flow is then allowed.
  • Orange:
    In a given time range, the flows was reported both as allowed and rejected due to a change in policy.
You can follow th policy as code approach to automate the policy creation through continuous integration and continuous development (CI/CD) pipelines.
The following example shows the application’s flow map once you modify the namespace’s implicit default action to
Reject
after creating the required external networks and rulesets.
You can see that a microsegmentation ruleset explicitly allows all required flows for the application and the implicit namespace policy rejects all other flows.
Complete the following steps next to complete your microsegmentation configuration.
  1. Create rulesets using one of the following methods depending on your security requirements.

Recommended For You