dc.description.abstract |
The deployment of strong security measures is necessary due to the rise of complex malware lateral threats
in a fully stacked virtual environment. The effectiveness of micro-segmentation as a tactic to lessen
malware's threat surface is examined in this thesis. The study focuses on evaluating the security of virtual
machines (VMs) using Windows Defender, the integrated antivirus program in Windows operating
systems. Based on this evaluation, dynamic security tags are developed on the software-defined networking
platform VMware NSX to categorize virtual machines (VMs) into three separate security groups: infected,
protected, and vulnerable. The segmented network's traffic protection measures are then implemented using
dynamic criterion policies.
The implementation technique is described in detail in the thesis, beginning with the gathering of
each VM's protection status and current state data. Indicators of malware infections, real-time protection
status, OS patch update status, and antivirus signature update status are all included in this data. As a
result of the integration of this data with NSX, security tags are automatically issued to VMs, enabling
traffic separation and granular security controls.
Through comprehensive testing and analysis of VM behavior within the VMware data center environment,
the effectiveness of the suggested micro-segmentation approach has been determined. Metrics such as
malware containment rates, lateral movement control, and access control enforcement are measured and
contrasted against network segmentation methods.
Along with the technological implementation, a thorough comparison between network segmentation and
micro-segmentation is done as a proof of concept. To fully comprehend the benefits and drawbacks of each
strategy, factors including security efficacy, scalability, complexity, performance impact, and auditing
capabilities are studied. By using this information, network managers and security experts may choose the
best method for strengthening network security in the face of constantly changing malware threats.
Results show how effective micro-segmentation is at reducing malware's attack surface. The detailed
comparative analysis and the exact implementation methods add to the body of knowledge previously
available on network security. This thesis is a helpful resource for businesses looking to put strong security
measures in place and protect their network infrastructures from the malware threats that are continuously
changing. |
en_US |