Cloud
5/5/2016
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

What's Next For Network Security

A 'vanishing' physical network perimeter in the age of mobile, cloud services, and the Internet of Things, is changing network security as well.

LAS VEGAS – Interop 2016 – Network security as we know it ultimately will operate hand in hand with software-defined networking (SDN) and virtualization, security experts here said.

SDN could be a game-changer like virtual machines were, says Cameron Camp, a security researcher at ESET, “If you understand it and know how to do the hard work of network security, you’re going to do better with SDN,” he says.

It’s a logical evolution: as the network and its services become more software-driven and virtualized, it only makes sense that security would join the party. SDN is an emerging network architecture that is becoming popular in data centers.

But a software-defined network architecture comes with some security risks of its own. It leaves organizations open to internal distributed denial-of-service (DDoS) attacks, says Camp, who in a presentation here tomorrow will show how malware can enter virtual environments. It’s possible to hack a virtual machine and basically “blow up that whole box and the network with it,” he says.

“You can take the first few digits of a MAC address and ... know it’s a VM,” he says. “You can take that VM and pop it and do resource-exhaustion” and use that to DDoS the SDN. That would be an ironic twist, of course, since SDN can be used to mitigate external DDoS attacks.

“You have to start looking at internal DDoS defense, but no one is doing it,” he says. “You have to start thinking about ways you would attack this network: SDN has VMs ... and there are going to be larger enterprises that are going to be hit because it’s a more expansive attack surface. If you can get into one of those VMs .. you can tailor your payload and see it’s easy to destroy and pivot.”

The best bet for protection would be to incorporate network defenses within those same boxes, Camp and other experts say.

“SDN is now bringing virtualization and abstraction to the network layer [of security] as well,” Warren Wu, senior director of products at Fortinet, said in an SDN presentation here yesterday. That could go a long way to relieve organizations from the physical appliance overload and management problem in network security.

“Security is really just another part of the infrastructure, and a fundamental” part of a software-defined security framework, he said. That would include virtualized appliances such as firewalls and security services as well.

But firewall, IDS/IPS, and other hardware-based platforms aren’t going anywhere any time soon. Not only is there a well-entrenched culture of “box-huggers” who prefer the hands-on of physical firewalls, but there’s still plenty of life in the physical network security business. And according to Wu, around 97% of network security devices today are currently sold as physical devices.

A virtual firewall would sit on a virtual switch like other network functions, and provide better visibility into network traffic, he says. “And because it’s in a VM, it’s easier to scale, too.”

So-called “micro-segmentation” of users and applications, can help thwart an attacker from moving laterally once he gets a foothold into one user box.

Firewalls

Patrick McClory, senior vice president of platform engineering & delivery services at Datapipe, says enterprises often worry about going with a cloud-based firewall or a virtualized one, so this new software-defined security model also will require a cultural shift. Some worries are based on misconceptions, too: “There are a lot of concerns around firewalling. Amazon has both stateful and state-less firewalls ... people get confused by that sometimes,” McClory says. “Firewalls will have the same workflow and work set, and the vendors are continuing to mature their” software-based products, he says.

Organizations often set-and-forget their firewalls and other security hardware, notes Erik Knight, president of SimpleWan, which sells a cloud-based firewall service that uses sensors that are controlled and operated by its cloud service. “Any time there’s a new update or new rule for a [traditional] firewall ... it’s a manual task, logging into each and every single one,” Knight says. The cloud-based model blasts updates out to each sensor.

And rather than security professionals updating each firewall separately, firewall rules could be pushed to all devices via SDN “in a matter of seconds,” Fortinet’s Wu said.

Crypto

Take VMware’s NSX platform. According to Dom Delfino, vice president in VMware’s networking and security business unit, security is the main use case for NSX. “One of the biggest components of that disappearing perimeter is the complete misalignment between information security policy and network security deployment,” such as which users have access to which applications, for instance, he says.

Virtualization provides “microsegmentation,” where different users, applications, and networks, can be isolated with rules of their own, for instance, so when an attacker gets in, he can’t move laterally. VMware expects to see more customers using virtualization to deploy encryption. “They want to encrypt traffic for a payment application, end to end, for example. In a traditional network, that would be more difficult to do.”

But virtualized network security and SDN-based security are not widely deployed today.

“This is still in the early stages...more the outlier than the norm,” says Dave Lewis, global security advocate at Akamai. 

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
wturner1517
50%
50%
wturner1517,
User Rank: Apprentice
5/16/2016 | 7:22:47 PM
You have to start looking at internal DDoS defense, but no one is doing it
Not entirely true.  We have a solution that will prevent DDos attacks originating within a network and behind the firewall directed against servers with our protection.  (No URL's are allowed here.)  Look up Secure Web Apps to see the solution for Ubuntu and Debian servers.  It is called Fortress/Sentinel.
SynergyIT
100%
0%
SynergyIT,
User Rank: Apprentice
5/12/2016 | 1:57:44 PM
SDN is the Future
Very information artcile, SDN would indeed be a game changer!
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.