LAS VEGAS – Interop 2016 – Network security as we know it ultimately will operate hand in hand with software-defined networking (SDN) and virtualization, security experts here said.
SDN could be a game-changer in the way virtual machines were, says Cameron Camp, a security researcher at ESET. “If you understand it and know how to do the hard work of network security, you’re going to do better with SDN,” he says.
It’s a logical evolution: as the network and its services become more software-driven and virtualized, it only makes sense that security would join the party. SDN is an emerging network architecture that is becoming popular in data centers.
But a software-defined network architecture comes with some security risks of its own. It leaves organizations open to internal distributed denial-of-service (DDoS) attacks, says Camp, who in a presentation here tomorrow will show how malware can enter virtual environments. It’s possible to hack a virtual machine and basically “blow up that whole box and the network with it,” he says.
“You can take the first few digits of a MAC address and ... know it’s a VM,” he says. “You can take that VM and pop it and do resource-exhaustion” and use that to DDoS the SDN. That would be an ironic twist, of course, since SDN can be used to mitigate external DDoS attacks.
“You have to start looking at internal DDoS defense, but no one is doing it,” he says. “You have to start thinking about ways you would attack this network: SDN has VMs ... and there are going to be larger enterprises that are going to be hit because it’s a more expansive attack surface. If you can get into one of those VMs ... you can tailor your payload and see it’s easy to destroy and pivot.”
The best bet for protection would be to incorporate network defenses within those same boxes, Camp and other experts say.
“SDN is now bringing virtualization and abstraction to the network layer [of security] as well,” Warren Wu, senior director of products at Fortinet, said in an SDN presentation here yesterday. That could go a long way to relieve organizations from the physical appliance overload and management problem in network security.
“Security is really just another part of the infrastructure, and a fundamental” part of a software-defined security framework, he said. That would include virtualized appliances such as firewalls and security services as well.
But firewall, IDS/IPS, and other hardware-based platforms aren’t going anywhere any time soon. Not only is there a well-entrenched culture of “box-huggers” who prefer the hands-on nature of physical firewalls, but there’s still plenty of life in the physical network security business. According to Wu, around 97% of network security devices today are sold as physical appliances.
A virtual firewall would sit on a virtual switch like other network functions, and provide better visibility into network traffic, he says. “And because it’s in a VM, it’s easier to scale, too.”
So-called “micro-segmentation” of users and applications can help thwart an attacker from moving laterally once he gets a foothold on one user’s box.
Patrick McClory, senior vice president of platform engineering & delivery services at Datapipe, says enterprises often worry about going with a cloud-based firewall or a virtualized one, so this new software-defined security model also will require a cultural shift. Some worries are based on misconceptions, too: “There are a lot of concerns around firewalling. Amazon has both stateful and state-less firewalls ... people get confused by that sometimes,” McClory says. “Firewalls will have the same workflow and work set, and the vendors are continuing to mature their” software-based products, he says.
Organizations often set-and-forget their firewalls and other security hardware, notes Erik Knight, president of SimpleWan, which sells a cloud-based firewall service that uses sensors that are controlled and operated by its cloud service. “Any time there’s a new update or new rule for a [traditional] firewall ... it’s a manual task, logging into each and every single one,” Knight says. The cloud-based model blasts updates out to each sensor.
And rather than security professionals updating each firewall separately, firewall rules could be pushed to all devices via SDN “in a matter of seconds,” Fortinet’s Wu said.
Take VMware’s NSX platform. According to Dom Delfino, vice president in VMware’s networking and security business unit, security is the main use case for NSX. “One of the biggest components of that disappearing perimeter is the complete misalignment between information security policy and network security deployment,” such as which users have access to which applications, he says.
Virtualization provides “microsegmentation,” where different users, applications, and networks can be isolated with rules of their own, so that when an attacker gets in, he can’t move laterally. VMware also expects to see more customers using virtualization to deploy encryption. “They want to encrypt traffic for a payment application, end to end, for example. In a traditional network, that would be more difficult to do.”
But virtualized network security and SDN-based security are not widely deployed today.
“This is still in the early stages ... more the outlier than the norm,” says Dave Lewis, global security advocate at Akamai.