Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

5/5/2016
07:00 PM

What's Next For Network Security

A 'vanishing' physical network perimeter in the age of mobile, cloud services, and the Internet of Things is changing network security as well.

LAS VEGAS – Interop 2016 – Network security as we know it ultimately will operate hand in hand with software-defined networking (SDN) and virtualization, security experts here said.

SDN could be a game-changer like virtual machines were, says Cameron Camp, a security researcher at ESET. “If you understand it and know how to do the hard work of network security, you’re going to do better with SDN,” he says.

It’s a logical evolution: as the network and its services become more software-driven and virtualized, it only makes sense that security would join the party. SDN is an emerging network architecture that is becoming popular in data centers.

But a software-defined network architecture comes with some security risks of its own. It leaves organizations open to internal distributed denial-of-service (DDoS) attacks, says Camp, who in a presentation here tomorrow will show how malware can enter virtual environments. It’s possible to hack a virtual machine and basically “blow up that whole box and the network with it,” he says.

“You can take the first few digits of a MAC address and ... know it’s a VM,” he says. “You can take that VM and pop it and do resource-exhaustion” and use that to DDoS the SDN. That would be an ironic twist, of course, since SDN can be used to mitigate external DDoS attacks.

“You have to start looking at internal DDoS defense, but no one is doing it,” he says. “You have to start thinking about ways you would attack this network: SDN has VMs ... and there are going to be larger enterprises that are going to be hit because it’s a more expansive attack surface. If you can get into one of those VMs ... you can tailor your payload and see it’s easy to destroy and pivot.”

The best bet for protection would be to incorporate network defenses within those same boxes, Camp and other experts say.

“SDN is now bringing virtualization and abstraction to the network layer [of security] as well,” Warren Wu, senior director of products at Fortinet, said in an SDN presentation here yesterday. That could go a long way to relieve organizations from the physical appliance overload and management problem in network security.

“Security is really just another part of the infrastructure, and a fundamental” part of a software-defined security framework, he said. That would include virtualized appliances such as firewalls and security services as well.

But firewall, IDS/IPS, and other hardware-based platforms aren’t going anywhere any time soon. Not only is there a well-entrenched culture of “box-huggers” who prefer the hands-on feel of physical firewalls, but there’s still plenty of life in the physical network security business. According to Wu, around 97% of network security devices are currently sold as physical devices.

A virtual firewall would sit on a virtual switch like other network functions, and provide better visibility into network traffic, he says. “And because it’s in a VM, it’s easier to scale, too.”

So-called “micro-segmentation” of users and applications can help thwart an attacker from moving laterally once he gets a foothold on one user’s machine.

Firewalls

Patrick McClory, senior vice president of platform engineering & delivery services at Datapipe, says enterprises often worry about going with a cloud-based firewall or a virtualized one, so this new software-defined security model also will require a cultural shift. Some worries are based on misconceptions, too: “There are a lot of concerns around firewalling. Amazon has both stateful and state-less firewalls ... people get confused by that sometimes,” McClory says. “Firewalls will have the same workflow and work set, and the vendors are continuing to mature their” software-based products, he says.

Organizations often set-and-forget their firewalls and other security hardware, notes Erik Knight, president of SimpleWan, which sells a cloud-based firewall service that uses sensors that are controlled and operated by its cloud service. “Any time there’s a new update or new rule for a [traditional] firewall ... it’s a manual task, logging into each and every single one,” Knight says. The cloud-based model blasts updates out to each sensor.

And rather than security professionals updating each firewall separately, firewall rules could be pushed to all devices via SDN “in a matter of seconds,” Fortinet’s Wu said.

Crypto

Take VMware’s NSX platform. According to Dom Delfino, vice president in VMware’s networking and security business unit, security is the main use case for NSX. “One of the biggest components of that disappearing perimeter is the complete misalignment between information security policy and network security deployment,” such as which users have access to which applications, for instance, he says.

Virtualization provides “microsegmentation,” where different users, applications, and networks can be isolated with rules of their own, so when an attacker gets in, he can’t move laterally. VMware expects to see more customers using virtualization to deploy encryption. “They want to encrypt traffic for a payment application, end to end, for example. In a traditional network, that would be more difficult to do,” he says.
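The micro-segmentation idea raised twice above (isolating users and applications with their own rules so a foothold on one machine cannot be turned into lateral movement) is easiest to see as a default-deny allow-list evaluated per flow. The following is an added illustration written for this page, not code from the article or from VMware, Fortinet or any vendor mentioned; the segment names, CIDR ranges, ports and sample flows are all constructed. It contrasts a flat, perimeter-only model (anything internal may talk to anything internal) with a segmented policy, and counts how many of the sample flows the segmented policy blocks that the flat model would have let through.

```python
"""Toy micro-segmentation policy check (constructed example, not vendor code)."""
from ipaddress import ip_address, ip_network

# Constructed segments: a user LAN, a web tier and a payments database tier.
SEGMENTS = {
    "users": ip_network("10.10.0.0/24"),
    "web": ip_network("10.20.0.0/24"),
    "payments-db": ip_network("10.30.0.0/24"),
}

# Allowed flows as (source segment, destination segment, destination port).
# Everything not listed, including traffic within a segment, is denied.
POLICY = {
    ("users", "web", 443),         # users browse the web tier over HTTPS
    ("web", "payments-db", 5432),  # web tier reaches the database
}

# Every address that belongs to some segment counts as "internal".
INTERNAL = list(SEGMENTS.values())


def segment_of(ip):
    """Return the segment name an address belongs to, or None if it is unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def flat_allows(src_ip, dst_ip, dst_port):
    """Perimeter-only model: any internal host may reach any internal host."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return any(src in n for n in INTERNAL) and any(dst in n for n in INTERNAL)


def segmented_allows(src_ip, dst_ip, dst_port):
    """Micro-segmentation model: default deny, allow only listed flows."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown addresses never match a rule
    return (src, dst, dst_port) in POLICY


def evaluate(flows):
    """Return a list of (flow, flat_verdict, segmented_verdict) tuples."""
    return [(f, flat_allows(*f), segmented_allows(*f)) for f in flows]


def lateral_moves_blocked(flows):
    """Count flows the flat model permits but the segmented policy denies."""
    return sum(1 for _, flat, seg in evaluate(flows) if flat and not seg)


# Constructed sample flows, as if 10.10.0.7 were a compromised user workstation.
SAMPLE_FLOWS = [
    ("10.10.0.7", "10.20.0.5", 443),    # legitimate: user -> web tier
    ("10.20.0.5", "10.30.0.9", 5432),   # legitimate: web tier -> database
    ("10.10.0.7", "10.30.0.9", 5432),   # user straight to database: lateral move
    ("10.10.0.7", "10.10.0.8", 445),    # user to neighbouring user over SMB
    ("10.10.0.7", "10.20.0.5", 22),     # user to web tier over SSH, not allowed
    ("192.168.1.1", "10.30.0.9", 5432),  # address outside every segment
]

if __name__ == "__main__":
    for flow, flat, seg in evaluate(SAMPLE_FLOWS):
        print(f"{flow!s:40} flat={flat!s:5} segmented={seg}")
    print("lateral moves blocked by segmentation:",
          lateral_moves_blocked(SAMPLE_FLOWS))
```

The point the example makes is that the flat model only knows "inside" and "outside", so the three east-west flows from the compromised workstation all pass; the segmented policy denies them because no rule names that source, destination and port together, while the two legitimate tier-to-tier flows are unaffected.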

But virtualized network security and SDN-based security are not widely deployed today.

“This is still in the early stages ... more the outlier than the norm,” says Dave Lewis, global security advocate at Akamai.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
Comments
wturner1517,
User Rank: Apprentice
5/16/2016 | 7:22:47 PM
You have to start looking at internal DDoS defense, but no one is doing it
Not entirely true. We have a solution that will prevent DDoS attacks originating within a network and behind the firewall directed against servers with our protection. (No URLs are allowed here.) Look up Secure Web Apps to see the solution for Ubuntu and Debian servers. It is called Fortress/Sentinel.
SynergyIT
SynergyIT,
User Rank: Apprentice
5/12/2016 | 1:57:44 PM
SDN is the Future
Very informative article, SDN would indeed be a game changer!