Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/5/2016
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

What's Next For Network Security

A 'vanishing' physical network perimeter in the age of mobile, cloud services, and the Internet of Things, is changing network security as well.

LAS VEGAS – Interop 2016 – Network security as we know it ultimately will operate hand in hand with software-defined networking (SDN) and virtualization, security experts here said.

SDN could be a game-changer like virtual machines were, says Cameron Camp, a security researcher at ESET, “If you understand it and know how to do the hard work of network security, you’re going to do better with SDN,” he says.

It’s a logical evolution: as the network and its services become more software-driven and virtualized, it only makes sense that security would join the party. SDN is an emerging network architecture that is becoming popular in data centers.

But a software-defined network architecture comes with some security risks of its own. It leaves organizations open to internal distributed denial-of-service (DDoS) attacks, says Camp, who in a presentation here tomorrow will show how malware can enter virtual environments. It’s possible to hack a virtual machine and basically “blow up that whole box and the network with it,” he says.

“You can take the first few digits of a MAC address and ... know it’s a VM,” he says. “You can take that VM and pop it and do resource-exhaustion” and use that to DDoS the SDN. That would be an ironic twist, of course, since SDN can be used to mitigate external DDoS attacks.

“You have to start looking at internal DDoS defense, but no one is doing it,” he says. “You have to start thinking about ways you would attack this network: SDN has VMs ... and there are going to be larger enterprises that are going to be hit because it’s a more expansive attack surface. If you can get into one of those VMs .. you can tailor your payload and see it’s easy to destroy and pivot.”

The best bet for protection would be to incorporate network defenses within those same boxes, Camp and other experts say.

“SDN is now bringing virtualization and abstraction to the network layer [of security] as well,” Warren Wu, senior director of products at Fortinet, said in an SDN presentation here yesterday. That could go a long way to relieve organizations from the physical appliance overload and management problem in network security.

“Security is really just another part of the infrastructure, and a fundamental” part of a software-defined security framework, he said. That would include virtualized appliances such as firewalls and security services as well.

But firewall, IDS/IPS, and other hardware-based platforms aren’t going anywhere any time soon. Not only is there a well-entrenched culture of “box-huggers” who prefer the hands-on of physical firewalls, but there’s still plenty of life in the physical network security business. And according to Wu, around 97% of network security devices today are currently sold as physical devices.

A virtual firewall would sit on a virtual switch like other network functions, and provide better visibility into network traffic, he says. “And because it’s in a VM, it’s easier to scale, too.”

So-called “micro-segmentation” of users and applications, can help thwart an attacker from moving laterally once he gets a foothold into one user box.

Firewalls

Patrick McClory, senior vice president of platform engineering & delivery services at Datapipe, says enterprises often worry about going with a cloud-based firewall or a virtualized one, so this new software-defined security model also will require a cultural shift. Some worries are based on misconceptions, too: “There are a lot of concerns around firewalling. Amazon has both stateful and state-less firewalls ... people get confused by that sometimes,” McClory says. “Firewalls will have the same workflow and work set, and the vendors are continuing to mature their” software-based products, he says.

Organizations often set-and-forget their firewalls and other security hardware, notes Erik Knight, president of SimpleWan, which sells a cloud-based firewall service that uses sensors that are controlled and operated by its cloud service. “Any time there’s a new update or new rule for a [traditional] firewall ... it’s a manual task, logging into each and every single one,” Knight says. The cloud-based model blasts updates out to each sensor.

And rather than security professionals updating each firewall separately, firewall rules could be pushed to all devices via SDN “in a matter of seconds,” Fortinet’s Wu said.

Crypto

Take VMware’s NSX platform. According to Dom Delfino, vice president in VMware’s networking and security business unit, security is the main use case for NSX. “One of the biggest components of that disappearing perimeter is the complete misalignment between information security policy and network security deployment,” such as which users have access to which applications, for instance, he says.

Virtualization provides “microsegmentation,” where different users, applications, and networks, can be isolated with rules of their own, for instance, so when an attacker gets in, he can’t move laterally. VMware expects to see more customers using virtualization to deploy encryption. “They want to encrypt traffic for a payment application, end to end, for example. In a traditional network, that would be more difficult to do.”

But virtualized network security and SDN-based security are not widely deployed today.

“This is still in the early stages...more the outlier than the norm,” says Dave Lewis, global security advocate at Akamai. 

Related Content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
wturner1517
50%
50%
wturner1517,
User Rank: Apprentice
5/16/2016 | 7:22:47 PM
You have to start looking at internal DDoS defense, but no one is doing it
Not entirely true.  We have a solution that will prevent DDos attacks originating within a network and behind the firewall directed against servers with our protection.  (No URL's are allowed here.)  Look up Secure Web Apps to see the solution for Ubuntu and Debian servers.  It is called Fortress/Sentinel.
SynergyIT
100%
0%
SynergyIT,
User Rank: Apprentice
5/12/2016 | 1:57:44 PM
SDN is the Future
Very information artcile, SDN would indeed be a game changer!
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13545
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, improper validation of data may cause the system to write outside the intended buffer area, which may allow arbitrary code execution.
CVE-2019-13541
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, an improper input validation vulnerability has been identified that may be exploited by processing files lacking user input validation. This may allow an attacker to access information and remotely execute arbitrary code.
CVE-2019-17367
PUBLISHED: 2019-10-18
OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/.
CVE-2019-17393
PUBLISHED: 2019-10-18
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and pa...
CVE-2019-17526
PUBLISHED: 2019-10-18
** DISPUTED ** An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').pop...