5/5/2016
07:00 PM

What's Next For Network Security

A 'vanishing' physical network perimeter in the age of mobile, cloud services, and the Internet of Things is changing network security as well.

LAS VEGAS – Interop 2016 – Network security as we know it ultimately will operate hand in hand with software-defined networking (SDN) and virtualization, security experts here said.

SDN could be a game-changer like virtual machines were, says Cameron Camp, a security researcher at ESET. “If you understand it and know how to do the hard work of network security, you’re going to do better with SDN,” he says.

It’s a logical evolution: as the network and its services become more software-driven and virtualized, it only makes sense that security would join the party. SDN is an emerging network architecture that is becoming popular in data centers.

But a software-defined network architecture comes with some security risks of its own. It leaves organizations open to internal distributed denial-of-service (DDoS) attacks, says Camp, who in a presentation here tomorrow will show how malware can enter virtual environments. It’s possible to hack a virtual machine and basically “blow up that whole box and the network with it,” he says.

“You can take the first few digits of a MAC address and ... know it’s a VM,” he says. “You can take that VM and pop it and do resource-exhaustion” and use that to DDoS the SDN. That would be an ironic twist, of course, since SDN can be used to mitigate external DDoS attacks.

“You have to start looking at internal DDoS defense, but no one is doing it,” he says. “You have to start thinking about ways you would attack this network: SDN has VMs ... and there are going to be larger enterprises that are going to be hit because it’s a more expansive attack surface. If you can get into one of those VMs ... you can tailor your payload and see it’s easy to destroy and pivot.”

The best bet for protection would be to incorporate network defenses within those same boxes, Camp and other experts say.

“SDN is now bringing virtualization and abstraction to the network layer [of security] as well,” Warren Wu, senior director of products at Fortinet, said in an SDN presentation here yesterday. That could go a long way to relieve organizations from the physical appliance overload and management problem in network security.

“Security is really just another part of the infrastructure, and a fundamental” part of a software-defined security framework, he said. That would include virtualized appliances such as firewalls and security services as well.

But firewall, IDS/IPS, and other hardware-based platforms aren’t going anywhere any time soon. Not only is there a well-entrenched culture of “box-huggers” who prefer the hands-on nature of physical firewalls, but there’s still plenty of life in the physical network security business. And according to Wu, around 97% of network security devices today are sold as physical devices.

A virtual firewall would sit on a virtual switch like other network functions, and provide better visibility into network traffic, he says. “And because it’s in a VM, it’s easier to scale, too.”

So-called “micro-segmentation” of users and applications can help prevent an attacker from moving laterally once he gets a foothold in one user box.

Firewalls

Patrick McClory, senior vice president of platform engineering & delivery services at Datapipe, says enterprises often worry about going with a cloud-based firewall or a virtualized one, so this new software-defined security model also will require a cultural shift. Some worries are based on misconceptions, too: “There are a lot of concerns around firewalling. Amazon has both stateful and state-less firewalls ... people get confused by that sometimes,” McClory says. “Firewalls will have the same workflow and work set, and the vendors are continuing to mature their” software-based products, he says.

Organizations often set-and-forget their firewalls and other security hardware, notes Erik Knight, president of SimpleWan, which sells a cloud-based firewall service that uses sensors that are controlled and operated by its cloud service. “Any time there’s a new update or new rule for a [traditional] firewall ... it’s a manual task, logging into each and every single one,” Knight says. The cloud-based model blasts updates out to each sensor.

And rather than security professionals updating each firewall separately, firewall rules could be pushed to all devices via SDN “in a matter of seconds,” Fortinet’s Wu said.

Crypto

Take VMware’s NSX platform. According to Dom Delfino, vice president in VMware’s networking and security business unit, security is the main use case for NSX. “One of the biggest components of that disappearing perimeter is the complete misalignment between information security policy and network security deployment,” such as which users have access to which applications, for instance, he says.

Virtualization provides “microsegmentation,” where different users, applications, and networks can be isolated with rules of their own, for instance, so when an attacker gets in, he can’t move laterally. VMware expects to see more customers using virtualization to deploy encryption. “They want to encrypt traffic for a payment application, end to end, for example. In a traditional network, that would be more difficult to do.”

But virtualized network security and SDN-based security are not widely deployed today.

“This is still in the early stages...more the outlier than the norm,” says Dave Lewis, global security advocate at Akamai. 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
SynergyIT
User Rank: Apprentice
5/12/2016 | 1:57:44 PM
SDN is the Future
Very informative article, SDN would indeed be a game changer!
wturner1517
User Rank: Apprentice
5/16/2016 | 7:22:47 PM
You have to start looking at internal DDoS defense, but no one is doing it
Not entirely true. We have a solution that will prevent DDoS attacks originating within a network and behind the firewall directed against servers with our protection. (No URLs are allowed here.) Look up Secure Web Apps to see the solution for Ubuntu and Debian servers. It is called Fortress/Sentinel.