Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

5/31/2018
09:35 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli
50%
50%

Hands-Off Security: Automating & Virtualizing the Enterprise Network

A series of recent tech events demonstrate that enterprises are increasingly using virtualized automation to improve their network-security posture - but perhaps no tool is perfect.

A few years ago, Brad Schaefbauer, Boeing's cloud design and integration specialist, deployed a continuous-integration pipeline and virtual sandbox to fully automate what has long been the biggest network-security pain point to users and IT administrators alike -- patch management.

It was also done with a single virtualized cloud foundation.

Now, Schaefbauer says, this process has been scaled out across a multicloud environment spanning three data centers, with two cloud foundations per data center -- meaning no waiting time for patches and updates.

"We have one that's production workload, and no people touch that ever. It's all completely robot[ic] pipelines; nobody can log into it," said Schaefbauer in a presentation at Cloud Foundry Summit last month. "That's a requirement. That's a restriction. There's no other way around it."

Such no-humans-allowed "restriction" combined with network redundancy purportedly bears with it yet additional benefit for both security and business continuity and disaster recovery (BC/DR) flexibility. Instead of experiencing full network outages, Schaefbauer said, Boeing sees its applications automatically fail over to other foundations -- even across data centers when necessary.

Balancing containers
Little surprise, then, that Schaefbauer went on to say that Boeing has plans to escalate its virtualized security efforts -- in particular, through containerization. Still, Schaefbauer expressed agility concerns.

"We're going to have some applications that are Dockerized in Cloud Foundry, but whenever you Dockerize something, [there is always a] technical debt possibility," said Schaefbauer. "We repave stuff every week [so] it's never out of date."

Still, because of tenancy issues, multicloud and containerization often go hand in hand as a matter of balancing network agility and network security. Moreover, containers allow for better data migration and business continuity -- particularly in a multicloud environment.

"What we see is that more and more enterprises are convinced -- or are getting convinced -- that they need… to move way faster [and] automate a lot of stuff," Daniel Hekman, head of business development at software and IT solutions firm Grape Up, told Security Now. "[With a] multicloud approach, enterprises, if they want, can [easily migrate] from one cloud service provider to another."

"We are seeing a shift to containerization," confirmed Terry Smith, a senior director at Penguin Computing, in an interview at the Bio-IT World Conference & Expo earlier this month. "The whole [point of a] virtualization platform is to isolate jobs... We have to worry about those public instances where you have multiple tenants."

Here, Smith specifically pointed to the problems of possible privilege-escalation exploits in Docker. Granted, Docker patched this vulnerability nearly 18 months ago, but even assuming up-to-date patch management in a given enterprise, containers in general are renowned for having isolation issues -- especially if they are not run within hypervisors. Runtime-tailored mini-VMs known as unikernels hold substantial security and performance advantages over containers, but they do generally require more orchestration. (See: Unknown Document 715041.)

Properly picturing SD-WAN
All this is to say that virtualized automation cannot always be the be-all and end-all of optimized network security -- each virtualization mechanism bearing its own pros and cons list. For instance, in a recent interview with Security Now sister site Light Reading, Verizon Verizon Communications Inc. (NYSE: VZ) vice president of product management and development Vickie Lonker explained that, where SD-WAN is concerned, software-defined security and software-defined WAN optimization can be two different -- even competing -- things. (See: Unknown Document 742362.)

On this point, Joel Mulkey, Founder and CEO of Bigleaf Networks, is similarly emphatic that because SD-WAN's primary unique selling proposition (USP) network optimization, trying to concurrently use it as a security solution is inherently problematic for network orchestration.

"Most SD-WAN solutions want to be your security platform as well," Mulkey told Security Now last week at the MIT Sloan CIO Symposium, "Use [your internal security] solutions... and use a dedicated SD-WAN solution."

Of course, not everyone agrees with this assessment of SD-WAN's cybersecurity suitability. According to Shawn Hakl, vice president of business networks and security solutions at Verizon, SD-WAN is unique for its enormous practical and theoretical potential for customizing just the right blend of encryption, identity and access management, and packet optimization. (See: Security Takes On Malicious DNA (Files).)

Perhaps it all depends upon whomever happens to be orchestrating the network. Mulkey, for his part, criticizes traditional SD-WAN strategy (at least, to the extent that anything related to SD-WAN at this point could be considered "traditional") as running along the lines of a network engineer aiming to perfectly orchestrate "the picture in [their] brain" -- and failing.

"The picture in your brain is not perfect," Mulkey warned with a smile. "Think about other things, like security."

Related posts:

—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...