Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

5/31/2018
09:35 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli
50%
50%

Hands-Off Security: Automating & Virtualizing the Enterprise Network

A series of recent tech events demonstrate that enterprises are increasingly using virtualized automation to improve their network-security posture - but perhaps no tool is perfect.

A few years ago, Brad Schaefbauer, Boeing's cloud design and integration specialist, deployed a continuous-integration pipeline and virtual sandbox to fully automate what has long been the biggest network-security pain point to users and IT administrators alike -- patch management.

It was also done with a single virtualized cloud foundation.

Now, Schaefbauer says, this process has been scaled out across a multicloud environment spanning three data centers, with two cloud foundations per data center -- meaning no waiting time for patches and updates.

"We have one that's production workload, and no people touch that ever. It's all completely robot[ic] pipelines; nobody can log into it," said Schaefbauer in a presentation at Cloud Foundry Summit last month. "That's a requirement. That's a restriction. There's no other way around it."

Such no-humans-allowed "restriction" combined with network redundancy purportedly bears with it yet additional benefit for both security and business continuity and disaster recovery (BC/DR) flexibility. Instead of experiencing full network outages, Schaefbauer said, Boeing sees its applications automatically fail over to other foundations -- even across data centers when necessary.

Balancing containers
Little surprise, then, that Schaefbauer went on to say that Boeing has plans to escalate its virtualized security efforts -- in particular, through containerization. Still, Schaefbauer expressed agility concerns.

"We're going to have some applications that are Dockerized in Cloud Foundry, but whenever you Dockerize something, [there is always a] technical debt possibility," said Schaefbauer. "We repave stuff every week [so] it's never out of date."

Still, because of tenancy issues, multicloud and containerization often go hand in hand as a matter of balancing network agility and network security. Moreover, containers allow for better data migration and business continuity -- particularly in a multicloud environment.

"What we see is that more and more enterprises are convinced -- or are getting convinced -- that they need… to move way faster [and] automate a lot of stuff," Daniel Hekman, head of business development at software and IT solutions firm Grape Up, told Security Now. "[With a] multicloud approach, enterprises, if they want, can [easily migrate] from one cloud service provider to another."

"We are seeing a shift to containerization," confirmed Terry Smith, a senior director at Penguin Computing, in an interview at the Bio-IT World Conference & Expo earlier this month. "The whole [point of a] virtualization platform is to isolate jobs... We have to worry about those public instances where you have multiple tenants."

Here, Smith specifically pointed to the problems of possible privilege-escalation exploits in Docker. Granted, Docker patched this vulnerability nearly 18 months ago, but even assuming up-to-date patch management in a given enterprise, containers in general are renowned for having isolation issues -- especially if they are not run within hypervisors. Runtime-tailored mini-VMs known as unikernels hold substantial security and performance advantages over containers, but they do generally require more orchestration. (See: Unknown Document 715041.)

Properly picturing SD-WAN
All this is to say that virtualized automation cannot always be the be-all and end-all of optimized network security -- each virtualization mechanism bearing its own pros and cons list. For instance, in a recent interview with Security Now sister site Light Reading, Verizon Verizon Communications Inc. (NYSE: VZ) vice president of product management and development Vickie Lonker explained that, where SD-WAN is concerned, software-defined security and software-defined WAN optimization can be two different -- even competing -- things. (See: Unknown Document 742362.)

On this point, Joel Mulkey, Founder and CEO of Bigleaf Networks, is similarly emphatic that because SD-WAN's primary unique selling proposition (USP) network optimization, trying to concurrently use it as a security solution is inherently problematic for network orchestration.

"Most SD-WAN solutions want to be your security platform as well," Mulkey told Security Now last week at the MIT Sloan CIO Symposium, "Use [your internal security] solutions... and use a dedicated SD-WAN solution."

Of course, not everyone agrees with this assessment of SD-WAN's cybersecurity suitability. According to Shawn Hakl, vice president of business networks and security solutions at Verizon, SD-WAN is unique for its enormous practical and theoretical potential for customizing just the right blend of encryption, identity and access management, and packet optimization. (See: Security Takes On Malicious DNA (Files).)

Perhaps it all depends upon whomever happens to be orchestrating the network. Mulkey, for his part, criticizes traditional SD-WAN strategy (at least, to the extent that anything related to SD-WAN at this point could be considered "traditional") as running along the lines of a network engineer aiming to perfectly orchestrate "the picture in [their] brain" -- and failing.

"The picture in your brain is not perfect," Mulkey warned with a smile. "Think about other things, like security."

Related posts:

—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3166
PUBLISHED: 2021-01-18
An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, r...
CVE-2020-29446
PUBLISHED: 2021-01-18
Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...