Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

5/31/2018
09:35 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli
50%
50%

Hands-Off Security: Automating & Virtualizing the Enterprise Network

A series of recent tech events demonstrate that enterprises are increasingly using virtualized automation to improve their network-security posture - but perhaps no tool is perfect.

A few years ago, Brad Schaefbauer, Boeing's cloud design and integration specialist, deployed a continuous-integration pipeline and virtual sandbox to fully automate what has long been the biggest network-security pain point to users and IT administrators alike -- patch management.

It was also done with a single virtualized cloud foundation.

Now, Schaefbauer says, this process has been scaled out across a multicloud environment spanning three data centers, with two cloud foundations per data center -- meaning no waiting time for patches and updates.

"We have one that's production workload, and no people touch that ever. It's all completely robot[ic] pipelines; nobody can log into it," said Schaefbauer in a presentation at Cloud Foundry Summit last month. "That's a requirement. That's a restriction. There's no other way around it."

(Source: Flickr)
(Source: Flickr)

Such no-humans-allowed "restriction" combined with network redundancy purportedly bears with it yet additional benefit for both security and business continuity and disaster recovery (BC/DR) flexibility. Instead of experiencing full network outages, Schaefbauer said, Boeing sees its applications automatically fail over to other foundations -- even across data centers when necessary.

Balancing containers
Little surprise, then, that Schaefbauer went on to say that Boeing has plans to escalate its virtualized security efforts -- in particular, through containerization. Still, Schaefbauer expressed agility concerns.

"We're going to have some applications that are Dockerized in Cloud Foundry, but whenever you Dockerize something, [there is always a] technical debt possibility," said Schaefbauer. "We repave stuff every week [so] it's never out of date."

Still, because of tenancy issues, multicloud and containerization often go hand in hand as a matter of balancing network agility and network security. Moreover, containers allow for better data migration and business continuity -- particularly in a multicloud environment.

"What we see is that more and more enterprises are convinced -- or are getting convinced -- that they need… to move way faster [and] automate a lot of stuff," Daniel Hekman, head of business development at software and IT solutions firm Grape Up, told Security Now. "[With a] multicloud approach, enterprises, if they want, can [easily migrate] from one cloud service provider to another."

"We are seeing a shift to containerization," confirmed Terry Smith, a senior director at Penguin Computing, in an interview at the Bio-IT World Conference & Expo earlier this month. "The whole [point of a] virtualization platform is to isolate jobs... We have to worry about those public instances where you have multiple tenants."

Here, Smith specifically pointed to the problems of possible privilege-escalation exploits in Docker. Granted, Docker patched this vulnerability nearly 18 months ago, but even assuming up-to-date patch management in a given enterprise, containers in general are renowned for having isolation issues -- especially if they are not run within hypervisors. Runtime-tailored mini-VMs known as unikernels hold substantial security and performance advantages over containers, but they do generally require more orchestration. (See: Unknown Document 715041.)

Properly picturing SD-WAN
All this is to say that virtualized automation cannot always be the be-all and end-all of optimized network security -- each virtualization mechanism bearing its own pros and cons list. For instance, in a recent interview with Security Now sister site Light Reading, Verizon Verizon Communications Inc. (NYSE: VZ) vice president of product management and development Vickie Lonker explained that, where SD-WAN is concerned, software-defined security and software-defined WAN optimization can be two different -- even competing -- things. (See: Unknown Document 742362.)

On this point, Joel Mulkey, Founder and CEO of Bigleaf Networks, is similarly emphatic that because SD-WAN's primary unique selling proposition (USP) network optimization, trying to concurrently use it as a security solution is inherently problematic for network orchestration.

"Most SD-WAN solutions want to be your security platform as well," Mulkey told Security Now last week at the MIT Sloan CIO Symposium, "Use [your internal security] solutions... and use a dedicated SD-WAN solution."

Of course, not everyone agrees with this assessment of SD-WAN's cybersecurity suitability. According to Shawn Hakl, vice president of business networks and security solutions at Verizon, SD-WAN is unique for its enormous practical and theoretical potential for customizing just the right blend of encryption, identity and access management, and packet optimization. (See: Security Takes On Malicious DNA (Files).)

Perhaps it all depends upon whomever happens to be orchestrating the network. Mulkey, for his part, criticizes traditional SD-WAN strategy (at least, to the extent that anything related to SD-WAN at this point could be considered "traditional") as running along the lines of a network engineer aiming to perfectly orchestrate "the picture in [their] brain" -- and failing.

"The picture in your brain is not perfect," Mulkey warned with a smile. "Think about other things, like security."

Related posts:

—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37803
PUBLISHED: 2021-10-27
An SQL Injection vulnerability exists in Sourcecodester Online Covid Vaccination Scheduler System 1.0 via the username in lognin.php .
CVE-2021-37805
PUBLISHED: 2021-10-27
A Stored Cross Site Scripting (XSS) vunerability exists in Sourcecodeste Vehicle Parking Management System affected version 1.0 is via the add-vehicle.php endpoint.
CVE-2021-37806
PUBLISHED: 2021-10-27
An SQL Injection vulnerability exists in https://phpgurukul.com Vehicle Parking Management System affected version 1.0. The system is vulnerable to time-based SQL injection on multiple endpoints. Based on the SLEEP(N) function payload that will sleep for a number of seconds used on the (1) editid , ...
CVE-2021-37807
PUBLISHED: 2021-10-27
An SQL Injection vulneraility exists in https://phpgurukul.com Online Shopping Portal 3.1 via the email parameter on the /check_availability.php endpoint that serves as a checker whether a new user's email is already exist within the database.
CVE-2021-37808
PUBLISHED: 2021-10-27
SQL Injection vulnerabilities exist in https://phpgurukul.com News Portal Project 3.1 via the (1) category, (2) subcategory, (3) sucatdescription, and (4) username parameters, the server response is about (N) seconds delay respectively which mean it is vulnerable to MySQL Blind (Time Based). An atta...