Archive for the ‘Network security’ Category

Workload Micro-segmentation – Much ado about nothing?

December 13, 2019


Once upon a time, when pony-tailed grey beards ruled enterprise IT departments, network security meant deploying firewalls, Virtual Private Networks (VPN), Intrusion Detection Systems (IDS) and vulnerability scanners. The advent of phishing emails using social media and other new forms of attack meant that once a corporate workload was compromised, the contagion could spread unchecked. It became critical to detect abnormal behavior in an application workload.

Just as the rich build themselves panic rooms or safe rooms within their mansions to seclude themselves in the event of a home invasion, in the same manner, network security teams decided to segment their sprawling networks to isolate intrusions and prevent contagion throughout the corporate network.

Millennials and avocado toast

The millennials from VC-funded startups came to these grey beards, avocado toast in one hand and $4 coffee in the other, and preached the value of the "fine grained" segmentation in their product offerings versus the previous "coarse grained" segmentation. Their approach, they claimed, delivered segmentation without the need to manually "touch" every VLAN, firewall and Access Control List (ACL) along the way.

The grey beards listened to this and asked: Won't your approach require agents on the hosts? Installing agents will result in an internal tug-of-war between our server teams, network teams and security teams. Then another set of VC-funded startups came to your door and touted "agent-less" application-aware segmentation as the new nirvana.

Not to be outdone, a VMware representative came to your door and touted their ability to do NSX-based workload micro-segmentation based on VM names, VM attributes, user identities and vCenter objects such as data centers, hosts and port groups. They insisted that this approach is agnostic to the physical location of a VM and to the underlying network.

They dazzled you with their deep pockets and mentioned acquisitions that only VMware big money can buy: Nicira (the $1.26B acquisition which resulted in NSX), AirWatch (the $1.5B acquisition which gave VMware the ability to secure mobile devices), VeloCloud (the $449M acquisition which gave VMware the ability to offer SD-WAN to branch offices), CloudHealth ($500M acquisition), Wavefront (streaming analytics platform to help optimize developer clouds), Heptio ($550M for Kubernetes know-how) and Carbon Black ($2.1B acquisition for end-point security).

You thought to yourself: Having deep pockets and the ability to acquire pricey art by Picasso, Monet, Van Gogh does not an artist make… How much of this acquired stuff actually works well with each other?

Deep pockets to buy art doesn't make an artist

In the VMware approach to micro-segmentation, to create security groups and firewall rules for existing applications you need Application Rule Manager (ARM); to identify what percentage of your traffic is east-west versus north-south you need vRealize Network Insight (vRNI), which is a stand-alone product. Navigating VMware NSX licensing is a fun process in itself.
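To make the two ideas in this post concrete, here is an added example (my own code, not VMware's, NSX's or vRNI's) that expresses segmentation policy on VM attributes (tier, environment) rather than on subnets or VLANs, and computes the east-west versus north-south share of a set of flows. The inventory, policy tuples and flow records are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: group membership is decided by VM attributes, not by IP or VLAN.
VMS = {
    "web-01": {"ip": "10.1.1.10", "tier": "web", "env": "prod"},
    "web-02": {"ip": "10.1.2.11", "tier": "web", "env": "prod"},   # different subnet, same tier
    "app-01": {"ip": "10.1.3.20", "tier": "app", "env": "prod"},
    "db-01":  {"ip": "10.1.4.30", "tier": "db",  "env": "prod"},
    "db-dev": {"ip": "10.1.4.31", "tier": "db",  "env": "dev"},   # same subnet as db-01, other env
}
INTERNAL = [ip_network("10.0.0.0/8")]   # constructed data-centre range

# Allow-list expressed on attributes: (src_tier, dst_tier, dst_port); same env is required too.
POLICY = {("web", "app", 8080), ("app", "db", 5432)}

def vm_by_ip(ip):
    return next((name for name, a in VMS.items() if a["ip"] == ip), None)

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def classify(flow):
    """'east-west' when both ends are inside the data centre, otherwise 'north-south'."""
    return "east-west" if is_internal(flow["src"]) and is_internal(flow["dst"]) else "north-south"

def decide(flow):
    """Attribute-based verdict: unknown endpoint or env mismatch is denied, then the policy decides."""
    src, dst = vm_by_ip(flow["src"]), vm_by_ip(flow["dst"])
    if src is None or dst is None:
        return "deny"   # default deny for anything not in the inventory
    sa, da = VMS[src], VMS[dst]
    if sa["env"] != da["env"]:
        return "deny"   # prod/dev separation holds even inside one subnet
    return "allow" if (sa["tier"], da["tier"], flow["dport"]) in POLICY else "deny"

def traffic_mix(flows):
    """Percentage of flows that are east-west versus north-south (the number vRNI is sold to answer)."""
    counts = defaultdict(int)
    for f in flows:
        counts[classify(f)] += 1
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()}

FLOWS = [  # constructed flow records
    {"src": "10.1.1.10", "dst": "10.1.3.20", "dport": 8080},   # web -> app, in policy
    {"src": "10.1.2.11", "dst": "10.1.3.20", "dport": 8080},   # other web subnet, still allowed
    {"src": "10.1.1.10", "dst": "10.1.4.30", "dport": 5432},   # web -> db, not in policy
    {"src": "10.1.3.20", "dst": "10.1.4.31", "dport": 5432},   # prod app -> dev db
    {"src": "203.0.113.7", "dst": "10.1.1.10", "dport": 443},  # Internet client, north-south
]
```

Moving web-02 to yet another subnet changes nothing in POLICY, which is the point of attribute-based grouping; the same move would need a new ACL entry in the VLAN-based model.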

The point I'm making is that there is no one vendor or product that fits all. I suggest you skim the vendor marketing decks, shortlist vendors and ask for a Proof-of-Concept (POC) for your specific use-case. Ask about interoperability, licensing and reference customers in your industry. Workload micro-segmentation is a must-have, but how you end up deploying it is up to you.

How secure is your Cisco SDN?

April 2, 2014

The architecture of the ancient Rajput fortress of Jaisalmer in Rajasthan (India) might provide a suitable analogy to describe the need for multiple rings of security. Architected with 3 walls, one of stone and two more within, it ensured that there was no single point where security could be breached. If the external wall was breached by the enemy, they would potentially be stopped at the second wall. If the second wall was breached, the enemy got trapped between the 2nd and 3rd walls, where the Rajput defenders would pour cauldrons of boiling oil on the trapped attackers. Similarly, in network security there is no such thing as the ultimate perimeter-based firewall or the ultimate malware detection tool. You need all of the above and still face the risk that some APT or malware will penetrate all your defenses.

Imagine this scenario: You are a service provider with a large data center; you have invested over the years in big iron routers and switches from Cisco and Juniper. You see the dawn of a new era where you can reduce the provisioning time for circuits and the cycle time for rollout of new services. After making sense of the confusing SDN messaging from major switch & router vendors you finally decide to use open source OpenStack for orchestration, Cisco APIC software to assign policy to flows and manage the Cisco ACI fabric comprising high end Cisco Nexus 9000 switches. Now what security issues do you face?

For one, the SDN stack itself is susceptible to Denial-of-Service (DoS) attacks. An attacker could potentially saturate the control plane with useless traffic to the point where the centralized SDN controller's voice never gets heard by the data plane. In theory, Cisco could use the open source "Snort" (derived from Sourcefire) to detect an attack and communicate this to the SDN controller, which could reprogram the network to block the attack. However, Snort, while being a good open source IPS/IDS (with a rule-based language combining signature, protocol and anomaly-based inspection), is still reliant on regular signature updates. Snort has no way to detect web exploits like malicious JavaScript. Snort may not help you with attacks like Advanced Persistent Threats (APT). In addition to this, OpenStack itself has a range of security related vulnerabilities as listed here.
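As an added illustration of the control-plane saturation risk and of the "reprogram the network" response described above, here is a small controller-side guard of my own (not Cisco APIC, OpenStack or Snort code): it counts packet-in events per ingress port over a sliding window and, when a port floods the controller, pushes a drop rule for that port so the data plane stops forwarding the flood upward. The event log and the flow-rule format are constructed; a real controller would install the rule through its own southbound API.

```python
from collections import defaultdict, deque

PACKET_IN_LIMIT = 5   # packet-in events allowed per (switch, port) within one window
WINDOW_SECS = 1.0     # sliding window length in seconds

class ControlPlaneGuard:
    """Rate-limits packet-in events per ingress port and quarantines ports that flood the controller."""

    def __init__(self, limit=PACKET_IN_LIMIT, window=WINDOW_SECS):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)   # (switch, port) -> recent event timestamps
        self.rules = []                    # drop rules pushed to the data plane (constructed format)

    def on_packet_in(self, ts, switch, port):
        """Record one packet-in; return 'quarantined' the first time a port exceeds the limit."""
        key = (switch, port)
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps that fell out of the window
            q.popleft()
        already = {(r["switch"], r["in_port"]) for r in self.rules}
        if len(q) > self.limit and key not in already:
            # High-priority drop at the ingress port: the flood never reaches the controller again.
            self.rules.append({"switch": switch, "in_port": port, "action": "drop", "priority": 65000})
            return "quarantined"
        return "ok"

    def quarantined(self):
        return sorted((r["switch"], r["in_port"]) for r in self.rules)

# Constructed packet-in log as (timestamp, switch, in_port): leaf1 port 3 sends a burst of
# six unmatched packets in 50 ms while the other ports stay within normal rates.
EVENTS = [(0.0, "leaf1", 1), (0.2, "leaf1", 2), (0.3, "leaf1", 3), (0.31, "leaf1", 3),
          (0.32, "leaf1", 3), (0.33, "leaf1", 3), (0.34, "leaf1", 3), (0.35, "leaf1", 3),
          (0.5, "leaf2", 1), (1.8, "leaf1", 2), (2.0, "leaf1", 3)]

def run(events=EVENTS):
    """Replay the log through a fresh guard; return the guard and the per-event verdicts."""
    guard = ControlPlaneGuard()
    verdicts = [guard.on_packet_in(*e) for e in events]
    return guard, verdicts
```

The threshold here is deliberately tiny so the burst trips it; in practice the limit is set from a baseline of normal packet-in rates, and the drop rule should carry a timeout so a mis-classified port recovers without operator action.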

Cisco made ~23 security related acquisitions before acquiring Sourcefire, Cognitive Security and others. To date, vendors like Palo Alto Networks (maker of application-aware firewalls), FireEye (maker of virtual machine based security) and Mandiant (provider of incident response) have already carved out extensive security market share at Cisco's expense. Time will tell whether Cisco can actually integrate all the useful but disparate security related acquisitions to provide meaningful security for your SDN, or whether they will leave the field open for the next generation of security upstarts. Phil Porras of SRI International mentions interesting security related use-cases for SDN like reflector nets, quarantine systems, emergency broadcasts and tarpits, where SDN can be used to go beyond just blocking network attacks. It will be interesting to see if Cisco and Juniper can come up with imaginative solutions like these for adopters of their proprietary SDN solutions.
