From Security Products to Security Systems, and Now: Security Networks
We all know that servers virtualization technologies have matured already and many networks adapt them in order to more efficiently meet today’s business needs.
With the Software Defined Networking trends and NFV (Network Function Virtualization) initiative that proposes a design approach for building complex IT applications, we see a similar process of adapting network technologies to be more business efficient well. These technological movements in the IT infrastructure created potential for rapid innovation in network and application security.
On the other hand, security challenges have significantly increased as well. Focusing more on availability-based attacks, as seen in the figure below, the security friction surfaces are now wider than ever, and much more dynamic for enterprises, cloud service providers and carrier organizations:
• The service providers peering points (SP perimeter) are under volumetric DDoS attack threats which have the potential to disrupt their overall operations and customer services.
• The enterprises’ businesses networks service edges are under the threat of multi-vector attacks, which aim to saturate the business internet pipe, misuse the resources of the internal network’s stateful elements (e.g., firewalls, load balancers, intrusion prevention devices) through network state attacks and misuse the business application resources through various state-based applications.
• The cloud hosting perimeter become much more complex as the security friction surface is now multiplied by the number of internally hosted “business tenants”, while each tenant is actually exposed to the same multi-vector attack described above.
The following illustrates an even bigger problem at the cloud:
• An attack on one tenant can impact the entire cloud infrastructure and any other tenant (especially if it is a network volumetric one).
• The new security friction surface now becomes much more complex to control as the number of tenants can reach an enormous number, their resources are usually virtualized (dynamic and elastic) and each tenant can be transformed into a “malicious tenant” or a network of malicious tenants, and start attacking the tenants at the same cloud, on other business networks and at the carrier network itself.
Looking at the above, I don’t think there is any doubt that there is a need, now more than ever, to present a holistic solution approach to this problem. Holistic in the sense that the network itself needs to be part of the security service allowing:
• Security monitoring capabilities at various network points that can adapt and change their characteristics per potential risk
• A security control system that will provide a situation awareness in a very wide sense based on these monitoring inputs
• Network mitigation capabilities that will allow the network itself to be “programmed” to act against and according to the risk .e.g., quarantine infected tenants, deploy distributed ACLs, isolate network tenant’s routes, redirect suspicious traffic into security scrubbing centers and more.
So, although the security threats and the complexity in controlling them has become much more challenging than before, the same technologies (cloud virtual environments, network virtualization and software defined networks) that really contribute to this complexity, are also the technologies that potentially need to be used for solving it.
Security applications that will know how to use the new programmable nature of the servers and network virtual environments are key for these solutions. The old approach of just deploying more and more security devices and systems as part of the network data-plane will probably be much more expensive and will not do the job. The time has come for Attack Mitigation Adaptive Networks.
Avi Chesla is Chief Technology Officer at Radware, where he is responsible for leading the Company’s strategic technology roadmap and vision. Prior to the CTO position, he led Radware’s security division as VP of Security. Mr. Chesla has authored a number of articles for major publications in the areas of advanced network behavioral analysis and information security and has earned numerous patents in these areas. His views on industry trends and best practices have been featured in articles, white papers, and on the conference speaking circuit. He holds a B.S. in physics and mathematics from Tel Aviv University.Previous Columns by Avi Chesla:Why We Need Attack Mitigation Adaptive Networks Needed: A Quadrant for Attack Mitigation Systems ServicesNext Generation Mobile Networks Come with Next Generation Security ThreatsSoftware Defined Networking – A New Network Weakness?5 Threat Trends and 5 Defense Trends for 2013
Tags: INDUSTRY INSIGHTS