Author: Jason Minto, Cybersecurity Technical Director
Computer networking today is evolving from traditional physical networks to a combination of traditional and software-defined networks. With this evolution, new networks weave together software and hardware into increasingly tight connections, creating network “fabrics” within private organizations and federal agencies. These fabrics enable the rapid speed and scale enjoyed in today’s modern computing environment. However, because they require large numbers of links between redundant fail-back resources and geographically dispersed facilities, fabric networks also present myriad security vulnerabilities we are only beginning to understand. The migration of many enterprises and applications to the cloud has only accelerated the use—and vulnerability—of network fabrics.
The need for organizations to protect their emerging fabric of interwoven networks is increasingly urgent. Nowhere is this truer than in the Federal Government. In June 2019, OMB mandated that agencies expedite their move to the cloud. OMB’s strategy is to drastically reduce its information technology (IT) spending by leveraging cloud computing commodity resources available through the internet. The strong language of the OMB mandate has forced some agencies to expedite transfer of their resources to the cloud. The faster an agency transitions to the cloud, however, the greater the risk to the agency’s networks from nefarious intrusions. This risk resulting from increased migration to the cloud reinforces the need to rapidly develop solutions capable of defending fabric networks.
But how do you know if you have a fabric network? If you have a fabric network, how do you defend it? We’ll examine both questions in this article.
How Do I Know if I Have a Fabric Network?
Many different elements comprise fabric networks, but the fundamental features of fabric networks are similar. They are composed of multiple systems of different origin interacting with one another; they are increasingly reliant on SaaS and PaaS tools and systems; and they are partially or fully migrated to the cloud. While it may seem odd to include cloud hosting solutions as part of a fabric network, these solutions often enable virtual networking and virtual computing. Most cloud hosting solutions are also geographically distributed to support failover and preserve uptime. Cloud solutions often contain “hidden” fabric elements that you need to examine to determine whether you indeed have a fabric network.
The easiest way to determine if you have a fabric network (or are beginning to have one) is to ask yourself three questions:
- Am I using an on-premises cloud solution?
- Do I have interdependent SaaS or PaaS capabilities, products, or solutions?
- Is my security team monitoring my redundant security devices throughout my network infrastructure?
The Current State of Fabric Defense
Software designers and developers are far more security conscious today than when virtual computing was first developed. Initially, virtual networks were wide open; any routable network traffic could pass across virtual pipes. Now, however, systems like OpenStack’s software network service, “Neutron,” go to great lengths to make networking restrictive. Features like port-level security are hard requirements that are baked into today’s virtual networks. While Neutron helps ensure that networks are secure by default, there is still plenty of opportunity for security breaches. OpenStack is open by nature; someday, a fabric defense solution could be placed in line with its virtual networking. However, this solution is not yet being implemented.
Unfortunately, fabric defense has not evolved with the same speed as virtual computing or fabric networks; additionally, solutions that have emerged in the marketplace are less than ideal. Available solutions often provide an illusion of security by obfuscating contents of a fabric network from non-native traffic rather than truly hardening network defenses. “Security by obscurity” is not an effective protection mechanism against hackers.
Other fabric solutions are proprietary and very costly, requiring installation of either network appliances or software. No solutions for protecting fabric networks have been adopted industry-wide. No industry-wide standards have been published that explain how to properly apply a truly effective fabric defense. Open standards do exist, but they have not been widely adopted. In fact, at both Black Hat and DEF CON 2019, presenters showed that many proprietary fabrics may be breached because the costly hardware or software available today does not offer the needed levels of protection.
So, if No Options Exist Today, How Do I Defend My Fabric?
Put simply, fabric defense is the defense of networks created by virtual and cloud computing enabled by as-a-service offerings and geographically dispersed cloud hosting. This is most easily done by securing as many fibers and linkages within the fabric network as possible. To simplify the discussion of a complex topic, consider the use of the common commercial product Scotchgard™. Scotchgard protects our clothing, upholstered furniture, and carpets by binding to the fabrics to which it is applied, forming a layer of protection on each fiber. This layer of protection repels spills and facilitates cleanup. We can secure fabric networks in a similar way using small, easily installed, and cost-effective appliances in fabric networks at critical nodes, or every node, to ensure that only native traffic uses the network. This concept is analogous to Scotchgard’s ability to repel spills. Non-native traffic is “repelled” at the point of entry, regardless of where in the fabric attempted intrusions occur, because of the many nodes to which the appliance is applied. These small, easily bolted-on appliances can be largely autonomous “traffic cops” at all major intersections of the fabric. Should an intrusion occur, cleanup is much simpler, as with Scotchgard, because the non-native traffic is contained or quarantined.
The future of fabric defense is small devices that operate in dense network environments containing multiple network switches and software networks. A small device may operate in such an environment and provide a modest alerting or traffic enforcement capacity. By deploying small, simple, easily installed, and largely autonomous “network cops” with just enough processing power to do their jobs, organizations can buy the number of appliances they need without breaking the bank. This solution is effective yet runs contrary to current practices that recommend significant processing power and resources to protect our networks. In this instance, bigger is not better; it is actually less productive technically and financially. Network vendors are keen to endorse a strategy of larger, more intense processing power solutions because those solutions are more profitable. However, the volume of network equipment required and its associated cost make investments in large, powerful systems untenable. A smaller form factor, limited to targeted capabilities, will work just as well to protect network fabrics of all sizes and complexities.
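As an added illustration (not code from this article or from any product it mentions), the following Python sketches the decision a per-node “traffic cop” appliance described above would make: a short allow-list of the links a node is expected to carry, with every other flow quarantined and alerted on. The subnets, ports and flow records are constructed for the example.

```python
"""Per-node 'native traffic only' policy check (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


# Constructed policy: the only links this node is expected to carry.
# A real appliance would load a per-node policy like this from the fabric design.
NATIVE_LINKS = [
    ("10.10.1.0/24", "10.10.2.0/24", "tcp", 443),   # app tier -> API tier
    ("10.10.2.0/24", "10.10.3.0/24", "tcp", 5432),  # API tier -> database tier
    ("10.10.0.0/16", "10.20.0.0/16", "tcp", 8443),  # primary site -> DR site replication
]


def is_native(flow, links=NATIVE_LINKS):
    """True only if the flow matches an expected fabric link exactly."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return any(
        src in ip_network(s_net) and dst in ip_network(d_net)
        and flow.proto == proto and flow.dport == port
        for s_net, d_net, proto, port in links
    )


def enforce(flows, links=NATIVE_LINKS):
    """Classify flows; non-native flows are quarantined and raise an alert."""
    allowed, quarantined, alerts = [], [], []
    for f in flows:
        if is_native(f, links):
            allowed.append(f)
        else:
            quarantined.append(f)
            alerts.append(f"ALERT non-native flow {f.proto} {f.src}->{f.dst}:{f.dport}")
    return allowed, quarantined, alerts


# Constructed sample flows seen at this node
SAMPLE_FLOWS = [
    Flow("10.10.1.7", "10.10.2.20", "tcp", 443),   # expected app -> API
    Flow("10.10.2.20", "10.10.3.5", "tcp", 5432),  # expected API -> DB
    Flow("10.10.1.7", "10.10.3.5", "tcp", 5432),   # app tier reaching DB directly
    Flow("192.0.2.9", "10.10.2.20", "tcp", 443),   # address from outside the fabric
    Flow("10.10.2.20", "10.10.3.5", "udp", 5432),  # right hosts, wrong protocol
]
```

Running `enforce(SAMPLE_FLOWS)` passes the first two flows and quarantines the other three, each with an alert line the security team in question three above would monitor.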
If your company or agency answers the questions in this document and concludes that you have, or are beginning to have, a “fabric network,” you need to begin investigating network fabric defense technologies. Although these technologies are not yet widely available, and those that are in the marketplace are limited in their utility, it is never too soon to start planning for them. It is incumbent on all Chief Information Officers, Information System Security Officers, and others with responsibility for fabric network protection to remain abreast of the rapidly evolving technologies that can defend those networks. Budgets are needed for these new technologies to protect the significant investments that have already been made into highly integrated, fast, cloud-based networks and to ensure that future investments are not compromised by security threats.