Scaling Network Security: RIP Moat

Posted under: Research and Analysis

Those young people today laugh at those with a couple of decades of experience when they rue about the good old days, when your network was snaked along the floors of your office (shout out for Thicknet!) and trusted users were on the corporate network and untrusted users were not.

Suffice it to say, the past 25 years have seen some rapid changes to the technology infrastructure. First of all, in a lot of cases, there aren’t even wires. That’s kind of a shocking concept to a former network admin who fixed a majority of problems by swapping out a patch cord. On the plus side, with the advent of wireless and broad network access, you can troubleshoot a network from the other side of the world.

DevOps Connect:DevSecOps @ RSAC 2022

We’ve also seen continued insatiable demand for network bandwidth. Networks grow to address that demand each and every year and has caused stresses on your ability to protect the network. Network security solutions still have to inspect and enforce policies, regardless of how fast the network. Looking for patterns of attack on network traffic requires a totally different amount of computing power. Thus, a key requirement is ensuring your network security controls can keep pace with the growth of network bandwidth, which may be mission impossible. Something has to give at some point, if the expectation remains that the network will be secure.

In this “Scaling Network Security” series, we are going to look at where secure networking started and why it needs to change. We’ll present the requirements for today’s network that will take you into the future. Finally we’ll wrap up the series with some architectural constructs that we believe will help you scale up your network security controls.

Before we get started, we’d like to thank Gigamon, who has agreed to be the first licensee of the content at the conclusion of the project. If you all aren’t familiar with our Totally Transparent Research methodology, it takes a forward looking company to let us do our thing without controlling the entire process. So we are grateful that we have many clients that are more focused on impactful and educational research than marketing sound bites or puff pieces about their products.

The Moat

Let’s take a quick tour through the past 20 years of network security. We appreciate the digression, as we old network security folks get a bit nostalgic when thinking about how far we’ve come. Back in the day, the modern network security industry really started with the firewall, which implemented access control on the network. Then a (seemingly) never-ending set of additional capabilities were introduced into network security.

Next was network intrusion detection (IDS), which looked for attacks on the network. Far from being dead at any point, IDS morphed into IPS (intrusion prevention) that added the ability to block attacks based on the policy. You also had a wave of application oriented capabilities introduced to the network in the form of application delivery controllers (ADC) and web application firewalls, which applied policies to scale the application and stop application attacks.

What did all of these capabilities have in common? They were all based on the concept that the adversary was out there. Facing an external adversary, you could dig a moat between them and your critical data to protect it. That was best illustrated with the concept of Default Deny, which was an important secure networking concept for many years. It basically held that if something wasn’t expressly authorized, it was denied. So if you didn’t set up access to an application or system, it was blocked. That meant we could dramatically reduce the attack surface by restricting access to only those devices that should be accessed.

is dead…

The moat worked great for a long time. Until it didn’t. There were a number of underlying technology shifts that chipped away at the underlying architecture, starting with the Web. Yeah, that was a big one.

The first was the encapsulation application traffic into web protocols (predominately Port 80 and 443) as the browser became the interface of choice for pretty much everything. Since firewalls were built to enforce access controls based on port and protocol, this was kind of problematic. Everything looked like web traffic, which you couldn’t really block, so the security usefulness of the traditional firewall was dramatically impacted, putting much more weight on the deeper inspection of IPS devices.

Yet the secure network would not go quietly into the long night, so a new technology emerged a decade ago which was unfortunately called the next generation firewall (NGFW). It actually provides far more capabilities than an access control device, providing the ability to peek into the application session, profile it, and both enforce policies and detect threats on an application by application level. These devices were more of a Network Security Gateway than a firewall, but we don’t come up with the category names, so it’s NGFW.

The advent of NGFW was a boon to customers that were very comfortable with their moat based architectures. So these folks have spent the last decade upgrading to the NGM architecture – Next Generation Moat.

Scaling is a Challenge

Yet as we described above, networks have continued to scale and this has increased the compute power required to implement a NGM. Yes, network processors have gotten faster, but not at the same rate as packet processors. Then you have the issue of the weakest link. If you have network security controls that cannot keep pace, you run the risk of dropping packets, missing attacks, or more likely both. To address this, you’d have to upgrade all of your network-based security controls at the same time as your network to ensure protection at peak usage. That really complicates the upgrade process. So your choice is between:

  1. $$$ and Complexity: Spend more money (multi-GB network security gateways aren’t cheap) and complicate the upgrade project to keep network and network security controls in lockstep.
  2. Oversubscribed security controls: You can always take the risk that even though the network is upgraded, bandwidth consumption takes some time to scale up beyond what the network security controls can handle.

Of course, you don’t want to have all of your eggs in one basket, or more accurately all of your controls focused on one area of the environment. That’s why you implemented compensating controls within the application stacks and on endpoint devices. But all the same, you’ll have to figure out an approach to ensure network security will scale.

Cloud is the Final Nail

Then the cloud happened. It’s basically the final nail in the coffin of the Moat architecture. Protecting the critical assets was difficult, but at least you knew where the data was. We’ll again point to our 1870s Man meme, that reminds us of the olden days when data was in the data center. Now it’s not clear what a data center is.

As organizations started adopting Software as a Service (SaaS) for things like customer relationship management, service desks, and even HR and accounting functions, network traffic dynamics started changing. This has been compounded with the widespread adoption of collaboration SaaS like Office 365 and G Suite. Employees were hitting web services for these critical business functions and not necessarily needing to be on the corporate network at all. Some organizations did force employees to route their traffic through the VPN (and therefore on the corporate network) to ensure it could be inspected and policies enforced, but that requires you to have sufficient ingress and egress bandwidth and capacity on the inspection points for all of this traffic. It’s just not the best way to protect those employees and data.

Further exacerbating this change in traffic dynamics is the adoption of Infrastructure as a Service (IaaS) offerings to initially supplement and then likely replace the corporate data center. You do have more control over how traffic is routed through IaaS and what security controls are in place, but the native cloud providers offer strong network security capabilities that don’t require bottlenecks and inspection points, and many cloud-native applications leverage these embedded security capabilities.

Remember the Moat is based on network security controls being inline and being able to inspect traffic and enforce access control policies and detect threats. And once again the secure network doesn’t go quietly, so many network security vendors now offer virtual network security devices for deployment in the cloud. We believe virtual firewalls are a stop gap measure, not a long term solution. The architecture of the cloud is based on broad network access and elasticity. Forcing network traffic to go through a series of inspection points is counter to those ideals.

Although we don’t believe the moat is going away tomorrow, given that on-premise networks are not going away anytime soon. As long as organizations have data in their data center and devices connecting to data from outside their organization, traditional network security is required, but clearly not sufficient to deal with tomorrow’s network security requirements.

So what now? Basically, we could jump to the end and describe our answer. But what fun would that be? Instead, we’ll actually build a case for the network security architectural constructs we think are important moving forward, and that starts with the requirements for a scaled secure network. That’ll be the topic of our next post.

– Mike Rothman
(0) Comments
Subscribe to our daily email digest

*** This is a Security Bloggers Network syndicated blog from Securosis Blog authored by [email protected] (Securosis). Read the original post at: