Application-level network segmentation is growing in popularity as a way to protect enterprise data center servers, which have become the new network edge. One of the data center’s biggest vulnerabilities is the IP traffic moving between servers, where attacks generally encounter no internal security systems at all. Once cybercriminals find an entry point inside the data center, they have a foothold from which to move laterally and launch attacks on internal servers. These attacks are extremely difficult to detect and stop.
Now a solution has emerged in the form of a new, defense-in-depth security layer that binds each server’s hardware firewall to a central controller, protecting data centers against these lateral “east-west” attacks that have led to some of the world’s biggest and most damaging data breaches.
Anatomy of an East-West Attack
IT departments tend to view threats as originating externally (a “north-south” attack), but that is only part of the problem. They also need to defend against east-west attacks, in which attackers compromise endpoints (desktops and laptops) via phishing, malware or click-bait and then use those endpoints as beachheads to continue their attacks laterally throughout the enterprise. According to the “Cisco Global Cloud Index,” this east-west traffic, including traffic within and between data centers, will represent 85 percent of total traffic associated with data centers by 2021.
An attack’s lateral movement has, until now, been extremely tough to defend against because the attacker is operating from a valid internal platform, often with hijacked credentials, and behaves like a trusted user. Verizon said in its 11th annual “Data Breach Investigations Report” that over a quarter (28 percent) of attacks during 2018 involved insiders. When these insiders have elevated privileges, which they often do, they almost always permanently erase audit trails.
Application-level network segmentation protects against these attacks by placing boundaries and alerts on every flow so that threats can be seen, classified and mitigated. The traditional approach of implementing application segmentation in software, however, generally requires 15,000-plus x86 cycles to act on a flow anomaly and presents an attackable software surface; every seasoned hacker knows how to disable a typical OS-based firewall. In contrast, integrated network protection solutions that implement application segmentation in hardware can gather, transmit and act on flows in zero host CPU cycles, with every operation protected inside the server’s own tamper-resistant NIC. Once the NIC is under remote control, the local control plane for viewing and managing its hardware filter table is torn down.
Implementing a Defense-in-Depth Hardware Layer
Today’s defense-in-depth hardware solutions combine built-in hardware firewalling with centralized security policy management. There is no software footprint that can be compromised by attacks or malware, and the authenticity of all firmware is validated before it is loaded. The entire platform is protected: the host, the firmware, the command-and-control framework and the adapter. Attackers with root permission cannot modify or disable these solutions, which are essentially invisible to them because only production ports are visible on the network. All other server connections can be configured to reveal no information to attackers.
Once the adapter is bound to the command-and-control portion of the solution, it reports new application flows, which are used to derive new security policies and break them down into individual firewall rules. The onboard filter tables cannot be modified locally: even if attackers escalate their privilege to superuser or administrator level, the local pathways for accessing the server’s adapter-based filters are physically torn down. If an adapter is tampered with, it refuses to operate and issues an alert.
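The flow-learning workflow described in the two paragraphs above (adapters report flows, the controller derives application-level policy, the policy is broken into per-server firewall rules, and unexplained east-west flows raise alerts) can be sketched from the controller’s side as follows. This is an added illustration, not code from the article or from any vendor’s product; the inventory, flow format, tiers and addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory the controller holds: server IP -> application tier.
INVENTORY: Dict[str, str] = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "app",
    "10.0.3.10": "db",
}

@dataclass(frozen=True)
class Flow:
    """One flow report from an adapter (constructed, hypothetical format)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str

Policy = Set[Tuple[str, str, int, str]]   # (src_tier, dst_tier, dst_port, proto)
NicRule = Tuple[str, int, str]             # (allowed src_ip, dst_port, proto) on one adapter

def tier(ip: str) -> str:
    return INVENTORY.get(ip, "unknown")    # hosts outside the inventory never get a rule

def learn_policy(flows: List[Flow]) -> Policy:
    """Learning phase: flows reported while the application is known-good
    become tier-level allow rules; everything else is denied by default."""
    return {(tier(f.src_ip), tier(f.dst_ip), f.dst_port, f.proto) for f in flows}

def nic_rules(policy: Policy, server_ip: str) -> Set[NicRule]:
    """Break the tier-level policy into the ingress allow list pushed to one
    server's adapter. Tier membership expands to every server in that tier."""
    return {(src_ip, port, proto)
            for src_t, dst_t, port, proto in policy if dst_t == tier(server_ip)
            for src_ip, t in INVENTORY.items() if t == src_t}

def verdict(policy: Policy, f: Flow) -> str:
    """Enforcement phase: what the destination adapter does with a new flow."""
    allowed = (f.src_ip, f.dst_port, f.proto) in nic_rules(policy, f.dst_ip)
    return "allow" if allowed else "alert"

# Constructed baseline from a learning window on a three-tier application.
BASELINE = [Flow("10.0.1.10", "10.0.2.10", 8080, "tcp"),
            Flow("10.0.2.10", "10.0.3.10", 5432, "tcp")]
POLICY = learn_policy(BASELINE)

def audit(flows: List[Flow]) -> List[Flow]:
    """Return the flows the policy does not explain (candidate lateral movement)."""
    return [f for f in flows if verdict(POLICY, f) == "alert"]
```

Because policy is learned at the tier level, a second web node reaching the app tier on the learned port is allowed even though only the first web node appeared in the baseline, while a web node opening a database connection directly, or an unknown host reaching any tier, is flagged.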
The latest defense-in-depth hardware solutions also minimize the impact on network performance. Their hardware firewall capabilities add no more than 200 to 700 nanoseconds (ns) of latency, making them up to 10 times faster than any firewall appliance. They also use a distributed hardware architecture that is inherently high-capacity and infinitely scalable, which ensures that, unlike traditional firewalls, they do not create data chokepoints in the data center network that slow down applications.
The software approach to application-level network segmentation has helped to familiarize the industry with the benefits of centrally managing operating-system-based server firewalls. Unfortunately, it has also created a vulnerable attack surface and added unacceptable latency to network operations. The advent of a hardware layer for defense-in-depth security protects vulnerable server-to-server IP traffic both within and between data centers, enabling data center operators to harden the new network edge: the server itself.