Are software-defined WAN security features sufficient to handle the demands of most enterprises? That’s the question addressed by author and engineer Christoph Jaggi, whose SD-WAN security concerns were cited in a recent blog post on IPSpace. The short answer? No — primarily because of the various connections that can take place over an SD-WAN deployment.
“The only common elements between the different SD-WAN offerings on the market are the separation of the data plane and the control plane and the takeover of the control plane by an SD-WAN controller,” Jaggi said. “When looking at an SD-WAN solution, it is part of the due diligence to look at the key management and the security architecture in detail. There are different approaches to implement network security, each having its own benefits and challenges.”
Organizations contemplating SD-WAN rollouts should determine whether prospective products meet important security thresholds. For example, products should support cryptographic protocols and algorithms and meet current key management criteria, Jaggi said.
Read what Jaggi had to say about the justification for SD-WAN security concerns.
Wireless ain’t nothing without the wire
You can have the fanciest access points and the flashiest management software, but without good and reliable wiring underpinning your wireless LAN, you’re not going to get very far. So said network engineer Lee Badman as he recounted a situation where a switch upgrade caused formerly reliable APs to lurch to a halt.
“I’ve long been a proponent of recognizing [unshielded twisted pair] as a vital component in the networking ecosystem,” Badman said. Flaky cable might still be sufficient in a Fast Ethernet world, but with multigig wireless now taking root, old cable can be the source of many problems, he said.
For Badman, the culprit was PoE-related and once the cable was re-terminated and tested anew, the APs again worked like a charm. A good lesson.
See what else Badman had to say about the issues that can plague a WLAN.
The long tail and DDoS attacks
Now there’s something new to worry about with distributed denial of service, or DDoS, attacks. Network engineer Russ White has examined another tactic, dubbed tail attacks, which can just as easily clog networking resources.
Unlike traditional DDoS or DoS attacks that overwhelm bandwidth or TCP sessions, tail attacks concentrate on resource pools, such as storage nodes. In this scenario, a targeted node might be struggling because of full queues, White said, and that can cause dependent nodes to shut down as well. These tail attacks don’t require a lot of traffic and, what’s more, are difficult to detect.
For now, tail attacks aren’t common; they require attackers to know a great deal about a particular network before they can be launched. That said, they are something network managers should be aware of, White added.
BOSTON — IT organizations that plan to tackle developer security skills as part of a DevSecOps shift have started to introduce tools and techniques that can help.
Many organizations have moved past early DevSecOps phases such as a ‘seat at the table’ for security experts during application design meetings and locked-down CI/CD and container environments. At DevSecCon 2018 here this week, IT pros revealed they’ve begun in earnest to ‘shift security left’ and teach developers how to write more secure application code from the beginning.
“We’ve been successful with what I’d call SecOps, and now we’re working on DevSec,” said Marnie Wilking, global CISO at Orion Health, a healthcare software company based in Boston, during a Q&A after her DevSecCon presentation. “We’ve just hired an application security expert, and we’re working toward overall information assurance by design.”
Security champions and fast feedback shift developer mindset
Orion Health’s plan to bring an application security expert, or security champion, into its DevOps team reflects a model followed by IT security software companies, such as CA Veracode. The goal of security champions is to bridge the gap and liaise between IT security and developer teams, so that groups spend less time in negotiations.
“The security champions model is similar to having an SRE team for ops, where application security experts play a consultative role for both the security and the application development team,” said Chris Wysopal, CTO at CA Veracode in Burlington, Mass., in a presentation. “They can determine when new application backlog items need threat modeling or secure code review from the security team.”
However, no mature DevSecOps process allows time for consultation before every change to application code. Developers must hone their security skills to reduce vulnerable code without input from security experts to maintain app delivery velocity.
The good news is that developer security skills often emerge organically in CI/CD environments, provided IT ops and security pros build vulnerability checks into DevOps pipelines in the early phases of DevSecOps.
“If you’re seeing builds fail day after day [because of security flaws], and it stops you from doing what you want to get done, you’re going to stop [writing insecure code],” said Julie Chickillo, VP of information security, risk and compliance at Beeline, a company headquartered in Jacksonville, Fla., which sells workforce management and vendor management software.
Beeline built security checks into its CI/CD pipeline that use SonarQube, which blocks application builds if it finds major, critical or limiting application security vulnerabilities in the code, and immediately sends that feedback to developers. Beeline also uses interactive code scanning tools from Contrast Security as part of its DevOps application delivery process.
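The pipeline pattern described above, a scan whose findings block the build at a chosen severity and are handed straight back to the developer, as an added example. This is not Beeline’s pipeline or SonarQube’s code: the JSON report shape, the severity names and the sample findings are constructed for the example, and the gate is written to run as a CI step whose exit code decides whether the build proceeds.

```python
"""Fail a CI build when a code scan reports findings at or above a severity
threshold, and give the developer a readable list of what blocked it.

Added example; the report format is a constructed, simplified JSON shape
(not a real scanner export), and the severity ranking is the common
Blocker/Critical/Major/Minor/Info ordering.
"""
import json
from typing import Dict, List

# Constructed severity ranking: a higher number means more severe.
SEVERITY_RANK: Dict[str, int] = {
    "INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4,
}

# Constructed sample report, loosely shaped like a scanner export.
SAMPLE_REPORT = json.dumps({
    "issues": [
        {"rule": "sql-injection", "severity": "CRITICAL",
         "file": "src/db/users.py", "line": 42,
         "message": "User input concatenated into SQL query"},
        {"rule": "hardcoded-secret", "severity": "MAJOR",
         "file": "src/config.py", "line": 7,
         "message": "Hard-coded credential in source"},
        {"rule": "unused-import", "severity": "MINOR",
         "file": "src/util.py", "line": 1,
         "message": "Unused import 'os'"},
    ]
})


def rank(severity: str) -> int:
    """Map a severity label to its rank; unknown labels rank lowest."""
    return SEVERITY_RANK.get(severity.upper(), 0)


def blocking_issues(report_json: str, threshold: str = "MAJOR") -> List[dict]:
    """Return the findings whose severity is at or above `threshold`."""
    report = json.loads(report_json)
    floor = rank(threshold)
    return [
        issue for issue in report.get("issues", [])
        if rank(issue.get("severity", "INFO")) >= floor
    ]


def format_feedback(issues: List[dict]) -> str:
    """Developer-facing summary: one line per finding, most severe first."""
    ordered = sorted(issues, key=lambda i: -rank(i.get("severity", "INFO")))
    return "\n".join(
        f"[{i['severity']}] {i['file']}:{i['line']} {i['rule']}: {i['message']}"
        for i in ordered
    )


def gate(report_json: str, threshold: str = "MAJOR") -> int:
    """Return the process exit code: 0 lets the build proceed, 1 blocks it."""
    issues = blocking_issues(report_json, threshold)
    if not issues:
        print(f"security gate: no findings at or above {threshold}")
        return 0
    print(f"security gate: build blocked by {len(issues)} finding(s) "
          f"at or above {threshold}\n{format_feedback(issues)}")
    return 1


if __name__ == "__main__":
    # In a real pipeline the report would be read from the scanner's output
    # file; the constructed sample is used here so the script runs stand-alone.
    raise SystemExit(gate(SAMPLE_REPORT))
```

The threshold is the policy knob: a team that starts at BLOCKER and lowers it over time gets the same “builds fail until the code is fixed” feedback loop without stalling delivery on day one.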
“It’s all about giving developers constant feedback, and putting information in their hands that helps them make better decisions,” Chickillo said.
Developer security training tools emerge
Application code scans and continuous integration tests only go so far to make applications secure by design. DevSecOps organizations will also use updated tools to further developer security skills training.
“Sooner or later, companies put security scanning tools in place, then realize they’re not enough, because people don’t understand the output of those tools,” said Mark Felegyhazi, CEO of Avatao.com Innovative Learning Ltd, a startup in Hungary that sells developer security skills training software. Avatao competitors in this emerging field include Secure Code Warrior, which offers gamelike interfaces that train developers in secure application design. Avatao also offers a hands-on gamification approach, but its tools also cover threat modeling, which Secure Code Warrior doesn’t address, Felegyhazi said.
Firms also will look to internal and external training resources to build developer security skills. Beeline has sent developers to off-site security training, and plans to set up a sandbox environment for developers to practice penetration testing on their own code, so they better understand the mindset of attackers and how to head them off, Chickillo said.
Higher education must take a similar hands-on approach to bridge the developer security skills gap for graduates as they enter the workforce, said Gabor Pek, CTO at Avatao, in a DevSecCon presentation about security in computer science curricula.
“Universities don’t have security champion programs,” Pek said. “Most of their instruction is designed for a large number of students in a one-size-fits-all format, with few practical, hands-on exercises.”
In addition to his work with Avatao, Pek helped create a bootcamp for student leaders of capture-the-flag teams that competed at the DEFCON conference in 2015. Capture-the-flag exercises offer a good template for the kinds of hands-on learning universities should embrace, he said, since they are accessible to beginners but also challenge experts.
Slack will soon give businesses an additional level of security by letting them manage their encryption keys. The feature will appeal to a small number of large organizations for now, but it could help the startup expand its footprint in the enterprise market.
Slack already encrypts the messages and files that flow through its premium platform for large businesses, called Enterprise Grid. Now, the vendor plans to give customers control of the keys that unlock that encryption.
“Enterprise key management is another significant step that Slack needs to take to meet increasing security demands — and according to their promise, without hurting speed or usability, [which are] common side effects of EKM,” said Wayne Kurtzman, analyst at IDC.
Slack touted the forthcoming feature as providing “all the security of an on-premises solution, with all the benefits of a cloud tool.” But the vendor clarified that the keys will be created and stored in Amazon’s public cloud.
“In the future, we may expand this offering to support an on-prem or private cloud [hardware security module] key store,” said Ilan Frank, director of Slack’s enterprise products.
Cisco Webex Teams lets businesses manage encryption keys on premises or in the cloud. It also provides end-to-end encryption. In contrast, Slack only encrypts data in transit and at rest, which means the data may get decrypted at certain routing points in the cloud.
Slack has no plans to change its encryption model, Frank said, citing potential “usability drawbacks” related to search and advanced app and bot features.
Symphony also offers end-to-end encryption and enterprise key management. Its team collaboration app has found a niche among banks and other financial firms, which generally have strict compliance and regulatory standards.
“I think, from Slack’s case, it’s a good first step in allowing customers to control their own keys,” said Zeus Kerravala, founder and principal analyst at ZK Research in Westminster, Mass. But Slack should also ensure businesses can store those keys in their own data centers and eventually pursue end-to-end encryption, he said.
Slack’s enterprise key management feature will be particularly useful for external communications done through Slack, said Alan Lepofsky, a vice president and principal analyst at Constellation Research, based in Cupertino, Calif.
When partners communicate through a shared channel in Slack, the company that established the channel will have control over the encryption keys.
“I think this will be a very important use case, as it’s that external communication where you really want to ensure security and privacy,” Lepofsky said.
Slack expects to make enterprise key management available for purchase to Enterprise Grid customers sometime this winter.
Slack looks to appeal to more large enterprises
Slack launched Enterprise Grid last year in an attempt to expand beyond its traditional base of teams and small businesses. The platform lets large organizations unify and manage multiple Slack workspaces.
Election security continues to be a hot topic, as the 2018 midterm elections draw closer. So, the Voting Village at DEF CON 26 in Las Vegas wanted to re-create and test every aspect of an election.
Jake Braun, CEO of Cambridge Global Advisors, based in Arlington, Va., and one of the main organizers of the DEF CON Voting Village, discussed the pushback the event has received and how he hopes the event can expand in the future.
What were the major differences between what the Voting Village had this year compared to last year?
Jake Braun: The main difference is it’s way bigger. And we’ve got, end to end, the voting infrastructure. We’ve got voter registration, a list of voters in the state of Ohio that are in a cyber range that’s basically like a county clerk’s network. Cook County, Illinois, their head guy advised us on how to make it realistic [and] make it like his network. We had that, but we didn’t have the list of voters last year.
That’s the back end of the voter process with the voter infrastructure process. And then we’ve got machines. We’ve got some new machines and accessories and all this stuff.
Then, on the other end, we’ve got the websites. This is the last piece of the election infrastructure that announces the results. And so, obviously, we’ve got the kids hacking the mock websites.
What prompted you to make hacking the mock websites an event for the kids in R00tz Asylum?
Braun: It was funny. I was at [RSA Conference], and we’ve been talking for a long time about, how do we represent this vulnerability in a way that’s not a waste of time? Because the guys down in the [Voting Village], hacking websites is not interesting to them. They’ve been doing it for 20 years, or they’ve known how to do it for 20 years. But this is the most vulnerable part of the infrastructure, because it’s [just] a website. You can cause real havoc.
I mean, the Russians — when they hacked the Ukrainian website and changed it to show their candidate won, and the Ukrainians took it down, fortunately, they took it down before anything happened. But then, Russian TV started announcing their candidate won. Can you imagine if, in November 2020, the Florida and Ohio websites are down, and Wolf Blitzer is sitting there on CNN saying, ‘Well, you know, we don’t really know who won, because the Florida and Ohio websites are down,’ and then RT — Russian Television — starts announcing that their preferred candidate won? It would be chaos.
Anyway, I was talking through this with some people at [RSA Conference], and I was talking about how it would be so uninteresting to do it in the real village or in the main village. And the guy [I was talking to said], ‘Oh, right. Yeah. It’s like child’s play for them.’
I was like, ‘Exactly, it’s child’s play. Great idea. We’ll give it to R00tz.’ And so, I called up Nico [Sell], and she was like, ‘I love it. I’m in.’ And then, the guys who built it were the Capture the Packet guys, who are some of the best security people in the planet. I mean, Brian Markus does security for … Aerojet Rocketdyne, one of the top rocket manufacturers in the world. He sells to [Department of Defense], [Department of Homeland Security] and the Australian government. So, I mean, he is more competent than any election official we have.
The first person to get in was an 11-year-old girl, and she got in in 10 minutes. Totally took over the website, changed the results and everything else.
How did it go with the Ohio voter registration database?
Braun: The Secretaries of State Association criticized us, [saying], ‘Oh, you’re making it too easy. It’s not realistic,’ which is ridiculous. In fact, we’re protecting the voter registration database with this Israeli military technology, and no one has been able to get in yet. So, it’s actually probably the best protected list of voters in the country right now.
Have you been able to update the other machines being used in the Voting Village?
Braun: Well, a lot of it is old, but it’s still in use. The only thing that’s not in use is the WinVote, but everything else that we have in there is in use today. Unlike other stuff, they don’t get automatic updates on their software. So, that’s the same stuff that people are voting on today.
Have the vendors been helpful at all in providing more updated software or anything?
Braun: No. And, of course, the biggest one sent out a letter in advance to DEF CON again this year saying, ‘It’s not realistic and it’s unfair, because they have full access to the machines.’
Do people think these machines are kept in Fort Knox? I mean, they are in a warehouse or, in some places, in small counties, they are in a closet somewhere — literally. And, by the way, Rob Joyce, the cyber czar for the Trump administration who’s now back at NSA [National Security Agency], in his talk [this year at DEF CON, he basically said], if you don’t think that our adversaries are doing exactly this all year so that they know how to get into these machines, your head is insane.
The thing is that we actually are playing by the rules. We don’t steal machines. We only get them if people donate them to us, or if we can buy them legally somehow. The Russians don’t play by the rules. They’ll just go get them however they want. They’ll steal them or bribe people or whatever.
They could also just as easily do what you do and just get them secondhand.
Braun: Right. They’re probably doing that, too.
Is there any way to test these machines in a way that would be acceptable to the manufacturers and U.S. government?
Braun: The unfortunate thing is that, to our knowledge, the Voting Village is still the only public third-party inspection — or whatever you want to call it — of voting infrastructure.
The vendors and others will get pen testing done periodically for themselves, but that’s not public. All these things are done, and they’re under [nondisclosure agreement]. Their customers don’t know what vulnerabilities they found and so on and so forth.
So, the unfortunate thing is that the only time this is done publicly by a third party is when it’s done by us. And that’s once a year for two and a half days. This should be going on all year with all the equipment, the most updated stuff and everything else. And, of course, it’s not.
Braun: Yes. This is why DEF CON is so great, because everybody is here. I was just talking to them yesterday, and they were like, ‘Hey, can you get us the report as soon as humanly possible? Because we want to take it into consideration as we are putting together our guidelines.’ And they said they used our report last year, as well.
How have the election machines fared against the Voting Village hackers this year?
Braun: Right, of course, they were able to get into everything. Of course, they’re finding all these new vulnerabilities and all this stuff.
The greatest thing that I think came out of last year was that the state of Virginia wound up decommissioning the machine that [the hackers] got into in two minutes remotely. They decommissioned that and got rid of the machine altogether. And it was the only state that still had it. And so, after DEF CON, they had this emergency thing to get rid of it before the elections in 2017.
What’s the plan for the Voting Village moving forward?
Braun: We’ll do the report like we did last year. Out of all the guidelines that have come out since 2016 on how to secure election infrastructure, none of them talk about how to better secure your reporting websites or, since they are kind of impossible to secure, what operating procedures you should have in place in case they get hacked.
So, we’re going to include that in the report this year. And that will be a big addition to the overall guidelines that have come out since 2016.
And then, next year, I think, it’s really just all about, what else can we get our hands on? Because that will be the last time that any of our findings will be able to be implemented before 2020, which is, I think, when the big threat is.
A DEF CON spokesperson said that most of the local officials that responded and are attending have been from Democratic majority counties. Why do you think that is?
Braun: That’s true, although [Neal Kelley, chief of elections and registrar of voters for] Orange County, attended. Orange County is pretty Republican, and he is a Republican.
But I think it winds up being this functionally odd thing where urban areas are generally Democratic, but because they are big, they have a bigger tax base. So then, the people who run them have more money to do security and hire security people. So, they kind of necessarily know more about this stuff.
Whereas if you’re in Allamakee County, Iowa, with 10,000 people, the county auditor who runs the elections there, that guy or gal — I don’t know who it is — but they are both the IT and the election official and the security person and the whatever. You’re just not going to get the specialized stuff, you know what I mean?
Do you have any plans to try to boost attendance from smaller counties that might not be able to afford sending somebody here or plans on how to get information to them?
Braun: Well, that’s why we do the report. This year, we did a mailing of 6,600 pieces of mail to all 6,600 election officials in the country and two emails and 3,500 live phone calls. So, we’re going to keep doing that.
And that’s the other thing: We just got so much more engagement from local officials. We had a handful come last year. We had several dozen come this year. None of them were public last year. This year, we had a panel of them speaking, including DHS [Department of Homeland Security].
So, that’s a big difference. Despite the stupid letter that the Secretary of State Association sent out, a lot of these state and local folks are embracing this.
And it’s not like we think we have all the answers. But you would think if you were in their position and with how cash-strapped they are and everything, that they would say, ‘Well, these guys might have some answers. And if somebody’s got some answers, I would love to go find out about those answers.’
SAN FRANCISCO — Box shops will have the ability to get granular with a new built-in Box security feature, but organizations will have to find a role for the tool alongside their other security platforms.
Box Shield, which was introduced at the file-sharing company’s annual conference, BoxWorks, will detect anomalies and risky user behavior within Box. Experts here discussed the potential behind Box Shield and how it might integrate with existing security and identity management tools within businesses.
“Security is such a tough problem,” said James Sinur, vice president at Aragon Research, based in Morgan Hill, Calif. “I haven’t found any security software that covers all aspects of it.”
How Box Shield works
Box Shield has three main functionalities: smart access, anomaly detection and a content firewall.
Smart access enables end users and IT admins to classify Box files according to their level of confidentiality. Then, IT admins can apply policies based on those classifications.
Anomaly detection helps IT to discover compromised accounts and identify access abuse. For example, if an end user accesses Box from Guatemala and downloads large amounts of data, Box Shield will flag that as risky behavior.
The content firewall feature can go beyond two-factor authentication to verify external users and check the security of devices.
IT can also use Box Shield to uncover historical data about a user’s activity and access analytics about their behavior.
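The anomaly-detection rule sketched above (a user appearing from a country not seen in their history and pulling an unusual volume of data) as an added example of the detection logic run over audit events. This is not Box Shield’s code; the log format, the users, the countries and the thresholds are all constructed for the example, and the baseline is built from each user’s own earlier activity in the same log.

```python
"""Flag risky download activity in a file-sharing audit log: a download from
a country the user has not been trusted from before, at a volume well above
that user's own baseline.

Added example; the log lines, field layout and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed audit log: timestamp, user, country, action, bytes transferred.
SAMPLE_LOG = """\
2018-08-28T09:01:00Z alice US download 120000
2018-08-28T09:05:00Z alice US download 80000
2018-08-28T10:30:00Z bob US download 50000
2018-08-28T11:00:00Z alice US preview 0
2018-08-29T02:14:00Z alice GT download 3500000
2018-08-29T02:15:00Z alice GT download 4200000
2018-08-29T08:00:00Z bob CA download 60000
"""

# Constructed thresholds: flag a download from an untrusted country when it is
# either above an absolute size or many times the user's mean download.
MIN_BYTES = 1_000_000
RATIO = 10.0


@dataclass
class Event:
    ts: str
    user: str
    country: str
    action: str
    nbytes: int


@dataclass
class Alert:
    ts: str
    user: str
    country: str
    nbytes: int
    reason: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, action, nbytes = line.split()
        events.append(Event(ts, user, country, action, int(nbytes)))
    return events


def detect_risky_downloads(events: List[Event]) -> List[Alert]:
    """Stream through events in order, building each user's baseline as we go.

    A country becomes trusted for a user only after an event from it passed
    without being flagged, so a burst of downloads from a new location is
    flagged in full rather than only on its first event.
    """
    trusted: Dict[str, Set[str]] = defaultdict(set)
    download_sizes: Dict[str, List[int]] = defaultdict(list)
    alerts: List[Alert] = []
    for ev in events:
        flagged = False
        if ev.action == "download" and ev.country not in trusted[ev.user]:
            history = download_sizes[ev.user]
            mean = sum(history) / len(history) if history else 0.0
            if ev.nbytes >= MIN_BYTES:
                flagged = True
                reason = f"{ev.nbytes} bytes from new country {ev.country}"
            elif history and ev.nbytes >= RATIO * mean:
                flagged = True
                reason = (f"{ev.nbytes} bytes is {ev.nbytes / mean:.1f}x the "
                          f"user's mean download, from new country {ev.country}")
            if flagged:
                alerts.append(Alert(ev.ts, ev.user, ev.country, ev.nbytes, reason))
        if not flagged:
            trusted[ev.user].add(ev.country)
        if ev.action == "download":
            download_sizes[ev.user].append(ev.nbytes)
    return alerts


if __name__ == "__main__":
    for a in detect_risky_downloads(parse_log(SAMPLE_LOG)):
        print(f"{a.ts} {a.user}: {a.reason}")
```

Note that bob’s small download from a new country is not flagged: the rule combines the location signal with the volume signal, which is what keeps ordinary travel from generating noise while the large transfers from alice’s new location are caught.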
Box Shield tries to play nice with other security
Sinur said he expects customers to use Box Shield in conjunction with other security platforms.
“Where I think [Box] will make their contribution is by adjusting policies that govern those pieces of [content],” he said.
Box is well-known for a plethora of integrations with third-party platforms — from Google and Slack to Microsoft and Okta. The company is already identifying places where Box Shield would integrate with other cloud access security broker (CASB) services, CEO Aaron Levie said in a press conference. Customers with an existing security information management tool, for example, would be able to use Box Shield in conjunction with it, he said.
An IT security analyst at a financial institution who wanted to remain anonymous was very interested in the new tool. His company already has several security technologies in place, such as Symantec and Okta, and would use Box Shield in addition to those services, he said.
“From a nonmanaged versus managed device, it would help us keep track of what’s going in and what’s going out based off of the device control,” he added.
VMware has introduced features that improve the use of its NSX network virtualization and security software in private and public clouds.
At VMworld 2018 in Las Vegas, VMware unveiled an NSX instance for AWS Direct Connect and technology to apply NSX security policies on Amazon Web Services workloads. Also, VMware said Arista Networks’ virtual and physical switches would enforce NSX policies — the result of a collaboration between the two vendors.
The latest AWS feature is in NSX-T Data Center 2.3, which VMware introduced at VMworld. Other features added to the newest version of NSX-T include support for containers and Linux-based workloads running on bare-metal servers. NSX-T uses Open vSwitch to turn a Linux host into an NSX-T transport node and to provide stateful security services.
VMware plans to release NSX-T 2.3 by November.
NSX on AWS Direct Connect
To help companies connect to AWS, VMware introduced integration between NSX and AWS Direct Connect. The combination will provide NSX-powered connectivity between workloads running on VMware Cloud on AWS and those running on a VMware-based private cloud in the data center.
AWS Direct Connect lets companies bypass the public internet and establish a dedicated network connection between a data center and an AWS location. Direct Connect is particularly useful for companies with rules against transferring sensitive data across the public internet.
Finally, VMware introduced interoperability between Arista’s CloudVision and NSX. As a result, companies can have NSX security policies enforced on Arista switches running either virtually in a public cloud or the data center.
Arista CloudVision manages switching fabrics within multiple cloud environments. Last year, the company released a virtualized version of its EOS network operating system for AWS, Google Cloud Platform, Microsoft Azure and Oracle Cloud.
VMware is using its NSX portfolio to connect and secure infrastructure and applications running in the data center, branch office and public cloud. For the branch office, VMware has integrated NSX with the company’s VeloCloud software-defined WAN to provide microsegmentation for applications at the WAN’s edge.
VMware competes in multi-cloud networking with Cisco and Juniper Networks.
Cisco has introduced Meraki MX security appliances with a built-in 4G wireless broadband modem. The company also added the Long Term Evolution, or LTE, modem to a new Z-series teleworker gateway.
This week, Cisco launched the Meraki MX67C and MX68CW with an integrated CAT 6 LTE cellular modem. Also, Cisco unveiled four MX models — the MX67, MX68, MX67W and MX68W — without LTE but with more throughput than older models. All the new MX hardware, which is the first in the Meraki line to support the 802.11ac Wave 2 Wi-Fi standard, can deliver up to 450 Mbps of firewall throughput.
Network admins manage Cisco Meraki switches, appliances and access points through a web-based console called the Meraki Dashboard, which also provides automation and analytics. Cisco has aimed the product line at small branch offices and retailers that need a no-frills wireless LAN. For an access layer that meets the needs of larger enterprises, Cisco offers the Aironet APs and Catalyst switches.
MX appliances are unified threat management devices with software-defined WAN functionality. A UTM system combines and integrates multiple security services and features, including a firewall.
Uses for LTE in the Meraki MX
The higher throughput in the latest MX appliances is aimed at companies accessing SaaS applications, such as Microsoft Office 365, said Imran Idrees, a marketing manager in Cisco’s Meraki unit. Remote branch offices can use the LTE modem as a substitute for broadband when it isn’t available.
Companies could also use the LTE connection as a failover link, Idrees said. If the Ethernet connection goes down, then the MX would switch to LTE.
“Given the ubiquity and increasing performance of LTE, this is a relatively inexpensive way for a branch office to increase its network availability,” said Mark Hung, an analyst at Gartner.
The cellular MX models have one Nano SIM card slot for connecting to a carrier’s LTE network. The built-in modem makes it possible to track usage and performance of the MX from the Meraki Dashboard.
Getting LTE on older Meraki MX models required companies to plug in a carrier-provided USB stick that contained the 4G modem. Because the modem wasn’t integrated with the MX, no data was captured for tracking performance.
With the latest models, data captured from the LTE connection includes signal strength, the provider’s name and how much data is traveling over the link. All the information is displayed on the Meraki Dashboard.
The Z3C gateway
The Z3C teleworker gateway is for workers who need a secure connection to the corporate network while they are on the road. “It’s a very compact device that a business person would take around with them,” Idrees said.
The previous version of the gateway, Z3, required a traveler to plug a hotel room’s Ethernet cable into the device to gain access to the corporate network. The Z3C has the option of connecting over LTE.
Companies that want to use a Meraki WLAN have to purchase the product line’s devices and a cloud subscription license. Once the license is registered, network managers can configure and manage the hardware through the Meraki Dashboard.
Google’s disclosure policy and Android security in general came under question after the company disclosed a flaw in the Android installer for the world’s most popular game, Fortnite. The flawed installer is only for Android users because Fortnite developer Epic Games bypassed security protections available for apps distributed through the Google Play Store, in order to maximize profits and avoid paying distribution fees to Google.
On Friday, Google disclosed the Fortnite vulnerability and described it as a risk for a man-in-the-disk attack where any “fake [Android Package Kit] with a matching package name can be silently installed” by the Fortnite installer. Google disclosed the flaw to Epic Games on Aug. 15, and Epic had produced a patch within 24 hours.
After testing the patch and deploying it to users on Aug. 16, Epic asked Google on the issue tracker page if they could have “the full 90 days before disclosing this issue so our users have time to patch their devices.” Google did not respond on the issue tracker until Aug. 24, when it noted that “now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google’s standard disclosure practices.”
Epic Games founder Tim Sweeney accused Google on Twitter of wanting “to score cheap PR points” by disclosing the Fortnite vulnerability because Epic Games had released the game outside of the Google Play Store.
Epic Games had previously claimed the reason for not releasing Fortnite for Android through the Play Store was twofold: to maintain a “direct relationship” with customers and to avoid the 30% cut Google would take from in-app purchases. Security experts immediately expressed skepticism about the move because of the security checks in Android that need to be turned off in order to sideload an app from outside of the Play Store and the risk of malicious fakes.
Sweeney admitted on Twitter that the Fortnite vulnerability was Epic’s responsibility, but took issue with Google’s fast disclosure.
I grant that Google finding a flaw in our software and sourcing stories about the fact of it is a valid PR strategy.
But why the rapid public release of technical details? That does nothing but give hackers a chance to target unpatched users.
Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, said that “from a security perspective there’s no right or wrong in this scenario.”
“As soon as the vulnerability was reported, Epic fixed [it] within 24 hours, which is commendable, and then Google publicly disclosed it according to their policy. Technically, users are now safe and informed regarding a potential security vulnerability that could have endangered their privacy and devices,” Arsene wrote via email. “Granted, not all users will receive and install the update instantly, but the same can be said for most security patches and updates. As long as Epic is committed to delivering patches for their apps, regardless if they’re in Google Play or not, and Google is committed to finding and responsibly disclosing vulnerabilities, security is enforced and users are the ones that benefit most.”
Kubernetes security tools have proliferated in 2018, and their growing numbers reflect increased maturity around container security among enterprise IT shops.
The latest additions to this tool category include a feature in Google Kubernetes Engine called Binary Authorization, which can create whitelists of container images and code that are authorized to run on GKE clusters. All other attempts to launch unauthorized apps will fail, and the GKE feature will document them.
Binary Authorization is in public beta. Google will also make the feature available for on-premises deployments through updates to Kritis, an open source project focused on deployment-time policy enforcement.
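The allowlist-plus-fail-closed behaviour described above, written out as a Binary Authorization policy in the YAML form that `gcloud container binauthz policy import` accepts. This is an added illustration, not Google's or the article's configuration; the project ID, attestor name and cluster key are placeholders.

```yaml
# Added example policy (placeholders in ALL_CAPS). Images that match no
# allowlist pattern must carry an attestation from the named attestor;
# otherwise the pod is rejected and the denial lands in the audit log.
admissionWhitelistPatterns:
  # Google-maintained system images GKE itself deploys. Keep patterns this
  # narrow; a bare "*" would allow anything and defeat the control.
  - namePattern: gcr.io/google_containers/*
  - namePattern: gcr.io/google-containers/*
  - namePattern: k8s.gcr.io/*
  - namePattern: gke.gcr.io/*
defaultAdmissionRule:
  # Fail closed on production: unattested images are blocked, not just logged.
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/ATTESTOR_NAME   # placeholder attestor
clusterAdmissionRules:
  # Per-cluster override, keyed as LOCATION.CLUSTER_NAME (placeholder below).
  # Dry-run records what would have been blocked without stopping deploys,
  # which is the usual first step before switching a cluster to enforcement.
  us-central1-a.dev-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/ATTESTOR_NAME
```

After importing the policy, a `kubectl run` of an unattested image on an enforced cluster fails at admission, and the same attempt on the dry-run cluster succeeds but appears in the cluster's audit log.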
Aqua Security also added to the arsenal of Kubernetes security tools at IT pros’ disposal with an open source utility, called kube-hunter, which can be used for penetration testing of Kubernetes clusters. The tool performs passive scans of Kubernetes clusters to look for common vulnerabilities, such as dashboard and management server ports that were left open. These seemingly obvious errors have taken down high-profile companies, such as Tesla, Aviva and Gemalto.
Users can also perform active penetration tests with kube-hunter. In this scenario, the tool attempts to exploit the vulnerabilities it finds as if an attacker has gained access to Kubernetes cluster servers, which may highlight additional vulnerabilities in the environment.
These tools join several other Kubernetes security offerings introduced in 2018 — from Docker Enterprise Edition’s encryption and secure container registry features for the container orchestration platform to Kubernetes support in tools from Qualys and Alert Logic. The growth of Kubernetes security tools indicates the container security conversation has shifted away from ways to secure individual container images and hosts to security at the level of the application and Kubernetes cluster.
“Containers are not foolproof, but container security is good enough for most users at this point,” said Fernando Montenegro, analyst with 451 Research. “The interest in the industry shifts now to how to do security at the orchestration layer and secure broader container deployments.”
GKE throws down the gauntlet for third-party container orchestration tools
Google’s Binary Authorization feature isn’t unique; other on-premises and hybrid cloud Kubernetes tools, such as Docker Enterprise Edition, Mesosphere DC/OS and Red Hat OpenShift, offer similar capabilities to prevent unauthorized container launches on Kubernetes clusters.
However, third-party vendors once again find themselves challenged by a free and open source alternative from Google. Just as Kubernetes supplanted other container orchestration utilities, these additional Kubernetes management features further reduce third-party tools’ competitiveness.
GKE Binary Authorization is one of the first instances of a major cloud provider adding such a feature natively in its Kubernetes service, Montenegro said.
“[A gatekeeper for Kubernetes] is not something nobody’s thought of before, but I haven’t seen much done by other cloud providers on this front yet,” Montenegro said. AWS and Microsoft Azure will almost certainly follow suit.
“The question for users, as cloud providers add these features, is, why go for a third-party tool when the cloud provider does this kind of thing themselves?” Montenegro said.
Aqua Security’s penetration testing tool is unlikely to unseat full-fledged penetration testing tools enterprises use, such as Nmap and Burp Suite, but its focus on Kubernetes vulnerabilities specifically with a free offering will attract some users, Montenegro said.
Aqua Security and its main competitor, Twistlock, also must stay ahead of Kubernetes security features as they’re incorporated into broader enterprise platforms from Google, Cisco and others, Montenegro said.
Arista Networks has added to its CloudVision management console the ability to apply security policies across virtualized switching fabrics running on Amazon Web Services, Google Cloud and Microsoft Azure.
Arista also introduced this week an integration between Arista CloudVision and NSX, VMware’s software for provisioning virtualized networks. The combination lets engineers take security policies created in NSX and apply them to Arista switches running in the data center.
The latest features come about a year after Arista introduced a virtualized version of its network operating system, called vEOS, for AWS, Google and Azure. At the time, Arista added some vEOS controls to CloudVision, which competes with Cisco CloudCenter.
The new multi-cloud feature within Arista CloudVision lets engineers modify the access control lists (ACLs) in vEOS switches, said Jeff Raymond, vice president of EOS product management. The capability, which the vendor calls Zone Segmentation Security, eliminates having to worry about the unique security mechanisms in each of the three public clouds.
Companies often create virtual networks in the public clouds to deliver security, load balancing and other services to applications. Amazon and Google call the networks Virtual Private Clouds (VPCs) while Microsoft refers to them as virtual networks (VNet).
Arista has integrated its Zone Segmentation feature with Zscaler’s cloud-based web gateway. The integration lets companies use Zscaler to apply security policies for traffic heading from a campus network or remote office to the cloud provider. Arista CloudVision applies policies to traffic flowing between and within virtual networks.
Overall, Arista is using CloudVision to address a trend toward more collaboration between corporate networking and security teams, said Shamus McGillicuddy, an analyst at Enterprise Management Associates, based in Boulder, Colo. A recent EMA survey found that 91% of security and network infrastructure teams were working together using shared or integrated tools.
The latest Arista offerings also show the vendor recognizes its customers need security that stretches from the private data center to the public cloud, said Bob Laliberte, an analyst at Enterprise Strategy Group, based in Milford, Mass. “Building out a strong security ecosystem will be critical, and delivering a capable management platform for hybrid cloud environments will be important for its customers to effectively manage those hybrid environments.”
VMware NSX integration with Arista CloudVision
The NSX integration bridges the gap between VMware virtual networks and Arista physical switches in the data center. With CloudVision, engineers will be able to take security policies created for NSX environments and apply them to workloads running on the hardware.
NSX policies define the network resources accessible to groups of workloads and applications running on the virtual network. CloudVision applies those policies to an Arista fabric by converting them into a format that can become a part of the switch’s ACL.
As a result, engineers can save time by using just NSX for creating security policies, according to Raymond.
New hardware-based encryption in Arista routers
Finally, Arista plans to release four routers with built-in support for encryption standards. For the enterprise WAN, Arista embedded hardware-based IPSec in the 7020SRG for site-to-site virtual private networks. The router is a 10 GbE platform.
For the data center interconnect, Arista will provide MACsec encryption in the new 7280CR2M and the 7280SRAM. Both routers offer wire-speed encryption with 10 GbE and 100 GbE for up to 100 kilometers. For MACsec encryption up to 2,500 km, Arista introduced the 7280SRM, which has 200 GbE Coherent interfaces for metro and long-haul links.
Arista plans to release all the new technology by the end of September.
Arista sells its products primarily to tier-one and tier-two service providers, financial institutions and high-tech companies, including Microsoft, Amazon and Facebook.
Recently, however, the company has aimed some new hardware at enterprises with more mainstream data centers. In May, for example, the company introduced switches for the campus LAN.