Last week I blogged about the rise of more sophisticated exploits and what they mean for data center security. This time let me articulate what I think are the 5 critical requirements for data center intrusion prevention and help the discussion focus on what will be needed going forward.
At RSA earlier this month several speakers mentioned the need for more application layer security to compensate for the increasingly sophisticated evasions now getting past perimeter firewalls and UTM appliances. These attacks put every major enterprise IT initiative at risk because they can severely compromise the availability and integrity of the data center.
But rather than add to the confusion with a general platitude about the application layer becoming more important, let me list the 5 capabilities that I think will really make a difference in increasing service availability and security: 1) accuracy; 2) comprehensive intelligence (protocol, service, flow and vulnerability); 3) appropriate response; 4) exception-based inspection; and 5) virtsec readiness.
1- Accuracy – No False Positives
Effective security always starts with accuracy, or the ability to discriminate between exploits and innocent traffic. For most data centers the vast majority of traffic is innocent, so the ability for a system to identify and act on only real attacks frees up tremendous people and processing resources for taking appropriate and proactive actions when real attacks occur.
Unfortunately, most leading network intrusion prevention systems do not discriminate very well, and produce a steady volume of false alarms. Relying on deep packet pattern matching generates inordinate levels of false alarms and squanders limited people and processing cycles on unproductive work. When a system can only alert on suspicious activity, rather than identify real exploits, it puts security teams in a reactive and less productive mode.
In some cases security teams actually have to turn off certain types of intrusion prevention protection because of the escalating processing and management requirements inherent in a particular means of detection. In other cases signatures or heuristics are turned off because they are not reliable enough indicators of an exploit. Whether the cause is processing requirements and latency or false alarms, the data center security posture ultimately becomes compromised by network IPS accuracy challenges.
Yet data centers are under intense pressure to stay available 24/7. In addition to latency and resource issues, network security solutions that cannot discriminate between innocent and malicious traffic also end up compromising availability. Availability depends upon both the accurate detection of malicious traffic and the ability to take an appropriate response that does not itself disrupt service. Unfortunately pattern match signature and anomaly architectures cannot deliver high rates of accuracy.
With the rise of mutating attacks and sophisticated evasions, deep packet pattern match accuracy erodes even further. IP fragmentation and TCP segmentation split a known pattern across packets so that no single packet matches; polymorphic attacks change their byte pattern on every run; and attack classes such as SQL injection have so many equivalent encodings that no finite signature set keeps up. New exploit variants can be generated at an accelerated pace without much effort, and every zero day exploit goes undetected until a signature exists for it, which eventually means more signatures, more processing requirements and more potential for false alarms.
2- Comprehensive Protocol / Service / Vulnerability Intelligence
Today’s data center may use more than 130 protocols and services. Protocols not understood by a network intrusion prevention system can become vectors for attack. Accuracy erodes even further when the IPS cannot decode certain protocols in its fast path and relegates that traffic to a resource-hungry “slow path.”
Comprehensive protocol/service fluency is therefore critical for protecting operating system, application and database server vulnerabilities. The fewer protocols understood by a network IPS, the more potential for evasion and the more resources tied up in ineffective activities.
When selecting a data center intrusion prevention system, match the protocols and services each candidate solution can actually decode against the protocols and services running in your data center, and treat any gap as traffic that will go uninspected.
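One way to do that matching, as an added example written for this page rather than any vendor's code: build a service inventory from a connection log and diff it against the decoder list on a candidate's data sheet. The log excerpt below is a constructed Zeek-style conn.log (Zeek records “-” for a service it could not identify) and IPS_SUPPORTED is a hypothetical vendor list; substitute your own exports for both.

```python
"""Added example for this page (not vendor code): inventory the services a
data center actually carries and compare them with what an IPS can decode.
The conn.log excerpt and the supported-protocol list are both constructed."""
from __future__ import annotations

from collections import Counter

# Constructed Zeek-style conn.log excerpt: ts, src, dst, dst_port, transport, service.
# Zeek writes "-" when it could not identify the application protocol.
CONN_LOG = """\
1189000001.10 10.0.1.5  10.0.2.10 443  tcp ssl
1189000001.40 10.0.1.7  10.0.2.10 443  tcp ssl
1189000002.02 10.0.1.5  10.0.2.20 1521 tcp -
1189000002.30 10.0.1.9  10.0.2.21 3306 tcp mysql
1189000003.11 10.0.1.5  10.0.2.30 445  tcp smb
1189000003.50 10.0.1.12 10.0.2.40 389  tcp ldap
1189000004.00 10.0.1.12 10.0.2.40 88   tcp krb_tcp
1189000004.25 10.0.1.5  10.0.2.50 53   udp dns
1189000005.70 10.0.1.8  10.0.2.20 1521 tcp -
1189000006.00 10.0.1.8  10.0.2.60 8443 tcp ssl
1189000006.30 10.0.1.3  10.0.2.70 5900 tcp -
"""

# Hypothetical decoder list copied from a candidate IPS data sheet.
IPS_SUPPORTED = {"http", "ssl", "dns", "smtp", "ftp", "ssh", "smb", "mysql", "rdp"}


def parse_conn_log(text: str) -> list[dict]:
    """Turn whitespace-separated conn.log lines into records; skips comments and blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, service = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "port": int(port), "proto": proto, "service": service})
    return records


def service_inventory(records: list[dict]) -> Counter:
    """Flow count per (service, transport, destination port)."""
    return Counter((r["service"], r["proto"], r["port"]) for r in records)


def coverage_gaps(inventory: Counter, supported: set[str]) -> list[tuple[str, str, int, int]]:
    """(service, transport, port, flows) the IPS cannot decode, busiest first.
    Unidentified services ("-") count as gaps: if the logger could not name the
    protocol, an IPS without a decoder for it will not inspect it either."""
    gaps = [(svc, proto, port, n)
            for (svc, proto, port), n in inventory.items() if svc not in supported]
    return sorted(gaps, key=lambda g: (-g[3], g[2]))


def coverage_ratio(inventory: Counter, supported: set[str]) -> float:
    """Fraction of observed flows whose application protocol the IPS can decode."""
    total = sum(inventory.values())
    covered = sum(n for (svc, _, _), n in inventory.items() if svc in supported)
    return covered / total if total else 0.0


if __name__ == "__main__":
    inv = service_inventory(parse_conn_log(CONN_LOG))
    print(f"decodable flows: {coverage_ratio(inv, IPS_SUPPORTED):.0%}")
    for svc, proto, port, n in coverage_gaps(inv, IPS_SUPPORTED):
        label = "UNIDENTIFIED" if svc == "-" else svc
        print(f"  gap: {label:12} {proto}/{port:<5} {n} flow(s)")
```

The gaps list is sorted by flow volume so the busiest undecoded protocols surface first. Unidentified flows on a fixed port (1521 here, Oracle's default listener port) are worth chasing down with the owning team, because an IPS that cannot even name the protocol cannot apply vulnerability-specific checks to it either.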
3- Appropriate Exploit Response
One of the most significant requirements of data center security is the ability to provide proactive protection without disrupting services. Unfortunately, most leading network intrusion prevention systems use session reset (or blocking) as their default form of protection. Some applications will also retry blocked sessions repeatedly, resulting in a kind of self-inflicted denial of service.
Data center intrusion prevention systems need to be accurate and intelligent enough to understand an exploit and what it is targeting and then take an appropriate response (based on vulnerability, protocol and nature of attack) capable of protecting the server or VM without disrupting the session.
Again, appropriate response depends on accuracy and on vulnerability and protocol intelligence, which is why most network intrusion prevention systems are not capable of using controlled code execution to take appropriate responses to exploits. Ultimately, some protective capabilities are again turned off because the cure (an availability outage) is worse than the illness (a suspicious flow).
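Sections 1 and 3 above argue that per-packet pattern matching both over-alerts and is easy to evade, and that a session reset is the wrong response once something is found. The Python below is an added illustration written for this page, not Blue Lane code or any vendor's detection engine. Everything in it is constructed: the HTTP traffic, the signature string (standing in for bytes lifted from a published exploit sample) and the “vulnerability” itself, a hypothetical server that mishandles an Authorization header longer than MAX_AUTH_LEN bytes. It shows a benign request tripping the signature, a known exploit split across two segments so that no single segment matches, a mutated exploit carrying no signature bytes at all, and a response that strips only the offending header rather than resetting the session.

```python
"""Added example, not Blue Lane Technologies code.  Contrasts per-segment
pattern matching with reassembling, protocol-aware inspection that tests the
vulnerable condition itself, and shows a response that neutralizes the exploit
without tearing down the session.

Everything here is constructed for illustration: the traffic, the signature
string and the "vulnerability" (a hypothetical HTTP server that mishandles an
Authorization header longer than MAX_AUTH_LEN bytes)."""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_AUTH_LEN = 64                 # hypothetical safe length for the header
SIGNATURE = b"EXPLOIT-MARKER"     # stands in for bytes lifted from a published exploit


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def serialize(self) -> bytes:
        head = f"{self.method} {self.path} HTTP/1.1\r\n"
        head += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        return head.encode() + b"\r\n" + self.body


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return HttpRequest(method, path, headers, body)


def naive_signature_match(segments: list[bytes]) -> bool:
    """Deep packet pattern match done per segment, without reassembly."""
    return any(SIGNATURE in seg for seg in segments)


def protocol_aware_check(segments: list[bytes]) -> bool:
    """Reassemble the stream, parse the protocol, test the vulnerable condition."""
    req = parse_http_request(b"".join(segments))
    return len(req.headers.get("Authorization", "")) > MAX_AUTH_LEN


def respond(segments: list[bytes]) -> tuple[str, bytes]:
    """Appropriate response: drop only the offending header and forward the rest
    of the request, so the client's session survives.  A reset-based IPS would
    instead kill the connection for every flagged flow."""
    req = parse_http_request(b"".join(segments))
    if len(req.headers.get("Authorization", "")) <= MAX_AUTH_LEN:
        return "forward", req.serialize()
    del req.headers["Authorization"]
    return "sanitize", req.serialize()


def split_at(raw: bytes, marker: bytes, offset: int) -> list[bytes]:
    """Split a request into two segments part-way through `marker`, the
    fragmentation trick an attacker uses against per-segment matching."""
    cut = raw.find(marker) + offset
    return [raw[:cut], raw[cut:]]


# Constructed sample traffic.  The benign request is a bug-tracker comment whose
# text happens to contain the signature bytes; both exploits overrun the header.
BENIGN = HttpRequest("POST", "/tickets/42/comment",
                     {"Host": "tracker.example", "Authorization": "Basic dXNlcjpwdw=="},
                     b"text=the IDS fires on the string EXPLOIT-MARKER in our test suite"
                     ).serialize()
KNOWN_EXPLOIT = HttpRequest("GET", "/", {"Host": "app.example",
                                         "Authorization": SIGNATURE.decode() + "A" * 80}
                            ).serialize()
MUTATED_EXPLOIT = HttpRequest("GET", "/", {"Host": "app.example",
                                           "Authorization": "B" * 100}).serialize()

SAMPLES = {
    "benign": [BENIGN],
    "known_exploit": split_at(KNOWN_EXPLOIT, SIGNATURE, 6),   # split mid-signature
    "mutated_exploit": [MUTATED_EXPLOIT],
}


def evaluate() -> dict[str, dict[str, bool]]:
    """Run both detectors over every sample; returns sample name -> verdicts."""
    return {name: {"naive": naive_signature_match(segs),
                   "protocol_aware": protocol_aware_check(segs)}
            for name, segs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:16} naive={verdicts['naive']!s:5} "
              f"protocol_aware={verdicts['protocol_aware']}")
    action, forwarded = respond(SAMPLES["known_exploit"])
    print(action, forwarded.split(b"\r\n")[:3])
```

Running the block prints one verdict line per sample: the naive matcher gets all three wrong (a false positive on the benign comment, a miss on the split exploit, a miss on the mutated one), while the protocol-aware check gets all three right, and `respond()` forwards the benign request untouched while rewriting the exploit in place. That is what “vulnerability intelligence” means in practice: the check encodes the condition the server actually mishandles, so it is indifferent to how the attacker dresses up the bytes, and the response can be as narrow as the condition.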
4- Exception-based Detection and Enforcement
When solutions cannot discriminate between malicious and safe traffic they have to tie up processor cycles inspecting all traffic equally, and inspecting all traffic limits the processing power that can be dedicated to taking appropriate actions when a real attack is detected. Many experts refer to this extra congestion, and the resources it denies to a real attack, as the “slow path”. Data center intrusion prevention requires exception-based architectures that focus processing resources on real exploits for maximum protection, rather than subjecting all traffic to one-size-fits-all inspection. Systems that can efficiently parse out innocent traffic and focus on exploits (because of accuracy, protocol fluency and appropriate response capabilities, for example) perform at much higher levels, with much less latency and lower processing resource use.
More resources and more sophisticated countermeasures can be deployed when resources are not dedicated to ongoing, low-productivity “one size fits all” activity.
5- Virtsec Readiness
In virtualized infrastructures, racks and stacks of blade servers host hundreds or even thousands of virtual machines, and the security processing that goes with them puts additional strain on the hardware, especially the ability to scale as enterprises move ever larger VM populations onto each blade.
Some netsec vendors have responded to the new demands of virtualization security by announcing virtsec products. Many of these products suffer from the challenges discussed above, which are magnified in a virtualized infrastructure. Poor accuracy, incomplete application layer protocol/context/vulnerability intelligence, the inability to respond appropriately to attacks and the inability to dedicate resources to real attacks all mean that sensors or agents inserted into hypervisor traffic become the equivalent of toll booths that tie up processing resources.
As one installs layers of security sensors in the hypervisor (firewall, antivirus, IPS, etc.) more processing resources get pulled from the blade host, and elaborate hairpins channeling flows between agents and a multitude of point devices promise more latency. Without a consolidation of security functions into a single, highly efficient thin layer on each hypervisor, security pros are bound to be at odds with server ops teams struggling with ever higher resource consumption dedicated to security.
All 4 of the previous challenges now become magnified as traditional solutions already suffering from them are inserted into the flows that partition VMs. Those partitions become resource-intensive toll booths that slow traffic and tie up more hardware resources, eroding the business case for virtualization (flexibility, consolidation and power savings, for example).
Having discussed the five critical security requirements for the data center and the challenges facing security pros who use deep packet architectures to protect critical systems (from heterogeneous server farms to Oracle databases, hypervisors and VMs), it becomes clear that network security needs a new approach. Critical detection and enforcement capabilities need to be architected at the application layer with new levels of vulnerability and protocol intelligence. Gone are the days when attacks could be detected and acted on with ease. Hackers are more sophisticated and environments more complex. With the advent of virtualization in production environments, new levels of mutation and innovation are introduced inside the perimeter.
The combination of mutation and innovation, inside and outside the static pattern match deep packet perimeter, demands new levels of intelligence and flexibility and a new strategic area of deployment inside the perimeter, focused on the evolving demands of data center security: the data center intrusion prevention system.
Having covered the critical challenges facing deep packet inspection at the perimeter, a clear picture of what a data center intrusion prevention system requires emerges: 1) high levels of accuracy; 2) comprehensive protocol and vulnerability intelligence; 3) the ability to take appropriate responses to malicious traffic without disrupting services; 4) the ability to focus processing on real exploits rather than a non-discriminating, one-size-fits-all posture toward all traffic; and 5) the ability to run as a multifunctional, thin software layer on a blade hypervisor rather than hairpinning traffic between sensors or agents and thick, indiscriminate, dedicated point products in hardware and software form factors.
As you move away from these critical requirements you can expect to face more tradeoffs between security, availability, latency and the proper use of resources. Throwing processing power and people indiscriminately at security results in a weaker proactive posture, a higher TCO and lower system availability. I hope this list can be a starting point for a new data center security posture that can prepare your team for the coming shift to production virtualization.
Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I’ve been an Always On blogger/columnist since 2004. My recently launched personal blog is: www.archimedius.net . These are all my opinions, and do not represent the opinions of employers, spouses, kids, etc.