Blog: Deny by Default

By Prashant Kumar

Today’s networks are built with traditional routers, which use foundational technology that has changed very little since the inception of the routed IP network in the 1990s. At their most basic, routers were invented with the intent of moving packets from one computer to another by establishing a “hop-by-hop” path through the networking equipment between them – with each “hop” being a router. When an IP packet arrives at a router, the router looks at a forwarding table to find the best route to reach the destination, and then forwards the packet to the next hop in the path. This process occurs at each hop until the packet reaches the destination.

With this in mind, networks were originally designed to facilitate an “any-to-any” model, meaning that any computer on the network should be able to communicate with any other computer on the network. As you might guess, an “any-to-any” model invites mischief, so network security controls were developed to prevent unauthorized access to certain parts of a network. Some of these took place at the network edge in the form of stateful middleboxes. In routers, security took the form of Access Control Lists (ACLs) – filters that could permit or deny a packet from reaching its intended destination. If a packet is blocked by a defined ACL, it’s simply dropped from the router and not forwarded to the next hop.

Because routers need to forward packets as fast as possible, ACL techniques were intended to be “lightweight” security measures that wouldn’t significantly impact router performance. Because of this need for speed, traditional routers were designed and configured with the basic principle of “allow-by-default.” This means that unless an ACL is specifically defined to block a certain packet, the traditional router will just forward the packet on (without any further security checks) towards the next hop.

[Figure: Deny-by-default 1]

This creates a couple of problems – first, defining a multitude of ACLs to meet lots of growing business and security requirements can become a complex, error-prone problem known as “ACL Hell.” Second, even with the most sophisticated ACL deployment, the “allow-by-default” approach of traditional routers is prone to network attacks and not suitable for building a secure and reliable network using a Zero Trust Security (ZTS) approach.

The 128 Technology Networking Platform (128T) is a session-based router that follows the principle of “deny-by-default.” This means that unless a session has been specifically enabled to traverse the network, 128T will drop all of the packets belonging to the session. In fact, every session must go through multiple inspections at every hop in the network to ensure that session-specific policies are being applied before the session is allowed to be forwarded.

Each session begins with the arrival of the first packet sent from a client to a server. We call this a session request. Here’s how it works:

  • The first thing 128T does is check whether the client initiating the session request belongs to a tenant. A tenant is a type of sub-network that has its own set of members with associated network policies, access controls, and allowed network paths. If the client does not belong to a configured tenant, it is associated with a “global” (default) tenant.
  • Next, 128T checks whether the session request is destined to a service defined within the tenant. Services represent applications reachable by an IP address (such as a web server, database server, etc.). If the destination does not correspond to any service allowed access to the tenant, the session request will fail.
  • If the destination of the session request matches a configured service, 128T will further look at a context-specific ACL defined within the service. This ACL will determine if the source of the session request is allowed access to the service. If the source is denied access to the service, the session request will fail.
  • If the session request passes all checks, it will be forwarded to the next hop towards the destination.
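The four checks above, worked through as an added example that is not 128T code or configuration: a constructed policy model in which tenants are keyed by member prefixes, each service lists the tenants it is defined within and a source ACL, and a session request is forwarded only if every check passes (everything that matches nothing is denied).

```python
import ipaddress
# Constructed model of the four checks above, not 128T's config format: tenants are
# keyed by member prefixes; each service lists its tenants and a first-match source ACL.
TENANTS = {
    "engineering": ["10.1.0.0/16"],
    "guest": ["192.168.50.0/24"],
}
SERVICES = {
    "web": {"address": "10.100.0.10/32", "ports": {80, 443},
            "tenants": {"engineering", "guest"},
            "acl": [("deny", "192.168.50.99/32"), ("allow", "0.0.0.0/0")]},
    "db": {"address": "10.100.0.20/32", "ports": {5432},
           "tenants": {"engineering"},
           "acl": [("allow", "10.1.7.0/24")]},
}

def tenant_of(src):
    """Check 1: map the client to its tenant, falling back to the 'global' default."""
    ip = ipaddress.ip_address(src)
    for name, prefixes in TENANTS.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return name
    return "global"

def find_service(tenant, dst, dport):
    """Check 2: the destination must be a service defined within the tenant."""
    ip = ipaddress.ip_address(dst)
    for name, svc in SERVICES.items():
        if (tenant in svc["tenants"] and dport in svc["ports"]
                and ip in ipaddress.ip_network(svc["address"])):
            return name, svc
    return None, None

def acl_permits(acl, src):
    """Check 3: the first matching ACL entry decides; no match means deny."""
    ip = ipaddress.ip_address(src)
    for action, prefix in acl:
        if ip in ipaddress.ip_network(prefix):
            return action == "allow"
    return False

def admit_session(src, dst, dport):
    """Return (forward, reason) for a session's first packet; deny unless all checks pass."""
    tenant = tenant_of(src)
    name, svc = find_service(tenant, dst, dport)
    if svc is None:
        return False, f"no service for {dst}:{dport} in tenant {tenant}"
    if not acl_permits(svc["acl"], src):
        return False, f"{src} denied by ACL of service {name}"
    return True, f"tenant {tenant} -> service {name}"  # check 4: forward to next hop
```

A source outside every tenant lands in “global”, which no service here lists, so it is dropped at check 2; an engineering host outside the db ACL’s prefix is dropped at check 3.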


[Figure: Deny-by-default 2]

[Figure: Deny-by-default 3]

Thanks to 128T’s session-oriented architecture and the power of modern-day, off-the-shelf hardware, these checks can happen on every packet at line rate – so they carry none of the performance penalty that the routers of yore were susceptible to.

This tight control of the packet flow within the network is very powerful. We think it can limit, and in some cases completely eliminate, network attacks. Also, through the advanced service-oriented management capabilities of 128T, configuring and building a secure “deny-by-default” ZTS-enabled network is simple and seamless.
