You just bought shiny new routers from a top vendor. While they may have cost you an arm and a leg, at least you’ll be able to sleep well at night knowing those routers are going to do their job. You follow the prescribed best practices and the vendor’s security guidelines, just as Captain Jack Sparrow recommends in Pirates of the Caribbean: “if the worst should happen…stick to the Code”.
Soon after, you start receiving Security Advisories and Security Notices regularly. The vendor tells you that it is your responsibility to review the vulnerabilities, figure out which devices are affected, identify workarounds, introduce mitigations, test upgrades, apply patches, and get ready to deal with the same notification/remediation process again tomorrow [see example]. Each round requires the attention of an entire team of security personnel. What’s more, many of the vulnerabilities don’t have immediate fixes, so you’re left exposed with nothing but a partial workaround and hope. When a patch is available you are told that it is up to you to decide what to do and when to do it. There is no real guidance and no consideration for the downtime your upgrades will cost. You realize that your security “Code” is really a set of guidelines, à la Captain Barbossa’s (Jack Sparrow’s nemesis) interpretation: “the code is more what you’d call ‘guidelines’ than actual rules”.
In the meantime, routers are being compromised, router vulnerabilities remain unpatched, new vulnerabilities are being discovered, and you are on the Black Pearl. To make matters worse, many threats and breaches can come from within your organization [Forrester] so someone onboard could be taking down the ship.
The question now becomes how do you switch from a seat-of-the-pants, pirate ship experience to the luxury all-inclusive cruise where you can be in vacation mode and avoid having your throat slit?
We have a few suggestions that might get you through the journey:
- Service-Oriented Networking: Services are why you made the network in the first place. Services should be how you configure the network. Just as Captain Jack Sparrow said “Wherever we want to go, we go…that’s what a ship is, you know”. The ship should not be sailing anywhere else and definitely never under anyone else’s command. No packet other than the ones related to the services you have configured should traverse any part of your network.
- Zero Trust Security: Nowadays it’s treacherous to believe in perimeter security models when many threats originate from inside the hold. Security has to be enforced everywhere, not just at the edge. Instead of layering complex ACLs and firewall restrictions on top of an open network, we need to remove the path that lets a malicious agent reach you at all: a session should exist only when the party that needs a service initiates it, and nothing should be able to reach back the other way. This was explained in our earlier blog.
- Semantic Networking: You do not want to spend hours defining security policies, only to rethink all of them when some sailors decide to jump ship or new hands come aboard. Being able to define services and access policies in terms of business needs (who provides a service, which roles may consume it) rather than as IP-prefix-based ACLs is an absolute must-have.
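To make the three ideas above concrete, here is a small Python model of a service-oriented, default-deny policy. It is an added example written for this post, not code from the original post or from any vendor’s product; the tenant names, service names and address prefixes are hypothetical, and it assumes that return traffic for an allowed session is handled by session state rather than by a separate rule. Services are the only thing configured, a session is allowed only if its initiator belongs to a tenant the service admits, and a host leaving a tenant is a membership change that touches no service policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed illustration: a service-oriented, default-deny policy model.
# Tenant names, service names and prefixes are hypothetical.


@dataclass(frozen=True)
class Flow:
    """First packet of a session: who is initiating, towards what."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Service:
    name: str
    prefix: str                 # where the service is hosted
    port: int
    proto: str
    allowed_tenants: frozenset  # business roles, not IP prefixes


class Policy:
    def __init__(self):
        self.tenants = {}   # tenant name -> set of ip_network members
        self.services = {}  # service name -> Service

    def add_tenant_member(self, tenant, prefix):
        self.tenants.setdefault(tenant, set()).add(ip_network(prefix))

    def remove_tenant_member(self, tenant, prefix):
        # A host leaving a tenant is a membership change only;
        # no service policy has to be rewritten.
        self.tenants.get(tenant, set()).discard(ip_network(prefix))

    def add_service(self, service):
        self.services[service.name] = service

    def tenant_of(self, ip):
        """Resolve a source address to its tenant by longest-prefix match."""
        addr = ip_address(ip)
        matches = [(net.prefixlen, name)
                   for name, nets in self.tenants.items()
                   for net in nets if addr in net]
        return max(matches)[1] if matches else None

    def service_for(self, flow):
        """Find the configured service this session is trying to reach."""
        dst = ip_address(flow.dst_ip)
        for svc in self.services.values():
            if (dst in ip_network(svc.prefix)
                    and flow.dst_port == svc.port
                    and flow.proto == svc.proto):
                return svc
        return None

    def evaluate(self, flow):
        """Return (allowed, reason). Anything not tied to a service is dropped."""
        svc = self.service_for(flow)
        if svc is None:
            return False, "no configured service matches; default deny"
        tenant = self.tenant_of(flow.src_ip)
        if tenant is None:
            return False, f"source {flow.src_ip} belongs to no tenant"
        if tenant not in svc.allowed_tenants:
            return False, f"tenant '{tenant}' may not reach service '{svc.name}'"
        return True, f"tenant '{tenant}' -> service '{svc.name}'"


def build_example_policy():
    """Two tenants and one service, all hypothetical."""
    p = Policy()
    p.add_tenant_member("finance", "10.1.0.0/24")
    p.add_tenant_member("engineering", "10.2.0.0/24")
    p.add_service(Service("payroll-db", "10.9.0.10/32", 5432, "tcp",
                          frozenset({"finance"})))
    return p


if __name__ == "__main__":
    policy = build_example_policy()
    for f in (Flow("10.1.0.5", "10.9.0.10", 5432),   # finance -> payroll: allowed
              Flow("10.2.0.7", "10.9.0.10", 5432),   # engineering: wrong tenant
              Flow("10.1.0.5", "10.9.0.10", 22),     # SSH to the db host: no service
              Flow("10.9.0.10", "10.1.0.5", 445)):   # server reaching back: no path
        print(f, policy.evaluate(f))
```

Note that the fourth flow is refused not because an ACL blocks it but because no service was ever configured in that direction; the same default-deny logic is what keeps a compromised server from reaching into the finance segment. Removing `10.1.0.0/24` from the finance tenant cuts that segment off from the payroll database without editing the service definition at all.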
By taking these measures, you can sail smoothly away from the painstaking and flawed security model we have today. Stick to your New Year’s resolution of building a new kind of network. “Now…bring me that horizon” – Captain Jack Sparrow.