When we think about hacking, we often think about massive data breaches like the one currently unfolding at the OPM or last year’s Sony hack. But did you know that hacking has been around since the 1870s when a group of teens hacked a phone system? My favorite hack happened in 1903 when Nevil Maskelyne hacked through a demo of secure wireless telegraphy to send insults in Morse code to the audience. My kind of dude!
We are really good about securing the perimeter of the network. The problem is, the one trend that stands out in nearly all vendor security reports is that the vast majority of hacks are of the east-west variety. Why? Because IT is all about customer service. We want to trust communication inside. Many firewalls are still labeled with trusted/untrusted port bezels. How do you secure the inside while still allowing work to be done?
For me, fighting “good on paper” IT policies has been a 26-year struggle. When IT mandates a security policy that gets in the way of getting work done, folks are going to work around it. It’s a jerk move for sure, but it’s going to keep happening because in the end, we’ve got jobs to do.
Some folks call this Shadow IT. Personally, I think that’s a dumb term. Call it what the real threat is: Shadow Data. I won’t hesitate to work around IT policies (timed screensavers, forced self-help options, etc.), but I always take handling company data VERY seriously and do not mess around when it comes to this.
How can we stop east-west hacks inside of today’s data center?
Some folks say VLANs, subnets, ACLs, etc. are the way to stop east-west hacks. Those are okay, but we’ve really outgrown these methods in the data center. They require too much maintenance and are too resource intensive. Plus, they scale poorly and suck worse than turkey bacon to audit.
Other solutions include some interesting traffic flow management that looks more like a Mandelbrot Fractal with all the hairpinning to various “boxes” in the data center. This looks really good on paper. Well, until you multiply it by a few 100K flows. Just imagine trying to troubleshoot it at 2 a.m., or trying to find a break-in.
What about putting a bunch of virtual firewalls inside the data center and assigning servers into zones, which the firewall will service? As an engineer, before I spend a lot of R&D time and cash on developing a new ASIC, the first thing I do is look at what is working and improve on it. Like the old BASF ad, “We don’t make the tires, we make them better.”
It’s hard to argue with the logic that if we are so good at securing the perimeter, why not just do the same thing on the inside? In theory, it should work. My concern, though, is “off the drawing board.” We need to look at complexity. Imagine what it will take to roll out new servers, update policies, or audit. What about when a server moves to the cloud and then back on prem? How many IT staffers and change-control meetings do we have to have?
Keeping it simple
Personally, I like to keep it simple. Use as few pieces as possible and involve as little IT staff as possible to scale for the future. I like using iptables and Windows Filtering Platform right on the workload itself. Why not, right?
These two solutions use a whitelist model that only permits traffic that the server needs to use. It’s built into the OS itself and works great! The only problem here is obvious: Scale. Do you really wanna touch each of these workloads? Automating that piece of the puzzle would offer a data center more benefits than solving the Beale ciphers.
- No dependency on infrastructure.
- No summoning the IT spirits to commission/decomm workloads.
- Environmental separation without zones or VLANs.
Now consider how small your ACL rule list can be. Security is baked into the OS the second it spins up.
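Here is what that whitelist model looks like on a Linux workload, as an added example that is not from the original post: a POSIX shell script that turns a short allow list into a default-deny iptables ruleset in iptables-restore format. Default policy is DROP on INPUT, loopback and established/related traffic are let through, each allowed service gets one rule, and everything else is logged before it hits the policy so a drop shows up in the host logs. The three allow-list entries and the `host-fw-drop` log prefix are constructed values for illustration; the `--apply` flag is a hypothetical convenience, not a standard iptables option.

```shell
#!/bin/sh
# Added example: generate a host-local default-deny iptables ruleset
# from a small allow list. Run without arguments to print the ruleset;
# run with --apply (as root) to load it with iptables-restore.

# Allow list: one entry per line, "proto dport source_cidr".
# Constructed sample values for a hypothetical web server.
ALLOW_LIST='tcp 22 10.0.0.0/24
tcp 443 0.0.0.0/0
udp 53 10.0.0.53/32'

# gen_ruleset: print an iptables-restore "filter" table for the allow list in $1.
gen_ruleset() {
  printf '%s\n' '*filter'
  # Default-deny inbound and forwarded traffic; outbound stays open here.
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  # Loopback and return traffic for connections the host opened itself.
  printf -- '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf -- '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # One ACCEPT per allowed service, scoped to protocol, port and source.
  printf '%s\n' "$1" | while read -r proto port src; do
    [ -z "$proto" ] && continue
    printf -- '-A INPUT -p %s --dport %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$proto" "$port" "$src"
  done
  # Log whatever falls through before the DROP policy eats it.
  printf -- '%s\n' '-A INPUT -j LOG --log-prefix "host-fw-drop: " --log-level 4'
  printf '%s\n' 'COMMIT'
}

# count_allow_rules: number of service ACCEPT rules in the ruleset for $1.
count_allow_rules() {
  gen_ruleset "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
  gen_ruleset "$ALLOW_LIST" | iptables-restore
else
  gen_ruleset "$ALLOW_LIST"
fi
```

Because the whole policy is derived from a three-line allow list, the ACL stays as small as the workload's real needs, and the same script can be shipped with the server image so the rules exist the moment the OS boots, which is exactly the point made above.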
When some vendors say things like, “You’re gonna be hacked” or “The end is near! Hackers are winning,” maybe they are covering their tails or wanting to issue the quote heard around the world. To me, hacking is part of human nature. It’s always gonna happen because we exist. Humans are natural born hackers.
Game on baby! Game on!
—Jimmy Ray Purser