One of the most familiar tenets of cyber security is that retrofitting security into a design is rarely a good idea. And this is certainly true for enterprise networks. The idea that an IT team might design and deploy a network and then design and deploy a security system has come under great criticism of late – and rightly so. The preferable approach involves native integration of cyber security into the network design from the beginning. One of the components of such an approach involves native security protections being integrated into the network elements on which enterprise local and wide area infrastructure is built. I had the opportunity to sit down with my friend Sherry Ryan, CISO of Juniper Networks, to get her take on this topic and related issues in cyber security.
EA: Sherry, is the network the most important component in any enterprise security architecture?
SR: The network is obviously the pathway to everything else that comprises an enterprise information system. It is such a critical area for emphasis relative to security architecture. But I’ll admit that we could debate whether the network is the most important component, given the importance of other layers such as infrastructure, application, or data. We all know that effective security is about context between components of an overall architecture. So the network is important, for certain, but the extent to which network security is applied is wholly dependent on a multitude of factors for a respective enterprise, including but not limited to security requirements, risks, data and how applications and information are used and consumed.
EA: What are the security risks of older, legacy networking products in an enterprise environment?
SR: There are unfortunately many unpatched, poorly maintained, and end of life/end of service (EOL/EOS) devices that organizations are unwilling to replace, often from fear that they will disrupt or impact services and productivity. Many legacy network products therefore do not provide a cohesive mechanism to apply and manage a contextual policy across disparate network components. Instead, they have to be managed individually, and one bad firewall rule, misconfiguration or exploited vulnerability can lead to a broad and cascading compromise. Many legacy networking products do not emphasize mitigating risks to the device or to the capabilities it provides. They are appropriately oriented instead toward performance and availability, but are missing the mark on protections of the network component itself. As an example, legacy routers have integrated data, control and management planes embedded in the firmware. There is no means to separate them and apply more separation and granular control.
EA: When an enterprise IT team buys a router for use in the enterprise network, is it ever sufficient to just use the native filtering and logging capability of that router for security? Or is it almost always a necessity to build a perimeter network around that router?
SR: It really depends on the enterprise, the risks, threats, regulatory compliance concerns, and objectives. For many organizations that are focused on protecting intellectual property, healthcare or other information that falls under regulatory scrutiny or provide critical services, such as an ISP, ensuring that network devices such as routers, switches, VPN gateways, and firewalls are sufficiently protected is an imperative. Generally speaking, core networking components should be protected and decouple the data, control and management planes via Software-defined networking (SDN), which facilitates much greater granularity of control, and as a result, security, and adaptability.
EA: What is the current trend in threat intelligence management and information sharing for network elements such as routers?
SR: Threat intelligence and information sharing are still, to a great extent siloed. That is, there are many threat information sources and efforts to do better in terms of sharing information, such as TAXII and CybOX frameworks for sharing information between different organizations. But in some ways this information is not necessarily making its way to network elements in a timely manner and often are applied through endpoint or other security specific capabilities like Web URL content filters at the network edge. One issue is the lack of a common security messaging bus between network components. Actually, they do exist, but they are proprietary or have not been widely accepted or adopted across network vendors for interoperability. In time, the goal would be to inject IP threat and reputational information more directly into network elements, which in turn are able to share this information across a common and protected management plane.
EA: Do you see network function virtualization as a security challenge or opportunity for enterprise customers?
SR: I see both. It is a security challenge certainly, as it fundamentally changes the way we must think about, plan and deploy network and security architectures, with less focus on physical aspects of applying security and more focus on logical and abstract context across layers. But it is also a big opportunity to rethink the way we have traditionally approached network security, and recognize the potential to more wholly integrate security within the network where the control, visibility and dynamic adaptability are intrinsic to the network itself.
EA: How quickly do you see software defined networking being adopted in data centers and ISPs? Do you see the associated security for SDN as a native capability or will data center and network managers have to overlay an SDN security architecture?
SR: I believe we are on the cusp of a major approach revamp in terms of how we design, deploy, provision, manage, and secure our networks. Virtualization and cloud-based services have profoundly disrupted and directly influenced the need for significant changes to how we approach networking and security. The days of a working perimeter are long gone. Enterprises must reorient themselves to this reality, which means that SDN will very likely have to be adopted sooner rather than later or enterprises will continue to struggle with trying to leverage legacy physically constrained architectures that cannot practically support the logical convergence and challenges this poses relative to security, management and control of our data, access, and policies. My hope is that SDN will wholly include security so it can be applied contextually and intrinsically across all network elements. Security is already complex enough without adding another overlay that may not provide the cohesiveness and operational efficiencies needed to adapt to this convergence while ensuring security protections are part and parcel to the network itself.