Mitigating Network Security Vulnerabilities with Cloud-Native Approaches

In the fast-paced and highly competitive application driven economy, business has a direct dependence on the security and availability of the cloud infrastructure it runs on. Whether it's running in a private cloud, hybrid, multicloud, or even as a new distributed workload at the Intelligent Edge, the same business questions prevail:

As security attacks are growing more complex and spanning across multiple technologies, attackers are inherently becoming cleverer, more tech-savvy, and increasingly state-sponsored. Business critical applications and infrastructure are continuously being probed for vulnerabilities by both the good guys and the bad ones. As it relates to network operators, we are constantly told to keep our pulse on the latest security vulnerabilities in order to fix them quickly. However, we know the all true reality that fixing security vulnerabilities quickly and across a fleet of network devices is rarely possible. Which is why the fact that some of the 31 security vulnerabilities Cisco announced in April, which were quickly exploited in the wild, is that much more frightening.

Unfortunately, these latest vulnerability disclosures prove that the answer to those three critical questions is a resounding “No!”  Given Cisco’s dominance in networking and the fact that every other network operating system (NOS) from every vendor out there has the same fundamental architectural problem, this should be the subject of a national debate on how we are still living in a world with the networking industry that gets by on the hope that nobody notices or tries to exploit vulnerabilities.

Today’s failing network

For a very long time, devices stemming from network vendors have been given a hall pass when it comes to meeting internal security policies. The reality is that updating NOS code is hard, takes time, and is disruptive to business services.  These closed, tightly integrated pieces of equipment were synonymous with “hardened” – but this is far from the case.

When security vulnerabilities are found, the fixes require a new monolithic image to be delivered from vendors. At best, this takes months to test, verify, and roll-out these fixes. At worst, this never happens at all. In the meantime, it leaves a gaping security hole in the infrastructure. All application data moves across the network infrastructure. If this infrastructure is compromised, an attacker has the ability, redirect, block, or capture this information.

In the recent exploit dubbed “Sea Turtle," DNS was hijacked and used by attackers to create man-in-the-middle attacks to critical infrastructure components. They leveraged the exploits in Cisco's IOS and IOS-XE to gain unauthenticated access and were able to reload the affected devices and remotely execute code with elevated privileges. The fix for these issues? A new monolithic image, which again needs months (or longer) to be tested, verified and manually rolled out, both with the fix AND other changes that could impact how the device functions in the environment. This is simply not good enough for business applications that run in a highly dynamic and face paced environment

The need for cloud-native networking

The monolithic approach to networking is flawed, and a new architecture is needed. The ability to update and resolve security vulnerabilities is a modern fact of running infrastructure. This is something that is not possible with legacy networks. We have viewed this infrastructure as static, siloed, and brittle. This starts with a failure in how NOS have been architected. The only way that we are going to solve the operational issues that are faced by today's operators is with an entirely new approach that is built on the principles of microservices and containerization, leveraging the latest advancements in DevOps trends and cloud-native tools. With a cloud-native approach, you can upgrade or immutably replace network applications with no or minimal impact in seconds compared to months. All this allows DevOps teams and NetOps teams to collaborate, enabling companies to embrace the mindset of speed and constant change.

By employing cloud-native methods and tools, you create an open ecosystem that empowers operators to utilize the same toolsets, practices, and language across the infrastructure spectrum. The network now becomes an extension to the application deployment cycle rather than separate step outside of it. By utilizing the same familiar Cloud Native framework that has been adopted by DevOps teams, the network can now be pulled into the CI/CD (continuous integration, continuous delivery) pipeline for greater automation, control, and reliability. This enables delivery of application time to service more quickly and improve operational efficiencies by automating repeatable processes.

A cloud-native approach to networking encourages a culture of "Yes" when it comes to needed change because its containerized microservices architecture create a more resilient and flexible network. Network operators can limit features to just those they need and are able to replace the single micro-service that is affected.  Since DevOps and NetOps now speak the same language, this is accomplished in a coordinated and distributed fashion that results in a lower risk of service impact. Fewer features translate into a simpler environment that is easier to troubleshoot and with fewer things to go wrong. Running only the features you need results in fewer security vulnerabilities and having network features deployed as containerized microservices shortens the test cycle. All of this translates into a more resilient network. A network that reduces the risk and increases predictability encourages NetOps engineers to have optimistic reactions when making changes in a production network.

Networking is living in the dark ages when compared to how applications are managed and deployed.  We need to break up the network monolith and treat the network like the distributed application it has always been.  Network operators can't continue to rely on NOS architectures that were designed 30 years ago when applications where centrally located and did not move.  As can be seen by the Cisco security vulnerabilities that continue to highlight the trojan horse the network has become to infrastructure and applications running across it - it's time for a change.