- Financial institutions and digital security providers are increasingly taking a military approach to defending against cyber attacks through layered defenses. This involves implementing multiple defensive layers throughout the network like firewalls, routers, intrusion detection, and antivirus software.
- In virtualized and cloud environments, security managers can filter and police traffic at each virtual server to separate and isolate traffic by customer and type. This prevents attacks from impacting host systems and improves efficiency.
- The use of threat intelligence databases that identify dangers on the internet in real-time combined with defensive filtering and blocking at the server level provides an additional layer of security against cyber attacks.
Strategic defences

Digital security providers are taking on a military approach in defending network security as more companies suffer from cyber attacks, writes Bruce Tolley of Solarflare Communications. (Virtualisation, Autumn 2014)

The internet may have given us 24/7 connectivity, but it has thrown up a slew of security issues, resulting in the need for more advanced offsetting technology, and financial institutions are at the vanguard of efforts to protect themselves.

Security breaches have far-reaching consequences throughout financial services because of the nature of the information they hold – be it consumers’ private information or details of corporate assets.

Security providers face a tough challenge as they must deliver relatively easy access to services while simultaneously serving the needs of internal stakeholders when implementing security. Securing these services is a difficult proposition and tradeoffs are often made, leaving the networks exposed and vulnerable to attack.

The network server is the number one target of all cyber attacks because it is where all crucial client and institutional data are stored. In multi-tenant cloud environments, financial institutions are also looking to protect the network server by providing the ability to isolate customer traffic and services, and to mitigate against internal attacks and threats, misconfigured equipment and misbehaving applications.
A common saying in security is that the bad guy only has to be lucky once, while those protecting corporate and customer assets have to be lucky every time.

As a result, we are seeing a big push towards encryption from end to end. Some companies are starting to require that every hard drive be encrypted, making it almost impossible for potential cyber bandits to access key data.

There is also growing demand for identity management. IT today is about providing the right (billable) applications and services to the right people at the right time and at the right level of service. Cloud service providers also want to ensure they know the customer on the other end and that all entities that are on the network, whether they be virtual, bare metal, or in the cloud, are authenticated to be legitimate, if not assigned specific policies and access rights.
Military strategies
Digital security practitioners often borrow from military strategies that have proven effective in defending valuable assets in the past. One common strategy is called ‘defence in depth’, or layered defences. Similar to how castles were built with cleared land, moats and strong high walls, digital security practitioners build networks that consist of firewalls at the outermost perimeter, routers with access lists, intrusion detection and host antivirus as you move further into the network. This approach assumes that the network will be breached, but the layers of defence will cause the attack to slow down, lose momentum and increase the chance that the attack becomes visible and stopped.
These are huge advances in technology as, traditionally, host systems have been left out of the network ‘defence in depth’ paradigm due to the computational cost, technology tradeoffs required to deploy robust security and the monitoring of solutions on production systems at the edge of the network. Host systems can now perform high speed packet capture, filtering, bridging and denial of service defences, due to recent progress in computing power and software.

[Figure: Policing and filtering for virtualised servers and clouds. Diagram of tenant A and tenant B virtual machines on a hypervisor, each reached through its own filter and physical function (PF) on a NIC switch behind a 10G port, with hypervisor traffic (storage/management) on a separate path. Caption: each tenant can be assigned a virtual machine or virtual server (VM); policing and filtering can be executed at each virtual server; protects servers from attacks that get past perimeter defences; separates and isolates by customers and by traffic type; mitigates against adverse performance impacts from badly behaving applications or misconfigured machines. Source: Solarflare]

[Photo: Bruce Tolley, vice president, Solarflare Communications]
The industry is now organising around various infrastructure as a service (IaaS) cloud architectures such as Red Hat OpenStack and Apache CloudStack. The big server manufacturers are also promoting OpenStack, delivering to IT architects a way to build, manage and provision private and multi-tenant clouds from the network.
Virtualisation
Security professionals need to leverage these host system capabilities in a virtualised environment. Virtualisation enables IT managers to consolidate workloads on fewer physical servers increasing the utilisation of each server and creating a more flexible, efficient and dynamic data centre environment. As a result, virtualisation can lead to lower capital and ongoing operating costs.
However, cloud networking and server virtualisation today require more than just the ability to support server consolidation. To meet customer requirements, cloud and virtualisation solutions must scale in performance, protect data integrity and support service level agreements, all while supporting the broad set of virtualisation and cloud features available from the virtual operating system providers and IaaS architectures.
In many virtualised and cloud environments, data centre managers need to separate and isolate traffic at each virtualised server, and need more flexibility than that allowed by the dedicated firewalls at the periphery of the network, the access control lists available on the network switches, or other expensive switches, routers and dedicated security appliances. For example, Layer 2 through 7 filtering and policing can be deployed at each virtual server in a private or multi-tenant cloud to separate and isolate traffic by service type and customer type. Such filtering and policing enables customers to implement security functions natively in the virtual server and enables security decisions to be made lower in the stack, improving efficiency. Using a virtualised environment, security managers are able to filter, log, alert on, or rate limit suspicious traffic at a per-server level, which prevents attacks from impacting the host operating systems or host application performance.
Threat intelligence
The trend in technology innovation and IT investments is also evolving. Now the emphasis is not just on slowing down cyber attackers who have breached any one private corporate network, but building sensors into the internet itself. These sensors, along with sophisticated data mining tools, enable bad behaviour to be identified before an attack.
Such a defence, based on data mining and analytics (as opposed to pattern recognition), to identify dangers on the internet is called live threat intelligence. This intelligence is used to build a feedback loop with corporate security defence mechanisms, so that IT systems can identify and stop cyber attacks. By combining live threat detection and other security policies with filtering and blocking on the server itself, an additional layer of security is inserted. Building another layer of defence at the server, combined with real-time updates from live threat intelligence databases, forms an effective strategy to block the bad guys from accessing and stealing valuable data and improve IT security.
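As an added illustration, not code from the article or from Solarflare, the following Python model ties together the per-virtual-server policer of the Virtualisation section and the threat-intelligence feedback loop described above: each packet is isolated by tenant and traffic type, chatty sources are rate limited, and sources flagged by a live feed are blocked, with every non-allow decision logged for alerting. Tenant names, ports, addresses and the feed format are all constructed assumptions.

```python
"""Per-server policing with a threat-intelligence feedback loop (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    tenant: str   # VM / tenant the packet is destined for
    src: str      # source IP address
    dport: int    # destination port, used here as a proxy for traffic type


@dataclass
class HostPolicer:
    """Filters, logs, alerts on, or rate limits traffic at the virtual server."""
    tenant_ports: dict                                 # tenant -> allowed service ports
    threat_intel: set = field(default_factory=set)     # blocked prefixes from the live feed
    rate_limit: int = 5                                # packets per (tenant, source) per window
    counts: dict = field(default_factory=lambda: defaultdict(int))
    log: list = field(default_factory=list)            # (verdict, tenant, src) for alerting

    def ingest_feed(self, entries):
        """Feedback loop: merge CIDR indicators pushed by the threat-intelligence database."""
        for cidr in entries:
            self.threat_intel.add(ipaddress.ip_network(cidr))

    def decide(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        # Layer 3 filter: block anything the live threat-intel feed currently flags.
        if any(src in net for net in self.threat_intel):
            self.log.append(("block", pkt.tenant, pkt.src))
            return "block"
        # Isolation by tenant and traffic type: only this tenant's service ports reach its VM.
        if pkt.dport not in self.tenant_ports.get(pkt.tenant, set()):
            self.log.append(("alert", pkt.tenant, pkt.src))
            return "alert"
        # Policing: rate limit a chatty source so it cannot degrade host performance.
        self.counts[(pkt.tenant, pkt.src)] += 1
        if self.counts[(pkt.tenant, pkt.src)] > self.rate_limit:
            self.log.append(("rate_limit", pkt.tenant, pkt.src))
            return "rate_limit"
        return "allow"


def run(policer, packets):
    """Apply the policy to a packet stream and return a count per verdict."""
    tally = defaultdict(int)
    for pkt in packets:
        tally[policer.decide(pkt)] += 1
    return dict(tally)
```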