Software-defined perimeter (the most advanced zero trust implementation) shows promise.
Kubertnetes, Red Hat OpenShift, are you listening?
DevOps teams continue to increase use of virtualization – be it virtualizing[1] operating systems or containerizing[2] applications — to gain the flexibility, scalability and redundancy provided by virtualized environments. Applications running in a container are isolated within a single copy of the operating system running on a physical server. Containerizing stands in contrast to hypervisor-based virtualization in which each application is bound to a complete copy of a guest operating system and communicates with the hardware through the intervening hypervisor.
Virtualization and containerizing applications provides patch management and baseline configuration management to secure the infrastructure. Because of the sprawl of virtual servers and containers, dynamic suspension and movement of virtual servers and containers, these security functions need to be carefully orchestrated.
Recently, we are seeing virtualization and containerizing applications layer associated with DevOps environments becoming a new attack surface – one that attackers are starting to target. The control plane is often the weak link. An attacker that compromises a web-based management interface can compromise all virtualized hosts and containers on that server.
Adding to this, managing storage for container data is a complex business. It’s important to remember that container data is enterprise data and should be treated as such. DevOps platforms such as Kubernetes and Red Hat Open Shift require a storage strategy that relies on shared storage and integration with advanced data services.
At the core of the network functions provided by either virtualization or containerizing is Software Defined Networking (SDN). Because of the reliance on SDN, these systems can be particularly vulnerable to Distributed Denial of Service (DDoS) attacks that disrupt service by consuming resources. A DDoS attack that ramps up CPU or memory consumption on a virtual machine can actually steal resources from other VMs on the same physical infrastructure, having a broader effect than just the targeted system.
As organizations assess and adopt virtualization, containerizing and therefore SDNs, there are still questions around proper authentication, access control, data privacy, and data integrity. A university team recently analyzed the performance of SDP in conjunction with the SDN architecture. Based upon experimentation with Waverley Lab’s Open Source Software-Defined Perimeter (SDP), , the team found ways where SDP can act an extra measure of security in the authentication process during a DDoS attack.
The team led by professors, Ahmed Refaey of Manhattan College and Abdallah Shami of Western University, detailed findings and conclusions in a new paper titled, “On the Security of SDN: A Completed Secure and Scalable Framework Using the Software-Defined Perimeter.”
Figures 8 and 9 from the paper (and shown below), detail SDP’s ability to mitigate the flood of DDoS attacks at both the client and server. It is noted that with SDP enabled within the SDN architecture, 75% of network throughput is without interruption or loss of connection. An additional bonus that SDP provides is that the servers within the infrastructure are totally hidden from all but authorized users/devices.
Data centers, particularly multi-tenant data centers with hundreds of enterprise and government customers, must protect against DDoS attacks. Data centers are also increasingly enabling advanced DevOps teams as they seek to automate and optimize service delivery through advanced software-defined platforms.
As DevOps teams move towards cloud environments (such as AWS or IBM) and/or on premise containerizing (using Docker, Kubernetes and RedHat OpenShift) to enable continuous integration/continuous delivery methodologies, they must discuss issues related to bolstering the strength of the underlying SDN architecture. The results clearly show SDP is effective in slowing down DDoS attacks on critical network functions. To read the detailed findings in the paper, click here to download it.
###
[1]Virtualization is the process of running a virtual instance of a computer system in a layer abstracted from the actual hardware. Most commonly, it refers to running multiple operating systems on a computer system simultaneously. (https://opensource.com/resources/virtualization)
[2]Containerizing provides an environment in which the “computer” is increasingly a complex of connected systems rather than a discrete server. Applications running in a container are isolated within a single copy of the operating system running on a physical server.
