Policy-Based Network Controls: Five Priorities for Securing Virtualized Telco Environments

October 17th, 2014 by · Leave a Comment

This Industry Viewpoint was authored by Edmundo Costa, CEO of Catbird

In our Big Data, mobile-optimized world, telecommunications companies with sprawling networks deal with huge data center challenges. Telco networks typically have a foundation of complex legacy architecture that interferes with their ability to quickly deploy services – in an era where speed rules the day. These networks have to support not only traditional telecommunications traffic, but also multimedia and other forms of data communication. Critical to these businesses are data protection, infrastructure agility and rapid service deployment.

At the same time, virtual networks now comprise the majority of all networking in data centers, and new software-defined networks (SDN) are challenging perimeter-based security methods. These methods were designed to control north-south traffic, but they cannot address the majority of network traffic that now flows east-west on virtual networks. Mobile devices regularly bypass the perimeter, which leaves the door open for security breaches.  In addition to rethinking security, highly automated cloud systems have given us the opportunity to rethink how we can use the power of the cloud to maximize efficiencies within IT and protect our most sensitive data while also supporting business initiatives. In fact, a leading telco regards the following approach as the most innovative solution in the cloud security ecosystem.

Security for Private and Hybrid Clouds: Five Priorities

IT administrators need to identify and protect existing and new cloud assets in an automated way if they hope to address the security and compliance challenges of the private and hybrid cloud. Consider these five priorities when implementing security in virtualized environments, such as telecommunications data centers:

1. Discovery and Inventory Control

The SANS Top 20 Critical Controls places discovery and inventory control at the top of its list.  Network security policy decisions that are executed in the virtual infrastructure are highly dependent on its context. That is, the hypervisor, virtual switch, VLAN, virtual network configurations and VMs are all critical data points to consider in the effort to protect the private or hybrid cloud.

In virtual infrastructure, admins can create perfect inventory control because the hypervisor and SDN controller have complete visibility into the precise number of hypervisors, VMs and virtual switches can be easily enumerated.  Similarly, the hypervisor knows how they are interconnected. Once this is known, specific policies can be applied to those objects through orchestrated network controls.

To gain different vantage points from which to correlate observations, such as notification about assets as they announce themselves or what the hypervisor is reporting,

consider security solutions that are placed in the logical switching fabric and on the hypervisor. Additionally, solutions that run alongside workloads on the virtual switch can enable the ability to inspect all traffic, identify threats and enforce policies.

Cloud security solutions should provide a dashboard or some form of console for managing the application environment, just as many network applications have today. When identifying a solution, look for those that include a web management console and central processing hub for all security and compliance operations to provide a holistic view of the virtual network.

Begin with virtual asset discovery to establish a perfect inventory of all of the VMs and their network configurations across the entire cloud infrastructure, to protect against the mishaps that can occur from VMs being moved, cloned or misconfigured. Then isolate sensitive data using zone-based security.

Vulnerability management with configuration checks based on Security Content Automation Protocol (SCAP) is one of the network controls in the SANS Top 20 Critical Controls framework. Identify solutions that can secure the private or hybrid cloud with increased visibility and situational awareness with all network controls.

When telcos have a thorough context of network activity, they can improve the network security posture within private or hybrid clouds, accelerate incident response and reduce forensic analysis and audit and compliance burdens.

2. Logical Zoning Capabilities

The cloud data center stack is aware, agile and automated, and security policy must be as well. As assets and objects are created, such as VMs, the security protections are dynamically applied.  Typically, security policy containers, or zone-based security, is predicated on common trust-class and independent of IP address or network topology.  Any change to the VM population or the configuration of the VM is automatically detected and all security controls are dynamically updated. Let’s call these policy containers “trust zones” for short.

A trust zone example comes from the firewall. As VMs are added or removed, or their network configurations changed, firewall rules must be created and updated based on the policy defined on the trust zone to which the VM is associated. With policy orchestration, firewall rules can be automatically updated with any changes to trust zone membership or VM network configurations. All other network controls such as IDS/IPS, vulnerability management and NAC would also require appropriate updates. Those too can be automated via a security orchestration solution.

Analysis and correlation are made possible by zoning. For instance, an enterprise-wide view of all network flows across these trust zones, when drawn in real time, allows administrators to quickly see the virtual network from a security policy perspective. Views of specific firewall rules affecting network traffic, flows and connections can reveal data patterns and a well-rounded picture of network traffic between and within trust zones in the private or hybrid cloud.

What’s great about trust zone-based security policy is that network security is applied at run-time, allowing assets with different levels of security policies to reside within the same cloud infrastructure. Trust zones can also be used to validate and extend current VLAN isolation by verifying the isolation and ensuring that changes to the network configuration do not bypass the VLAN isolation. Incorporating new virtual controls operating inside the virtual switch fabric, while validating security posture, will expedite the audit process.

3. Verification Via Continuous Monitoring

Particularly where detection of accidental or malicious misconfiguration is concerned, IT administrators need to verify everything. Business groups demand quick deployment of applications, while IT demands efficiency. Virtual, private and hybrid clouds data centers are highly agile, with frequency of change measured in minutes, not days or weeks.  Validate policies by continuously monitoring the network, including VM configurations and security controls against policy at both the trust zone and individual VM level.

Through continuous monitoring, ROI can be realized quickly by reducing preparation for assessments, ensuring evidence of control, controlling audit scope creep and eliminating costly audit disruptions. Events should be monitored, correlated, logged and made available for real-time visualization and historical reporting and mapped to industry standards such as PCI DSS, HIPAA and FISMA.

Trust in network protections will be bolstered if these efforts are made, by verifying and validating network controls against hardening requirements and best practices.  Automating event-capture and mapping to standards through real-time visualization and audit reporting will unburden scarce IT personnel from manual audit processes.

4. Enforce Threat Mitigation Automatically

Automated risk management becomes necessary when policy violations are detected in the verification process. Virtual and cloud infrastructure increases consolidation on shared infrastructure and risk is compounded by high rates of change.  A careful criticality assessment by application groups should be made. When a serious policy violation is detected on high-criticality systems, an optional machine-speed mitigation action to contain any potential damage from misconfiguration or malicious activity should be considered.

The asset level is where solutions should enable policy that is both verified and enforced in a private or hybrid cloud or virtual data center. This dramatically reduces risk through timely incident response times and reduces audit costs. Mitigate attacks by reducing the threat footprint and applying targeted security policies to block known exploits, viruses, spyware, botnets and APTs as well as accidental or malicious misconfigurations and insider threats.

The system should be configured in such a way that automated alerts will go out when events violate trust zone policies. Alerts should also trigger optional automated mitigation to enforce policy and maintain compliance.

The most common mechanism for isolating converged infrastructure is through logical isolation with VLANs, so use existing Virtual Local Area Network (VLAN) isolation across the data center. Given the risks associated with a breakdown in VLAN isolation due to accidental or malicious misconfigurations, best practices and security standards are calling attention to the need to verify, validate and mitigate.

5. Adapt to Reap the Benefits

The run-time security approach causes business disruption. Like virtualization, run-time security transforms data center security and brings overlaps between the three administrative domains of security, networking and virtual infrastructure operations (IT OPS), so careful planning is essential. Skills converge in the software-defined data center as security operates within the fabric, requiring cooperation and convergence of traditional siloes and more involvement from application owners. This is the true cost (and benefit) of the transition to a new approach in which security is delivered where and how you need it, aligning protections with business requirements and improving overall risk management.  This new approach requires a telecom organization that can adapt to these changes. If it does, it can expect these benefits:

  • Reduced risk and compliance costs via continuously monitored and enforced policies.
  • Automated and dynamic security that is based on policies to meet business requirements.
  • Total visibility of the private or hybrid cloud network and regained situational awareness, based on virtualized security that can leverage the power of virtual infrastructure to lower costs.

Giving administrators what they need to implement security in virtualized environments

with real-time verification and machine-speed enforcement enables quicker private and hybrid cloud infrastructure adoption. That’s because it overcomes concerns about security that can stall the migration of business-critical data to the cloud. Being aware of the disruption that run-time security brings will help in the transition and ultimately enable telcos to enjoy significant benefits. For a thorough discussion of private and hybrid cloud security, download the complete whitepaper here.

Author’s bio:

Edmundo Costa joined Catbird in 2007 and is a software industry veteran. He brings over 20 years of executive experience growing companies from their early stages through to IPO. As the CEO, he leads Catbird’s pioneering efforts to deliver a new approach in the enterprise security market, ensuring that virtual and cloud infrastructures are secure and compliant. Prior to Catbird, Edmundo was a founding member of Tarantella, Inc. and held executive positions at The Santa Cruz Operation (SCO). He also worked at Accenture. He received his MBA from Harvard Business School and is a graduate of Cornell University with dual degrees in Operations Research & Information Engineering and Economics. www.catbird.com


If you haven't already, please take our Reader Survey! Just 3 questions to help us better understand who is reading Telecom Ramblings so we can serve you better!

Categories: Cloud Computing · Security · Software

Discuss this Post

Leave a Comment

You may Log In to post a comment, or fill in the form to post anonymously.

  • Ramblings’ Jobs

    Post a Job - Just $99/30days
  • Event Calendar