Bsides Charlotte Presentation Recap
This presentation attempts to provide a quick and simple introduction to the next generation of technologies that will help secure the networks of tomorrow. I believe this topic is important, especially in the age of AI, because all technology stacks need to be built with security principles in mind rather than as an afterthought. We are at an inflection point: software defined networking (SDN) technology is maturing and preparing for the inclusion of more automated systems and verification technologies. If you are interested in any of those briefly referenced topics, please read on.
Mitigations and Trends
Why would researchers and practitioners even want to automate security provisioning?
I am sure those staying up-to-date with vulnerability research, disclosures and advanced threats are very aware that most attacks can be attributed to slow patch cycles and misconfigurations. IT practitioners have envisioned a world of networked systems able to defend themselves since the late 90s. If you are interested in that history, check out “Survivable Autonomic Response Architecture” and “Active Networking”. These are well-thought-out research moonshots.
From a fundamental level, there are a few core network attacks that modern networks face:
- Malware and the propagation of such malware
- Ransomware, which is essentially extortion malware
- DNS attacks and Distributed Denial of Service (DDoS) attacks
I included phishing attacks in my presentation and want to note that phishing is not a network attack, but an initial step attackers may take to deliver malware/ransomware before establishing access to protected networks. There is a meme for defending against the described attacks on slide 5. It explains itself, and it is purely placed there for comedic purposes.
Now, serious mitigations include endpoint and edge security services. Think of anything ranging from antivirus installed on work or personal PCs to network firewalls and security information and event management (SIEM) systems. Other practices include following best practices as described by the NSA in “NSA Details Network Infrastructure Best Practices”, and user education.
Trends in Security Software
Now, expanding past the common approaches to attack mitigation is motivated by data showing that, typically, people are not following best practices and zero-day attacks are steadily increasing. When surveying trends, the core question is “How can we leverage current cutting-edge technology to slow attackers?”. At a high level, I am just going to name the trends, which reflect the flow of trending technologies and buzzwords in security tooling and research.
- Artificial Intelligence/Machine Learning and its application
- Automation. Think SecOps
- Zero Trust Architectures
- Diversity of Firewall Solutions
- Move everything to the cloud
Now, when it comes to security solutions, one general shortcoming comes from users: “The security function slowed down my system/network, so I disabled it.”
How can we balance the trade-offs of network security solutions and the usability of networks?
A newer trend that attempts to address this problem is research into in-network security solutions. In-network security solutions embed security functionality into the data plane of network switches to provide extremely fast security enforcement and parsing. They leverage ideas from software defined networking (SDN), which decouples the control and data planes to simplify network management and make network functionality programmable.
To understand how to effectively implement an in-network security solution, you must first consider the protocols processed on network switches and the opportunities to parse/process packet information. In the following case study, the DNS protocol is examined because, in most cases, it is a clear-text protocol.
The case study comes from recent work published in USENIX Security’32, “The Maginot Line”, and the mitigation “P4DDPI”. The first describes a novel DNS cache poisoning attack that poisons the DNS cache of delegation servers, which leads to the hijacking of DNS zones. The second describes an approach to defending against similar attacks using an in-network security approach. The findings in the second paper show that deploying the network security functionality introduces no packet loss or packet delay. This earlier work does have some shortcomings, described in its conclusion, but the results are promising.
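As an added example (not code from the talk or from the P4DDPI project, and written in Python rather than P4 so it runs stand-alone), the block below parses the clear-text DNS header and question section that a data-plane parser would need to reach, and applies the basic check a resolver or in-network filter makes before accepting a response: it must echo the transaction ID and the question of an outstanding query. The query and response bytes are constructed inline.

```python
import struct

def encode_name(name: str) -> bytes:
    # Dotted name -> length-prefixed labels, zero-terminated (RFC 1035 3.1)
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_dns(txid: int, flags: int, qname: str, answers: bytes = b"", ancount: int = 0) -> bytes:
    """Build a minimal DNS message: header, one A/IN question, optional answer bytes."""
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + answers

def parse_name(pkt: bytes, off: int):
    """Decode the name at pkt[off], following compression pointers; return (name, end offset)."""
    labels, jumped, end = [], False, off
    for _ in range(64):                      # bound hops so a pointer loop cannot spin forever
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:              # two-byte compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                # stream resumes after the first pointer
            off = ((ln & 0x3F) << 8) | pkt[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    else:
        raise ValueError("DNS name pointer loop or name too long")
    return ".".join(labels), (end if jumped else off)

def parse_dns(pkt: bytes) -> dict:
    """Parse the header and first question: the fields a data-plane parser can extract."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = parse_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "qr": flags >> 15, "qname": qname, "qtype": qtype,
            "qclass": qclass, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def response_matches_query(query: bytes, response: bytes) -> bool:
    """Accept a response only if it answers this exact outstanding query."""
    q, r = parse_dns(query), parse_dns(response)
    return (q["qr"] == 0 and r["qr"] == 1 and q["id"] == r["id"]
            and q["qname"].lower() == r["qname"].lower()
            and q["qtype"] == r["qtype"] and q["qclass"] == r["qclass"])

# Constructed sample traffic: a query for example.com and a response whose answer
# name is a compression pointer (0xC00C) back to the question name at offset 12.
QUERY = build_dns(0x1234, 0x0100, "example.com")
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
RESPONSE = build_dns(0x1234, 0x8180, "example.com", ANSWER, ancount=1)
```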
In reflection, there are legitimate research and product solutions that are trending towards creating the foundations for more automated security enforcement. One such area of research is in-network security solutions. There are additional considerations for leveraging automation in in-network security solutions; the most important is verifiability. An introduction to the vision of verifiable networks can be found here.
Work in Progress
- 11/17/2023: Added References, additional case study content and improved document language