Thursday, April 24, 2014

Towards a More Secure Network Interface (SNI)

Many of the objects in our lives are Internet connected. Everything from watches to home thermostats, refrigerators & even septic systems is now wired to the Internet. All of these devices have a certain expectation of trust when they connect to the Internet. Unfortunately, therein lies the fundamental flaw. This "trust everything" model is inherent in nearly all network-connected hardware that individuals & corporations deploy, with the specific exception, of course, of security appliances.

Why do our networks work this way? Because it's easier for hardware engineers to assume trust than to require authentication. Take your car, for example: it has hundreds of systems & sensors that are all interconnected. Every device that makes up your vehicle assumes a level of trust, because the automaker believed they controlled everything. Now suppose you're driving along at say 60MPH, and I were to reach in through your OnStar link & activate the ABS system on the right side of the vehicle. How's that trust working for you now? Don't laugh, I'm serious. Automobile manufacturers are all facing this issue today thanks to several well-publicized hacks last summer.

Can you board a major airline in the US by simply walking into the airport, traversing the terminal, then boarding the plane? No. At a minimum you have to go through a Transportation Safety Administration (TSA) checkpoint. Then a second, very simplistic, validation of your ticket at the gate. The TSA in essence is a packet filter, where you are the packet. They look at you, your ID, run you through a millimeter scanner & your stuff through an X-ray, and if all this passes muster you're permitted to proceed.

Suppose there was a very bright, tiny TSA agent that lived just inside your computer and supervised your connection to the Internet, checking every bit of data coming into your computer. This tiny TSA agent, seeing everything, applies some basic sanity checks to your inbound data; let's call this capability a Secure Network Interface (SNI). Here are some examples of the types of tests that this SNI might execute before allowing information to be handed off to your applications or operating system:

  • Is the data coming from somewhere or someone I trust?
  • Is it coming in specifically to an application I know & trust?
  • Is this a request that I find acceptable?
  • Is there anything in the request I might find objectionable?

Today corporate networks rely on firewalls and other advanced filtering & security hardware to set up a demilitarized zone (DMZ) for all their Internet servers. They then set up a second set of hardware firewalls with more restrictive rules to further protect internal systems & servers. Finally, we have the laptops, desktops & production servers. Many of these also run software firewalls that do some basic network traffic filtering; think of each one as having that gate agent checking your data just before you need it. This software firewall approach is flawed by design because the offending network traffic has already entered your system and has had access to your device drivers and low-level OS stack functions. Imagine if the TSA only existed at the gate to your plane. Think of all the other doors & passages that would remain unprotected.

Imagine if every server had an SNI, actual hardware at the edge of your server or high-end workstation. Your network administrators could then explicitly & logically connect systems to each other & the appropriate users to one another through each of these SNI-protected systems. The default would be that all outsiders are ignored, so if your network perimeter were then breached, like Target's was last fall, it wouldn't make any difference. No logical connections would exist between, say, the unsecured HVAC system (yes, the thieves broke in through the server that controlled the AC) and any of the corporate servers. This HVAC system would only be known to the VPN server; all other servers would shun its existence because the default action in their SNI would be deny. If you weren't on the approved IP list to connect with a given server, you'd be out of luck.
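The default-deny, per-server approved list described above can be sketched in a few lines. This is an added example, not code from this post or from any vendor product; the server names, addresses and ports are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # approved source network, CIDR form
    proto: str   # "tcp" or "udp"
    dport: int   # port of the trusted local application

class SniPolicy:
    """Per-server approved list. Anything that matches no rule is denied."""
    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(r.src), r.proto, r.dport)
                      for r in rules]

    def decide(self, src_ip, proto, dport):
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return "deny"            # malformed source never passes
        for net, rproto, rport in self.rules:
            # trusted source AND trusted application must both match
            if addr in net and proto == rproto and dport == rport:
                return "allow"
        return "deny"                # default action

# Constructed topology (hypothetical names and addresses):
HVAC = "10.20.0.5"
POLICIES = {
    # The HVAC controller is known only to the VPN server.
    "vpn-server": SniPolicy([Rule("10.20.0.5/32", "udp", 1194)]),
    # The point-of-sale server accepts HTTPS from the admin subnet only.
    "pos-server": SniPolicy([Rule("10.10.1.0/24", "tcp", 443)]),
}

def evaluate(server, src_ip, proto, dport):
    """Decision the named server's SNI would make for one inbound packet."""
    policy = POLICIES.get(server)
    return policy.decide(src_ip, proto, dport) if policy else "deny"

if __name__ == "__main__":
    for server in POLICIES:
        print(server, "<-", HVAC, evaluate(server, HVAC, "tcp", 443))
```

A breached HVAC host still reaches the VPN server on its one approved port, so that service needs its own authentication; every other server drops its traffic before any application sees it.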

So does a Secure Network Interface (SNI) exist today? Yes, Solarflare has a brand new software product called SolarSecure that installs a high-performance packet filter in the silicon of the server network adapter. For now you can click on this link to learn more. In the near future another blog entry will explain the amazing capabilities of this exciting new technology.
