One critical decision that executives need to make when assessing their data center architecture is their approach to software vulnerability management across all network components. Vulnerability management primarily revolves around selecting an efficient and modern software management strategy. There are several ways to execute on a software management strategy, and I believe disaggregation is a critical first step in doing it right.

In this post, I want to take a minute to first share my thoughts on the vulnerability management trends I’ve noticed. I will argue that a) you need to prioritize the network in how you manage vulnerabilities and b) disaggregation is the only way to do it properly. We’ll also take a look at the reasons why I think we never had the right framework to manage software delivery, making vulnerability management a challenge on platforms that are closed in nature.

Operations at the core of vulnerability management

Three weeks ago, I joined 40,000 security professionals in San Francisco to attend the biggest gathering of security-conscious professionals — RSA Conference. While several presentations and moments from the event stood out, one that caught my eye was a presentation that discussed the industry's challenges in managing security vulnerabilities (I highly recommend checking out the entire presentation to get a better view of the issues in the industry). The speaker defined vulnerability management as a maintenance and management task that begins and ends with operations. So how can a business ensure state-of-the-art operations to battle vulnerabilities?

I have been advocating infrastructure security in the world of networking for a while because it has always been an afterthought, reserved for topics like DDoS, firewalls and network admission, and rarely for securing the network infrastructure itself. When it comes to infrastructure security, the key to success is selecting an architecture that aims to simplify operations by leveraging state-of-the-art methods for software management and automation. And that’s where the network comes in.

Recently, we have seen a staggering 600% increase in attacks targeting routers, switches and IoT devices. In fact, last month, Homeland Security and the FBI issued an official alert about state-sponsored cyber actors targeting network infrastructure devices. It’s time for executives to start focusing on the security of their networks.

Servers and disaggregation: what happened?

The server world is a parallel universe to networking, but it moves much faster. Historically, the server world quickly changed gears toward offering more choice in how hardware and software are bundled; it took the step to disaggregate and simplify its software a long time ago. Instead of disaggregating the platform, reusing existing innovations and adopting solutions from the server and application world, legacy networking hardware vendors decided to build their own operating systems.

Refusing to move to modern platforms, they left themselves and their customers in a tricky situation, with a big, bloated set of problems — problems that are deeply embedded in the delivery mechanism of their application: the operating system. In that way, legacy networking platforms became the lowest common denominator among servers, storage, security, voice, video and all the other technologies that an enterprise adopts around networking.

Since everything connects to the network and all facets of IT move together, having a legacy network architecture present in an enterprise is a subtle constraint that forces operations to build everything around the limitations and pace of the lowest common denominator — the network.

Dependency on proprietary patches is a dangerous game

Security vulnerabilities are usually software bugs, and it is the nature of software to have bugs. But on those occasions where we have a batch announcement of 34 vulnerabilities that need to be patched right away, C-level executives need to reconsider their software management strategy for the platforms they operate.

In my opinion, legacy networking vendors lack innovation in certain areas — a lot of development took place in routing and switching protocols, but not as much in software operation and management. Software development and innovation on an operating system built in the nineties will naturally incur some technical debt, and, as with any debt, it accumulates ‘interest’, making it harder to innovate later on. A small example that is relevant to all networking folks is the challenge of managing software, configuration and operational data on legacy platforms.

Why does this matter? Well, let’s say you’re dealing with a scenario like the one previously mentioned: you’ve got 34 vulnerabilities in your network and you need a patch ASAP. With legacy vendors, you’re dealing with a waiting game. You’re completely dependent on your proprietary vendor knowing about the issues, detecting the cause of the issues, fixing the issues and then sending you a new package containing the fix. With absolutely zero visibility into the closed network, there’s not even a way for you to solve the issue on your own. If you’re looking to minimize security vulnerabilities, you need a more immediate solution than what proprietary support offers.

Thanks to the disaggregated nature of Linux networking, you don’t have to worry about putting your network’s security in the hands of someone else. In addition to having the ability to look into the network and fix issues immediately, you are also able to leverage the entire Linux community. The most widely cited benefit of having a community of 50,000 behind you is security. Hundreds, maybe thousands of engineers are looking for a way to remediate the issue. Within hours, a glitch can be found, diagnosed and patched.

Automating software deployment is critical for vulnerability management

Proprietary vendors’ reliance on vendor lock-in means that customers don’t have the flexibility they need to leverage automation tooling, such as Ansible, Puppet and Chef, as they see fit. If automation is a critical part of securing your infrastructure, it follows that being restricted in how you leverage automation could pose some serious risks. Fortunately, you don’t have to worry about that with disaggregation. Separating software from hardware gives you the freedom, customization and ability to leverage existing tooling, so you can build your automation solution as you see fit — no need to depend on proprietary solutions that don’t cater to your specific needs.

The process of managing software on modern platforms becomes efficient when the operating system in place is built with standard application packaging and automation tooling in mind from the beginning. Using older platforms that never had a chance to incorporate modern architecture innovations makes it difficult to deploy fixes, which is why choosing anything other than an open network poses security risks. If you’re worried that your legacy platform isn’t doing the job (and it probably isn’t), consider these important risk assessment questions:

1. Is your platform running a modular, multi-user operating system with security natively built into it?
2. Are patches frequently released, and how easy is it to install a patch?
3. If the vendor delays issuing patches, are we capable of patching software on our own?
4. Is there a standard package format for these patches?
5. Can my automation and security auditing frameworks work with these packages of patches?
6. Upgrading software on my network requires planning and validation — do we have tools to do that?
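Questions 3 to 5 come down to whether your own tooling can read the platform's package inventory and decide which packages still sit below a fixed version. The following is an added example (not code from the original post or from any vendor) that does exactly that for a Debian-style inventory, as produced by `dpkg-query -W -f='${Package} ${Version}\n'`; the package names, versions and the fixed-in versions are constructed sample data, and the version comparison follows the dpkg ordering rules (epoch, then upstream, then revision, with `~` sorting before anything).

```python
import re
from itertools import zip_longest

# Constructed sample in the shape of `dpkg-query -W -f='${Package} ${Version}\n'`
INVENTORY = """frr 7.5.1-1
openssh-server 1:8.4p1-5
openssl 1.1.1n-0+deb11u3
sudo 1.9.5p2-3
"""
# Constructed advisory data: package -> first fixed version (hypothetical values)
FIXED_IN = {"openssh-server": "1:8.4p1-5+deb11u1",
            "openssl": "1.1.1n-0+deb11u4",
            "sudo": "1.9.5p2-3"}

def _weight(c):
    # dpkg character order: '~' sorts before anything, letters before symbols
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_part(a, b):
    # Compare an upstream or revision string as alternating non-digit/digit runs
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            wa, wb = (_weight(ca) if ca else 0), (_weight(cb) if cb else 0)
            if wa != wb:
                return wa - wb
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(v1, v2):
    """Negative, zero or positive, following the `dpkg --compare-versions` ordering."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(inventory, fixed_in):
    """Return (package, installed, fixed) for packages still below the fixed version."""
    rows = [line.split() for line in inventory.split("\n") if line]
    return [(p, v, fixed_in[p]) for p, v in rows
            if p in fixed_in and compare_versions(v, fixed_in[p]) < 0]
```

Feeding the real `dpkg-query` output and the fixed versions from a vendor or distribution advisory into `audit()` gives a machine-checkable answer to question 5 that an Ansible or Puppet run can act on.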

Legacy networks aren’t built for automation the way open alternatives are. So if you ask yourself these six questions and realize your platform isn’t optimized for automation, you may be seriously risking your infrastructure security.

In conclusion

From my perspective, it’s pretty clear that it’s time to start taking infrastructure security more seriously. And if automation, software management and punctual patches are the keys to effective software vulnerability management, then there’s no question that a disaggregated solution is best optimized for network security. Disaggregation and vulnerability management go hand-in-hand — so get onboard with open solutions if you want to keep your infrastructure safe.

If you’re still curious about what open versus closed networking looks like, you should definitely check out our networking how-to video series. Watch as our web-scale networking experts show you side-by-side how configuring with a traditional NOS compares to configuring with an open NOS like Cumulus Linux.