SECURING VIRTUAL NETWORKS: A CONVERSATION WITH DWIGHT KOOP
Dwight Koop, CFO of Cohesive Networks
This article first appeared on The Journal of Cyber Policy on February 15, 2018 by Hugh Taylor
Hugh Taylor: Tell me a little bit about your background and the company you work for now.
Dwight Koop: I’m definitely a senior citizen and have been around for a while. Now, I am Chief Financial Officer of Cohesive Networks. We’re a software company that builds, in the simplest sense, firewalls, routers, switches—virtual appliances that are delivered as virtual machines into public and private Cloud environments.
In the early days of Amazon, there was plenty of innovation but not a lot of security, so one of our engineers started working on building a firewall on a virtual machine. In the early years, most of the Chief Technology Officers of all the well-known multibillion-dollar network appliance companies would meet with us; we’d tell them what we do and they’d pat us on the back and send us packing, explaining that real men only use hardware. Turns out they were wrong.
Hugh Taylor: What was the transition point? Was it that hardware became faster, the generic hardware became faster or something?
Dwight Koop: Well, there is still purpose-built hardware out there, but this has been going on for a long time. First, companies build specialized hardware. Then, it gets commercialized. Like, financial firms used to build very specialized data storage, refrigerator-sized boxes filled with disk drives. And what do you know, now a teenager can build one much bigger. I’ve got four terabytes sitting next to me on my desk from Apple that was practically free, it was so cheap.
Specialized hardware – you know there’ll be another one tomorrow, but all of those things eventually get commercialized. And what I think a lot of people have discovered over the years is that going from specialized hardware targeting a B-to-B enterprise market to a consumer retail product in technology is a fairly quick lifecycle. And our collective view – the sort of Cohesive view of the world – is that if you’re going to go buy something, buy the thing that’s sold in a retail store to lots and lots of consumers, because the testing has been done for you and the bugs have been found. Right?
Hugh Taylor: The question I guess I have then is as products become commercialized and they start being built on commodity hardware, does that make them more secure or less secure? It seems like it could go both ways.
Dwight Koop: Yup. It can go both ways and – a bit of a tangent, but I think a significant part of the response to what you’re saying stems out of the world of cyber security. If you go look at a cyber security textbook, it basically says if it isn’t open-sourced it isn’t any good. Now that relates specifically to cryptography, algorithms, et cetera, but that is an interesting point about open source and sort of commercialized and widely used. The more eyes on something, the more likely it is that bugs and flaws are going to get identified and addressed. I’m a strong advocate of the more eyes on something, the more likely it is that it’ll work for me.
Hugh Taylor: Are there challenges in creating a firewall for a virtual network appliance? Are they different from a physical network appliance, physical firewall?
Dwight Koop: Yes, there is a difference. The way to think about this is to look at the network stack diagrams. There are a couple of variants, but they’re all six or seven layers. If it’s the seven-layer model, hardware is at “one,” and layers one and two are moving stuff around on wires. There are protocols and standards. You’re moving bits and bytes. And eventually you get up to what’s commonly called layer seven, which is the application layer.
What has transpired since Amazon began the idea of public cloud, with the transition from virtualization to multi-tenant virtualized compute, is that you, the Cloud user, get access down only about halfway through layer three. You don’t have any knowledge of how anything under the hypervisor layer works or what it does.
As a result, we came out and said we really need to build application-level firewalls, application-layer security, and application-layer intrusion detection. In many cases the pieces and parts are the same that you’d put into a hardware box that also can control the base layers. But that means you have to change your thinking about what it is you’re building. And in the past, when you were selling a router as a box, the hard work of the traditional Phillips-screwdrivers-as-fingers engineers that built those boxes was that they put as much of the routing and switching and protection and security as far down in the stack as they could. Which worked fine, but also lends itself to a mentality of perimeter firewalling, which the world has sort of figured out doesn’t help when you can phish your way in and take everything they have behind it. So segmentation and micro-segmentation are now common terminology.
Micro-segmentation is much more achievable when you have easy-to-deploy virtual routers as compared to physical ones. Now, your router can follow your application. In a virtualized world, for little effort, you can build firewalls that have specific IP addresses, that are task-based, and that sit there and say, “Yeah, I’m sorry, the app server can only talk to the database server and the front end. It can’t do anything else.” So not only is my application firewalled, but the layers of my application are firewalled, and now I’ve got role-based permissioning applications that can help me tie that thing down.
Then you move into this whole conversation about tunneling. And the whole point is, the quicker I can get my servers to be invisible from the rest of my own network, the better. I don’t want somebody who works on the currency trading desk to even know where the HR Department’s servers are. It’s none of his business. Which you can do in today’s world. It used to be a lot of yellow wires strung on the back of machines. Then, whenever you needed to switch one machine out, somebody had to go somewhere and do something. Now you can sit at a desk and reroute the traffic.
Hugh Taylor: Let me ask you a hypothetical. Let’s say the phone rings and it’s Donald Trump calling to say, “Dwight, I want you to leave your company, come work with me. I’m going to give you unlimited money and any resource you need to make the United States more secure from a network perspective.” What would you do? I mean, from a policy standpoint, what would you want to see happen to make the networks more secure?
Dwight Koop: Good question. And the U.S. Government, in the last four years or so, actually has had Chief Information Officers, and I spent some time helping our clients understand the NIST Cyber Security Framework. But there are a lot of compliance-oriented frameworks and requirements from NIST and everyone else. Standards like HIPAA and PCI DSS — there are actually tons of them, and I think one time I went to see whether I wanted to go get a certificate in information security and put credentials on my website, and it was like $230,000 if you bought all the ones that you could find by doing a quick search on the internet.
It’s a big business, and it’s broken down into writing standards, implementing standards, and auditing standards. The bigger your company is, the more staff and budget you have to throw at that. I was at a US Secret Service Electronic Crimes Taskforce (ECTF) meeting recently, and there was this bubbling conversation and hand-wringing around how too much of the security budget is going to governance and not enough to actually doing security.
Back to your question. People in the public sector say, “What we need to do is do away with all this secret cryptography and let’s just outlaw that.” Yeah, I don’t think that will work. Clearly one of the main uses of cryptography is to protect public safety. There seriously is no easy answer, but the other piece to this is we are still in a relatively early stage of networking and the Internet of Things [IoT].
Which brings me to IPv6. Now, we’ve created a network address and capability for every particle in the universe. Everything has a digital twin. So instead of a Social Security number, I have a network address as my identity. It’s a huge problem. And there’s no quick answer.
Hugh Taylor: I feel like the United States needs some kind of secure network. Imagine that the law and the regulations and technology come together – I want to get your impression of this idea – and that there is a thing called the secure network that consists entirely of American-made equipment, and in order to get onto it you have to authenticate your identity and location and your device. And there are criminal penalties for misusing it and stuff, and you let corporations start connecting to that and sort of disconnect corporate networks from the public internet.
Dwight Koop: Yup, I hear you, and of course, with that secure network, if you expand on the larger side, you could go from America to coalition forces. A million years ago in a land far away, I presented a paper to the Special Forces about asymmetric warfare and the use of public cloud computing in an offensive posture, which is still probably available somewhere on the internet. The world’s gone past me and figured it out. But, in getting ready to make that presentation, I widened all of my comments to say coalition forces.
And going the other way, to the smaller side, there are two irritating things under the saddle of any ideas like this. One of them is the man-in-the-middle attack: if you tell me what you’re doing, I can find a group of people who will cook up a man-in-the-middle strategy. The second thing is that there is always the insider breach. For example, if you take over the accounting department of a network, I imagine you can do anything you want.
IoT adds network complexity by making a new network IP address or a MAC address in a network. By the way, virtual machines and containers do not have a MAC address. So, for Cohesive, we have come up with an approach we find useful for creating a virtual MAC address. The same man-in-the-middle and spoofing problems apply, but a bit of crypto and a distributed ledger might help.
Take a look at https://sovrin.org/library/trust-framework/. They are on the same track. Or, you could even sit there and say, well, let’s shrink that down on the other side of your equation to say the geopolitical boundaries as small as the United States, or should it be even smaller? Which you can then sit there and say, well, the credit card. Because PCI standards and compliance are run by a bunch of banks, they have their own interests at heart. They are trying to protect the money that is on their credit card network. If you look at all the standards out there, the one that is most explicit is PCI DSS.
The self-interest of the group of organizations that are in the credit card business trying to protect the credit card business turns out to be far more explicit in its standard settings, which leads me to your hypothesis, which is, well maybe shrink that down to supply chains that have self-interest as motivation.
Regarding your identity point, until you do something as rooted in wet signatures and real people and face-to-face communication and current identity, you will not have much of a solution. I think you are on the right track. With location, other than elaborate spoofing, I can figure it out based on hops and the duration of the ping and my general knowledge of how the network works. If you say you’re in Chicago and you’re actually in India, I can figure it out by time delay. I cannot if you plant a server in Chicago and control it from India. And again, who do you talk to next about the sanctity of domain names and domain name registration and IP address allocations? If a server from Hewlett Packard interacts with me, I know which group of IP addresses in theory belong to HP; that would be a nice way to be a little more comfortable. I don’t know how many times a day I get an email reminding me that I need to go collect my Amazon bonus $50. But the address it’s from is crookedpeopleontheinternet.com. Now, if they were smart they’d figure out a way to spoof the domain name, and then they could spoof the IP address, and they might get me if they could just form a sentence in English.
By: Margaret Valtierra