Network security – a relic in a Zero Trust world or… not quite yet?

The picture (not sure of the source) made me chuckle, but it’s an interesting topic, fairly close to my heart (having worked as a network architect for many years). Is that really true, that we don’t need network guys anymore? Let’s take a closer look.

Network security

What is network security? Long story short, it’s how we segment our networks and secure the traffic with devices like routers, firewalls, VPN concentrators etc. At least once in our professional career we’ve heard that an application didn’t work due to an issue on the firewall. Network and communications became a security domain and an important element of all of our deployments. We built a whole culture of network wizards who were the guardians of our front door – the first line of defence.

We somehow assumed that everything inside our perimeter was secure and that the threats were external. It was very common for enterprises to enforce encryption over public networks, but for traffic contained within the datacenter it was not deemed necessary. In fact we specifically did not do it, because it affected performance and it also presented a challenge for the Intrusion Detection and Prevention Systems (IDS and IPS), which cannot inspect what they cannot read.

Flat network topology

As our workloads started moving to the cloud we noticed that the network topology started to flatten. The firewalling concept moved from network-level to host-level filtering. I remember attending an AWS immersion day where, for the first time, ‘the cloud way’ really made me feel uncomfortable, thinking my craft (I was a network architect at the time) was simply fading to black. I couldn’t understand why we would move away from the efficiency of a network-level firewall policy to attaching policies to individual virtual machines. Datacenter virtualisation technology had been available for some time and was a fair way ahead of the public cloud offering in the networking domain.

As I worked with cloud architecture, relentlessly trying to defend the status quo, the message proved too strong and we submitted to the new, flat-ish, host-based firewall model of cloud networking. The concepts of DMZ (demilitarised zone), service zone, application zone and database zone have largely collapsed into two classifications only – public and private.

Evolution of code

We have been evolving quickly, and these days vulnerabilities are far more exploitable than they were in the past. The attack surface changed due to the rapid spread of malware and ransomware – a true digital pandemic to which we are subject virtually everywhere. The threat is no longer external only, and the Zero-Trust model addresses exactly that. We trust nothing, anywhere, unless it is authenticated and authorised. Every flow and every subject goes through the same security process regardless of where it originates. We encrypt everything (worth protecting) both in transit and at rest.

But if that’s the case, where is network security? Has it gone completely from our landscape? Is it true that Zero-Trust is the complete opposite of perimeter (network) security? Fear not, generations of network engineers working in security: your days are far from over!

Network segmentation

If you pursue a career in security management you will stumble upon incident response. To the surprise of many, catching the bad guy isn’t actually THE top priority. We need to confirm the incident, and the first thing we do is… isolate it. Let’s look at a simple example – ransomware spread. The infected host goes out on a quest to find more victims. How can we isolate a host or a network without any segmentation? The answer is – we cannot. Our networks should be big enough to accommodate growth and auto-scaling, but small enough to divide the systems based on some sort of criteria. This could be an application or an application type, a system type (database or web server) or simply a number (e.g. 60 nodes). The security groups concept still applies, but we now also have the ability to completely isolate part of our infrastructure with one change. It’s also worth having that isolation rule pre-defined and disabled, so there’s no guessing or engineering required when the incident occurs. Segmenting different environment types may also prevent operational issues, not just those that are security related. I have seen pre-production applications trying to sync with their production counterparts, rendering products unavailable.
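As an added example (not code from the original post), the sizing rule above carried through: a planner that carves an address block into equal segments capped at a chosen node count (the post’s 60-node figure is used below) and a lookup that tells you which segment an infected host sits in, i.e. the unit you would isolate with one rule change. The block, labels and host addresses are constructed for illustration.

```python
import ipaddress

def segment_prefix(max_nodes: int) -> int:
    """Smallest IPv4 prefix length whose usable host count covers max_nodes.
    Network and broadcast addresses are excluded; on platforms that reserve
    extra addresses per subnet, pad max_nodes before calling this."""
    needed = max_nodes + 2
    prefix = 32
    while (1 << (32 - prefix)) < needed:
        prefix -= 1
    return prefix

def plan_segments(block: str, max_nodes: int, labels: list) -> dict:
    """Carve `block` into equal segments of at most max_nodes usable hosts,
    one per label, in address order. Raises if the block is too small."""
    net = ipaddress.ip_network(block, strict=True)
    prefix = segment_prefix(max_nodes)
    if prefix < net.prefixlen:
        raise ValueError(f"{block} is smaller than one /{prefix} segment")
    subnets = list(net.subnets(new_prefix=prefix))
    if len(labels) > len(subnets):
        raise ValueError(f"{block} holds only {len(subnets)} /{prefix} segments")
    return {label: str(subnet) for label, subnet in zip(labels, subnets)}

def segment_of(plan: dict, host: str):
    """Which labelled segment a host belongs to (None if unallocated): the
    unit you isolate with a single rule change when that host is infected."""
    addr = ipaddress.ip_address(host)
    for label, cidr in plan.items():
        if addr in ipaddress.ip_network(cidr):
            return label
    return None

if __name__ == "__main__":
    # Constructed example: a /24 split into 60-node segments by system type.
    plan = plan_segments("10.0.0.0/24", 60, ["web", "app", "db"])
    print(plan)
    print(segment_of(plan, "10.0.0.70"))  # → app
```

The remaining unlabelled /26 in the example is the growth headroom the post asks for; a pre-defined, disabled isolation rule would be written per returned CIDR.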

Standard, well-known ports and port translation

A good ransomware goes undetected until it has spread extensively and is ready to strike. Even a simple Intrusion Detection System (IDS) would detect a full network scan, so it’s usually only the standard ports that are checked as part of the reconnaissance process. By moving known services (e.g. SSH, RDP, SMB) to non-standard ports you give yourself a chance of avoiding the spread of the malware. You don’t reduce the attack surface, but you move it. In some cases that may be just enough to stop the spread across network segments.
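An added detection example, not from the original post, for the other side of the same observation: once real services live on non-standard ports, a host touching the standard SSH/RDP/SMB ports on several peers in quick succession is a reconnaissance signature worth alerting on. The flow records are constructed and loosely modelled on VPC flow log fields; the field order, thresholds and window are assumptions.

```python
from collections import defaultdict

STANDARD_PORTS = {22: "ssh", 3389: "rdp", 445: "smb"}

# Constructed sample, loosely modelled on VPC-flow-log fields:
# srcaddr dstaddr srcport dstport protocol start action. Not real traffic.
SAMPLE_LOG = """\
10.0.1.10 10.0.1.11 51000 445 6 1700000000 ACCEPT
10.0.1.10 10.0.1.12 51001 445 6 1700000001 REJECT
10.0.1.10 10.0.1.13 51002 445 6 1700000002 REJECT
10.0.1.10 10.0.1.14 51003 445 6 1700000003 ACCEPT
10.0.1.10 10.0.1.15 51004 2222 6 1700000004 ACCEPT
10.0.1.20 10.0.1.40 40000 22 6 1700000010 ACCEPT
10.0.1.20 10.0.1.40 40001 22 6 1700000020 ACCEPT
10.0.1.30 10.0.1.41 45000 3389 6 1700000000 ACCEPT
10.0.1.30 10.0.1.42 45001 3389 6 1700000500 ACCEPT
"""

def parse_flow(line):
    """Parse one flow record into a dict, or None if it lacks the 7 fields."""
    f = line.split()
    if len(f) != 7:
        return None
    return {"src": f[0], "dst": f[1], "dport": int(f[3]),
            "ts": int(f[5]), "action": f[6]}

def detect_sweeps(lines, threshold=3, window=60):
    """Flag sources reaching >= threshold distinct hosts on the same standard
    port within `window` seconds. REJECTed flows count too: a segment
    boundary blocking the probe is itself evidence of a sweep."""
    events = defaultdict(list)            # (src, port) -> [(ts, dst)]
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dport"] not in STANDARD_PORTS:
            continue                      # non-standard ports are ignored here
        events[(rec["src"], rec["dport"])].append((rec["ts"], rec["dst"]))
    alerts = {}
    for (src, port), ev in events.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):  # slide a window from each probe
            dsts = {d for t, d in ev[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                alerts.setdefault(src, {})[STANDARD_PORTS[port]] = sorted(dsts)
                break
    return alerts

if __name__ == "__main__":
    for src, hits in detect_sweeps(SAMPLE_LOG.splitlines()).items():
        print(src, hits)
```

In the sample only 10.0.1.10 is flagged: 10.0.1.20 repeatedly reaches a single host and 10.0.1.30 touches two hosts far apart in time, so neither trips the threshold.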

You may say – this is security by obscurity and not a real countermeasure, but is it really so uncommon? Imagine going shopping. You park your car and you lock it. Your car has an immobiliser built in, so theoretically speaking a non-sophisticated offender can’t drive off simply by brute forcing their way through the locks or windows. The physical barrier of the car door is actually really weak. Does that mean we don’t lock the doors? Of course not!

Bridge to legacy

In a Zero-Trust model we encrypt data in transit, but there may be legacy applications that the business requires and that cannot support encryption. Our good, old friend the VPN will help to bridge the gap until we can remove the technical debt completely.

Modern network security controls in cloud environments

Public cloud solutions have developed well from the perspective of CPU and memory virtualisation, but network virtualisation lagged behind. Perhaps we tried to make the network look like an application, and to a certain point it worked, but it wasn’t sufficient for multicast, third-party connections or non-public connections between separate cloud accounts. What we see now is that cloud providers have caught up and started introducing what we thought were dated security controls. In AWS, for instance, Transit Gateway has been received with open arms by many, and the VPC firewall was just the cherry on top. It allowed for true network virtualisation with the network security controls we knew from the on-prem world. Turns out – Zero Trust is NOT mutually exclusive with network security!