Prevent lateral attacks inside the data center with a defense-in-depth hardware layer

IT departments tend to be concerned primarily with cybersecurity attacks that originate from outside the enterprise, known as a “north-south” attacks. This often leaves them more vulnerable to even more dangerous attackers who use phishing, malware or click-bait to access desktops, laptops and other endpoints.

They then use these compromised endpoints as beachheads for moving laterally from server to server throughout the enterprise. These “east-west” attacks have led to some of the world’s highest-profile and most damaging data breaches.

East-west attacks have typically defied detection and been extremely difficult to stop once launched. But now there is a new way to combat them using integrated network protection solutions that create a new defense-in-depth hardware security layer.

This additional security layer binds each server’s hardware firewall to a central controller for implementing application-level network segmentation to detect, classify and mitigate threats. Equally important, the new layer delivers this protection without diminishing performance or creating an additional attack surface, as is the case with today’s software-based solutions.

Special dangers of east-west attacks

Network traffic moving between servers is increasingly vulnerable to attacks. Cybercriminals first locate an entry point inside the data center and then use it as a foothold from which to launch lateral attacks on these internal servers.

It has been estimated that by 2021 this east-west traffic within and between data centers will account for as much as 85 percent of total data center traffic. An east-west attack is typically launched from a valid internal platform. The attacker is frequently using hijacked credentials, and there is very little to distinguish the perpetrator from a trusted user. When these trusted users have elevated privileges, which they often do, the fraudsters using their credentials almost always permanently erases any audit trails. Detecting these attacks as they happen has become increasingly critical.

Improving a proven defense

Data center operators have tried to combat east-west attacks using application-level network segmentation to place boundaries and alerts on all flows for threat detection, classification and mitigation. The problem with these solutions is that they are implemented in software, which requires 15,000+ x86 CPU cycles to filter each in-coming network packet. Software-based application-level network segmentation also presents a hacker with an attackable software surface. Any reasonably knowledgeable hacker can easily disable the typical OS-based firewall.

These vulnerabilities that accompany software-based application-level network segmentation can be eliminated with an extended defense-in-depth hardware approach which also improves system performance. Today’s integrated network protection solutions implement this approach by combining built-in hardware firewalling with centralized security policy management capabilities.

The solutions do all the work of gathering, transmitting and acting on flows without consuming any CPU cycles. They also are up to ten times faster than any firewall appliance, adding a maximum of 200 to 700 nanoseconds (ns) of latency. Their distributed hardware architecture is also inherently high-capacity and infinitely scalable. Unlike traditional firewalls, they won’t slow down applications by creating data chokepoints within the data center network.

This defense-in-depth hardware approach is also more secure. The integrated network protection solution’s adapter is bound to its command-and-control mechanism. As it begins reporting new application flows, these flows are used to establish new security policies that are broken down into individual firewall rules. All operations are protected within the server’s own tamper-resistant NIC platform.

After establishing remote control, the local control plane used to view and manage the NIC’s hardware filter table is torn down. It is then impossible to locally modify the onboard filter tables. Even if attackers can escalate their privilege to superuser or administrator level, the local pathways for accessing the server’s adapter-based filters are physically torn down. If an attacker attempts to tamper with an adapter it will disable itself and trigger an alert.

There also is no software footprint that an attack or malware can compromise. Before any firmware is loaded its authenticity is validated. Even attackers with root permission cannot modify or disable these solutions – only production ports can be seen on the network. All other server connections can be configured to provide attackers with no usable information with which to continue their assaults. The entire platform is protected, from the host to all firmware and on through the command-and-control framework and the adapter.

Data center operators already know the benefits of application-level network segmentation. Now they can realize these benefits while moving beyond the security and performance weaknesses of OS-based server firewalls.

The latest integrated network protection solutions implement application-level network segmentation using a defense-in-depth hardware approach, essentially hardening servers at what has become the new network edge. They transform servers into a critical line of defense for protecting today’s growing volumes of vulnerable network traffic moving laterally inside and between data centers.