Reinventing the Handshake | @CloudExpo #Cloud #Security

The concept of brokered or arbitrated connection management has taken hold in the form of the connectivity model

My father used to tell me that the key to success in life was to look people in the eye and give them a firm handshake. But the art of the handshake seems to have died in my generation. I grew up in the era of high fives, forearm smashes and fist pumps. I played baseball, so there were also a lot of butt pats (but let's not go into that). It seems like the importance of handshakes and eye-to-eye contact has diminished even further in my daughter's generation. Every day I watch her friends look down at their smartphones while texting each other "omg hi bff" as they greet each other at school or at the mall.

My father is gone now. But he wouldn't like that.

It seems like the nature of handshakes is changing in the world of networking security as well, but in this case it is a good trend.

To explain that, let me provide some background. We all know that TCP/IP-based networking has proven to be hugely scalable and flexible. There are several reasons for that. One is the separation of responsibility between the network layer (IP) and the connection layer (usually TCP, sometimes UDP). The network layer focuses on efficiently moving packets from point A to point B on a large scale. The connection layer focuses on establishing and optimizing data transfer between point A and point B. Has it worked? Hundreds of millions of connected endpoints, moving steadily towards tens of billions, would tell you it has.

Up until now, the trick at the connection layer was to allow point A and point B to create a connection between them using a bi-directional handshake. That way, billions of different point A's across the world can independently be connecting with billions of different point B's across the world, with no shared resource getting in the way other than the luck of the draw of common path elements (e.g., common network links, shared servers).

This has created great scale. But ... it has also led to almost all of the network-related cybersecurity issues we struggle with today.

This is why the concept of brokered or arbitrated connection management has taken hold in the form of the connectivity model. Named Software Defined Perimeter (SDP), this model is being promoted by the Cloud Security Alliance. Using SDP, applications, services, and servers are isolated from users (or other servers or IoT devices) by an SDP Gateway, which is a dynamically configured TCP Gateway. There is no connectivity that can be directly created via the traditional bi-directional handshake. The Gateway rejects all attempts at establishing connectivity unless users and endpoints are "pre-approved" by a third-party arbitrator. This third-party role is played by the SDP Controller. Endpoints desiring connectivity to a destination protected by an SDP Gateway don't bother to send a connection request to that destination. Instead they "apply" for connectivity to the SDP Controller, which determines if they are trusted.

Trust assessment means device authentication, user authentication, and a set of context-based information that will continue to expand over time: location, BYOD vs. managed device, software posture, software integrity, etc. The goal is to evaluate overall trust as much as possible before allowing connectivity. If the Controller is satisfied, the SDP Gateway is dynamically configured to allow connectivity for that trusted, authorized user. The systems isolated and protected by the SDP Gateways are never exposed to attackers who have stolen credentials. Nor are they exposed to unauthorized users looking to exploit server or application vulnerabilities, trying to move laterally in a persistent search for access to sensitive data, or simply wanting to deny service to others via bandwidth or resource starvation attacks.
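To make the brokered flow concrete, here is a small simulation of the two roles described above: an endpoint applies to a Controller, which runs the trust checks and issues a signed grant, and a default-deny Gateway that accepts a connection only when a valid grant is presented. This is an added illustration, not Vidder's or the Cloud Security Alliance's SDP code; the shared key, the registries of trusted users and devices, the allowed locations and the 60-second grant lifetime are all constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed demo values: a key shared only by Controller and Gateway,
# and the registries the Controller consults during trust assessment.
CONTROLLER_GATEWAY_KEY = b"constructed-demo-key-not-for-production"
TRUSTED_DEVICES = {"laptop-42"}                 # device authentication
TRUSTED_USERS = {"alice"}                       # user authentication
ALLOWED_LOCATIONS = {"HQ", "home-office"}       # context-based check
GRANT_TTL = 60                                  # seconds a grant stays valid


def _sign(payload):
    """Controller's MAC over a canonical grant so the Gateway can verify it."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(CONTROLLER_GATEWAY_KEY, body, hashlib.sha256).hexdigest()


def controller_apply(user, device, context, destination, now):
    """Endpoint 'applies' to the Controller; returns a signed grant or None."""
    trusted = (device in TRUSTED_DEVICES and user in TRUSTED_USERS
               and context.get("location") in ALLOWED_LOCATIONS
               and context.get("patched") is True)      # software posture
    if not trusted:
        return None
    payload = {"user": user, "device": device, "dst": destination,
               "exp": now + GRANT_TTL}
    return {"payload": payload, "mac": _sign(payload)}


def gateway_connect(grant, device, destination, now):
    """Default-deny Gateway: a raw handshake (grant=None) is rejected; a grant is
    accepted only if unforged, unexpired and bound to this device and destination."""
    if grant is None:
        return "REJECTED: no controller grant"
    payload, mac = grant.get("payload", {}), grant.get("mac", "")
    if not hmac.compare_digest(_sign(payload), mac):
        return "REJECTED: forged or tampered grant"
    if now > payload["exp"]:
        return "REJECTED: grant expired"
    if payload["device"] != device or payload["dst"] != destination:
        return "REJECTED: grant not bound to this device/destination"
    return "ACCEPTED: forwarding to " + destination
```

A stolen password on an unregistered device never reaches the Gateway: the Controller returns no grant, so there is nothing to present.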

Call it what you will: three-way handshake, arbitrated connection control, brokered connection management. Vocabulary may vary until the world agrees on some common terms. But no matter what you call it, one adjective applies: powerful.

My father would be happy that the handshake is back and even better than ever.

More Stories By Mark Hoover

Mark Hoover is CEO of Vidder Security. He has been involved in the technology and market development of security and networking technologies over a period of almost 30 years, including Firewalls, VPNs, IP routing, ATM, Gigabit Ethernet Switching, and load balancers.

Most recently, he has been a Venture Partner at Woodside Fund for two years. Prior to that he was the president of Acuitive, a strategic marketing consulting firm that helped define product and market strategies for start-ups, including Brocade, Alteon Websystems, Netscreen, Maverick Semiconductor, Redline Networks, and many others. He started his career at AT&T Bell Labs and moved to SynOptics/Bay Networks before founding Acuitive.
