The telecommunications industry faces unique challenges as its networks evolve and attackers adapt their exploits. The newest challenges stem from the emergence of the IoT, software-defined networking (SDN) and network functions virtualization (NFV), according to Masergy's Ray Watson.
SDN and NFV consolidate access, which simultaneously offers a path to better security and increases the potential damage of any single breach, says Watson, the vice president for global technology at Masergy Communications Inc. In the first of a two-part Q&A, Watson told Telco Transformation that the dynamics are different from those in the legacy world, but many of the core attacks are the same.
Telco Transformation: SDN/NFV on one hand and the IoT on the other seem significantly different from the security perspective. Should we treat them separately?
Ray Watson: We should treat those two things separately. When it comes to talking about SDN/NFV, the reason that security is foremost on everyone's mind is probably best illustrated with an analogy.
If someone carjacks a car, that's a horrific thing. We certainly want to do everything we can to prevent carjacking. But it's an entirely different thing if someone takes over an air traffic control tower and is able to maliciously direct a hundred planes.
So it's really just an order of magnitude different on the stakes. If you think in terms of a controller or an orchestrator being hijacked, the potential for either theft of service or malice is not necessarily different. But it is certainly magnified because of the overall scale.
Most carriers would tell you that in some ways they would almost rather face a spectacular attack -- one that they know about immediately and can respond to -- versus someone stealing or siphoning off service quietly over years and years without them knowing. That's the "drip, drip, drip" theft of service versus the flood scenario.
So, the nightmare scenario for SDN and NFV is a widespread exploit that could be deployed either very slowly across time by one or two threat actors, or very intensely. That's WannaCry-type intensity that would be service-affecting and customer-affecting.
TT: Are the attacks on SDN/NFV qualitatively different from those on legacy networks, or are they doing the same things, just tweaked for a new environment?
RW: I would say it's the second thing. In NFV, for example, you're talking about general-purpose computers that are sitting in a thousand places. Those computers can be hijacked to do things like denial-of-service attacks. They can mine cryptocurrency, like Bitcoin mining. They could be used to launch other types of attacks. Or they could be used for theft of information, such as exfiltration of customer info.
This ties to the Internet of Things. The dilemma we see around IoT is what we are afraid we're going to see around NFV: Things shipped insecure by default and becoming an attractive nuisance first and an actual threat vector second.
Suppose I send you an entire box of Oreo cookies that are not sealed. So, you put that on your counter, and it's pretty much guaranteed it's going to attract ants in a day or two. Your whole kitchen is going to get ants. It's not just the Oreos that get the ants, it's everything that gets the ants. Well, those Internet of Things cameras are a lot of Oreos.
So the fear around SDN/NFV is, first, that it might attract bad guys because it's usually a Linux machine that can do anything else a Linux machine can do. The second is the novelty. Any new technology needs to have security baked in from day zero. If not, our experience tells us that it is extremely likely that there will come a day when somebody uses it for malicious purposes.
TT: What exploits are being seen?
RW: The same exploits are being used. It's brute-force password guessing, it's SQL injection, it's cross-site scripting. All of the same tools are being utilized that were used before. There may also be new and novel tools. For example, the recent jailbreak of an Apple Watch uses a technique that has really never been seen before, because there's no serial port and no plug for the watch. But once it actually uses that, it immediately goes back to the same tools that have always been used. In the case of things like thermostats and cameras, it's simple credential theft. So, everything old is new again.
TT: What is the first step in avoiding this scary future?
RW: The hope is that a properly configured SDN/NFV network will only allow bastion hosts, which means it only allows known IPs to connect to it. It's basically a computer hosting only one application and being very limiting in what is allowed to connect to it.
TT: So, kind of a sandboxing thing?
RW: Very much so. So that you only allow connections for a very singular purpose. But that's not what most of these devices are following by default. By default, they're allowing connections from anywhere to anything.
Now most of the SDN/NFV orchestration standards do require specific limits as to who can connect, and where they connect from, what kind of encryption is used and things like that. That's primarily because we're all so super-duper paranoid about something being able to break in and run amok.
So, in theory, the SDN/NFV folks have thought this through and are way further along than the IoT folks. Because in the IoT, it's the wild, wild west out there. Like, everybody's just doing anything they can to ship as soon as they possibly can, and then think about security in version two or version three.
TT: Huge amounts of insecure IoT endpoints are shipping today. Does this mean that there will be a need to insert a security layer between the networks and those endpoints?
RW: Yeah, you can do that today... That's a great strategy. That's network segmentation, or sometimes it's bifurcation if you have a trusted and an untrusted network.
At my company, for instance, we put everyone's IoT on a separate VLAN and a separate DHCP pool so that it's not on the same network as your core data center applications. Where it gets a little challenging for IoT deployments is, in many cases, the administrators don't even know what IoT devices are on their network. Devices may not be corporate owned or corporate controlled.
What you're talking about -- segmentation -- it's not the end-all strategy but certainly is a start for minimizing risk. We can't eliminate risk. It's just like the ant analogy. You can't completely eliminate the possibility of bugs getting in your house, but there are certainly things you can do around food hygiene. All of those pieces will certainly help. Keeping your food only in the pantry is exactly what you're talking about. You're talking about segmenting where things are, so that you can better control what people would be attracted to.
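The two controls Watson describes above, a controller that accepts management connections only from known bastion IPs and an IoT VLAN with its own DHCP pool kept off the core data-center network, can be expressed together as a firewall policy on the router that sits between the VLANs. The ruleset below is an added editor's illustration, not code from the interview, from Masergy or from any product, and every address, VLAN, port number and the bastion host in it are assumptions constructed for the example.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the interview). Constructed addressing:
#   10.10.0.0/24   core data-center VLAN (applications, orchestrator)
#   10.20.0.0/24   IoT VLAN (cameras, thermostats), served by its own DHCP pool
#   10.10.0.5      SDN controller / NFV orchestrator
#   10.10.0.250    bastion host, the only permitted management source
# Ports 443 and 6653 are assumed management ports; substitute your controller's.

flush ruleset

table inet segmentation {
    # Known management sources: the "bastion hosts" that are allowed to talk to the controller
    set bastions {
        type ipv4_addr
        elements = { 10.10.0.250 }
    }

    # Controller management ports (assumption, see header)
    set mgmt_ports {
        type inet_service
        elements = { 443, 6653 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Controller management: accept from bastions only; log and drop everything else.
        # Devices shipped "allow from anywhere to anything" show up in this log.
        ip daddr 10.10.0.5 tcp dport @mgmt_ports ip saddr @bastions accept
        ip daddr 10.10.0.5 tcp dport @mgmt_ports log prefix "ctrl-mgmt-denied " drop

        # IoT VLAN may reach the Internet but never the core VLAN.
        # The log line is the early warning: a camera probing the data center is the ants arriving.
        ip saddr 10.20.0.0/24 ip daddr 10.10.0.0/24 log prefix "iot-to-core-denied " drop
        ip saddr 10.20.0.0/24 ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept

        # Core VLAN may initiate outbound (including to IoT devices it manages);
        # replies come back via the established,related rule above.
        ip saddr 10.10.0.0/24 accept
    }
}
```

Check the file with `nft -c -f segmentation.nft` before loading it with `nft -f`, then verify from an IoT-VLAN host that a connection to 10.10.0.5 on a management port produces an `iot-to-core-denied` log entry rather than a session. The policy only helps if all inter-VLAN traffic actually transits this device; as the interview notes, administrators often do not know which IoT devices are on the network, so an audit of the IoT DHCP pool's leases against an inventory is the companion step to the firewall rules.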
— Carl Weinschenk, Contributing Writer, Telco Transformation