Alternative InfoSec Career Recommendations

Alternative InfoSec Career Recommendations

I have been in InfoSec for a long time, so people seem to think I can dispense sage wisdom on their Information Security careers for themselves or their kids. So instead of answering each one individually I thought I would sum up my 40 years of experience here in order to share and reference it in the future. 

I can summarize my sage wisdom in Two Words “Soft Skills”

In my career some of the best InfoSec colleagues I have known are those that could make me laugh, build trust, serve others, had deep integrity, build consensus, win-win negotiation, improvise and remain calm in tense situations, speak in clear simple short phrases, draw pictures, use analogies, prioritize based on objectives and had my back in good days and bad. 

Why are these skills so important in an InfoSec career? 

If you are about to take on University courses, you can eventually learn to hack, write scripts, click deploy, write a policy document, be the tech hero in an attack scenario, etc. Smart lone wolves are valuable in certain situations but they can never hold back waves of nation state attackers. They are only a tactical defense, a sniper in a WWZ zombie movie.

Whether it’s defending against lone hackers living in their mom’s basement with all the time in the world or a nation state team attacking critical infrastructure, group think is the only enduring defense. For me Information Security is 75% people skills and 25% technical. People that have the ability to encourage cooperative groupthink in both strategic and tense tactical situations are the true InfoSec professionals for whom I uphold the greatest respect.

In the old days, production deployments took 6 months to 1 year. We had time to familiarize ourselves with the product and observe its normal and abnormal behaviors and recommend security modifications. In these days of agile CICD development and 2 week sprints, deployments happen several times a day. Traditional InfoSec defenses can no longer keep up with the velocity of software deployments. The application and the developers are our new firewall. Shifting Left into the development teams is the ONLY enduring strategic defense. As true InfoSec professionals we have to embed ourselves into the development teams or we will be spending our careers believing we are Kim Yo Jong’s issuing decrees that our loyal followers will blindly embrace.

Ask yourself…Can You?

Development	Can you convince a development team that has 2 week sprints to implement their own security reviews on pull requests, include security sensors (not related to their primary objective) in the application, remove secrets from their code, remediate vulnerabilities detected by DAST, SAST, SCA in the CICD pipelines? Remember, developers are financially incentivized to produce functionality. Security tasks just create more bugs, slower code, slower sprints, more testing, more complexity, pissed off marketing people, etc.
Operations	Can you detect abnormal behavior in an app that has a production release every day with new functionality?
Incident Response	Can you guide an incident response team which includes non-security personnel, through an distributed attack scenario where groupthink and info sharing is critical?
Architecture	Can you motivate your architecture team to re-architect a broken authentication infrastructure?
Management	Can you convince management and marketing to incentivize not just functionality but also security efforts? Remember, functionality produces cash flow, security features are a liability.

All the above scenarios require years of experience and patience, so you might as well start developing a collaborative personality now. Python, infrastructure-as-code templates, buffer overflows, CICD pipelines can be mastered in months and as you move through your career you will forget some technical skills as you learn new ones. But soft skills are enduring. You will always build upon and refine soft skills in order to solve the above scenarios.

Of course you will require University InfoSec basics, but as you choose your electives, mentors or outside activities I suggest you think long term with some non-traditional alternatives. These are my recommendations for skills that you will use throughout your career and gain true lasting respect from your peers:

Books
	Negotiation	Look for the long term win-win, not just a path that feeds your ego or people will avoid you in the future
	Building Personal Relationships	Trust is the foundation for any security program. If people do not trust you, they will go around you or ignore you. Look up Dr. Gottman books. Changed my world in life, love and work relationships.
	Motivation and Leadership	Get others to believe they are the masters of their destiny and you will always have their back.
	Business Finance	Money – not logic – rules the world. Get used to it and learn to play within its boundaries.
	Anger Management	Replace your ego with laughter and you will win many battles. Praise in public, admonish in private.
	Priority Management	Learn to prioritize based on cost/benefit/threat/risk/impact
	Sales Techniques	Just because you have a good idea, does not mean people will back it. Learn how to sell your ideas by getting people to buy into it.
Activity
	Improvisation	Get outside your head and learn flexibility, thinking fast, anticipate others thoughts and movements, playing into the big picture
	Comedy classes	Making others laugh is worth 1000’s of pages of security policy manuals. Make people laugh at your faults, believe me you have a lot of material to work with there.
	Rock Climbing	Team building, trust, risk management, focus
	Art classes	Express your ideas in pictures instead of 1000 words
	Listening exercises	You listen but do you hear? Do you really understand what developers and management are struggling with? Until you do, you will not be able to fit your agenda into the business solution.
	Escape rooms	How to work together in teams in tense situations to solve problems. Can you lead the team?
Communication
	Draw cartoons	Express your ideas in pictures to capture attention and tell a story with humor
	Public Speaking	Can you capture a crowd explaining what information security is? Can you make them laugh so hard they cry? Will they go home and tell their friends and family?
	Teach with Pictures	Try teaching your parents, spouse, kids a topic you are interested in only with pictures and no words. Then see if they can repeat the lesson to someone else.
Technical
	Powerpoint	Become a powerpoint expert with pictures. Tell a story. Get rid of the details. Add animation. Capture attention. This is how you sell your ideas.
	Excel	Become an Excel expert. Pivot tables, graphs. You have to put your statistics/probability courses into real life to prove your ideas with numbers. Like Powerpoint, it captures attention but with facts.
	3d animation.	Be a 3d Blender expert. Great skill for both building websites and presentations. Once again, it captures attention.

These soft skills will not only help you in your career but also with personal relationships. And that is what is sorely needed in building the next generation of human firewalls.

Many thanks to Gene Leonard, my mentor for showing me the way.

HTTPS Inspection – The Dark Side

So been playing with HTTPS Inspection on Squid and CP for URL filtering lately and am starting to understand why people avoid it. This is not a CP problem, but an industry problem. Sort of like when IPSEC came out, your IPSEC never talked to my IPSEC. Only HTTPS Inspection has been around since I had hair and I’m not sure we are any closer to nirvana then we were before.

So basically – HTTPS Inspection is where the proxy is a Man-In-The-Middle between a client and a server.  The proxy can then decrypt and inspect all data in the tunnel. Google will give tons of details so I won’t bore you. The key here is the certificates. How does the client get WELLSFARGO.COM server certificate if the proxy is in the middle and acting as the client? Well, the proxy generates a fake WELLSFARGO.COM certificate and sends it to the client. Here is a good diagram and slide show of how the fake cert is created and sent to the client. You might also want to research HTTPS CONNECT where the client connects to the proxy server for the HTTPS tunnel.

All sounds easy-peasy huh??? Not so quick…Before embarking on this journey I tried to google what are all the problems of forcing clients to install a new cert and proxy through a HTTPS Inspecting gateway. Only got bits and pieces. So here is my list of the fun times I am having doing HTTPS Inspection:

 

• How do you work with humans that don’t even know what a cert is? Much less a proxy? How many times do you get the same phone call “What is a cert? Proxy what?”. Yeah deployment was automated via AD and magic just happened….right. Problem is there are too many pieces and unique components..proxies, certs, AD, Linux, OpenSSL, JavaCertStores, pinned certs, that automation will only get 80% and the others are YOUR phone call.
• Client desktops are locked down. Have fun installing those certs or fixing problems for the client in Zambia speaking Bemba on a locked down desktop.
• Not all servers use Windows so installing certs via command line on TinyLinux version .00000003  will be a great time.
• Some applications use Java cert store or OpenSSL cert store or Bob and Jimbo’s cert store version 0.45. So make sure you install the right cert into the right cert stores.
• Some clients apps just will not use fake signed certs signed by the proxy server.  They are pinned  and will only use the original cert and not one generated by the proxy server. 
• BS you say. My ORG has AD or other friggin magic and we already distributed an ORG public cert to all our clients. That’s all you have to do is setup the proxy to sign certs as the ORG CA and wham-bam thank you mam its done. OK, so that means giving the ORG private key to the proxy server. Let me say that again….the ORG PRIVATE key. How do you control use of that private key? How do you know the proxy admin is not deep into hookers and blow and accidentally sends the private key to all his Russian friends? And malware these days are looking for private keys like crazy…is the proxy server secured???
• No problem you say, I’ll just buy some fancy FIPS 140-2 certified  $1billion Hardware Security Module HSM with 126 pretty blinking lights and hook it up and push the GAZUNGA easy button to store all the private keys. HAHAHAHAH. Oh you make me laugh geek boy. Yet more technology on technology on technology. Have fun with that when it breaks. Interoperability, supportability, debugging, etc.
• Speed. Generating fake certs and decrypting SSL kills CPUs. No problem you say, my vendor has XL5Billion hardware accelerator developed by some Nigerian guy for the KGB. HAHAHAHAHAH. You so funny. See above.
• After your vendor wines and dines you with hookers and blow and single malt, in your drunken stupor ask them to allow you to log into their support site and type in HTTPS inspection or SSL decryption.

 

So my cost/benefit analysis is pretty negative right now as I work through all these HTTPS issues. I’ll keep you updated.

 

 

 

How To Change CMA/Domain Name – Preserve SIC

Our local MDS god figured this out. Renaming CMA/Domains

Verified on R77.10.

Note this procedure preserves SIC.

Check Point says this procedure is OK as long as the global policy doesn’t change under you.

 

1. Remove CLM from FW cluster object logging.
2. Old logs:
   1. User Tracker on CLM to issue log switch.
   2. Back up CLM logs (optional).
   3. Make sure to use “p” option to preserve log file timestamps:

“cp –p 2016* /var/temp-logs/”

3. Delete CLM via MDG.
4. Take CMA backup:
   1. mdsenv cma-xyz
   2. cd $FWDIR/bin/upgrade_tools
   3. ./migrate export /var/export_cma-xyz.tgz
5. Delete entire old domain containing CMA.
6. Create new domain & CMA with new names.
   1. Make sure GUI-clients is “any”.
   2. Use same IP address as old CMA so FW still talks to same CMA IP.
   3. Don’t start the CMA till after the import below.
7. Import CMA objects using file /var/export_cma-xyz.tgz.
   1. Click “continue” to the global policy warning.
8. Assign new CMA to appropriate global policy.
9. Create CLM with new names.  Copy logs back in.
10. Tell cluster to send logs to new CLM.
    1. Push policy
    2. Install database.

The World is Changing and so am I

The Cloud. Its Coming. Torpedo is in the tube and you are a WWII lumbering oil tanker. You will be automated like a $15 minimum wage McDonalds burger flipper.

I switched gigs and and am now working a cloud security gig. My Check Point role is diminished 50%…but worse I no longer have access to my #1 diamond support guy Taylor who fed me all the good juicy techie fixes that I shared with you all.

SOOOOO, not sure what the future blog will look like at this point, but the CP focused techie posts will be reduced and you’ll see more Cloud security chatter. Worst case you still have the archives.

Administrator Audit Made Easy – Create CSV of MDS user permissions

Darn auditors want to know who has what permissions in MDS……but want it in a spreadsheet! What’s up with that old technology?

Here it is, a matrix of users and their permissions.

Python Program #2: Adminparser

NOTE: Goes hand in hand with my Cparser module.

Hopefully this will be easier with the R80 REST interface.

Audit OUT!

dreez

Zero Downtime Upgrade between major versions WITH/OUT dynamic routing

Good news:Can be done possible
Bad news: This is work in progress, hope to update with pictures. If you call CP support, they might be able to fish up the document.

Overview:

1. Go through CP steps for zero time upgrades. But don’t take them toooooo seriously or you will have surprises. Make sure you do these steps.
2. Run the upgrade on the standby – DO NOT REBOOT
3. If you have to copy fwkern.conf from the ACTIVE member ..do it now
4. control_bootsec – install initial policy and makes sure that the default filter (bricks the firewall) is not loaded. Run from UPGRADE file system, not old file system.

   cd /opt/CPsuite-R77/fw1/bin

   bash

   control_bootsec

5. Reboot standby
6. Standby comes back up “Active Attention” – no problem has no cluster policy
7. In dynamic routing, if you have “Wait for Clustering” enabled. Disable it. Let the routed startup without a cluster
8. Start/Stop routed:
   tellpm process:routed
   tellpm process:routed t
9. On mgt server change policy to latest version  R77.10/20/30 and push to upgraded member (uncheck mark in policy install for cluster push). Upgraded member now knows it has to be part of a cluster. It will go to READY state, waiting for the failover
10. Use this script to export the routes off the ACTIVE firewall onto the Standby firewall. It will turn them into STATIC routes. NOTE: There is no ‘save config’ at the end. This are only temporary until the system reboots and get real OSPF routes. Make sure you differentiate between dynamic routes that will go away on reboot and real static routes that will be kept on reboot.
11. Reboot the READY firewall just to clear out the cobwebs.
12. Run the ospf script on the READY firewall. This will load all the OSPF and STATIC routes onto the firewall. NOTE: YOu will have to decide if you want to keep/delete the STATIC routes. You might have to SAVE CONFIG on the static routes if you want to keep them.
13. Do a netstat -an | wc -l and fw tab -t connections -s to metric the routes and states
14. Do a ‘cphaprob stat’ to get the IP and ‘number ID’ of the ACTIVE member.
15. Now on the READY member PULL the state table from the ACTIVE member.cphaprob stat   –
    Retrieve the cluster NUMBER and sync IP of the ACTIVE membercphacu start <Active Member IP> <Cluster member Number>  –
    So if active was 1.1.1.1 and number 2 in cluster:
    cphacu start 1.1.1.1 2
    Will pull the state table from the ACTIVE onto the READY member. This is like the OLD fcu command…but snazzier somehow.
16. Do a netstat and fw tab -t connections and make sure the numbers are about the same on both members
17. On the ACTIVE member – drum roll.
    cphaprob stop
18. On the DOWN member STOP the routing daemon because you don’t want it to fight with the new ACTIVE member. This is where the checkpoint cluster and routing teams never broke bread and coordinated cluster & routing activity and you have to do it manually.tellpm process:routed
19. The READY member will now go to ACTIVE
20. On ACTIVE member check out the state tables and network tables again. OSPF should be populating. Check the neighbor status to see if OSPF neighbors are negotiating. If not, they are stuck, then stop and restart. No worries you have static entries until you reboot.clish> show ospf neighbors
    clish> show route ospftellpm process:routed         ##### stop
    tellpm process:routed t        #### start
21. You are over the hump, congrats
22. Upgrade the OLD system
23. Copy fwkern from the standby if required
24. Reboot
25. Push policy to both members
26. Reboot both (to clear out static network entries and cobwebs)
27. Done

Modify firewall config without authentication – Recover admin password and much more

Yes I’m back from bumming around this summer and yes I had a great time knowing all you were working and paying taxes while I was playing on a beach and climbing in Finale Ligure Italy. Who’s the smart one now????

Meanwhile I spent the summer and lately studying for my Amazon Web Services cert. The Cloud and SDN is changing the world as we know it so you better get on the train….or apply at Walmart. $15/hour isn’t so bad.

So once upon a time Joe Bob decided to retire and forgot to give us all the passwords for our gateways. Fun time. Wish I would of known this little trick. How to recover a gateway admin and expert password without having to log in! Or DVD boot the machine on recovery disk.

WARNING: This could be really dangerous. You can execute almost ANY command on ALL your gateways raining death and destruction. Logging is minimal and tying it back to a human user to blame could be very tricky. I would only use this for emergencies.

1. Switch to the context of the involved Domain that manages your Security Gateway:

[Expert@HostName]# mdsenv <Domain_Name>

1. Generate hash for new password – run the following command and save the generated hash string. This will prompt you for password and give you back a hash.

[Expert@HostName]# /sbin/grub-md5-crypt

1. Ensure that the Clish database is unlocked on the remote Security Gateway:

[Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c ‘set config-lock on override’

1. Change the admin user password:

[Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c ‘set user admin password-hash <Password_Hash_from_Step_2>’ 

1. You can also change the Expert password:

[Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c ‘set expert-password-hash <Password_Hash_from_Step_2>’

Be careful out there!

dreez

SDN – Part Vier

So I have hinted how firewalls integrate into this new world. Up to now, firewalls were just virtual guests and you have to use network routing to direct traffic to them…just you like you do in the real world. So you can take a stock off the shelf ISO image of a firewall and load it into VMware and have it monitor traffic with no modifications. I actually do it all the time with my labs. So what has changed???

[QUALIFICATION: I have little experience in R80 or how PA or others operate in a VMware environment. This is just my gather of thoughts from speaking with others, CPX, and reading documentation. So put a grain of salt on this discussion. As I gain experience I’ll update the blog]

So what is about to change is the integration between VMware and the SmartCenter database. Currently a firewall only knows other about other VM guests if a user creates an object and types in the IP address of that VMguest. So if I create 1000000000 VMguests I have to type them in by hand.

Well, in the new world SmartCenter will automatically keep track of the VMware objects through the REST interface. SmartCenter will poll vCenter (see, they even named them similarly) to keep track of what VMware objects exist. SmartCenter will put all the VMware objects into the DataCenter bin in SmartCenter. From the DataCenter bin, you can use them in rules and push the rules to the firewalls in Vmware.

(Question: If a VMware object is deleted, and you are using the object in a rulebase, does that mean the rulebase gets updated automatically???. Not sure.That would be bad.)

So we have this Borg Cube with 30,000 processors on it and tens of thousands of VMobjects. Let’s say we get R80 going and it just sucks in all 30,000++++ objects and puts them into the DataCenter bin. Wouldn’t that be a mess? And its only going to get worst as the virtual world grows. Imagine what the naming scheme looks like, it will be all over the map.

But I diverge…So let’s talk about why CheckPoint might have the edge in the virtual market.

[This is all by word of mouth, so make sure you ask your vendors. Email me if I’m right/wrong]

There is a Facade that the firewall vendors want you to see, and its based on a VMware restriction and not a vendor restriction. Once a firewall is integrated into the hypervisor, (currently it is CheckPoint, PA, Fortinet) it is like having a host based firewall in each virtual guest. Well The Reality is that you will have to run a (many??) separate firewalls as ‘special’ virtual guests and the hypervisor will direct traffic to that ‘special’ firewall and it will emulate being embedded into the individual virtual guest.

As I said, I have been told that this is a VMware restriction and not a firewall vendor restriction. I am not sure if this applies to the native VMware firewalls (basicallly IPchains, pretty primitive). But MAYBE, IF Vmware is actually embedded within each virtual guest, that is all you really need and not all the wizbang that commercial firewall vendors offer. Ask your vendor.

So what does this architecture mean:?

1. Hopefully the ‘special’ firewall(s) will be tuned to utilize CPUs for performance because they will need it if it is suppose to support a whole Borg Cube (CheckPoint SecureXL, CoreXL)
2. Unfortunately there will be a performance hit as traffic has to be shuttled to a separate ‘special’ virtual guest to be filtered. Perhaps in the short term it makes sense to virtualize environments that do not have a performance requirement.
3. Hopefully the management environment will be able to scale as Vmware environment scales (CheckPoint MDS – NOTE: R80 MDS details have not been released. Only SmartCenter. So not sure how VMware will integrate into R80 MDS.)
4. I am not sure how service chaining will work. Recall that in VMware you can create a rule that says ” HTTP traffic from vmguest A to vmguest B go through firewall C”
   
   in addition, I guess in R80 this can be dynamic so admins can isolate vmguest A as a ‘bad guest’, change it security tag, and require that its traffic be ‘filtered’ by a firewall. So I am not sure how service chaining will integrate into this architecture.

……

So I am here in Germany drinking a really nice  Weisbier, sunny, 6pm, my woman is cooking for me,  and I’m running out of things to rant on about. Maybe tommorrow, SDN can wait.

Play Time

Well, its that time of year again for my Hot German Babe – Gaby and myself to hit the road. 3 months of rock climbing NE USA and Europe while all the little people work and pay SSN taxes.

Little bummed because my SDN series is not finished and I feel its going to be a winner. BUT…I’m sure it will be there when I get back.

I’m sure the CP world will somehow continue without me…..

Dreez OUT!

SDN for Dummies – Part Drei

The fun is about to begin. Let’s look at a definition of SDN and some of the major components that make it unique.

Dreez Definition: Software Defined Networking (SDN): The ability to co-manage both the network and security components of a Cloud Infrastructure from a single centralized management platform through the use of automation (software scripting / orchestration).

I know…pretty deep….Let’s go through it one step at a time:

1. Co-Manage both network and security of a Cloud infrastructure from a single centralized management Platform SDN is a layer of software that gives its transparency. SDN allows virtual guests to float between physical platforms with neither the guest nor the end user knowing what physical platform it is on. SDN will merge network management with security management. You see that a bit now in vCenter Security Manager. So imagine in the future if you click on ‘Security’ and an MDS/Security Management Station pops up and all the VMware objects exist in that view.
2. Through the use of software scripting (orchestration)EVERY!!! SDN platform has APIs that enable scripting tools to do whatever you can do in the GUI. If there is an SDN that does not, then it is NOT SDN. What does this mean. Massive unemployment for most of you reading this.Think of what happens now if you have to move a subnet from Chicago to New York. The routing geeks have to touch several routers and switches one at a time. The firewall people have to redo their routing and rulesets on two firewalls. The Load Balancing people have work magic.In the future with SDN this subnet move will occur with scripts. One person will write and execute a script making this whole move happen transparently.

Security  and Network Tags

So what is the mechanism that keeps keeps the security world organized? The glue is called Security and Network Tags. Each virtual guest has a tags that contains security and network information such as policy, encryption keys, IP information. When you ‘orchestrate’ your virtual world and create policy and encryption keys for the guests, the information gets stuck into these tags. Now notice it doesn’t matter where these virtual guests are running…no one knows except VMware and the administrator. These tags are what I call the operation context of a virtual guest. They allow the guests to float between physical platforms and maintain their current state and environment.

VMware Security Groups

Now for the best part with regards to security. This next image is so innocuous but yet is the heart of SDN that will ravage networking as we know it and could be CheckPoint’s/Tufin’s strength if they could swing it politically. This will make most of you reading this unemployed boat anchors, Cisco routing geeks bankrupt, network gear makers bankrupt….I think you get the picture.

[ crickets….]

So in VMware you can gather hosts into security groups based on characteristics of the hosts – and not just IPv4 addresses. Not really a big deal, you can do that on almost any management platform. But in a virtual orchestrated world grouping is the glue that keeps the management station from self destructing exponentially. Imagine 10 scripting manics generating 10000000000’s of objects in seconds – and then they quit and you get a new batch of 20-year-old scripting maniacs, et al. After a couple days your management environment will be out of control. You HAVE to use groups to keep the virtual world manageable. Now in the future groups will also change and be enhanced to manage the scope creep. There will be tagging, labels, etc. just like you see in CheckPoint’s R80 and Google gmail. But in the end, there will be several forms of grouping. I know, I know….Doesn’t look so powerful does it? So this is the crux of my rant. Currently both network and security geeks provide separation (grouping) via subnets. Once we created a subnet, we then can create a firewall rule to protect it. Notice below that all firewall rules are based on networking.

Now I was never sure how a subnet alone prevents Himachi/HeartBleed/etc from spreading throughout your network, but that’s what we do because that is what we have always done since the dawn of time (aside: subnets only stop broadcast storms). Like lemmings walking off a cliff we are planning our future based on what we have done in the past. But I claim in the future we will provide separation based on SECURITY GROUPS. (and not networking). A DMZ Security Group will be made up of DMZ machines and NOT a subnet. Remember from my Part Eins rant about how networking will change and routing will become less important. Well this is another nail in the coffin. We won’t need routing because the world is becoming L2 Ethernet (no IP addresses) and security groups (no IP addresses) and so without IP addresses who needs routing? And if The Cloud is hosted on a big Borg Cube, why do we even need classic IPv4 networks to transfer packets, it might just be some combination of virtual guest UIDs (instead of IPv4 addresses) and distributed shared memory communication. For example, in the old old days an operating system called Multics all communications were performed via distributed shared files. Everything was a file, even networking.

Next Gen Firewalls

Now start thinking about NGF. Policy rules are based on USERs/Machines and Services. So the rule looks like:

• “John Adams” – Do you see any IP addresses? Does it have to be an IP address?
• HR – Is this a subnet or a group of people or a group of machines? In SDN – who cares? Could be UIDs.
• Facebook – Is this  a IPv4 port or a network protocol? In NGF it is a network protocol on ANY port

So even in NGF, you are starting to see the disappearance or the REQUIREMENT for IPv4 constructs.  People can be AD credentials, Facebook is a protocol not a port, HR could be a group of VMware objects imported from VMware and could be MAC addresses, could be UID’s or VMware security tabs created by NSX – Basically you don’t care what is underneath.

 Service Chaining/Traffic Steering.

Yet another nail in the Network coffin. In the virtual world, you don’t always depend upon IP routing to direct the flow of traffic. You can use Traffic Steering. Right now if packet X has IP 1.1.1.1 it will always go to router next hop 1.1.1.2.

In the virtual world, you can build rules that say “Traffic from Security Group X to Server Y, will always go through FirewallZ”. Do you see any IPv4 routing in that statement? What if FirewallZ is in Siberia on not on the direct subnet – doesn’t matter NSX will direct it to Siberia somehow.

TUNNELS

Notice that they are on the same subnet but in two different physical locations? How is this done? VXLAN!!!

VXLAN is the magic tunneling protocol SDN uses to make virtual guests float. In the physical world subnets usually are in 1 physical location (e.g. DMZ is physically located connected to firewall). With VXLAN tunneling, you can have virtual guests all over the world on the same subnet, so they can float and maintain their same network/operational context.

How does it work? Well in the above, you can see 4 virtual guests in different geographic locations all on the same subnet 1.1.1.X. NSX keeps track of where the subnet is by a VNID (Virtual Network ID). In this case it is VNID 12345. NSX uses VXLAN tunnels by encapulating VXLAN packets inside UDP port 4789 packets.

Now tunneling is not the most efficient way of transporting network packets. If you have 2 high bandwidth applications talking to each other over a 4000 mile encrypted tunnel, chances are there will be lots of latency. But technology moves on and in time network bandwidth will be almost as free as water so latency will scale. Historically it always has.

What will blow up????

Let’s review a couple things…

1. The CLOUD is not SDN and SDN is not The CLOUD. The Cloud is where virtual guests are floating through time and space not knowing or carrying what physical platform they are on. SDN is the underlying infrastructure that magically allows them to float…securely. In the above picture SDN is NSX in vmWare land and ACI in Cisco land.
2. SDN will change: In my definition in today’s technology ‘network infrastructure’ you might assume we will have routers, switches, IP addresses, load balancers, etc 25 years from now. WRONG. 25 years from now the ‘network infrastructure’ might be the backplane of an enormous gyrating Borg Cube with lights (aka ‘War Games’) with no network. All the virtual guests will be running in the Borg Cube and use distributed shared memory (vs. IPv4) to share data. Who knows? But those communication channels still exchange packets hence I use the term ‘network infrastructure’.
3. The Cloud  – 10 years out I am trying to decide what The Cloud will look like 10 years out. If we go the Google route with 1000000’s of generic Linux servers, then you have to transport packets between systems. If you pack it all into a gigantic Borg Cube, you’ll have a pica-sec latency backplane with oodle’s of terabit/second throughput….but you will be wedded to an evil OEM. I’m will guess a enterprise will buy multiple Borg Cubes for redundancy because they want to be able to call 1-800-xxx-xxxxx and scream at someone if it blows up.
4. Rapid Deployment – Rapid Destruction Kelman from CheckPoint’s quote. Scripts can deploy quickly and just as quickly destroy the whole environment. In addition you now have an even more concentrated group of employees with super uber admin privileges administrating the Borg Cube. One bad apple and your enterprise is gone.
5. Single Point of Failure – The Borg Cube – Any failure in SDN internals or Cloud management will bring down the whole Borg. You know how firewall clusters only fail over in the perfect world? Same thing here.
6. Orchestration – See Rapid Deployment Rapid Destruction
7. Staffing – Need to know networking, security, scripting.
8. Licensing – Will be interesting how licensing models will change. Currently licensing is based a lot on IP addresses. Also licensing is based on the physical world..deploying 400 firewalls is a big deal now but imagine deploying 1000000000’s of firewalls with scripts. In addition, retiring 400 firewalls takes years but now you can do it in a second. So what will licensing look like in this IP-less dynamic world? It is a nightmare now with many products.
9. Compliance – Remember application weenies want to just fire and forget. The CIO will want you to deploy a 600 server farm today and worry about security later. So how do you ensure that these dynamic environments maintain a security compliant profile? Not sure what products can adapt to this dynamic environment at this point.
10. Debug vs Deploy – Debugging will be a nightmare in this dynamic environment created by scripts. Have you ever debugged in a load balanced environment when packets are never following the same path? This will be even more fun with encrypted tunnels, floating guests, scripted deployments….
11. VMware security architecture issue – Rumor has it (I heard this through the grapevine, have not verified details) that VMware based firewalls (Palo, CheckPoint, etc) are not totally embedded within the hypervisor. When the hypervisor sees traffic that needs to be processed by a firewall, it forwards it to a virtual guest that is a firewall. So while the abstraction is that every virtual guest has a mini-firewall running inside of it, the reality is that there could be only 1 virtual guest firewall that manages security for all the virtual guests. So this means a Borg cube with 10000000 virtual guests might have 1 actual firewall managing security for 1000000 virtual guests.

    So when talking to vendors ask them explicitly how firewall processing works and how it differs from VMware native firewalls. I will too.

Summary

1. Classic IPv4 networking will go away away over time as network speeds, bandwidth, latency all improve. Will be replace by The Borg, UIDs, share file systems or similar.
2. Orchestration/Scripting/Automation will replace people, outsourcing
3. Security will be an afterthought…always is in new technology
4. Failures will be catastrophic and really cool to talk about over beers
5. If CheckPoint/Tufin play it right, their management framework could win in this virtual world. Ideal would be if VMware bought CheckPoint for their management environment  intellectual property.