We live in a scary world. Security attacks are becoming more complex and cross multiple technologies. Attackers are becoming smarter, more tech-savvy, and increasingly state-sponsored. Business-critical applications and infrastructure are constantly being probed for vulnerabilities by both the good guys and the bad ones. We are told that we need to keep our pulse on the latest security vulnerabilities in order to fix them quickly. However, as network operators, we know the reality: fixing security vulnerabilities quickly, and across a fleet of network devices, is rarely possible. That is why the 31 security vulnerabilities Cisco has just announced, some of which have already been exploited in the wild, are that much more frightening.
For as far back as I can recall, devices from network vendors have been given a pass when it comes to meeting internal security policy. The rationale has been that these closed, tightly integrated pieces of equipment were synonymous with hardened, but this is far from the case. When security vulnerabilities are found, the fixes require a new monolithic image to be delivered by the vendor. Testing, verifying and rolling out these fixes takes months at best, and at worst never happens. In the meantime, it leaves a gaping security hole in the infrastructure. All application data moves across network infrastructure. If this infrastructure is compromised, an attacker has the ability to redirect, block or capture that data.
In the most recent campaign, dubbed “Sea Turtle”, DNS was hijacked and used by attackers to mount man-in-the-middle attacks against critical infrastructure components. They leveraged the exploits in Cisco’s IOS and IOS-XE to gain unauthenticated access, reload the affected devices and remotely execute code with elevated privileges. The fix for these issues? A new monolithic image, which again needs months (or longer) to be tested, verified and manually rolled out, and which carries both the fix AND other changes that could affect how the device functions in the environment.
The way in which we run network infrastructure is broken. The ability to update infrastructure and resolve security vulnerabilities is a basic fact of running it today, yet it is not possible with legacy networks. We have viewed this infrastructure as static, siloed and brittle. This starts with a failure in how Network Operating Systems have been architected. SnapRoute’s CN-NOS takes a different approach to solving this problem. CN-NOS is a set of containerized microservices managed by Kubernetes. With CN-NOS you can upgrade or immutably replace network applications with little or no impact, in seconds rather than months. Security vulnerabilities on network equipment, while still scary, are no longer the Trojan horse they are today.