Multi-layer Network Security Architecture
This month is the last of four installments on multi-layer network architectures. We talked about the need for satellite, fiber and wireless network architectures to include all layers in their designs. When they are integrated together to form one Internet, internetworking issues appear at all layers, including the Application Layer, which makes network architectures with coherent multi-layer designs all the more critical. This last piece addresses network security and resiliency and the need for a multi-layer approach to an effective design.
As a design principle, the key attribute of an effective network security and resilience architecture is a set of overlapping, redundant, layered (not in the sense of network layers but “wrapped-in-layers”), pervasive, rapidly updated defenses, and perhaps offense.
Most commercial network security defenses are software-based in the Application Layer and sometimes in the Network Layer (for operators). The classical (by now obsolete) cyber defense is perimeter defense: blocking exits to and entrances from ‘bad’ sites, and blocking known malware using signatures and indicators.
Modern security systems use a continuous assessment posture for traffic analysis, kernel integrity testing, anomaly detection, fuzzing, zero-day attack detection and behavior monitoring, etc. However, these techniques thus far have been confined to the Routing, Transport and Application Layers (in rare instances the MAC Layer is also monitored).
Future techniques will include sensing at the sources of attacks in conjunction with decisions and predictions fast enough for reaction, isolation, reconfiguration and reconstitution. These techniques will use monitoring at all layers, especially at the physical point of attack, and a new generation of AI/ML that is both safe and possibly explainable. The final defense can be an offense on any of the layers of the network at the attack origins.
The concept of an information system perimeter was difficult to maintain even a decade ago. Mobility, bring-your-own-device policies, and shared cloud architectures have further eroded the concept of an organizational perimeter. The perimeter, whether at the Physical Layer or at the higher Routing and Transport Layers, will continue to erode for the foreseeable future, and it has already proven woefully inadequate in recent years. One example that goes back decades is jamming of the RF Physical Layer of wireless and satellite communication systems. With the advent of data networking, the use of typical Internet protocols such as TCP/IP has revealed a multiplier effect in the Transport Layer when TCP is used: the effectiveness of Physical Layer jamming is magnified 100-1000 fold by the TCP reactions it induces, window closing and slow starts, severely compromising throughput. Sensing and localization of the exact attack is not possible at the Transport Layer, so Physical Layer monitoring is necessary. Similar effects can be induced in optical networks, where impairments injected at the Physical Layer show up as severe performance degradation in the upper layers.
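The multiplier effect described above, as an added toy model that is not part of the column: a simplified Reno-style sender (window halving plus slow-start restart on each loss) is hit by one destroyed segment every few round trips, and the goodput it loses is compared with the channel's actual loss rate. The parameters (1000 RTTs, one hit every 20 RTTs, a 100-segment window cap) are assumptions chosen for illustration.

```python
"""Toy Reno-style model of the jamming 'multiplier effect': a handful of
segments destroyed at the Physical Layer triggers window halving and slow-start
restarts at the Transport Layer, so goodput falls far more than the channel
loss rate alone would explain. Added illustration; not from the column."""


def tcp_goodput(rtts, loss_rtts, cwnd_max=100, ssthresh=50):
    """Simulate one TCP flow for `rtts` round trips with one loss event in each
    RTT listed in `loss_rtts`. Returns (segments delivered, segments lost)."""
    cwnd = 1
    delivered = lost = 0
    for t in range(rtts):
        sent = min(cwnd, cwnd_max)
        if t in loss_rtts:
            # one segment destroyed by the burst: the rest of the window lands,
            # but the sender halves ssthresh and restarts from cwnd = 1
            lost += 1
            delivered += sent - 1
            ssthresh = max(sent // 2, 2)
            cwnd = 1
        elif cwnd < ssthresh:
            delivered += sent
            cwnd = min(cwnd * 2, ssthresh)      # slow start
        else:
            delivered += sent
            cwnd = min(cwnd + 1, cwnd_max)      # congestion avoidance
    return delivered, lost


def jamming_amplification(rtts=1000, jam_period=20, cwnd_max=100):
    """Compare the channel's true loss rate with the fraction of goodput lost,
    relative to an undisturbed flow. Returns (loss_rate, goodput_loss, ratio)."""
    baseline, _ = tcp_goodput(rtts, set(), cwnd_max)
    bursts = set(range(jam_period - 1, rtts, jam_period))  # one hit per jam_period RTTs
    jammed, lost = tcp_goodput(rtts, bursts, cwnd_max)
    loss_rate = lost / (jammed + lost)                 # what the channel actually destroyed
    goodput_loss = (baseline - jammed) / baseline      # what the application actually feels
    return loss_rate, goodput_loss, goodput_loss / loss_rate


if __name__ == "__main__":
    rate, drop, ratio = jamming_amplification()
    print(f"channel loss {rate:.2%}, goodput lost {drop:.1%}, ratio ~{ratio:.0f}x")
```

With these assumptions the channel destroys about 0.26% of segments while the flow loses about 80% of its goodput, a ratio of roughly 300, inside the range the column quotes; a Transport-Layer observer sees only the retransmissions and shrinking windows, not the bursts that caused them.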
When a network suffers a performance impairment, diagnosis is hard if the observable is not at the layer of the attack surface. Thus TCP window closing may be wrongly interpreted as congestion, or as fading in the Physical Layer, rather than as intentional interference with the physical channel. A well-engineered network management and control system should have visibility into all layers of the network. Cross-layer network attacks and impairments have been under-reported and under-analyzed. Many subtle attacks elude observation, and most network management and control systems are not designed or instrumented for comprehensive sensing and assessment, let alone for the judicious use of active probing to reduce uncertainty and confirm impaired network states. As a design example, in the diagram below depicting some of the elements of a secure network architecture, GPUs (graphics processing units, Physical Layer hardware) are added to provide real-time streaming analysis of the traffic at Layer 3, the Routing Layer, and/or Layer 4, the Transport Layer, and packet payload inspection at the Application Layer. HPC and cloud will be used for network security and information assurance monitoring, decision making and remediation. The hardest part will be, upon observing performance impairments at the Application Layer, how the network can automatically reach the right attack surface for remediation. This calls for an integrated view of all the layers, with command and control orchestrated by some security entity, centralized or, better yet, distributed.
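The cross-layer visibility argued for above, as an added illustration that is not part of the column: a triage rule takes the same Transport-Layer symptom (retransmissions and a collapsed window) and consults Routing-Layer queue occupancy and Physical-Layer SNR and noise-floor telemetry to separate congestion, fading and external interference. The telemetry fields, thresholds and sample values are assumptions constructed for the example.

```python
"""Cross-layer triage of a throughput collapse: Transport-layer symptoms are
matched against Routing-layer queue occupancy and Physical-layer SNR and
noise-floor telemetry to separate congestion, fading and external interference.
Added illustration; fields, thresholds and sample values are assumptions."""

from dataclasses import dataclass


@dataclass
class Sample:
    t: int                  # measurement interval
    retrans_rate: float     # L4: retransmitted / sent segments
    cwnd_mean: float        # L4: mean congestion window, segments
    queue_util: float       # L3: router egress queue occupancy, 0..1
    snr_db: float           # L1: receiver SNR
    noise_floor_dbm: float  # L1: receiver noise-floor estimate


def triage(history):
    """Classify the latest interval in `history` against its first (healthy) one."""
    base, cur = history[0], history[-1]
    l4_degraded = cur.retrans_rate > 0.01 and cur.cwnd_mean < 0.5 * base.cwnd_mean
    if not l4_degraded:
        return "healthy"
    snr_drop = base.snr_db - cur.snr_db
    noise_rise = cur.noise_floor_dbm - base.noise_floor_dbm
    if cur.queue_util > 0.8 and snr_drop < 3:
        return "congestion"             # full queue, channel unchanged: back-pressure
    if snr_drop >= 6 and noise_rise >= 6:
        return "physical-interference"  # SNR fell because the noise floor rose
    if snr_drop >= 6:
        return "fading"                 # SNR fell with a quiet noise floor: signal loss
    return "unexplained"                # L4 symptoms with no L1/L3 cause visible


# constructed telemetry: two healthy intervals, then three different impairments
TELEMETRY = [
    Sample(0, 0.001, 80.0, 0.30, 25.0, -95.0),
    Sample(1, 0.001, 82.0, 0.32, 25.0, -95.0),
    Sample(2, 0.020, 30.0, 0.95, 24.5, -95.0),  # queue saturates, channel unchanged
    Sample(3, 0.030, 12.0, 0.20, 14.0, -84.0),  # SNR -11 dB with noise floor +11 dB
    Sample(4, 0.025, 15.0, 0.15, 17.0, -95.0),  # SNR -8 dB, noise floor unchanged
]


def triage_sequence(samples):
    """Run triage over a growing window; returns one verdict per interval."""
    return [triage(samples[: i + 1]) for i in range(len(samples))]


if __name__ == "__main__":
    for s, verdict in zip(TELEMETRY, triage_sequence(TELEMETRY)):
        print(s.t, verdict)
```

Intervals 2, 3 and 4 look identical from the Transport Layer alone; only the L3 and L1 readings tell the three cases apart, and only the "physical-interference" verdict points remediation at the channel rather than at the flows.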
The following are some necessary information assurance architecture constructs:
- Understanding, insight and decision support for information assurance, such as detection of attacked and compromised assets.
- Isolation of faulty and compromised assets.
- Reconstitution of network functions using healthy fragments.
- Cognitive steering of link-state data flows that maintains network-state database coherence and persistence while minimizing data motion to lower the communication burden on the network.
- Implementation of distributed control at the appropriate layer/s for resilience.
Ultimately, the bottom-line performance metric is: ‘can the network transfer messages/files within the time deadline?’ With the wealth of attack surfaces in all layers, some fraction of any future network should be expected to be compromised. The imperative is that the architecture automatically find and use the remaining intact components to provide reliable network services. These can be hardware components in the Physical Layer or processes in the upper layers. The control plane should possess an overall view of all layers of the network, including applications at the end-point devices. Indeed, the vision of a Byzantine robust network [1] was an abstract idea at its inception in 1988, but it has become much more relevant today.