Tech Trends: Protect Your Login Process

Sept. 13, 2018
Summer tech finds: A closer look at an effective method of two-factor authentication and more

Every so often, I hit a patch where I will run across a flurry of technologies worthy of mention in this column. Here are two that recently caught my eye: The first involves cryptography for two-factor network authentication; the second involves the “virtualization” of computing and storage resources. Let’s take a closer look:

Easier Authentication

Hopefully, by now, most of you are using two-factor authentication for your apps and access to critical accounts. It is now common to receive a code by text or email, which combines the authentication factor of “Something You Have” (phone or PC) with a password (“Something You Know”) – the other factor being “Something You Are” (typically a biometric).

What are you doing to protect your login process? Although it has been available for a while, I only recently investigated and purchased a YubiKey 4 from Yubico: a USB key that is inserted into a computer and that the user taps when prompted by the application.

First, a little terminology: U2F is an emerging standard for physical authentication tokens. A U2F USB key is a device inserted into a computer that automatically generates and fills in a special code when activated by touch – the YubiKey is one such key.

FIDO is a set of protocols designed to reduce the sole reliance on passwords for authentication. According to the FIDO Alliance (http://fidoalliance.org), “FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.”

The FIDO2 project is a set of initiatives to provide FIDO authentication for the web, including a standard API – WebAuthn – that lets web-based services embed this functionality. WebAuthn may replace traditional passwords, and a USB key can provide the second authentication factor.

Reduced reliance on passwords can help protect against phishing, man-in-the-middle and replay attacks using stolen passwords.
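To make the registration and challenge-signing flow quoted above concrete, here is an added example in Go (written for this column, not Yubico's or the FIDO Alliance's code): a software Ed25519 key stands in for the hardware token, and the RelyingParty type, the origin string and the touched flag are assumptions of the example. It shows the three properties the paragraph above relies on: the service never holds the private key, the signed message is bound to the site's origin, and each challenge is accepted once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty is the service: it stores only the public key and open challenges.
type RelyingParty struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

// Register: the device creates a key pair, keeps the private key, hands over the public.
func Register(rp *RelyingParty) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = pub
	return priv, nil
}

// Challenge issues a fresh 32-byte nonce and records it as pending.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Sign is the "touch the key" step (no touch, no signature). The origin is part
// of the signed message, so a signature obtained by a look-alike site fails here.
func Sign(key ed25519.PrivateKey, origin string, challenge []byte, touched bool) []byte {
	if !touched {
		return nil
	}
	return ed25519.Sign(key, append([]byte(origin+"|"), challenge...))
}

// Verify consumes the challenge (one attempt each, no replay) and checks the signature.
func (rp *RelyingParty) Verify(origin string, challenge, sig []byte) bool {
	if len(rp.pub) != ed25519.PublicKeySize || !rp.pending[string(challenge)] {
		return false
	}
	delete(rp.pending, string(challenge))
	return ed25519.Verify(rp.pub, append([]byte(origin+"|"), challenge...), sig)
}
```

A real key also checks which origin the browser reports and keeps a signature counter; this model keeps only the origin binding and the single-use challenge.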

With the YubiKey 4 (available for $40 on Amazon), a user touches it to trigger FIDO2, WebAuthn, U2F, smart card (PIV), challenge-response, or other authentication methods. It works with Windows and Mac login, Gmail, GitHub, Dropbox, Dashlane, LastPass, Facebook, Salesforce and other services. I use it with LastPass, coupled with the LastPass Authenticator app on my iPhone. The instructions for set-up were easy to follow.

Network Virtualization

My good friend and former collaborator at Cisco, Fernando Macias of VMware, recently made me aware of the VMware NSX Data Center, which provides networking and network security entirely in software – abstracted from, and independent of, the underlying physical infrastructure. As most professionals know, VMware pioneered the virtualization of computing and storage resources.

NSX is the next logical step. “Most IT security efforts focus on North-South traffic – traffic coming in through the perimeter from the outside; however, a big gap exists in multi-application environments once an intruder has gained access to the network,” Macias explains. “Then, you worry about the escalation of privileges and movement from application to application, which we call East-West traffic.”

Deploying firewalls throughout the network is costly and time-consuming, and it is extremely difficult to scale and reconfigure them effectively to meet changing needs. Stricter, more granular security is needed, with the ability to tie security to individual workloads and to provision policies automatically. Using a concept called “microsegmentation,” NSX enables fine-grained network controls for unit-level trust and flexible security policies that can be applied to the network interfaces of individual workloads. It ties security policies directly to an application.

Most IT departments rely on VLANs and subnets to partition their applications logically; however, these are often overly complex and easy to misconfigure. Access control to a subnet may be inadequate, and network changes can be challenging – leading to weak security and delays in provisioning applications. This is all part of the larger picture of virtualization.

Rather than calling this software-defined networking, VMware calls it the Software-Defined Data Center (SDDC), recognizing that multiple applications co-habit virtual environments along with the network infrastructure they require. It uses the VXLAN (Virtual Extensible LAN) protocol to provision a virtual overlay network: a virtual network built on top of the existing Layer 2 and Layer 3 network technologies – i.e., existing switches and routers – to support flexible and scalable network architectures. Network virtualization technology is hardware-agnostic and decouples network services from the underlying hardware.

Think of this as a software-defined “super network” sitting above various existing networks with the ability to tie pieces of these together, without a limitation of physical location (think enterprise networks).

Enhanced switching, routing, firewalling and load balancing are provisioned in software. Network and security services in software are distributed to hypervisors (virtual machine managers) such as VMware's and “attached” to individual VMs in accordance with the networking and security policies defined for each application.

When a VM is moved to another physical host, its networking and security services move with it, and security policies can be extended to new VMs provisioned for new applications. Network virtualization creates, provisions, and manages virtual networks, utilizing the underlying physical network as a simple packet-forwarding backplane. Communication within a virtual network never leaves the virtual environment. Further, network configurations can be replicated across multiple clouds for resiliency.
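To make the VXLAN overlay described above concrete, here is an added example in Go (written for this column, not VMware's NSX code): it builds and parses the 8-byte VXLAN header from RFC 7348, whose 24-bit VNI identifies the virtual segment, and models an overlay in which a frame is delivered only to a workload attached to that segment, wherever the workload physically runs. The Overlay type and the workload names are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

const vxlanHeaderLen = 8 // VXLAN header size in bytes (RFC 7348)

// Encap wraps an inner Ethernet frame in a VXLAN header carrying the segment's VNI.
func Encap(vni uint32, frame []byte) ([]byte, error) {
	if vni >= 1<<24 {
		return nil, errors.New("VNI must fit in 24 bits")
	}
	hdr := make([]byte, vxlanHeaderLen)
	hdr[0] = 0x08                                // I flag set: a valid VNI follows
	binary.BigEndian.PutUint32(hdr[4:8], vni<<8) // VNI in bytes 4-6, byte 7 reserved
	return append(hdr, frame...), nil
}

// Decap validates the header and returns the VNI and the inner frame.
func Decap(pkt []byte) (uint32, []byte, error) {
	if len(pkt) < vxlanHeaderLen {
		return 0, nil, errors.New("packet shorter than VXLAN header")
	}
	if pkt[0]&0x08 == 0 {
		return 0, nil, errors.New("I flag clear: no valid VNI")
	}
	vni := binary.BigEndian.Uint32(pkt[4:8]) >> 8
	return vni, pkt[vxlanHeaderLen:], nil
}

// Overlay is a toy model of the virtual network: it records which segment
// (VNI) each workload is attached to, wherever that workload physically runs.
type Overlay struct{ segment map[string]uint32 }

// Attach places a workload in a segment; a VM that moves hosts keeps this mapping.
func (o *Overlay) Attach(vm string, vni uint32) { o.segment[vm] = vni }

// Deliver hands the inner frame to dst only if dst is attached to the packet's
// VNI; a frame never crosses from one segment into another.
func (o *Overlay) Deliver(pkt []byte, dst string) ([]byte, bool) {
	vni, frame, err := Decap(pkt)
	seg, attached := o.segment[dst]
	if err != nil || !attached || seg != vni {
		return nil, false
	}
	return frame, true
}
```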

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and the CONSULT Technical Security Symposium. Email him at [email protected], or contact him through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter: @RayCoulombe.