The Layers of Internet (In)security



If Networking had layers, Security had depth. The layers in networking were meant to ensure separation of concerns, so that each layer could make use of the layer immediately below it.

That allowed for a good divide-and-conquer strategy that has worked very well over the years. It is the foundation on which the apps people build can run over any access medium and be accessed by any device – it frees the app writer from the nuances of networking. Security is a broad topic – it can be applied to endpoints, networks, or applications. But we will talk about (Inter)network security here. And for years, it has aspired to uplevel itself into the application domain by trying to apply application access policies in the network. Just as networking is about layering, so also, security approaches have been about “defense in depth.” You get past one layer, and the next layer kicks in. To get to the crown jewels, you really need to breach all the layers in the so-called cordons of security. In spite of this solid foundation for networking and security, a lot has been left to chance.

TCP/IP has had a much-cherished history. It won the data/voice/video carrier dominance war against the telecom/datacom world, which had its own set of convergence protocols – X.25, Frame Relay, and ATM. The world had agreed that convergence was the way to go, and TCP/IP emerged as the victor. There were many good reasons why that happened. For one, the telecom world was plagued with bureaucracy in standardization and then in operationalizing it. The Internet world, on the other hand, was refreshingly democratic in how standardization worked through the IETF. Freedom and liberty finally prevailed.

However, IP was born insecure, and that has caused a lot of heartburn. Internet culture was that of fun and frolic. Of enabling applications that were only imaginable in science fiction. It was not meant to become the backbone of the mission-critical workloads that it is entrusted to carry these days. Its premise was to celebrate the network effect and the virality of connectedness. To bring the world together into a closely knit whole. So security kind of got left behind. If you think the World Wide Web took shape in 1989, the Morris worm came even earlier – in 1988. It was trivial for hackers to cause havoc, and gain stardom as well as celebrity status. Hacking has changed over the years into the darker world of creating a marketplace for sensitive information and for blackmail, and even state warfare and espionage.

In response, Internet Security evolved in a rather haphazard manner. Every layer came up with its own paradigm, with MACsec at layer 2, IPsec at layer 3, and SSL/TLS at layer 4 leading to HTTPS at layer 7. The layers that secured the network themselves came under attack by researchers and hackers alike, and even recently so. Only over several years have they become hardened and fortified for prime-time use. Network-based signature matching (a.k.a. Deep Packet Inspection) represented the next big advance in security. However, it brought along its own set of challenges. Deep Packet Inspection (DPI) blatantly violated the layers of networking. While the networking layers were an attempt to divide and conquer the problem of networking, DPI created a new layer that could deal with any app. There can be millions of apps out there, so creating a layer that could handle any app represented some kind of monolith or bloat that was trying to do everything in one place. Moreover, there was the challenge of being a man-in-the-middle, and of dealing with encrypted traffic.

Policy, which was the cross-layer tie-in piece, has also left a lot to be desired. Even though you could create policies (or access control lists) that cut across layers, there was a bigger disconnect in the policy paradigm itself. The IP address was an alias for reachability, user, client and geo-location alike, and hence ambiguous and hard to deal with. Port numbers, which represented applications, were ephemeral and hard to track and keep up with. Now with containers and microservices, even IP addresses have become ephemeral, with extremely short lifetimes.
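To make the point above concrete, here is an added illustration (not from the original post): a toy policy engine evaluates the same intent once as an IP-keyed access list and once keyed on workload identity, before and after the address churn that rescheduled containers produce. All workload names and addresses are constructed.

```python
# Constructed example: IP-keyed policy vs identity-keyed policy under address churn.
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str   # stable identity (service account, label); what the rule actually means
    ip: str     # current address; reassigned whenever the workload is rescheduled


def reschedule(w: Workload, new_ip: str) -> Workload:
    """Model a container restart: same identity, new address."""
    return Workload(w.name, new_ip)


def ip_policy(allowed_ips: set[str]):
    """Classic ACL: the rule is written as a set of addresses."""
    return lambda w: w.ip in allowed_ips


def identity_policy(allowed_names: set[str]):
    """Rule written against the thing the address was standing in for."""
    return lambda w: w.name in allowed_names


def evaluate(policy, workloads: list[Workload]) -> dict[str, bool]:
    return {w.name: policy(w) for w in workloads}


def churn_demo() -> dict[str, dict[str, bool]]:
    # Intent: only the payments service may reach the database.
    payments = Workload("payments", "10.0.0.5")
    batch = Workload("batch-job", "10.0.0.7")
    by_ip = ip_policy({"10.0.0.5"})       # written when payments happened to hold 10.0.0.5
    by_id = identity_policy({"payments"})
    before = [payments, batch]
    # Both workloads restart; the scheduler hands payments' old address to batch-job.
    after = [reschedule(payments, "10.0.0.9"), reschedule(batch, "10.0.0.5")]
    return {
        "ip_before": evaluate(by_ip, before),
        "ip_after": evaluate(by_ip, after),        # payments denied, batch-job allowed
        "identity_before": evaluate(by_id, before),
        "identity_after": evaluate(by_id, after),  # unchanged: identity survived the churn
    }


if __name__ == "__main__":
    for check, result in churn_demo().items():
        print(check, result)
```

After the restart the IP-keyed rule fails in both directions at once (the legitimate service is blocked and the unrelated job inherits its access), while the identity-keyed rule is unaffected.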

Finally, coming back to security’s aspiration of creating depth in the defense, the current world of non-cooperating point solutions also falls short of the intended promise. Without a holistic approach, the whole notion of defense in depth gets compromised. The right way to think about security is to first understand the context, and only then understand the threat vectors. And the right way to think about defense in depth is to build your next line of defense based on the threat characteristics of your previous line of defense.
