A. Joseph Dupre III
Technical Product Manager

SDN Needs Continuous Lateral Threat Propagation Prevention Robustness Testing

August 8, 2016 by A. Joseph Dupre III

Traditional and next-generation workloads are transitioning to the cloud at an increasing pace. Alongside the economies of scale afforded by virtual infrastructure come the familiar security concerns: known vulnerabilities in these workloads and the challenges of securing cloud environments. Software defined networks (SDNs) take important steps towards isolating tenant workloads from other tenants through network segmentation and by applying access policies between virtual network functions (VNFs) and their associated virtual machines (VMs).

Lateral threat propagation is a targeted attack that achieves lateral movement within a data center by exploiting one application layer to gain access to another. For example, a compromised web server is used to inject malicious code that gains root access to an application server, and that root access is then used to read customer data from a connected database server.


Figure 1. Lateral threat propagation in the data center (source: Palo Alto Networks)

Three levels of application protection need to be implemented within the SDN comprising the data center to enable micro-segmentation of the application tiers.

  • First, SDNs provide default isolation through overlay technologies such as VXLAN and NVGRE, ensuring that no communication is possible between networks that should not be connected. In the example, direct connectivity is prohibited between the web and database tiers.
  • Second, stateful firewalls are introduced between directly connected application tiers to provide segmentation protection, using policies on ports, protocols, and VMs to make filtering decisions. In the example, stateful firewall filtering is conducted between the web and application tiers as well as between the application and database tiers.
  • Third, next-generation firewalls (NGFWs) are deployed dynamically to provide advanced threat protection across application tiers by inspecting traffic content for threats and malware.
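The three-level model of the example above, as an added illustration that is not code from the original post or from Ixia, Palo Alto Networks or VMware: a small Python policy evaluator in which each tier is an overlay segment, only adjacent tier pairs carry a stateful policy, and every other flow is denied by default. The tier addresses, ports and replayed flows are constructed, and the intra-tier "allow" is an assumption the post does not address.

```python
from ipaddress import ip_address, ip_network

# Level 1: each tier is its own overlay segment (addresses are constructed).
TIERS = {"web": ip_network("10.1.0.0/24"), "app": ip_network("10.2.0.0/24"),
         "db": ip_network("10.3.0.0/24")}
# Level 2: permitted (proto, dst_port) per adjacent tier pair; no entry means deny.
POLICY = {("web", "app"): {("tcp", 8080)}, ("app", "db"): {("tcp", 3306)}}

def tier_of(addr):
    """Map a VM address to its tier, or None if it sits on no known segment."""
    ip = ip_address(addr)
    return next((name for name, net in TIERS.items() if ip in net), None)

class SegmentationFirewall:
    """Default-deny and stateful: a reply passes only for a session the firewall
    saw opened in the permitted direction."""
    def __init__(self):
        self.sessions = set()

    def evaluate(self, src, sport, dst, dport, proto="tcp"):
        """Return (verdict, reason) for one flow and remember allowed sessions."""
        if (dst, dport, src, sport, proto) in self.sessions:
            return "allow", "reply to established session"
        s_tier, d_tier = tier_of(src), tier_of(dst)
        if s_tier is None or d_tier is None:
            return "deny", "unknown segment"
        if s_tier == d_tier:  # assumption: no firewall between VMs of one tier
            return "allow", "same overlay segment"
        allowed = POLICY.get((s_tier, d_tier))
        if allowed is None:
            return "deny", f"{s_tier}->{d_tier}: tiers not adjacent (overlay isolation)"
        if (proto, dport) not in allowed:
            return "deny", f"{s_tier}->{d_tier}: {proto}/{dport} not in policy"
        self.sessions.add((src, sport, dst, dport, proto))
        return "allow", f"{s_tier}->{d_tier}: {proto}/{dport} permitted"

def run_demo():
    """Replay constructed flows, including the web->db hop the post describes."""
    fw = SegmentationFirewall()
    flows = [("10.1.0.10", 40000, "10.2.0.20", 8080),  # web -> app: legitimate
             ("10.2.0.20", 8080, "10.1.0.10", 40000),  # app -> web: reply
             ("10.1.0.10", 40001, "10.3.0.30", 3306),  # web -> db: no adjacency
             ("10.2.0.20", 50000, "10.3.0.30", 22),    # app -> db SSH: no policy
             ("10.3.0.30", 45000, "10.2.0.20", 8080)]  # db -> app: cannot initiate
    return [fw.evaluate(*f) for f in flows]

if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:5} {reason}")
```

Note that the database tier can only answer sessions the application tier opened to it; a compromised database VM that tries to initiate a connection back to the application tier hits the default deny.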


Figure 2. Lateral threat protection in the data center (Source: Palo Alto Networks)

Just as there is a need for intelligent NGFWs and similar technologies in the physical network, the base capabilities of SDNs need to be enhanced beyond network segmentation and access control to a wide range of threat detection and prevention techniques, and correspondingly verified through repeatable test methodologies.

It seems that each month new software or networking vulnerabilities and exploits are uncovered in both new and legacy infrastructures. These weaknesses can be attacked in one VNF or VM and be used to attack additional portions of the infrastructure or the tenants that use the services.

Attacks can be sourced from virtual clients or from virtual servers. As virtual desktop infrastructure (VDI) moves more and more clients to the cloud, and VNFs move more and more services there, the volume of east-west traffic (client-to-server or server-to-server) within the data center is expected to continue its staggering growth.


Figure 3. Lateral threats combined into an east-west traffic strike list in Ixia BreakingPoint VE

Elasticity in the data center means that one attack surface can quickly become thousands, particularly as workloads scale up in response to requests that appear valid but may in reality be part of a distributed denial of service (DDoS) attack.

The only way to stay vigilant against the threat of old and new vulnerabilities and exploits propagating through the SDN is to ensure that next-generation threat detection and prevention devices are layered as VNFs onto the SDN and regularly exercised through continuous testing using a proven industry test tool—one that can be easily inserted into the tool chain. The test tool must be capable of generating realistic traffic carrying threats, covering both current and past exploits as well as the many variations of each attack.


Figure 4. Successful execution of Ixia BreakingPoint VE security test with prevention of threat propagation

Ixia and Palo Alto Networks have partnered this year to demonstrate next-generation security for VMware-NSX-enabled software-defined datacenters (SDDC). Ixia’s BreakingPoint VE (Virtual Edition) enables the emulation of advanced lateral threat propagation. Palo Alto Networks VM-Series virtual next-generation firewall in conjunction with VMware NSX enables the successful prevention of lateral threat propagation. This joint integration proves the effectiveness of advanced security controls in preventing a variety of server-to-server threat vectors that can be propagated within the virtualized data center.