I'm worried about the future. Not so much about an apocalypse-inducing asteroid, or even a civilization-stunting setback like the grid being offline for a month, but something more technical, more exasperating. As a network engineer, I'm worried that the future of the Internet of Things (IoT), plus programmable networks -- or SDN automation -- will mean more headaches, bigger accidents and even fewer restful weekends.
Generally, I'm the first to be excited by new technologies, but there are some significant gaps in SDN we must fill before rushing headlong into automating even more engineers out of IT departments. It's not enough to say these gaps are SDN security related, because it's more than that. SDN is at present fundamentally flawed by a preoccupation with features at the cost of critical security capability.
IoT requires automated network security
For IoT to work, we'll have to turn our network security strategies upside down. Today's networks are unapologetically skeptical, even hostile. If someone wants bandwidth, if they intend to pass traffic, we place the burden on proof-of-policy compliance that involves the device, the user, or a contextual combination of the two. If we define an endpoint as a person/process, plus context, plus device, we find that we put enough hoops in place that it's relatively expensive for endpoints to add themselves to a network of their choosing. Today endpoints need sponsors.
However, IoT networks will need to welcome and even actively assist endpoint connections. Successful networks will compete for connections and find methods to monetize the endpoint-network relationship. That requires SDN that is based on automating the existing security model. But that's a difficult task to take on with ramifications that will be difficult to fix down the road.
IoT and the disposable endpoint culture
To see where IoT is headed, you must look past thermostats, factory floor devices and light switches. Those are all simply legacy devices in traditional roles and connected to the Internet. Imagine instead a world of disposable endpoints, scattered like grains of sand. Think $5 Internet-connected LED binky-wands at a concert that coordinate and synchronize by IP to turn the crowd into a giant, human Jumbotron.
These devices won't be made by Apple, Samsung or Microsoft; they won't run iOS, Android or Windows Mobile. They'll be made wholesale by offshore generic manufacturers, ordered by the shipping container-full. They won't care about security patches or perhaps security at all for that matter. How many manufacturers of USB devices are there today? Hundreds? Imagine all of them cranking out Internet things to use and then throw away. How will our networks cope with endpoints that aren't updatable by design?
The cloud in every mote
Twenty years ago we thought the future was super smart autonomous nodes and grids. Now we see it as ever cheaper devices connected to Google, Facebook and other cloud and SaaS services. Even the dumbest devices now harness the essentially limitless power of enormous data centers. This adds an entirely new security risk for enterprise networks.
We already have Shazam encouraging users to enable the app's always-on mode. Where does all that audio go? What about Google or Siri voice search clips? And these are today's apps. With Google Glass on the horizon, we'll soon see an explosion of wearable tech transmitting information in ways we can't imagine. And our shiny new SDN-driven networks will welcome them with open arms because they'll have to -- otherwise IoT won't get off the ground.
We can't wait for automated SDN security
When tens of millions or even tens of billions of new endpoints pop onto our networks, through guest SSID or otherwise, they'll all look the same: HTTP:80/HTTPS:443 -- just like any Web browser. There won't be time for admins to notice misbehaving endpoints and ACL them out; neither will they be able to track hundreds of vendors against vulnerability databases.
The network itself will have to constantly recalculate virtual endpoint trust credit scores based on behavior. It will have to identify thousands or even millions of devices by their traffic fingerprints alone and do deep packet inspection at volumes never before possible. It must be circumspect yet open -- self-healing, in fact. It must prioritize alerts for human intervention based on weighted risk assessments.
SDN will have to accomplish all of this while simultaneously defining and implementing a new security paradigm, achieving problem-assessment abilities and processing orders of magnitude more traffic than the human admins it will replace can handle. And that prospect, aggravated by a "we'll do security later" attitude, is worrisome indeed.
About the author:
Patrick Hubbard is a head geek and senior technical-product marketing manager at SolarWinds. With 20 years of technical expertise and IT customer perspective, his networking management experience includes work with campus, data center, storage networks, VoIP and virtualization, with a focus on application and service delivery in both Fortune 500 companies and startups in the high tech, transportation, financial services and telecom industries. He can be reached at Patrick.Hubbard@solarwinds.com.