“Deny All” Networking

by Sorell Slaymaker

Enterprises that are tired of being hacked or knocked over by DDoS attacks must move to a new network architecture: one that refuses to forward any packet at the edge of the network unless an explicit policy allows it on.  In this age of cloud, mobile/BYOD, IoT, and internetworking, users and applications are usually on separate networks.  There is no longer a hard perimeter with a clear demarcation point around the private enterprise network, and nothing inside the enterprise can be trusted by default.


Deny All Networking (DAN) goes against the original objective of the Internet, which was to connect everything and fall back to a default route whenever there was no known path.  Enterprises, Network Service Providers (NSPs), and Cloud Service Providers (CSPs) spend tens of billions of dollars on firewalls to control which packets can go where, with marginal success.  The fundamental problem with today's architecture is that packets are admitted onto a network first, and only later, at a network border, is a security policy applied to allow or deny them.

DAN differs from the Zero Trust Network (ZTN) architecture developed by John Kindervag of Forrester Research. The original ZTN architecture places security at the borders of the network and relies on firewalls and other very expensive network security products for enforcement.  These borders can be segments within an enterprise or boundaries between domains. The DAN proposed here places security at the very edge of the network and relies on cheap, stateful, session-oriented routers with layer 1-4 firewalling built in natively.

The foundational elements of Deny All Networking are:

  • Deny forwarding any packet at the ingress of the network unless there is an explicit policy to allow it onto the network. This means getting rid of layer 2 broadcast domains along with default routes in IP.  While layer 2 Ethernet is popular for being fast, simple, and cheap, it is not natively secure: any host on a broadcast domain can reach, and spoof, any other.  IP routing and network intelligence must be pushed to the edge of the network, the distribution layer should be done away with, and the core of the network should be simple and fast.  A signaling mechanism, as in the telephone network, should be used to check whether a session is allowed before it is established.
  • Create a real-time security policy protocol. Unlike routers, which update each other automatically via a routing protocol such as BGP, firewall security policies are updated "out-of-band" through a centralized management platform.  A standardized security policy protocol would let applications dynamically create security trust levels and distribute them across the network in real time.
  • Simplify with named addressing. Reading firewall and access control rules is a nightmare that involves mapping IP addresses and port numbers back to servers and devices.  When applications traverse multiple networks, each with its own IP addressing scheme, the end-to-end security policy mapping gets lost.  Named addressing, with names resolved to addresses at the edge, solves this problem.
  • Encrypt all traffic across the network. Check whether the application is already encrypting; if not, encrypt the session. For highly secure applications, additional network-layer encryption may be required to hide the flow metadata (who is talking to whom), though an observer on the path can still see timing and volume.  While data at rest is routinely encrypted, encrypting all traffic in motion has until now been considered too expensive.  But as routers move to software, and with Intel AES New Instructions (AES-NI) accelerating encryption, the cost and performance hit of network encryption are becoming minimal.
  • Authenticate all network devices and routes. Ethernet switches and wireless routers can be added to networks maliciously or, more often than not, by a naïve user wanting to bypass the standard IT process to get something done quickly.  Routers will also accept routes from unauthenticated sources unless configured not to.  Authentication should be done both hop-by-hop and end-to-end across the network.
  • Segment all traffic end-to-end, per application, without limit. The problem with micro-segmentation strategies is that they usually stop inside the data center and do not extend to the endpoints.  Endpoints sit on a single network segment when they should be on multiple segments, each defined by an application's security requirements.  Each segment should be completely hidden from the others.
  • Detailed inspection of every session. Use automated application identification to classify all traffic correctly regardless of the protocols and ports used.  The most reliable way to identify applications automatically is to understand the certificate exchange, most commonly X.509 certificates issued under a Public Key Infrastructure (PKI); note that this depends on the certificates being visible during the handshake, which is no longer true of the server certificate in TLS 1.3.  Log, report, filter, and analyze every session that traverses the network, including the packets that are denied access to it.
  • Least privilege access control. Use both the application identity and the user/device identity, and grant the least network access that does the job.  Multiple management domains can be defined in a hierarchical fashion.  Hold all users and applications to the same strict security policies.
  • Very cost effective. Large cloud providers are spending less on networking equipment as they move to software and open source solutions running on commodity hardware.  The problem is that TCO is going up because expensive firewalls are being placed everywhere to provide micro-segmentation.  The decision to allow a packet or session onto a network should be made at the very edge of the network, so edge security must be very cost effective.
  • Hierarchical security policies – Access Control Lists (ACLs) govern the security from one network segment to another.  The challenge with ACLs is that they grow combinatorially, with the number of segment pairs times the number of applications, as segments and applications expand.  Firewalls implement ACLs as flat global tables with no application-specific context.  ACL "hell" can be avoided with hierarchical policies that take advantage of the named addressing and the automated security policy protocol mentioned above.
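As an added illustration, not code from the original article, the following Python sketch ties several of the elements above together: a signaling-style admission check that runs before a session is set up, deny by default for anything without an explicit allow, policy written in hierarchical names rather than IP addresses (so renumbering touches only the name registry, not the rules), and a log of every decision including denials.  The name registry, networks, rules, and the helper names admit, name_for, and under are all constructed for the example.

```python
# Added example, not from the original article: a deny-by-default,
# session-oriented admission check using hierarchical named addressing.
# All names, networks and rules below are constructed sample data.
import ipaddress
from dataclasses import dataclass

# Name registry: hierarchical names -> IP networks.  Policy is written
# against names, so renumbering changes only this table, not the rules.
NAME_TO_NET = {
    "corp.finance.laptops":     ipaddress.ip_network("10.10.0.0/16"),
    "corp.finance.payroll.web": ipaddress.ip_network("10.20.1.0/24"),
    "corp.finance.payroll.db":  ipaddress.ip_network("10.20.2.0/24"),
    "corp.iot.cameras":         ipaddress.ip_network("10.30.0.0/16"),
    "cloud.vendor.ntp":         ipaddress.ip_network("203.0.113.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str     # a name, or a prefix that covers every name beneath it
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# The complete allow-list.  Anything not matched here is denied at ingress.
POLICY = [
    Rule("corp.finance.laptops", "corp.finance.payroll.web", "tcp", 443),
    Rule("corp.finance.payroll.web", "corp.finance.payroll.db", "tcp", 5432),
    Rule("corp", "cloud.vendor.ntp", "udp", 123),  # hierarchical: all of corp
]

# Every decision is recorded, including the denials (the interesting ones).
DECISIONS = []


def name_for(ip):
    """Map an address to the most specific registered name, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in NAME_TO_NET.items():
        if addr in net and (best is None or net.prefixlen > NAME_TO_NET[best].prefixlen):
            best = name
    return best


def under(prefix, name):
    """True when name is prefix itself or lies beneath it in the hierarchy."""
    return name == prefix or name.startswith(prefix + ".")


def admit(src_ip, dst_ip, proto, dport, policy=POLICY):
    """Signaling-style check run before a session is established.

    Returns "allow" only on an explicit policy match; everything else,
    including traffic from unregistered endpoints, is denied.
    """
    src, dst = name_for(src_ip), name_for(dst_ip)
    verdict, reason = "deny", "no matching policy"
    if src is None or dst is None:
        reason = "unregistered endpoint"
    else:
        for rule in policy:
            if (under(rule.src, src) and under(rule.dst, dst)
                    and rule.proto == proto and rule.dport == dport):
                verdict = "allow"
                reason = f"{rule.src} -> {rule.dst} {rule.proto}/{rule.dport}"
                break
    DECISIONS.append((verdict, src, dst, src_ip, dst_ip, proto, dport, reason))
    return verdict


if __name__ == "__main__":
    samples = [  # constructed session-setup requests
        ("10.10.5.7", "10.20.1.9", "tcp", 443),      # laptop -> payroll web
        ("10.10.5.7", "10.20.2.3", "tcp", 5432),     # laptop straight to the db
        ("10.30.0.4", "10.20.2.3", "tcp", 5432),     # camera -> db
        ("10.30.0.4", "203.0.113.10", "udp", 123),   # camera -> vendor NTP
        ("192.0.2.1", "10.20.1.9", "tcp", 443),      # unregistered source
    ]
    for s in samples:
        print(admit(*s), *s)
    for d in DECISIONS:
        if d[0] == "deny":
            print("denied:", d)
```

The laptop reaching the payroll web tier is allowed, the laptop or a camera reaching the database directly is denied, the camera's NTP request is allowed through the single rule written at the "corp" level of the hierarchy, and a source that is not in the registry at all is denied before any rule is consulted.  Notice that the rules never mention an address: moving payroll.db to a new subnet is a one-line change in NAME_TO_NET.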

With endpoints from IoT and BYOD multiplying, most of them on networks outside the core enterprise network, the number of threats is growing just as fast.   DAN is more than segmenting servers and applications: it is end-to-end, dynamic, includes all end devices, and starts at the very edge of the network.

The default rule in a firewall is to "Deny All" traffic, with explicit rules above it for what to allow through.  Deny All Networking takes this concept and applies it to the routed IP network at the very edge of every network.  The recent DDoS attack against Dyn, which made large parts of the Internet unreachable by taking down a major managed DNS service, is an example of how the Internet is broken and why a new network architecture is needed.