Data center security: The need to secure intra-data center traffic

By and large, security inside data centers is based on what CAN be done, rather than what SHOULD be done in order to stop an attacker.

August 12, 2014

Since most of an enterprise's sensitive data and business-critical applications reside in the organization's data center, it has become a prime target for attacks.

Data center security tools to date have focused primarily on blocking attacks from entering the data center: they are deployed to fend off threats at the network perimeter, at the physical boundary, and on the personal computers of IT personnel. However, it is widely recognized that despite all the tools deployed to fend off attacks, attackers' sophistication is growing and attacks do find their way into the data center. Human errors, security misconfigurations, spear phishing, drive-by downloads, and infiltration by sophisticated tampered hardware are only a short list of possible attack vectors. Evidently, existing security tools that focus on blocking an attack at its initial access to the data center are not enough.

Furthermore, enterprise application architectures are changing in a way that calls into question the effectiveness of existing data center defenses. A key reason is that applications are more distributed and more traffic flows throughout the data center, so not all threats even pass through the existing security tools, which cannot be scaled across the data center's internal network.

Some of the high-profile data center infiltration cases include RSA and Lockheed, Google, Yahoo and Huawei, but everyone is a target, as demonstrated by the Verizon 2013 Data Breach Investigations Report.

Internal Security of the data center is missing.

Soft Inside

Once an attacker gains access to and control over data center assets, it is typically "game over": security tools inside data centers are scarce and limited, and mostly incapable of detecting and mitigating the propagation of an attack or of malware. This is rather unfortunate, considering the critical data and business processes in the data center, and the potential harm from theft, tampering with, or disabling of data center assets.

According to a report by the security firm Mandiant, it takes on average 243 days to detect such a breach, and most of the time the breach is detected by a party outside the attacked organization. The evident conclusion is the need for effective tools to detect and mitigate cyber-attacks once the attacker has gained access to and control over data center assets.

Only Basic Network Security

Recent architectural changes in data centers have led to an explosion of intra-data center traffic, including traffic that crosses the physical network horizontally ("east-west"), which is in many cases two to three orders of magnitude larger than the traffic entering and leaving the data center ("north-south"). When multiple pairs of virtual machines communicate at rates of gigabits per second, it is practically impossible to apply context-aware security controls such as IDS, IPS, sandboxing, deep packet inspection, and threat emulation to effectively secure this traffic.

By and large, security inside data centers is based on what CAN be done, rather than what SHOULD be done in order to stop an attacker.

Basic stateful firewalls and statistical network behavior analysis are usually the only network security controls used inside data centers today. While firewalls are an important building block of network security, by themselves they cannot stop a sophisticated attacker, nor can they stop automated malware (a bot) from spreading through the data center. Statistical behavioral analysis tools cannot pick up abnormal traffic that never crosses their detection thresholds.
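The contrast between a volume-threshold control and a context-aware one can be shown on flow records, the kind of per-connection summaries (source, destination, port, bytes) that a switch exports without inspecting payloads. The following Python is an added example, not code from the original post or from GuardiCore; the flow records, the addresses, the 100 MB per-window threshold and the ten-peer fan-out limit are all constructed for illustration. It runs a fixed byte threshold and a fan-out rule over the same east-west sample: a web tier pulling from its database at high volume, one large bulk transfer, and one host opening tiny flows to many peers on one port across several segments.

```python
"""Added example (not from the original post): two detectors over constructed
east-west flow records. The volume threshold catches the bulk transfer but is
blind to low-and-slow fan-out; the context-aware rule catches the fan-out."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: int        # seconds since the start of the capture window
    src: str       # source VM address
    dst: str       # destination VM address
    dport: int     # destination port
    nbytes: int    # bytes carried by the flow


# Constructed sample traffic (not a real capture):
#  - two web servers (10.1.0.10, 10.1.0.11) querying a database (10.2.0.5)
#    every 10 s with flows of roughly 2 MB each;
#  - one 500 MB bulk transfer from the first web server at t=305;
#  - one host (10.1.0.20) opening a 1.2 KB flow to a new peer on port 445
#    every 40 s, spread across the 10.2, 10.3 and 10.4 segments.
FLOWS: List[Flow] = (
    [Flow(t, "10.1.0.10", "10.2.0.5", 3306, 2_000_000 + (t % 7) * 50_000)
     for t in range(0, 600, 10)]
    + [Flow(t, "10.1.0.11", "10.2.0.5", 3306, 1_800_000 + (t % 5) * 40_000)
       for t in range(0, 600, 10)]
    + [Flow(305, "10.1.0.10", "10.2.0.5", 3306, 500_000_000)]
    + [Flow(5 + i * 40, "10.1.0.20", f"10.{2 + i % 3}.0.{30 + i}", 445, 1_200)
       for i in range(15)]
)

VOLUME_LIMIT = 100_000_000   # constructed tuning: 100 MB per source per window
WINDOW_SECONDS = 60


def volume_threshold_alerts(flows: List[Flow],
                            limit: int = VOLUME_LIMIT,
                            window: int = WINDOW_SECONDS) -> List[Tuple[str, int]]:
    """Volume-based control: flag (source, window index) pairs whose byte
    total crosses a fixed threshold. Sees bulk movement, nothing else."""
    per_window: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        per_window[(f.src, f.ts // window)] += f.nbytes
    return sorted(key for key, total in per_window.items() if total > limit)


def fanout_alerts(flows: List[Flow],
                  min_peers: int = 10) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Context-aware control: flag a source that talks to at least min_peers
    distinct destinations on the same port, regardless of bytes moved.
    Returns {(source, port): (distinct peers, distinct /16 segments)}."""
    peers: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        peers[(f.src, f.dport)].add(f.dst)
    alerts: Dict[Tuple[str, int], Tuple[int, int]] = {}
    for key, dsts in peers.items():
        if len(dsts) >= min_peers:
            segments = {".".join(d.split(".")[:2]) for d in dsts}
            alerts[key] = (len(dsts), len(segments))
    return alerts


def sources_missed_by_volume(flows: List[Flow]) -> List[str]:
    """Sources the fan-out rule flags that the volume threshold never does."""
    loud = {src for src, _ in volume_threshold_alerts(flows)}
    return sorted({src for (src, _) in fanout_alerts(flows)} - loud)


if __name__ == "__main__":
    print("volume threshold:", volume_threshold_alerts(FLOWS))
    print("fan-out rule:    ", fanout_alerts(FLOWS))
    print("missed by volume:", sources_missed_by_volume(FLOWS))
```

The fan-out rule needs only connection metadata, so it can be computed from switch flow exports at rates where payload inspection of east-west traffic is not feasible; the byte threshold is what a purely statistical control amounts to, and the spreading host never comes near it.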

A new approach

SDN is an opportunity to introduce advanced security controls and capabilities into the data center network in a way that can scale to the demands of large data centers and offer a dynamic, proactive security control framework that detects and mitigates an attack at an early stage. Using these principles, GuardiCore offers a security platform targeting the detection and prevention of the attack techniques hackers use in the propagation and control phases of the attack's 'kill chain' inside data centers.