IPv6 Security Demands Automation
The increased complexity of IPv6 deployments and other next-gen network issues demands automation and orchestration. Here's why.
Here at Enterprise Networking Planet, we've devoted plenty of space to talking about how virtualization, the cloud, and software defined networking demand high levels of automation and orchestration. Those aren't the only factors affecting the network of the future, however. The slow but sure growth of IPv6 adoption worldwide will present new security challenges. As in other areas of the next-generation network, automation and orchestration can help solve those challenges, according to Reuven Harrison, co-founder and CTO of network security company Tufin.
Automation and orchestration to address IPv6 security challenges
The 128-bit addressing space that IPv6 provides "adds a huge amount of complexity to an already very complex network environment," Harrison said, adding ominously that "the hacker's best friend is complexity." That complexity, he explained, creates an ever-greater chance of vulnerabilities that can be exploited.
It doesn't stop there, either. The dual-stack configuration that allows machines to have simultaneous IPv4 and IPv6 addresses on the same interface only adds to the mess, and given the slowness of IPv6 adoption thus far, "that's probably going to be around for a long time," Harrison said. Now add in the very real possibility of human error. The length of the IPv6 address—so long that "most normal people cannot memorize it," Harrison pointed out—makes mistakes in transcription and copying likely.
What all these factors add up to is a significant number of Things That Can Go Wrong, from security vulnerabilities to device misconfiguration. That's where Tufin comes in, Harrison said. The three elements of the Tufin Security Suite—Tufin SecureTrack, Tufin SecureChange, and Tufin SecureApp—work in concert to automate network security configurations. SecureTrack, the lowest layer of the trio and the layer closest to the network, monitors the network, specifically its firewalls, routers, switches, and load balancers, using real-time configuration information "to build a logical model of the network," he said.
Tufin's software, the CentOS-based Tufin OS, knows how to read IPv6 configurations from the firewalls and routers that the vendor's solution manages. That knowledge lets the software incorporate IPv6 into its overall network model and thus provide IPv6 support.
"So our system's basically been through the entire network. It understands for each, let's say, pair of addresses in the network, whether they're IPv4 or IPv6, whether they're connected, or whether a connection can be created theoretically, based on the routing, NAT, and security policies in place," Harrison explained. Using that model of the network, the solution can then build its change automation systems.
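The dual-stack and transcription problems above, and the per-pair connectivity model Harrison describes, can be illustrated with a small checker. This is an added example, not code from the article or from Tufin's product; the hosts and the first-match rule base are constructed, and the IPv6 deny rule carries a hypothetical copy error.

```python
import ipaddress

# Constructed sample data; not from the article or from any Tufin product.
# Each host has an IPv4 and an IPv6 address on the same interface (dual-stack).
HOSTS = {
    "web":  ("192.0.2.10", "2001:db8::a"),
    "db":   ("192.0.2.20", "2001:db8::14"),
    "mgmt": ("198.51.100.5", "2001:db8:1::5"),
}

# Hypothetical first-match rule base: (source CIDR, destination CIDR, action).
# The IPv6 deny for mgmt -> db was hand-copied with two hex digits swapped
# ("::41" instead of "::14"), so over IPv6 that traffic reaches the allow rule.
RULES = [
    ("198.51.100.0/24", "192.0.2.20/32", "deny"),
    ("0.0.0.0/0", "192.0.2.0/24", "allow"),
    ("2001:db8:1::/64", "2001:db8::41/128", "deny"),
    ("::/0", "2001:db8::/64", "allow"),
]

def malformed(rules):
    """Every CIDR string in the rule base that parses as neither IPv4 nor IPv6."""
    bad = []
    for src, dst, _ in rules:
        for text in (src, dst):
            try:
                ipaddress.ip_network(text, strict=False)
            except ValueError:
                bad.append(text)
    return bad

def decide(src, dst, rules):
    """First-match decision for one pair, default deny; rules of the other family never match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, action in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action
    return "deny"

def dual_stack_gaps(hosts, rules):
    """Host pairs whose IPv4 and IPv6 decisions disagree: the policy intent
    is enforced on one stack but silently not on the other."""
    gaps = []
    for a, (a4, a6) in hosts.items():
        for b, (b4, b6) in hosts.items():
            if a != b:
                v4, v6 = decide(a4, b4, rules), decide(a6, b6, rules)
                if v4 != v6:
                    gaps.append((a, b, v4, v6))
    return gaps
```

Running `dual_stack_gaps(HOSTS, RULES)` reports that mgmt -> db is denied over IPv4 but allowed over IPv6, the kind of asymmetry a per-family review of rules would not surface.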
It isn't all about automation, however, as Harrison was careful to clarify. The word he prefers is orchestration, implying a level of intelligence around the automation, so that "it's not just a robot that goes and does things blindly," he said. That orchestration can draw on input from various silos: "People from network engineering, applications guys, and security people can all use our system to automate connectivity change requests," and, once implemented, the solution knows when to escalate an automated task to a human being when it requires human review or is otherwise ambiguous.
Cloud and SDN
Tufin is now looking ahead to cloud and SDN concerns. According to Harrison, the company's solution, like other security solutions, "will be the last type to move to the cloud because of the sensitivity of the information that we manage." Most Tufin deployments currently run on dedicated appliances on-premises. The company does have multi-domain support and scalability to support virtual and cloud environments, however, and is therefore ready for the cloud, he added.
The same goes for software defined networks. "Our system is perfect for SDN, because we can take RESTful APIs and convert those API requests into command lines to run automatically on the devices we manage," Harrison said.
Tufin's road ahead looks promising. Launched in 2005 by Harrison and Ruvi Kitov, who both came from Check Point backgrounds, the company now partners with Cisco, F5 Networks, McAfee, Palo Alto Networks, Fortinet, Juniper, and Check Point, among others, for support of "all the enterprise firewalls, plus routers and load balancers," Harrison said. The channel-based vendor has over 200 resellers and distributors worldwide.
Moving forward, the company plans to position itself around automation and orchestration to support IPv6, virtualization, cloud, and SDN.
"Security people are rightly concerned about automation because they can lose control," Harrison said. The orchestration piece of the Tufin puzzle may help ensure that those fears don't come true.
Jude Chao is executive editor of Enterprise Networking Planet. Follow her on Twitter @judechao.