Yesterday we announced the integration between Bromium LAVA and the Palo Alto Networks security platform. This is a perfect example of how Client SDN can transform enterprise networks into an agile, responsive, secure environment – and of why it is as profoundly important as server-side SDN. The enterprise will own only part of its cloud, but the vast majority of any enterprise network will remain end-user facing.
Thus far I have described how the Client SDN – a client-side analog of the cloud-side SDN that runs the network services used by micro-VMs on a micro-virtualized end point – dramatically enhances both protection and privacy by ensuring that every hardware-isolated task is entirely independent of all other tasks, and of the desktop itself, in terms of its access to networks and sites. Untrusted sites/docs/apps cannot gain access to the Intranet or to SaaS sites of value. Tasks accessing high-value sites can only communicate with those high-value sites (and, if desired, a clique of their trusted partners), but have no access to the Internet at large or to the Intranet. Intranet applications can be restricted to only ever have access to the Intranet – preventing data leakage. And no site/doc or detachable/mountable storage need ever be trusted.
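The three confinement rules above can be written down as a small per-task policy evaluator. The following is an added illustration, not Bromium code: the trust classes, the Intranet address ranges, the high-value sites and their partner cliques are all constructed values, and the evaluator assumes the Client SDN can see both the destination hostname and the resolved address of every flow a micro-VM task attempts.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Trust(Enum):
    """Trust class assigned to a hardware-isolated task when it is created."""
    UNTRUSTED = "untrusted"      # arbitrary web page, attachment, mounted media
    HIGH_VALUE = "high-value"    # a SaaS or banking site of value
    INTRANET = "intranet"        # an internal application


@dataclass(frozen=True)
class Task:
    trust: Trust
    origin: str   # hostname of the site the task was opened for


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


# Constructed policy data (hypothetical values, not the product's own):
# the enterprise's internal address space, and each high-value site with
# the clique of partner sites it is permitted to talk to.
INTRANET_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HIGH_VALUE_CLIQUES = {
    "crm.example-saas.com": {"payroll.example-saas.com", "sso.example-saas.com"},
    "bank.example-bank.com": set(),   # no partners: talks to itself only
}


def is_intranet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET_NETS)


def is_high_value(host: str) -> bool:
    """True for a high-value site or any member of a high-value clique."""
    return host in HIGH_VALUE_CLIQUES or any(
        host in clique for clique in HIGH_VALUE_CLIQUES.values())


def decide(task: Task, dest_host: str, dest_ip: str) -> Verdict:
    """Decide whether a flow from `task` to (dest_host, dest_ip) is permitted.

    Every branch ends in an explicit verdict; anything not matched is denied.
    """
    if task.trust is Trust.UNTRUSTED:
        if is_intranet(dest_ip):
            return Verdict(False, "untrusted task may not reach the Intranet")
        if is_high_value(dest_host):
            return Verdict(False, "untrusted task may not reach a high-value site")
        return Verdict(True, "untrusted task confined to the Internet at large")

    if task.trust is Trust.HIGH_VALUE:
        clique = HIGH_VALUE_CLIQUES.get(task.origin, set())
        if dest_host == task.origin or dest_host in clique:
            return Verdict(True, "high-value task talking to its site or clique")
        return Verdict(False, "high-value task limited to its site and partners")

    if task.trust is Trust.INTRANET:
        if is_intranet(dest_ip):
            return Verdict(True, "intranet task confined to the Intranet")
        return Verdict(False, "intranet task may not send data to external sites")

    return Verdict(False, "unknown trust class: default deny")


if __name__ == "__main__":
    web = Task(Trust.UNTRUSTED, "news.example.org")
    print(decide(web, "news.example.org", "198.51.100.7"))
    print(decide(web, "fileshare.corp.example", "10.1.5.9"))
    print(decide(Task(Trust.HIGH_VALUE, "crm.example-saas.com"),
                 "payroll.example-saas.com", "198.51.100.21"))
```

The evaluator is deliberately default-deny: a task whose trust class is unknown, or a high-value task reaching for anything outside its clique, gets no access rather than falling through to the Internet.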
In this post I want to show how Client SDN enables the whole enterprise network to become agile – automatically re-configuring the fabric in real time to block C&C servers and interdict malware in response to new, targeted attacks – for which traditional signatures may never arrive.
Micro-virtualization is protection-centric. It makes an end point vastly more secure by relying on the CPU to do the hard job of isolation. This, in turn, transforms the enterprise’s ability to respond: because the system is protected, Micro-VM Introspection permits the Microvisor to wait until malware actually attacks the hardware-isolated task. This eliminates false alarms. Moreover, the Microvisor maintains a hidden per-task “black box recorder” that records the entire kill chain: every DNS query, every IP flow between the task and third-party sites/servers, and the malware payload itself. Every micro-virtualized end point therefore becomes a sensor that can deliver precise, real-time forensic detail for each attack that executes in a hardware-isolated micro-VM.
Precise, real-time alerts from each attacked end point can be delivered immediately to the SOC. Crucially, by adopting an open format such as STIX, these alerts can be used at once to re-configure the network infrastructure in response to an attack: C&C IP addresses can be blocked at the firewall as soon as they are reported. In the presence of a next-gen network protection infrastructure, the malware fingerprint and origin site (IP or URL) can be used to prevent other users from falling prey to the same attack. My point here is that it is possible to entirely automate the enterprise network’s response to malware that is directed at it – even malware uniquely fashioned for it, for which signatures may never be available.
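To make the alert-to-block path concrete, here is an added example (not Bromium LAVA code and not the Palo Alto Networks integration) that consumes a constructed STIX 2.1-style indicator bundle of the kind a micro-VM sensor might emit, pulls out the C&C address, lure domain and lure URL, and turns them into block rules for the firewall, DNS and web proxy. The bundle contents, the rule labels and the protected address ranges are all assumptions made for the example; the one caveat it encodes is that an automated response must refuse to block the enterprise's own Intranet ranges or honour an indicator that has been revoked.

```python
import ipaddress
import json
import re
from dataclasses import dataclass

# Constructed STIX 2.1-style bundle standing in for an alert raised by a
# micro-VM "black box recorder" (example data, not the product's own format).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator",
         "id": "indicator--11111111-1111-4111-8111-111111111112",
         "name": "C&C beacon from isolated task",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2014-06-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--11111111-1111-4111-8111-111111111113",
         "name": "Mis-keyed indicator naming an internal host",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '10.1.2.3']",
         "valid_from": "2014-06-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--11111111-1111-4111-8111-111111111114",
         "name": "Lure origin",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'lure.example.net'] OR "
                    "[url:value = 'http://lure.example.net/invoice.doc']",
         "valid_from": "2014-06-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--11111111-1111-4111-8111-111111111115",
         "name": "Withdrawn indicator",
         "revoked": True,
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.9']",
         "valid_from": "2014-06-01T00:00:00Z"},
        {"type": "malware",
         "id": "malware--11111111-1111-4111-8111-111111111116",
         "name": "dropper", "is_family": False},
    ],
})

# Address space an automated response must never block, even if an alert
# names it (constructed: the enterprise's own Intranet ranges and loopback).
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches the simple comparison form of a STIX pattern for the three
# observable types this example understands.
PATTERN_RE = re.compile(r"\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]")


@dataclass(frozen=True)
class Ioc:
    kind: str
    value: str


@dataclass(frozen=True)
class BlockRule:
    element: str   # infrastructure element that enforces the rule
    action: str
    value: str


def extract_iocs(bundle_json: str) -> list:
    """Collect indicators from a bundle, skipping revoked and non-indicator objects."""
    iocs = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        for kind, value in PATTERN_RE.findall(obj.get("pattern", "")):
            ioc = Ioc(kind, value)
            if ioc not in iocs:          # de-duplicate while keeping order
                iocs.append(ioc)
    return iocs


def to_block_rules(iocs) -> list:
    """Map each indicator to the element that can enforce a block on it."""
    rules = []
    for ioc in iocs:
        if ioc.kind == "ipv4-addr":
            try:
                addr = ipaddress.ip_address(ioc.value)
            except ValueError:
                continue                 # malformed address: no rule
            if any(addr in net for net in PROTECTED_NETS):
                continue                 # never let an alert cut off the Intranet
            rules.append(BlockRule("firewall", "drop-egress-to", str(addr)))
        elif ioc.kind == "domain-name":
            rules.append(BlockRule("dns", "sinkhole", ioc.value.lower()))
        elif ioc.kind == "url":
            rules.append(BlockRule("web-proxy", "block-url", ioc.value))
    return rules


def render_iptables(rules) -> list:
    """Render the firewall rules as iptables commands for one enforcement point."""
    return [f"iptables -I FORWARD -d {r.value} -j DROP"
            for r in rules if r.element == "firewall"]


if __name__ == "__main__":
    for rule in to_block_rules(extract_iocs(SAMPLE_BUNDLE)):
        print(rule)
    print(render_iptables(to_block_rules(extract_iocs(SAMPLE_BUNDLE))))
```

Of the four indicators in the bundle, only three produce rules: the revoked one is ignored at extraction, and the one naming 10.1.2.3 is extracted but dropped before it can become a firewall rule, which is the check that keeps a bad alert from turning the automated response into a self-inflicted outage.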
The future of the enterprise network is agile – as agile for end users as it is for the data center. Client SDN is a crucial building block for a defensible enterprise network. It keeps bad stuff outside the network, and when an endpoint is attacked it contributes, in real time, precise detail that allows smart network infrastructure elements to dynamically react, to protect the enterprise as a whole.