Internet-Draft Securing hybrid network - criteria March 2024
OIWA Expires 21 September 2024 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-oiwa-secure-hybrid-network-00
Published:
Intended Status:
Informational
Expires:
Author:
Y. OIWA
AIST Japan

Securing hybrid network - criteria

Abstract

This document analyzes current issues for ensuring and monitoring the security status of the network used under complex network environment such as hybrid cloud or mixed cloud settings.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 21 September 2024.

Table of Contents

1. Introduction

Recently, virtualized resources such as cloud computing infrastructure rapidly replace traditional types of network/computing environment such as local servers or on-premise computer clusters. In such kind of infrastructure, information of physical resources such as servers, local network, network routers, etc. are hidden from users in trade with flexibility, service redundancy and costs as well. Cryptographic communications such as TLS, IPsec etc. are typically used to protect communication into/out of such systems from eavesdropping and tampering.

However, there are many use cases where service still depends on the security nature of underlying physical resources, instead of just encrypting the communication:

For such high-security applications, we need some technical infrastructure for continuously checking the properties and statuses of underlying network and intermediate nodes. In non-virtualized, self-managed setting, tHere are several existing technologies (e.g. NETCONF, path validation, etc.) for acquiring such statuses. However, these are not enough for virtualized, multi-stake-holder setting of modern cloud infrastructure.

This document gives a first-stage problem analysis for ensuring and monitoring the security status of the network used under complex network environment such as hybrid cloud or mixed cloud settings. It also proposes a brief, straw-man view on the enabling architecture for possible monitoring systems.

1.1. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. Background

2.1. Multi-cloud and hybrid cloud systems

Concepts of multi-cloud and hybrid clouds are defined in ISO/IEC 5140:2024; in short, multi-cloud is a system where a single service is implemented using two-or-more independently-operated cloud services. Hybrid cloud system composes two or more computation environments having different nature of operation, security level or other aspects, at least one of which is typically a public cloud service. Often, subsystems on privately-operated cloud, on-premise, or edge networks are connected with public cloud infrastructure by network to construct a single hybrid cloud system.

Hybrid cloud systems are, in general, constructed when the security or other provisions of public cloud systems are not sufficient for a part of information or a subsystem component (if not, a simple public or multi cloud environment is sufficient). At the same time, there are often a requirement where some benefits (scalability, costs, resilience, maintainability etc.) of public cloud systems are beneficial (if not, simple on-premise deployment is enough). This mixed, seemingly conflicting requirements makes it difficult to ensure the monitoring of security for the hybrid cloud systems.

2.2. Security implications of hybrid clouds

Multi-cloud and hybrid cloud systems require system-internal communications flowing beyond the boundary of single cloud systems. In a simplest case, it can be implemented using authenticated TLS or HTTPS communications via public Internet infrastructure. For high-security systems, it is often implemented using dedicated channels of communications, such as VPNs, private peering, or even a dedicated optical fiber channels. To maintain the security of whole systems, monitoring integrity of such dedicated channels is mandatory.

Furthermore, with IP-based software systems, there are lot more dependency to ensure such secure communications. In other words, there are a lot more surfaces for attacks. For example, if a DNS recored is either tampered or misconfigured, a communication intended to go through a secure channel might be routed to public channels. If there is a misconfiguration for routing, the traffic might go public. Enumerating and collecting status of such dependency are undermined currently.

3. Problem statement

There are a lot of technology already available and useful for such purposes.

However, to ensure the security of the whole hybrid cloud infrastructure, we still have to address the following aspects, which seems to be lacking solutions currently.

3.1. The nature of multiple operators/stakeholders

Hybrid cloud systems depends on a lot of resources which are not under control of the application system operators. Needless to say, public clouds (both IaaS and SaaS) are operated by external service providers. They have their own policy for their operations, and they have their own decisions for maintaining or replacing any of the providing hardware/software resources, provided that their service-level agreements (SLAs) is met.

This makes it non-satisfactory to expose information of all network intermediate nodes to the final application operators. First, detailed information on design and implementation of the cloud infrastructure is a confidential information and important properties of the cloud providers. Moreover, some extent of independence between application operators (users or cloud infrastructure) and cloud service providers are critical for maintaining cost effectiveness, maintainability, security etc of the cloud services.

3.2. Determination of the "correct" states

In a small-scale, hand-crafted network, determining whether the current running state of the network is intended or not is a relatively simple question. However, in the complex multi-cloud systems, it is quite hard or even impossible problem to determine that, even if we had been possible to know all the detail of the running state of the whole global network. To determine that, we also have to know about the design principle and hidden assumption about the operation of each single network.

3.3. Shared infrastructure and information leakage

The infrastructure of the cloud system is deeply shared among several clients. Although some information on the operational status at cloud service side is required to check the reliability of the user-side applications, exposing the raw operational parameters to some client may reveal security-critical information of other clients. Before exposing the cloud-side status, it must be cooked and filtered so that information only relevant to a specific client is included.

3.4. Virtualized infrastructure

Many cloud resources, not only computation nodes but also network routers, switches, VPN endpoints, etc., are virtualized and provided via infrastructure-as-code (IaC) systems. Unlike physical routers and switches, determination of virtual intermediate nodes in the traffic path does not mean its physical locations, physical properties and security natures. (imagine how we can analyze results of traceroute or ICMP ping via virtual private network.)

If there are any virtual nodes, physical properties of its underlying infrastructure may have to be traced and checked to ensure security and integrity. This requires cooperation of virtual resource provider or cloud providers and integration with their infrastructure management systems.

3.5. Risks beyond network layers

Today, many network systems are managed via complex systems. This means any invasion to the IT-side assets of those management systems will cause severe risks to the network layers. These assets include (and are not limited to) software asset management, software vulnerability, ID managements, etc.

To correctly evaluate risks of the whole network operations, we must also care about the risks of these management systems as well.

4. Proposed design

To overcome these problems, we propose to design a distributed architecture for assuring the network operation integrity for the mixed and hybrid cloud applications. Such a system should:

Possible implementation of such a system might be distributed systems of network security coordinations between operators and users of cloud and network infrastructure. Instead of the "disclose all" approach, such a design might keep both flexibility and efficiency of the multi-cloud applications.

In particular, such a system will:

Detailed designs will follow (TBD).

5. Security Considerations

Security SHALL be deeply considered and discussed during the ongoing standardization process.

6. IANA Considerations

This document has no IANA actions.

7. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

Acknowledgments

This work is supported by NEDO grants P23013 from the Net Energy and Industrial Technology Development Organization.

Author's Address

Yutaka OIWA
AIST Japan