NetCitadel and Software Defined Security

It’s been an exciting couple of weeks in the security realm, with a number of innovative startups appearing. That’s refreshing because recently most “innovation” in the security space has been something involving a new way of marketing a signature or reputation based system – and that’s just a bit rubbish, and not a little tiresome. Most interestingly, a new startup emerged from stealth mode in promising “software defined security”. NetCitadel has obviously been watching the SDN debate and decided that now is the time to give network security the API treatment. Since this is an area of particular interest for me, I got in touch with NetCitadel to talk about how the OneControl technology works and look at some of the potential use cases for their new product.

What’s Wrong with What We Have
Current network security infrastructure revolves around the firewall. Depending on your viewpoint, the traditional firewall is either almost, or already completely dead as a platform for innovation. Enterprise security admins typically manage hundreds of individual firewalls composed of multiple firewall platforms, along with thousands of combined rules. Traffic frequently passes through multiple firewalls, meaning that even simple changes can be challenging to implement correctly first time. In addition, typical enterprise security architectures are not designed to support the highly virtualised service infrastructure that our server-bothering colleagues are able to deploy. As a result, changes to services can often be held up by manual configuration tasks that are difficult to get right first time. NetCitadel likes to characterise this kind of management solution as “human middleware”, which is such a good line that I’m going to start taunting people with it.

All of this makes managing an enterprise firewall estate time consuming and expensive. What’s required is a way of ensuring that network security tools react automatically to network events such as virtual instances coming online, security events, routing and path changes, etc.

OneControl
NetCitadel seeks to address this gap with its OneControl product. OneControl augments or replaces vendor specific management solutions by creating an abstracted user interface that can be used to configure firewalls, switches, and routers. The software is able to operate in heterogeneous environments by creating a common policy language that can be used to describe security policy assertions in a vendor-independent manner. Policies can then be mapped to groups of hosts which share a common use case.

OneControl uses a common policy definition language to define security policies

OneControl uses a common policy definition language to define security policies

To push SPL defined rules to a device, the controller uses a module called a device configuration translator to generate device-specific configuration data, which is then pushed to the device. Typically, this is achieved by SSHing programmatically into the target firewall and pasting the commands in.

Abstraction is key here, since it also applies to event data. OneControl uses the Common Event Format (CEF) to report network events back to the controller, allowing it to react and automatically push policy changes in reaction to those events.

Event sources communicate with One|Control via CEF

Event sources communicate with OneControl via CEF

As events from sources come in, the OneControl system can use scripts or daemons to determine whether the event requires a change to policy. If a change is required, then the system can push those changes out via device configuration translators to enforcement points.

Platform Support

At present, the following network platforms are supported:

  • Cisco IOS
  • Cisco ASA
  • Juniper SRX
  • Juniper SSG
  • Linux IPTables

To allow the security estate to react dynamically to virtualisation events, OneControl can also hook into your cloud/virtualisation infrastructure using the Cloud and Virtualisation Security Modules. Both these modules are licensed extras that allow OneControl to detect events such as creation, deletion, or migration of virtual instances, and automatically update the security policy accordingly. This makes the provision of new services much faster and less error prone, since server teams no longer need to wait for the firewall dude to show up, and the results of changes are no longer dependent on how much coffee they’ve had.

The list of supported platforms is rather bare at the moment, however I’m assured that support for other firewall platforms is on the way. Given that a number of the senior people in NetCitadel have links with Fortinet and Palo Alto, it’s a fair bet that these platforms are next. The elephant in the room is everyone’s favourite firewall vendor: Check Point. Check Point has a poor track record in 3rd party integration thus far and their management product Provider-1 has historically been their main selling point. Given the installation base, I would argue that NetCitadel needs to find a way to work with Check Point devices to be successful. Unfortunately, given the Check Point architecture, policy pushes will probably need to go via Provider-1 rather than directly to the firewall modules themselves.

Security Orchestration – An Example
As an example of how OneControl can work, consider a web server instance that is created in AWS. By monitoring the AWS platform, OneControl can see the new instance being created and automatically moves the new web server into a security group that the administrator has already defined for other web servers. This group has a common policy attached to it, so once the new instance is up and running, the act of adding it into the web server group automatically applies the relevant policy.

The Tip of the Iceberg
The web server example isn’t particularly impressive – the same thing could be achieved using your own scripts hooked into whichever cloud/virtualisation platform that you’re using. It does show what’s possible though. The OneControl platform has a REST API which allows administrators to programatically define the system’s response to different security event data. Imagine hooking into netflow data as a baseline, then automatically throttling or blocking misbehaving hosts, for example. Or how about automatically blocking traffic on a switch port in response to an alert from AV detecting a virus (yeah, I know).

Potential Use Cases
There are a few ways you could potentially use OneControl:

  1. As a replacement for your current vendor’s management platform. CSM and NSM suck pretty badly in their current forms. Consider evaluating OneControl as a management product, even if the idea of automated security orchestration seems a bit scary.
  2. A data centre firewall layer or hybrid approach where some firewalls or policy entities are managed by OneControl, while others are managed in the traditional manner.
  3. Full on security orchestration layer allowing the OneControl system to automatically manage policy dependent on events with custom scripting and programs running at the back end to extend and enhance the built-in capabilities of the tool.

Should I Buy it?
The OneControl system looks very interesting, and there are some compelling arguments for adoption, even with it being a v1 technology. Having said that, there are some caveats. This isn’t true software-defined security to my mind, and there are still a few missing pieces that need development before it’s fully there, especially with the low number of supported platforms. For example, there are no supported IPS devices, meaning that the orchestration layer is missing a vital source of event data. I worry as well that, given the severe lack of API access to most firewall platforms, the current method of scripting SSH access and command line entry might not be sustainable, as vendors continue to change the CLI commands with each code revision.

I do see it as an important first step towards a full security orchestration product that will relieve a large part of the firewall admin’s daily drudgery. I’d certainly suggest anyone with a large Cisco or Juniper estate to give it a crack, even if it’s just as a management replacement. As support grows for other platforms, and we continue our virtualisation and cloud binge, I think this kind of product will become even more relevant.

If you regularly see your firewall admin sobbing, then you could do worse than suggest they check NetCitadel out. If you are consistently finding that firewall changes are becoming a bottleneck when implementing new services, or you are making extensive use of cloud or virtualisation services, you should definitely trial it.

Here’s a Picture of a Kitten

This has been a long post. If you’ve made it this far – well done, here’s a nice picture of a kitten as reward. Yay you!

Kittens soothe network engineers' existential angst

Stop worrying and look at the kitten.

Neil Anderson
Neil is a freelance network security architect and contractor working with a number of clients in Scotland and Europe. He is CCIE #18705 and also holds a CISSP. He can often be found sampling beer in remote locations and ranting about tech to anyone too stupid to run away. If you're very unlucky, he may talk to you in Gaelic. Neil can be occasionally be found on Twitter.
  • http://etherealmind.com Etherealmind

    NetCitadel looks nice, but it’s only configuring firewalls. That’s a really small limited use case. In the last decade there have been dozen or so companies with products like this that no longer exist and last one standing in Tufin.

    I’m not buying the pitch :) .Unless NetCitadel plans to offers something new, I see no reason for them to be successful.

    • NeilTAnderson

      I’ve never seen Tufin deployed as anything other than an auditing and compliance tool. It seems to occupy the same space as AlgoSec, where automatic rule updates, and change orchestration are possible, but require scripting rather than having the config translators built in. That said, it’s a few years since I looked at it, so maybe they’ve got parity here.

      I think it’s possible to replicate OneControl’s current capabilities using some funky scripting and a lot of bespoke tool development. What NetCitadel brings to the table is a common language for policy definition and config translators that you don’t have to write and maintain. I remember writing Perl scripts for automatic router provisioning a few years ago, and it was just painful – even supporting only one version of IOS!

      I’m planning to spend some time playing with OneControl in the lab soon, so hopefully I’ll be able to shed some more light on the stuff that it can do at a more technical level.

      • jc

        We use a product formerly named Solsoft (now “Secrutiy Change Manger” I believe) that is now owned by Infoblox that lets you build and maintain a security policy and will automate the deplyement of the rules on all relevent devices in a topology aware fashion. They support a buch of devices from diffrent vendors (Cisco ASA, FWSM, IOS, Juniper, Fortigate, Linux IPTables, etc.).

        We’ve been using it for 5 years and it’s been a godsend in the management of our firewalls. It’s only unfortunate that the product founding company has been sold/merged a couple times since as the product got a little lost in the byers/mergers portfolios and kept it from getting the spotlight it deserves.

  • cryptochrome

    Wow. I can finally give Juniper’s abomination (which they call NSM) the boot. Nice.

  • http://twitter.com/MrsYisWhy Mrs. Y.

    Just had a demo of the “still in beta product.” This is after I initially saw a completely different product that was “about to be released” over two years ago. I don’t know how these guys get away with this. Complete vaporware and now they’re all about APT this and malware that. It’s not about managing the firewalls at all. It’s basically a middleware product to automate communication and actions between your alerting tier and your prevention tier.