The case for a secure, bi-directional, full-duplex firewall installed at the perimeter of data centers.
Axel Kloth responds to: Covey, L. (2019, February 26). Cloudborne Punches Hole in Cloud Security.
I have said for quite a while that “The Cloud” is an economic model, and not a safeguard. “The Cloud” is really only someone else’s data center, and it allows Cloud users to shift computational tasks from one physical location to another, without disrupting the workload too much. That is why hybrid clouds dominate today; they simply are a combination of the private data centers that corporations always had and the ability to rent additional computational horsepower from a cloud provider to fulfill the needs for elasticity.
Due to the elasticity of compute requirements, all workloads must support being shifted around. This in turn requires Cloud service providers to provide large-scale data centers that are all multi-tenant, i.e. many clients are hosted in any one data center, without firewalls in between the individual clients. Again, as an economic model this works well, but not being able to isolate clients from each other by means of firewalls also implies that if malware is exfiltrated from one client, then all clients will be possible targets of that malware as no firewalls exist between clients.
This problem gets aggravated by other facts that I had highlighted before: firmware updates can be executed by anyone, without authentication of the person updating the firmware, even if the firmware is unsigned and possibly malicious. One would think that the firmware update process is an onerous one, with heaps and heaps of safeguards. It’s not.
Firmware updates for hard disks (yes, they do have update-able firmware!), RAID Controllers, LAN Controllers, GPUs and BMC and host processors in servers are trivial and unsecured (other than by weak username and password combinations that in the vast majority of cases are set to default) and easily breached, or riddled with holes and backdoors.
As a result, each and every server has a large attack surface that can easily be exploited, and sufficiently well-written malware can easily be made persistent (i.e. it will survive a reset, restart or a re-install of the Operating System). While bad enough, this can be detected by malware scanners in each server, and affected systems can be taken offline, re-flashed, and put back in service.
With Intel’s SGX, it is possible to write malware that is persistent and at the same time cannot be detected by malware scanners, simply because SGX protects the malware from being observed. In this case, malware can exfiltrate and replicate on any adjacent system. In other words, Intel’s SGX can help conceal the ultimate botnet.
How can this spread be detected and prevented?
Data centers will need to come to grips with the requirement that all clients in multi-tenant public clouds will have to be isolated from each other by the deployment of firewalls that do NOT use x86-64 processors, that do NOT use industry-standard hard disks or SSDs, and that do NOT support unauthenticated firmware updates with unsigned firmware. The same firewalls must be deployed at the perimeter (each entry and exit point from the Internet) of the data center, and—novel for firewalls—must filter traffic in BOTH directions simultaneously, i.e. work in a bi-directional and full-duplex fashion to detect if malware is being exfiltrated.