Following up on yesterday’s post, I wanted to talk about the Network…
Again, this is stuff a noob like me finds interesting. I am glossing over massive amounts of detail. And I may be wrong; if I am, I’d like to be corrected.
If you come from a database background, a database has the following useful properties:
- There is a single IP address you can ask all your questions of
- Only approved people can add or remove state
- You can trivially query the current global state of the database.
In an IP network, the database is the network, and the database has the following perverse properties:
- There is no single IP address you can ask all of your questions of
- Anyone can add or remove state
- You can not query the current global state
The Network Database is the most unusual database on the planet. The properties of that database provide for resiliency, force co-operation between bitter commercial rivals and require some of the most sophisticated protocol engineering on the planet.
And why is this important to Firewalls?
If we consider firewalls, and computationally cheap security in general, then we realize that the single most important function of a firewall is to make sure that the Network Database only contains records (routes) that are approved.
That was a mouthful.
Consider a route from IP 1.1.1.1 to 2.2.2.2. The network administrator would like to say that no such route may exist in the network database. The problem is that the network administrator cannot guarantee that such a route won’t get created, either maliciously or by accident. The inherent properties of the Network Database make this impossible.
What to do?
Well you create a device that has all of the rules that you want to enforce and that device has all of the properties of a real database:
- There is a single IP address
- Only approved people can add or remove state
- You can trivially query the current global state
And then you put that database inline, in the middle of the network, and have it verify that no invalid route is inserted: it sees every packet and checks that the route each packet implies is valid under the security policy.
In effect, this is the really astonishingly surprising result: a firewall’s first and foremost role in a network is to secure the routing tables. By securing the routing tables, I mean ensuring that no route that you don’t want exists.
That’s why a firewall is inline; that’s why it exists. If you could secure the routing tables without a firewall, then you could – in principle – transform the security industry.
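To make the three properties concrete, here is a small model of the firewall’s rule table as that trustworthy database, with the per-packet check bolted on. This is an added example, not code from the original post: the policy is a first-match-wins list of (source, destination, action) rules, writes are gated on a hypothetical list of approved administrators (the names alice and mallory are made up), the state can be dumped in full, and anything no rule approves is denied by default (the default-deny choice is my assumption; the post only says the unwanted route must not exist). The addresses are the 1.1.1.1 / 2.2.2.2 pair from the post plus a constructed 10.0.0.0/8 internal range.

```python
"""Model of a firewall as the one trustworthy database in the network.

Added example. The policy table has the three properties the post attributes
to a real database: one place to ask, writes only by approved principals, and
a complete view of the current state. Every packet the firewall forwards is
checked against it, so a path the network learned on its own does not become
a usable route unless the policy also allows it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"


class PolicyDatabase:
    def __init__(self, approved_admins: Iterable[str]):
        # Hypothetical principal names stand in for whatever auth the box uses.
        self._approved = frozenset(approved_admins)
        self._rules: List[Rule] = []  # ordered; first match wins

    def add_rule(self, admin: str, src: str, dst: str, action: str) -> None:
        # Property 2: only approved people can add state.
        if admin not in self._approved:
            raise PermissionError(f"{admin} is not approved to change policy")
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        # strict=False lets an admin write 10.0.0.1/8 and get 10.0.0.0/8.
        self._rules.append(Rule(ipaddress.ip_network(src, strict=False),
                                ipaddress.ip_network(dst, strict=False),
                                action))

    def remove_rule(self, admin: str, index: int) -> None:
        # Property 2 again: removal is gated exactly like insertion.
        if admin not in self._approved:
            raise PermissionError(f"{admin} is not approved to change policy")
        del self._rules[index]

    def snapshot(self) -> List[Tuple[str, str, str]]:
        # Property 3: the whole global state is queryable at any time.
        return [(str(r.src), str(r.dst), r.action) for r in self._rules]

    def decide(self, src_ip: str, dst_ip: str) -> str:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self._rules:
            if s in r.src and d in r.dst:
                return r.action
        return "deny"  # default deny (assumption): an unapproved route does not exist


def forward(db: PolicyDatabase,
            packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """The inline position: every packet passes through the check."""
    return [(s, d, db.decide(s, d)) for s, d in packets]


def effective_routes(db: PolicyDatabase,
                     learned_routes: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Of the (src, dst) paths the network learned on its own, which ones
    actually exist once the firewall sits in the middle?"""
    return [(s, d) for s, d in learned_routes if db.decide(s, d) == "allow"]


def build_example_policy() -> PolicyDatabase:
    """Constructed sample policy: 1.1.1.1 must never reach 2.2.2.2, while the
    (made-up) internal range 10.0.0.0/8 may."""
    db = PolicyDatabase(approved_admins=["alice"])
    db.add_rule("alice", "1.1.1.1", "2.2.2.2", "deny")
    db.add_rule("alice", "10.0.0.0/8", "2.2.2.2", "allow")
    return db


if __name__ == "__main__":
    db = build_example_policy()
    # Constructed "network database": paths the routers learned by themselves,
    # including the one the administrator wanted to forbid.
    learned = [("1.1.1.1", "2.2.2.2"), ("10.0.0.5", "2.2.2.2"), ("192.168.1.9", "2.2.2.2")]
    print("policy:", db.snapshot())
    print("packets:", forward(db, learned))
    print("routes that really exist:", effective_routes(db, learned))
    try:
        db.add_rule("mallory", "0.0.0.0/0", "0.0.0.0/0", "allow")
    except PermissionError as exc:
        print("rejected write:", exc)
```

The real-world counterpart of the first rule is a single stateless filter such as `iptables -A FORWARD -s 1.1.1.1 -d 2.2.2.2 -j DROP`, and `iptables -S FORWARD` is the “query the whole state” operation; the point of the model is that the router next door may well have learned a path for 1.1.1.1 to 2.2.2.2, but with the check inline that path never becomes a route anyone can use.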
And it turns out that SDN can eliminate the need for a firewall… Maybe. And that is very disruptive. And SDNs might do this because, well, they move the Network Database out of the Network into a database that has standard database properties…
And I’ll get to that when I talk about SDN.