Aug 22 2023
Scaling Security Across the Cloud: Chief Scientist on Distributed Cloud Firewall
In this episode, Woody dives into the world of cloud security using open source systems with our special guest, Susan Hinrichs. Susan Hinrichs, Chief Scientist at Aviatrix, is a multifaceted professional with a strong background in the open source networking and security space. As a designer and implementer, she has contributed significantly to the development of Distributed Cloud Firewall. Susan's expertise extends well beyond traditional networking, encompassing diverse areas such as cloud routing, application security, policy-based traffic engineering, and distributed systems.

Throughout this insightful conversation, Susan discusses the advantages of open source platforms, Aviatrix's contributions to the open source community, and the open source DNA of the Aviatrix Distributed Cloud Firewall. Susan and Woody also explore possible directions for Distributed Cloud Firewall and the role that AI and ML could play in network security.

Learn more about Altitude and host Woody: https://aviatrix.com/altitude/
Susan's LinkedIn: https://www.linkedin.com/in/shinrich/

Timestamps:
[00:02:11] The group responsible for traffic termination and scrubbing used open source software and contributed back.
[00:06:55] Extended Berkeley Packet Filter (eBPF) enables efficient traffic analysis in kernel space, particularly for dropping network traffic at a low level with minimal effort. It provides a more cost-effective alternative to iptables for implementing firewall policies.
[00:10:07] Approach: not every process runs as root; a process elevates only when it needs more privilege. A complicated product made simple.
[00:14:27] OpenStack's limitations: running it at enterprise scale requires dedicated specialists, which makes it costly. Distributed Cloud Firewall innovates multicloud security. Scaling security in the cloud is challenging because of the complexities at layer 3 and up the stack.
[00:16:38] Distributed firewall challenges and solutions summarized.
[00:21:53] Smart groups are created with tags on VMs, subnets, and VPCs, and these groups are used to create rules for traffic routing. With the Aviatrix fabric, the gateways are protected and the traffic routes are understood; the controller analyzes the gateways and enforces the rules accordingly. Rules are pushed or pulled to the gateways.
[00:26:15] Security group orchestration across different cloud platforms has limitations because of varying models and rule limits. Difficulties arise when translating intermixed allows and denies into allows only, which can split networks and require more rules. Despite extensive work, there are cases where the policy cannot be expressed. Other tools, like VMware and Cisco, offer similar orchestration capabilities, but the physical enforcement points may still restrict the unified view presented to customers.
[00:30:30] Moving towards intrusion protection, analytics, and service mesh for enhanced security.
[00:34:05] The impact of AI and machine learning on security systems.
[00:35:16] AI helps with alarm fatigue and data correlation.
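The kernel-level dropping described at [00:06:55] looks like this in practice. The program below is an added example written for these notes, not Aviatrix code: a minimal XDP program that applies a small deny table before the packet reaches the network stack, with the bounds checks the BPF verifier demands. A `#if defined(__bpf__)` switch lets the same decision logic compile either as an XDP object (clang, target bpf) or as a host test with any C compiler. The deny table, the byte-array header layouts, the helper names and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```c
/* xdp_drop.c: minimal XDP drop-policy program (added example, not Aviatrix code).
 *
 * Kernel build:  clang -O2 -g -target bpf -c xdp_drop.c -o xdp_drop.o
 *                ip link set dev eth0 xdpgeneric obj xdp_drop.o sec xdp
 * Host test:     cc -O2 xdp_drop.c -o xdp_drop && ./xdp_drop
 *
 * The deny table, header layouts and addresses are constructed for this example
 * (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges).
 */
#include <stddef.h>
#include <stdint.h>

#if defined(__bpf__)
#include <linux/bpf.h>                 /* struct xdp_md, XDP_DROP, XDP_PASS */
#define SEC(name) __attribute__((section(name), used))
#else
#include <stdio.h>
#define XDP_DROP 1                     /* same values as linux/bpf.h */
#define XDP_PASS 2
#endif

#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP 6
#define PROTO_UDP 17

/* Header views as byte arrays: no endianness macros needed on either target. */
struct eth_hdr { uint8_t dst[6], src[6], type[2]; } __attribute__((packed));
struct ip4_hdr {
    uint8_t ver_ihl, tos, tot_len[2], id[2], frag[2], ttl, protocol, csum[2];
    uint8_t saddr[4], daddr[4];
} __attribute__((packed));
struct l4_ports { uint8_t sport[2], dport[2]; } __attribute__((packed));

static inline uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static inline uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Deny rule: source net/mask, transport (0 = any), destination port (0 = any). */
struct deny_rule { uint32_t net, mask; uint8_t proto; uint16_t dport; };
static const struct deny_rule DENY[] = {
    { 0xCB007100u, 0xFFFFFF00u, 0,         0  },   /* 203.0.113.0/24 -> anything */
    { 0x00000000u, 0x00000000u, PROTO_TCP, 23 },   /* anyone -> tcp/23 (telnet)  */
};
#define NDENY ((int)(sizeof(DENY) / sizeof(DENY[0])))

/* Parse Ethernet/IPv4/L4 with explicit bounds checks (the BPF verifier rejects
 * any packet read it cannot prove in-bounds) and return XDP_DROP or XDP_PASS.
 * Non-IPv4 or unparseable frames are passed here; a default-deny deployment
 * would return XDP_DROP for them instead. */
static inline __attribute__((always_inline))
int policy_verdict(const void *data, const void *data_end)
{
    const struct eth_hdr *eth = data;
    if ((const void *)(eth + 1) > data_end || be16(eth->type) != ETHERTYPE_IPV4)
        return XDP_PASS;
    const struct ip4_hdr *ip = (const void *)(eth + 1);
    if ((const void *)(ip + 1) > data_end || (ip->ver_ihl >> 4) != 4)
        return XDP_PASS;
    uint32_t ihl = (uint32_t)(ip->ver_ihl & 0x0F) * 4;
    if (ihl < sizeof(*ip))
        return XDP_PASS;                                   /* malformed IHL */

    uint32_t saddr = be32(ip->saddr);
    uint16_t dport = 0;                                    /* 0 = port unknown */
    /* Only a first fragment carries the L4 header; later fragments can match
     * network-wide rules but never port rules, so a real policy must decide
     * deliberately whether to drop such fragments outright. */
    if ((be16(ip->frag) & 0x1FFF) == 0 &&
        (ip->protocol == PROTO_TCP || ip->protocol == PROTO_UDP)) {
        const struct l4_ports *l4 = (const void *)((const uint8_t *)ip + ihl);
        if ((const void *)(l4 + 1) > data_end)
            return XDP_PASS;
        dport = be16(l4->dport);
    }

    for (int i = 0; i < NDENY; i++) {                      /* bounded loop: verifier-safe */
        const struct deny_rule *r = &DENY[i];
        if ((saddr & r->mask) != r->net) continue;
        if (r->proto && r->proto != ip->protocol) continue;
        if (r->dport && r->dport != dport) continue;
        return XDP_DROP;
    }
    return XDP_PASS;
}

#if defined(__bpf__)
SEC("xdp")
int xdp_drop_policy(struct xdp_md *ctx)
{
    return policy_verdict((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char _license[] SEC("license") = "GPL";
#else
#define FRAME_LEN 54                                       /* 14 eth + 20 ip + 20 tcp */
/* Constructed IPv4/TCP SYN frame; checksums stay zero, the policy never reads them. */
static size_t build_tcp_frame(uint8_t *buf, uint32_t saddr, uint32_t daddr, uint16_t dport)
{
    for (int i = 0; i < FRAME_LEN; i++) buf[i] = 0;
    buf[12] = 0x08; buf[13] = 0x00;                        /* EtherType IPv4 */
    uint8_t *ip = buf + 14, *tcp = buf + 34;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = PROTO_TCP;   /* v4, IHL 5, len 40, TTL 64 */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    tcp[0] = 0xC0; tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;  /* sport 49152 */
    tcp[12] = 0x50; tcp[13] = 0x02;                        /* data offset 5, SYN */
    return FRAME_LEN;
}
/* Classify a constructed frame saddr -> 10.0.0.5:dport, truncated to `len` bytes if shorter. */
int classify_tcp(uint32_t saddr, uint16_t dport, size_t len)
{
    uint8_t frame[FRAME_LEN];
    size_t n = build_tcp_frame(frame, saddr, 0x0A000005u, dport);
    if (len < n) n = len;
    return policy_verdict(frame, frame + n);
}
int main(void)
{
    printf("203.0.113.7  -> tcp/443: %s\n", classify_tcp(0xCB007107u, 443, FRAME_LEN) == XDP_DROP ? "DROP" : "PASS");
    printf("198.51.100.9 -> tcp/23 : %s\n", classify_tcp(0xC6336409u, 23,  FRAME_LEN) == XDP_DROP ? "DROP" : "PASS");
    printf("198.51.100.9 -> tcp/443: %s\n", classify_tcp(0xC6336409u, 443, FRAME_LEN) == XDP_DROP ? "DROP" : "PASS");
    return 0;
}
#endif
```

Two things to notice when comparing this with an iptables chain: every packet-pointer dereference is preceded by a comparison against `data_end`, because the verifier refuses to load a program that could read past the frame; and the `static const` table only works on kernels and loaders that support BPF global data (libbpf places it in `.rodata`). Truncated frames are passed rather than dropped in this example, which is the permissive choice; flip that default for an ingress scrubber.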
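The [00:26:15] segment says that translating intermixed allows and denies into the allow-only form cloud security groups accept can split networks and blow through rule limits. The C program below, an added example and not Aviatrix's implementation, shows the mechanism: under first-match semantics each allow range is carved up by the denies that precede it, and every surviving range must then be re-expressed as CIDR blocks, so a four-rule policy turns into eleven security-group rules. The sample policies, the rule limit of 10, and all helper names are constructed for illustration.

```c
/* allow_only.c: translate an ordered allow/deny policy (first match wins) into the
 * allow-only form that cloud security groups accept, then count the CIDR rules the
 * cloud would need.  Added example, not Aviatrix code; the sample policies, the
 * rule limit and all helper names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t lo, hi; } range_t;        /* inclusive IPv4 range */
typedef struct { range_t src; int allow; } rule_t;  /* source-address rule; allow=0 is a deny */

#define MAX_PIECES 64   /* fragments one allow may split into */
#define MAX_OUT    256  /* allow-only ranges across the whole policy */

/* Remove `cut` from every range in in[0..n); survivors go to out (cap entries).
 * Returns the new count, or -1 if the cap is exceeded. */
static int subtract_all(const range_t *in, int n, range_t cut, range_t *out, int cap)
{
    int m = 0;
    for (int i = 0; i < n; i++) {
        range_t r = in[i];
        if (cut.hi < r.lo || cut.lo > r.hi) {               /* disjoint: keep whole */
            if (m == cap) return -1;
            out[m++] = r;
            continue;
        }
        if (cut.lo > r.lo) {                                /* survivor left of the cut */
            if (m == cap) return -1;
            out[m++] = (range_t){ r.lo, cut.lo - 1 };
        }
        if (cut.hi < r.hi) {                                /* survivor right of the cut */
            if (m == cap) return -1;
            out[m++] = (range_t){ cut.hi + 1, r.hi };
        }
    }
    return m;
}

/* First-match semantics: traffic reaches allow rule i only if no earlier rule matched,
 * so the allow-only equivalent is each allow range minus every deny that PRECEDES it.
 * A deny placed after an allow is shadowed and emits nothing.
 * Returns the number of ranges written, or -1 if out_cap is exceeded. */
int to_allow_only(const rule_t *rules, int n, range_t *out, int out_cap)
{
    int total = 0;
    for (int i = 0; i < n; i++) {
        if (!rules[i].allow) continue;
        range_t a[MAX_PIECES], b[MAX_PIECES], *cur = a, *nxt = b, *tmp;
        int cnt = 1;
        cur[0] = rules[i].src;
        for (int j = 0; j < i; j++) {
            if (rules[j].allow) continue;
            cnt = subtract_all(cur, cnt, rules[j].src, nxt, MAX_PIECES);
            if (cnt < 0) return -1;
            tmp = cur; cur = nxt; nxt = tmp;
        }
        for (int k = 0; k < cnt; k++) {
            if (total == out_cap) return -1;
            out[total++] = cur[k];
        }
    }
    return total;
}

/* Security groups take CIDR blocks, not arbitrary ranges: count the blocks that cover
 * an inclusive range exactly (10.0.0.0-10.0.4.255 needs a /22 plus a /24). */
int cidr_blocks(range_t r)
{
    uint64_t lo = r.lo, hi = r.hi;                /* 64-bit so 255.255.255.255 + 1 cannot wrap */
    int n = 0;
    while (lo <= hi) {
        int bits = 0;                             /* grow the block while aligned and inside */
        while (bits < 32 && ((lo >> bits) & 1) == 0 && lo + (1ULL << (bits + 1)) - 1 <= hi)
            bits++;
        lo += 1ULL << bits;
        n++;
    }
    return n;
}

int allow_only_count(const rule_t *rules, int n)
{
    range_t out[MAX_OUT];
    return to_allow_only(rules, n, out, MAX_OUT);
}

/* CIDR rules the cloud would need, or -1 when the policy cannot be expressed within `limit`. */
int cidr_rules_needed(const rule_t *rules, int n, int limit)
{
    range_t out[MAX_OUT];
    int cnt = to_allow_only(rules, n, out, MAX_OUT), total = 0;
    if (cnt < 0) return -1;
    for (int i = 0; i < cnt; i++) total += cidr_blocks(out[i]);
    return total > limit ? -1 : total;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define COUNT(x) ((int)(sizeof(x) / sizeof((x)[0])))
#define QUAD(x) (unsigned)((x) >> 24), (unsigned)((x) >> 16 & 255), (unsigned)((x) >> 8 & 255), (unsigned)((x) & 255)

const rule_t POLICY_INTERMIXED[] = {                  /* constructed sample policy */
    { { IP4(10,0,5,0),  IP4(10,0,5,255)   }, 0 },     /* deny  10.0.5.0/24  */
    { { IP4(10,0,9,0),  IP4(10,0,9,255)   }, 0 },     /* deny  10.0.9.0/24  */
    { { IP4(10,0,0,0),  IP4(10,0,255,255) }, 1 },     /* allow 10.0.0.0/16  */
    { { IP4(192,0,2,0), IP4(192,0,2,255)  }, 1 },     /* allow 192.0.2.0/24 */
};
const rule_t POLICY_SHADOWED[] = {
    { { IP4(10,0,0,0), IP4(10,0,255,255) }, 1 },      /* allow first ...              */
    { { IP4(10,0,5,0), IP4(10,0,5,255)   }, 0 },      /* ... so this deny never fires */
};

int main(void)
{
    range_t out[MAX_OUT];
    int n = to_allow_only(POLICY_INTERMIXED, COUNT(POLICY_INTERMIXED), out, MAX_OUT);
    for (int i = 0; i < n; i++)
        printf("allow %u.%u.%u.%u - %u.%u.%u.%u  (%d CIDR blocks)\n",
               QUAD(out[i].lo), QUAD(out[i].hi), cidr_blocks(out[i]));
    printf("%d mixed rules -> %d allow-only ranges -> %d CIDR rules; with a limit of 10: %s\n",
           COUNT(POLICY_INTERMIXED), n, cidr_rules_needed(POLICY_INTERMIXED, COUNT(POLICY_INTERMIXED), 60),
           cidr_rules_needed(POLICY_INTERMIXED, COUNT(POLICY_INTERMIXED), 10) < 0 ? "cannot express" : "fits");
    return 0;
}
```

The policy with two denies before the /16 allow yields three carved ranges plus the untouched /24, and re-expressing the carved ranges as CIDR blocks costs 2 + 2 + 6 + 1 = 11 rules; with a per-group limit of 10 the translation fails, which is the "policy expression is not possible" case from the episode. Reordering the same rules so the allow comes first silently shadows the deny and produces a single rule, so a translator must preserve the original match order rather than grouping allows and denies. Real security groups also carry direction, protocol and port dimensions, each of which can multiply the count further.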