Most people are familiar with fractals, if not by name but by appearance. Wikipedia defines a fractal as “…a natural phenomenon or a mathematical set that exhibits a repeating pattern that displays at every scale.” Perhaps the most famous example of a fractal is the Mandelbrot set, which is shown below.
Figure 1: The Mandelbrot Set. Image Copyright Wikimedia - Creative Commons.
The key takeaway here is that no matter how far you “zoom in” on the fractal, the patterns you see will repeat themselves forever. You can view an animated example of the Mandelbrot set here: https://www.youtube.com/watch?v=PD2XgQOyCCk
With that being said, how can we apply fractals to the world of network security? Can we build a repeatable security structure that looks the same at different scales by repeating the same structures at different points in your infrastructure? What would you stand to gain by considering building and deploying a structure such as this?
I believe you could see the following benefits:
How might a fractalized security structure look? Using a carrier-level security deployment as an example, your security structure should be quickly recognizable at any level: enterprise, SMB and the consumer/home level. Architects could build a segmentation and micro-segmentation model across all their assets (data center/cloud, network, consumer gateways) in order to take advantage of these benefits. A fractal-like security system presents attackers with a flattened attack surface with little to no hand-holds to gain access. Conversely, any flaws or weaknesses found will impact all fractals… but the silver lining to that is simply that once a flaw is found, your team will be able to identify the weakness and determine the scope of work required to remediate the weakness. Another potential mitigation to a weakness is to build your system using the fractalized “geometry” and use different “elements” - for example, by using the same reference design and apply them to a mixture of products from different vendors. Keep in mind though: using too many vendors greatly increases your operational complexity and will increase your operational costs. By deploying solutions from multiple vendors, you avoid the issues surrounding a security “mono-culture”, but still gain the benefits of a fractalized infrastructure.
These ideas will likely become much more important and relevant as the Internet of Things (IoT) gains more and more traction. IoT communications will be constant - both from the “north-south” (data moving from the endpoint to the gateway to the network and to the data center or cloud) and from the “east-west” (data moving locally inside the same segments to allow devices to communicate with each other). In the world of IoT, many devices will utilize the same shared infrastructure at every level (data center/cloud, network, and gateway)… which means that if your security model isn’t consistent across and within all of those levels, attackers will target and exploit the weakest links exactly like they would if they found a flaw.
Moving forward, I believe security architects may be able to gain significant advantages in developing solutions and infrastructures that take advantage of the strength of fractals. By using the ideas around similarity and scalability at every level of your network, you can prepare for the inevitability of millions of new network-aware devices connecting to your infrastructure. The IoT explosion is on the way; thinking about fractals in relation to security may be one way to be ready for it.
Tyson Macaulay is Fortinet’s Chief Security Strategist and Vice President of Security Services. Tyson is an accomplished researcher and author, and his new book RIOT Control: Understanding and Managing Risks and the Internet of Things, will be available soon. Prior to Fortinet, Tyson was CTO for Telecommunications Security at Intel and Security Liaison Officer at Bell Canada.