Network systems automation techniques

(To George Tosi)

The reference to the use of automation techniques and possibly AI (Artificial Intelligence) has become common practice in addressing many data analysis problems from which to draw information on the future behavior of complex systems.

In reality, the possibility for a system to react autonomously to particular events in order to standardize behavior is something that has been present in many devices for some time. In these notes we will examine an example of the functionalities available on some nodes of the enterprise networks (to date all based on the IP protocol) that allow:

The recognition of a specific event

The creation of a policy to be applied in case the event in question occurs

The application of the policy to the system with the following modification of its behavior.

All major vendors of IP network devices (Cisco Systems, Juniper Networks, Arista Networks,…) offer, under different names, such functionality.

Without going into the specifics of each system, I would simply like to illustrate the operating principle to offer an idea of ​​how there are, even in the field of network devices, tools and functions that allow the automation of the behavior of the nodes in the face of specific events.

The spread of these tools could also lead to solutions that, in synergy with AI-based security techniques (read article) allow to intervene effectively in the face of specific problems, avoiding that the threat or compromise attempt can reach the final systems (servers or individual workstations).

I will therefore refer to a hypothetical network device. The node in question provides a development environment focused on the implementation of automation features.

Very often this environment is developed on the basis of a Linux system optimized to run on an "auxiliary" processor inside the network node. The great advantage of such a solution derives from being able to exploit many (although not all) of the libraries and languages ​​available in Linux. In addition to this, the possibility, offered by the manufacturers of the network node, to access the main features of use of the node itself from this Linux environment must be added.

It is therefore possible to access specific parameters of the interfaces through a library (supplied by the manufacturer) which allows to know, for example, the number of packets transited in input-output from a specific port or to identify malformed packets (too large or too small or with errors, ...). These features are not limited to the characteristics of the interface, but can affect other subsystems of the node such as the routing level or some of the physical characteristics of the system (temperature, fan status, etc.).

I can therefore define a specific event based on the occurrence of a predetermined condition: exceeding the number of CRC errors on a port, changing a routing table, exceeding a threshold value regarding the system temperature, the load CPU or memory occupation.

At this point, the event thus defined can be used as a trigger for a specific action (policy): disable a door, send a message (in different ways) to the system administrator, intervene on the configuration to change a route default and so on.

All actions can be performed through scripts or executable programs: typically systems offer the possibility of using the main languages, therefore Python, Perl, Ruby and a native environment based on its own command interface.

This feature opens up a whole series of possible very interesting implications also from the point of view of network security.

If it were possible, using tools external to the system and based on AI, in the perspective defined by the aforementioned article, to properly instruct and communicate the presence of a possible identified threat to the system, it would be possible to intervene immediately (or in an extremely short time). The hypothesized intervention would therefore block the specific connection and, at the same time, would implement a specific policy previously defined, thus intervening on the configuration of the system itself.

In this way it could be possible, for example, to isolate a specific domain, considered unreliable, while ensuring the maintenance of connectivity globally.

Naturally, the synergies between network equipment and security systems are subject to analysis and development by all the main vendors who are able to offer tools for identifying and containing cyber threats, which, when properly configured and used, are very effective. .

rheinmetal defense