With old IP networks, security is implemented by devices that are deployed at the edge. However, in the cloud era - where data centre and networks converge and access becomes increasingly mobile, the concept of the perimeter disappears. But the good news is that the New IP – a modern approach to networking that emphasises open, automated, software-defined elements to increase agility and reduce costs - allows deployment of security so that the network can be pervasively vigilant.
Security is improved with network virtualization
Deploying services as Virtualized Network Functions (VNFs) is a simple but powerful approach. Services such as routing, load balancing, application delivery and security, Web and network firewalls, and VPN can be moved in real time and through remote management that does not require physical redeployment and human capital, delivering significant OpEx and CapEx savings. The cost savings deliver the flexibility to distribute functionality more appropriately, but with the same performance. Security can be distributed where needed, or distributed ubiquitously. And services can be removed when no longer needed. This gives the ability to truly customise security by geography or location, by function, by group, by individual or by application.
This embedded security posture allows organisations to address compliance assurance from site to cloud, employee to application resource, and tiering of security via IPsec encryption, remote access VPNs, stateful firewall, and Web application security embedded in virtual routers and virtual application delivery controllers.
Security on an SDN Controller
With an underlying network fabric, you can create a simplified flat, VM-aware network topology, inherently increasing security by design. Using flow technologies and a programmable SDN controller allows a centralised view of network behaviour, giving the ability to immediately take action against security threats within the infrastructure and push policies to the network in real time. Advanced messaging can be utilised so that every element in the network automatically generates its state and condition and pushes it to a centralised repository for real-time analysis - a step towards security empowered by machine learning.
With networks constantly under attack, native data encryption from a network device in the data centre, LAN and WAN, can protect data going across a link. This can be done without impacting performance or incurring the cost and complexity of backhauling traffic to specialised devices, and is especially critical when network links are not under an organisation’s physical control - such as between data centres, between sites, and between sites and the cloud.
Application and User Awareness for Client-to-Application Security
Accessing critical business applications requires multiple layers of protection, with interaction from business-to-consumer increasingly needing more secure web-based application access on a growing apps traffic volume. Application delivery controllers that can handle expanding SSL-based traffic with an integrated Web application firewall are needed, along with the flexibility to target individual users or customer groups with unique security requirements per application.
Security Is Open, Not Closed
With old IP networks, point security appliances such as firewalls, IPS/IDS, DPI, analytics tools, encryption-at-rest and encryption-in-flight, etc., each address specific security challenges. There is no information exchange and collaboration between them, and no security services abstraction layer that takes advantage of key learnings from all sources.
But the New IP –with its hybrid hardware and software implementation, offers a standardised way to interact and communicate with any device or sensor (physical or virtual) via an SDN controller. All the data from sensors can be collected and delivered to an analytics engine for visualisation, identification, and action. The behaviour of any device can be changed as you can communicate, program, and write to it. This creates the ability to extract data from the network and understand it as one system, through a security data exchange within a multivendor ecosystem, and APIs that allow for interaction with various security elements for more extensive security data collection, correlation, and enforcement.
Security Is Based on Behaviour, Not Just Identity
New IP networks can consider behaviour rather than just identity when applying security policy. With behaviour-based security, the system gets deeper insights into typical and atypical actions and into preliminary steps in the attack process, allowing it to not only mitigate attacks already occurring but prevent potential attacks. Bear in mind that most breaches have an inside element, so identity management cannot be relied on to detect an attack. A means is needed to detect insider attacks and protect the system against those who have gained legitimate access. Behavioural analysis of risk factors, indicators of what is abnormal activity, and detection of out-of-context behaviour is crucial.
Security Is Self-Learning, Not Static
The security system in New IP architectures is continually learning and self-optimising, unlike traditional systems that rely on pattern matching with databases that get updated periodically. In that case, if an exploit doesn’t fit into any of the patterns, the security system doesn’t recognise it as a threat. New IP architectures are more agile and can self-improve. Applying Big Data and machine learning concepts to network behaviour allows a change from a reactive to a proactive security posture, from descriptive to predictive analytics, and ultimately, from a static to a self-learning or adaptive network.
Gary Denman is Senior Director for Australia and New Zealand of Brocade