New IP principles of security for enhanced cybersecurity

By George Chacko, Principal Systems Engineering and Lead Technical Consultant, Brocade India

Traditionally, security on IP networks has been implemented by devices deployed at the edge. In the cloud era, however, where data centers and networks converge and access becomes increasingly mobile, the concept of the perimeter disappears. The good news is that the New IP, a modern approach to networking that emphasizes open, automated, software-defined elements to increase agility and reduce costs, allows security to be deployed so that the network can be pervasively vigilant.

Security is enhanced with network virtualization

Deploying services such as Virtualized Network Functions (VNFs) is a simple yet powerful approach. Services such as routing, load balancing, application delivery and security, Web and network firewalls, and VPN can be moved in real time through remote management, without physical redeployment or the human capital that requires, delivering significant OpEx and CapEx savings. The cost savings give the flexibility to distribute functionality more appropriately, with the same performance. Security can be distributed where needed or distributed ubiquitously, and services can be removed when no longer needed. This gives the ability to truly customize security by geography, function, group, and application.

This embedded security posture allows organizations to address compliance assurance from site to cloud, employee to application resource, and tiering of security via IPsec encryption, remote access VPNs, stateful firewall, and Web application security embedded in virtual routers and virtual application delivery controllers.

Security on an SDN Controller

With an underlying network fabric, you can create a simplified flat, VM-aware network topology, inherently increasing security by design. Using flow technologies and a programmable SDN controller allows a centralized view of network behavior. It also provides the ability to take action and push policies to the network in real time. This centralized real-time view of the entire network provides a critical capability to recognize and immediately react to security threats within the infrastructure. Further, advanced messaging can be utilized so that every element in the network automatically generates its state and condition and pushes it to a centralized repository for real-time analysis – a step towards security empowered by machine learning.

Encrypting Data-in-Flight

A key aspect of data protection is securing data-in-flight. With networks constantly under attack, native data encryption from a network device in the data center, LAN, and WAN can protect data going across a link. This can be done without impacting performance or incurring the cost and complexity of backhauling traffic to specialized devices, and it is especially critical when network links are not under an organization's physical control, such as between data centers, between sites, and between sites and the cloud.

Application and User Awareness for Client-to-Application Security

Accessing critical business applications requires multiple layers of protection, as business-to-consumer interaction increasingly requires more secure web-based application access across a growing volume of application traffic. Application delivery controllers that can handle expanding SSL-based traffic with an integrated Web application firewall are needed, along with the flexibility to target individual users or customer groups with unique security requirements per application.

Security Is Open, Not Closed

With old IP networks, point security appliances such as firewalls, IPS/IDS, DPI, analytics tools, encryption-at-rest and encryption-in-flight each solve specific security challenges. There is no information exchange between these security silos, and there is no security services abstraction layer that takes advantage of key learnings from all sources.

But the New IP, with its hybrid hardware and software implementation, offers a standardized way to interact and communicate with any device or sensor (physical or virtual) via an SDN controller. All the data from sensors can be collected and delivered to an analytics engine for visualization, identification, and action. The behavior of any device can be changed, since you can communicate with it, program it, and write to it. This creates the ability to extract data from the network and understand it as one system.
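The two ideas above, elements pushing their own state to a central repository (the SDN controller section) and the controller treating the fabric as one system that it can read from and write policy to, can be shown in a small model. The following is an added example, not code from the article or from Brocade: a central state repository that ingests reports from physical and virtual elements, ignores replayed or stale reports, notices elements that should exist but have never reported, and reconciles each element's reported ACL rules and link-encryption state against intended policy, emitting the pushes that close the gap. Element names, rule strings, and the `PolicyPush` action vocabulary are all constructed for the example.

```python
"""Central state repository and policy reconciliation (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ElementState:
    element_id: str
    kind: str                        # "physical" or "virtual"
    acl_rules: Set[str] = field(default_factory=set)
    link_encryption: bool = False
    seq: int = 0                     # sequence number of the latest accepted report


@dataclass(frozen=True)
class PolicyPush:
    element_id: str
    action: str                      # hypothetical vocabulary: add_rule / remove_rule / enable_encryption
    detail: str = ""


class StateRepository:
    """Every element pushes its own state; the controller keeps the latest report per element."""

    def __init__(self) -> None:
        self.elements: Dict[str, ElementState] = {}

    def ingest(self, report: dict) -> bool:
        eid = report["element_id"]
        current = self.elements.get(eid)
        if current is not None and report["seq"] <= current.seq:
            return False             # stale or replayed report: keep the newer state
        self.elements[eid] = ElementState(eid, report["kind"], set(report["acl_rules"]),
                                          report["link_encryption"], report["seq"])
        return True

    def silent_elements(self, inventory: Set[str]) -> Set[str]:
        """Elements expected in the fabric that have never reported: a blind spot, not good news."""
        return inventory - set(self.elements)


def reconcile(repo: StateRepository, intended_rules: Set[str], must_encrypt: Set[str]) -> List[PolicyPush]:
    """Compare each element's reported state with intended policy; return the pushes that close the gap."""
    pushes: List[PolicyPush] = []
    for eid, st in sorted(repo.elements.items()):
        for rule in sorted(intended_rules - st.acl_rules):
            pushes.append(PolicyPush(eid, "add_rule", rule))
        for rule in sorted(st.acl_rules - intended_rules):
            pushes.append(PolicyPush(eid, "remove_rule", rule))
        if eid in must_encrypt and not st.link_encryption:
            pushes.append(PolicyPush(eid, "enable_encryption"))
    return pushes


# Constructed reports, in the shape the elements would push them (hypothetical names and rules).
REPORTS = [
    {"element_id": "vrouter-01", "kind": "virtual", "seq": 1, "link_encryption": True,
     "acl_rules": ["deny tcp any any 23", "permit tcp 10.0.0.0/8 any 443"]},
    {"element_id": "edge-sw-07", "kind": "physical", "seq": 5, "link_encryption": False,
     "acl_rules": ["permit tcp 10.0.0.0/8 any 443", "permit tcp any any 23"]},   # drifted
    {"element_id": "vfw-02", "kind": "virtual", "seq": 2, "link_encryption": False,
     "acl_rules": ["deny tcp any any 23", "permit tcp 10.0.0.0/8 any 443"]},
    {"element_id": "vrouter-01", "kind": "virtual", "seq": 0, "link_encryption": False,
     "acl_rules": []},                                                           # replayed old report
]
INTENDED_RULES = {"deny tcp any any 23", "permit tcp 10.0.0.0/8 any 443"}
MUST_ENCRYPT = {"vrouter-01", "edge-sw-07"}          # elements with WAN-facing links
INVENTORY = {"vrouter-01", "edge-sw-07", "vfw-02", "vadc-03"}


def run_demo():
    """Ingest the constructed reports and return (accepted flags, pushes, silent elements)."""
    repo = StateRepository()
    accepted = [repo.ingest(r) for r in REPORTS]
    return accepted, reconcile(repo, INTENDED_RULES, MUST_ENCRYPT), repo.silent_elements(INVENTORY)


if __name__ == "__main__":
    _, pushes, silent = run_demo()
    for p in pushes:
        print(f"push to {p.element_id}: {p.action} {p.detail}".rstrip())
    print("silent elements:", sorted(silent))
```

Two details matter for a defender. The sequence-number check keeps a replayed or delayed report from rolling an element's recorded state backwards, which would otherwise make a correctly configured router look as if it had lost its ACLs and trigger a spurious push. And `silent_elements` treats an element that never reports as a finding in its own right: a centralized view is only as complete as the set of elements that actually feed it.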

Security Is Based on Behavior, Not Just Identity

New IP networks can take into consideration behavior (what, when, where, and why) rather than just identity (who) when applying security policy. With behavior-based security, the system gets deeper insights into typical and atypical actions and into the preliminary steps of the attack process, allowing it not only to mitigate or stop attacks already under way but also to prevent potential attacks. Additionally, since most breaches have an inside element, identity management cannot be relied on to detect an attack. You need a means to detect insider attacks, protecting the system against those who have legitimate access. Behavioral analysis of risk factors, indicators of abnormal activity, and detection of out-of-context behavior are crucial.

Security Is Self-Learning, Not Static

The security system in New IP architectures is continually learning and self-optimizing. As it monitors behavioral patterns and looks for preliminary attack activities, the system can predict the likelihood of an attack. This is unlike traditional systems that rely on pattern matching with databases that get updated periodically. In that case, if an exploit doesn’t fit into any of the patterns, the security system doesn’t recognize it as a threat. New IP architectures are more agile and can self-improve in that regard. Applying Big Data and machine learning concepts to network behavior allows you to go from a reactive to a proactive security posture, from descriptive to predictive analytics, and ultimately, from a static to a self-learning or adaptive network.
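The contrast drawn in the last two sections, a static pattern list versus a per-user behavioral baseline that keeps learning, is easiest to see on data. The following is an added example, not code from the article or from Brocade, run over constructed access events: `signature_alerts` flags only actions already on a fixed list, while `BehaviorBaseline` profiles each user's usual time blocks, sites, resources, and actions (the what, when, where, and how of the text) and scores events that fall outside that profile, including a preliminary attack step the signature list cannot name, a burst of distinct resources that looks like enumeration. After each run, the events that were not flagged are folded back into the baseline. User names, sites, resource names, weights, and thresholds are all constructed for the example.

```python
"""Behavior-based detection with a self-updating baseline (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: int         # minutes since midnight (constructed timestamp)
    user: str       # who: the identity
    site: str       # where: the site the request came from
    resource: str   # what: the application or data set touched
    action: str     # how: read / list / export


# Static approach: a fixed list of known-bad patterns, changed only when someone edits it.
KNOWN_BAD_ACTIONS = {"export"}


def signature_alerts(events: List[AccessEvent]) -> List[AccessEvent]:
    """Pattern matching: flags only what is already on the list."""
    return [e for e in events if e.action in KNOWN_BAD_ACTIONS]


class BehaviorBaseline:
    """Per-user profile of typical time blocks, sites, resources and actions, learned from history."""
    BLOCK = 240          # minutes per time block (six four-hour blocks per day)
    WINDOW = 10          # minutes covered by the enumeration check
    ENUM_LIMIT = 4       # more distinct resources than this per window reads as enumeration
    ALERT_THRESHOLD = 2  # constructed weights: hour/site/resource 1 each, action 2, enumeration 2

    def __init__(self) -> None:
        self.blocks: Dict[str, Set[int]] = defaultdict(set)
        self.sites: Dict[str, Set[str]] = defaultdict(set)
        self.resources: Dict[str, Set[str]] = defaultdict(set)
        self.actions: Dict[str, Set[str]] = defaultdict(set)
        self.recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)

    def learn(self, events: List[AccessEvent]) -> None:
        for e in events:
            self.blocks[e.user].add(e.ts // self.BLOCK)
            self.sites[e.user].add(e.site)
            self.resources[e.user].add(e.resource)
            self.actions[e.user].add(e.action)

    def score(self, e: AccessEvent) -> Tuple[int, List[str]]:
        """Score one event against its user's baseline; higher means more out of context."""
        reasons: List[str] = []
        if e.user not in self.blocks:
            return 3, ["no baseline for user"]
        if e.ts // self.BLOCK not in self.blocks[e.user]:
            reasons.append("unusual hour")
        if e.site not in self.sites[e.user]:
            reasons.append("unusual site")
        if e.resource not in self.resources[e.user]:
            reasons.append("unusual resource")
        score = len(reasons)
        if e.action not in self.actions[e.user]:
            reasons.append("unusual action")
            score += 2
        # Sliding window over the user's recent events: many distinct resources in a short time
        # is a preliminary step of an attack, even when each single access looks ordinary.
        window = self.recent[e.user]
        window.append((e.ts, e.resource))
        while window and window[0][0] < e.ts - self.WINDOW:
            window.popleft()
        if len({r for _, r in window}) > self.ENUM_LIMIT:
            reasons.append("resource enumeration")
            score += 2
        return score, reasons

    def detect(self, events: List[AccessEvent]) -> List[Tuple[AccessEvent, int, List[str]]]:
        """Flag out-of-context events in time order, then fold the quiet ones back into the baseline."""
        alerts, quiet = [], []
        for e in sorted(events, key=lambda x: x.ts):
            score, reasons = self.score(e)
            (alerts if score >= self.ALERT_THRESHOLD else quiet).append((e, score, reasons))
        self.learn([e for e, _, _ in quiet])   # self-learning: only unflagged events move the baseline
        return alerts


# Constructed history used to build the baseline.
HISTORY = [
    AccessEvent(9 * 60 + 15, "alice", "hq", "crm", "read"),
    AccessEvent(13 * 60 + 40, "alice", "hq", "wiki", "read"),
    AccessEvent(16 * 60 + 5, "alice", "hq", "crm", "read"),
    AccessEvent(8 * 60 + 30, "bob", "branch-2", "share-01", "list"),
    AccessEvent(14 * 60 + 10, "bob", "branch-2", "share-02", "read"),
]

# Constructed events for the day under analysis.
TODAY = [
    AccessEvent(10 * 60 + 5, "alice", "hq", "crm", "read"),            # ordinary
    AccessEvent(2 * 60 + 30, "alice", "remote-x", "payroll", "read"),  # 02:30, new site, new resource
    AccessEvent(11 * 60, "alice", "hq", "crm", "export"),              # the one case the signature list knows
] + [
    AccessEvent(14 * 60 + i, "bob", "branch-2", f"share-0{i + 1}", "list")
    for i in range(6)                                                  # share-01..share-06 in six minutes
]


def run_demo() -> Tuple[int, List[Tuple[AccessEvent, int, List[str]]], BehaviorBaseline]:
    """Return (signature hit count, behavioral alerts, the baseline after learning)."""
    baseline = BehaviorBaseline()
    baseline.learn(HISTORY)
    return len(signature_alerts(TODAY)), baseline.detect(TODAY), baseline


if __name__ == "__main__":
    sig_hits, alerts, _ = run_demo()
    print(f"signature alerts: {sig_hits}")
    for e, score, reasons in alerts:
        print(f"{e.user} {e.ts // 60:02d}:{e.ts % 60:02d} {e.resource} {e.action} score={score} {reasons}")
```

On this data the signature list fires once (the export), while the baseline flags the off-hours access from an unknown site, the export (an action alice has never performed), and the fifth and sixth shares in bob's burst. The feedback step is also where the caveat lives: bob's third and fourth shares score below the threshold and are learned as normal, so a slow enough enumeration can shift the baseline. A production system would age out learned entries and route sub-threshold but repeated deviations to review rather than trusting them silently.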
