With regards to network security and setting perimeters, what constitutes legitimate network activity? Unfortunately, the answer is becoming increasingly complex, reflecting more sophisticated policies, business initiatives, and compliance requirements that are stretching the capabilities of today's enterprise networks. As a result, organizations are rethinking their network security requirements and looking to build policy awareness and enforcement into the fabric of the network.
Initially, network security policies were relatively simple to design. The primary objective was to partition the “trusted” internal network and systems from the “untrusted” external world. Securing the network perimeter could be implemented after the high-performance internal network had been laid down with a relatively small number of appliances and policy rules, depending on what internal services needed to be made available to external users (usually web access, email, and remote access for external employees).
At an increasingly rapid rate, this level of sophistication is breaking down, dramatically increasing the costs of deploying and managing network security policies. There are a number of trends driving this increasing burden. The primary factors usually cited are:
- Prevalence of insider threats
- Malware on the internal network
- Presence of more untrusted users and systems on the internal network
- An increase in compliance, regulatory and risk management initiatives
In response to these challenges and the internal nature of threats, organizations are moving from a secure perimeter to a Secure Network Fabric. A Secure Network Fabric is a vision of how secure networks will be built in the future, reflecting the pervasive need for security and policy enforcement throughout the network, and is characterized by a few key features:
- Real-time Automated Remediation – many security products take the approach of alerting or logging every problem, attack or security breach. This, however, requires manual intervention to actually fix the problem, which takes a great deal of time compared to the rate at which threats can propagate internally. A superior approach is to block or remediates threats in real-time within the network, by intelligently identifying illegitimate network packets or activity and dropping the offending traffic. This reduces the delays and costs of manual intervention and proactively halts the malicious activity. Real-time analysis and remediation has to be done without reducing network performance, however.
- Global Enforcement – rather than just protecting a network from the outside world with a secure perimeter, or protecting high-risk assets from segments of the network through chokepoints, modern security policies have to be enforced everywhere. The fabric of the network has to be inherently secure, with security devices embedded in the network topology. This reflects the pervasive nature of policy enforcement requirements and the proliferation of internal security devices.
- Centralized Management Platform – as security devices (firewalls, IPS, NAC) become more ubiquitous, the policy management framework has to be more centralized. The goal is to define the policy once, centrally, and enforce it everywhere. This will reduce inconsistencies, management overhead and costs, and will allow for more sophisticated policies in the future. Admins will worry less about firewall rules, and begin to align their networks with compliance and risk management initiatives to become more responsive to changes in broader business needs.
Figure 1. – A Secure Network Fabric is characterized by a comprehensive network security portfolio embedded at all points of the network and managed under a unified policy framework.
Building out a Secure Network Fabric takes a multi-pronged, multi-layer defense-in-depth approach to analyzing traffic and making policy enforcement decisions. For this reason the trend in security products has been towards tighter integration between firewalls, intrusion prevention systems, and other devices. There is less reliance on doing these policy enforcement tasks on endpoint systems, which may not be trusted and usually offers only partial remediation. A Secure Network Fabric relies on advanced packet analysis and policy enforcement features of next generation systems to implement more sophisticated policies.
Policy definitions fall within a spectrum of complexity, from granular, low-level policies that are focused on specific devices, all the way up to highly sophisticated compliance and risk management initiatives that are independent of the network design. For the network to meet these business needs, various policies may have to be implemented across the entire spectrum. Leading organizations, however, as their policies mature, are building Secure Network Fabrics that better align their networks with rapidly evolving business and compliance requirements, while reducing complexity and management costs.
We are also seeing the networking infrastructure becoming more inseparable from the security and policy enforcement points that are now embedded throughout the network, and from the centralized policy management system that oversees network and security operations. As the sophistication of policies grow beyond simple binary access control decisions, the same network infrastructure can be expected to make policy decisions on quality of service (QoS) to make networks more efficient and cost effective.
As a result, enterprises are now looking to their networking infrastructure vendor to be their strategic security solution provider as well. There is more of premium being placed on embedded policy enforcement solutions, and high-performance security devices that can interoperate with the intelligence of the switch to realize the vision of a Secure Network Fabric. Multi-vendor, best-of-breed security appliances are becoming harder to justify from both a price-performance perspective, as well as difficulty in seamlessly integrating into the network fabric. Enterprises are advised to look for a partner with a comprehensive portfolio that covers core to edge, data center and branch office solutions, and a tightly integrated approach to security and networking components under a common management framework with the tools to build out and enforce complex policies.