Challenges Over The Past 18 Months
Enterprise network teams have had to overcome some very large challenges over the past 18 months. Overnight, they had to provide remote access to a large percentage of their organization’s users. Now companies are determining their long-term remote work strategy, all the while defending the network from current and future cyber threats, and network teams are evaluating new solutions to accommodate the needs of the organization. One technology stands out as a solution for remote access, internal networking, security, and branch connectivity: software defined networking is expanding into all areas of networking and is no longer limited to branch connectivity.
Zero trust is an area that continues to grow in popularity and has gained further support from the National Institute of Standards and Technology (NIST) for deployment in government networks. Micro-segmentation is a principle of zero trust, and software defined networking along with automation is making it easier for enterprises to implement. Segmentation can be implemented at multiple layers of the network. This ensures that any device on the network can only reach the resources it requires. For complete segmentation coverage, it should be done at the switching layer as well as at the endpoints. Segmentation of the network not only reduces the potential impact of ransomware spreading, but also reduces an attacker’s ability to traverse your network from a compromised system. In many of the larger ransomware cases, a breach of data had occurred prior to the deployment of the ransomware. Attackers had been in those environments moving freely for days, weeks or even months. Segmentation, together with good identity validation, will reduce the opportunity for unauthorized lateral movement.
Traditional VPN solutions may not provide the necessary security controls and flexibility for remote users’ business needs. One form of software defined networking is secure access service edge, or SASE (pronounced “sassy”). It utilizes the cloud to provide both security and wide-area networking, connecting users securely to a resource in the cloud or in a data center. SASE can provide restricted access using the zero trust concepts of least privilege, user identity confirmation and application segmentation. It can give contractors or auditors easy, secure access that is limited to the resources they need. Some implementations can also provide restricted internet access for remote users, with monitoring capabilities for security teams. SASE needs to be closely evaluated, because current pricing levels make it difficult to justify the recurring expense over the one-time cost of a traditional VPN client.
As I have discussed in previous articles, software defined wide area networking (SD-WAN) is a powerful solution that easily provides high availability, encryption and better performance by utilizing low-cost internet circuits instead of expensive MPLS. It is a great solution with a quick ROI if you intend to replace expensive MPLS. Even if you do not, it still provides additional security and allows for easy redundancy by simply adding an internet or cellular connection alongside the existing circuit.
An additional benefit of software defined networking is the ability to automate many tasks. Many of the solutions provide API access that can be scripted to enforce policy changes. A change can be driven by the onboarding of a user, or it may be triggered by a security event detected by your SIEM. In essence, this can serve as a kill switch that automatically isolates a compromised host as soon as malicious traffic is detected on your network.
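The following is an added example, written for this article and not the API of any vendor’s SDN product, that models the two ideas above together: default-deny segmentation between network segments (the micro-segmentation point) and a SIEM-triggered “kill switch” that moves a host into a quarantine segment where only its EDR check-in is still permitted. The controller class, segment names, device names, the JSON alert shape and the severity scale are all constructed assumptions; a real deployment would replace the in-memory `SegmentationController` with calls to the SDN controller’s policy API and the `ALERTS` list with a SIEM webhook or queue.

```python
import json
from dataclasses import dataclass

# Assumed severity scale used to decide whether an alert is actionable.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from src_segment to dst_segment on a TCP port."""
    src_segment: str
    dst_segment: str
    port: int


class SegmentationController:
    """In-memory stand-in for an SDN controller's policy API (assumed, not a real product)."""

    QUARANTINE = "quarantine"

    def __init__(self):
        self.device_segment = {}   # device id -> segment name
        self.rules = set()         # explicit allow rules; everything else is denied
        self.audit_log = []        # (device, old_segment, new_segment, reason)

    def assign(self, device, segment):
        self.device_segment[device] = segment

    def allow(self, src_segment, dst_segment, port):
        self.rules.add(Rule(src_segment, dst_segment, port))

    def is_permitted(self, src_device, dst_device, port):
        """Default deny: unknown devices and flows without an explicit rule are blocked."""
        src = self.device_segment.get(src_device)
        dst = self.device_segment.get(dst_device)
        if src is None or dst is None:
            return False
        return Rule(src, dst, port) in self.rules

    def quarantine(self, device, reason):
        """Move a device into the quarantine segment; returns the segment it came from."""
        previous = self.device_segment.get(device)
        self.device_segment[device] = self.QUARANTINE
        self.audit_log.append((device, previous, self.QUARANTINE, reason))
        return previous


def handle_siem_alert(controller, alert_json, min_severity="high"):
    """Parse one SIEM alert (constructed JSON shape) and quarantine the host if severe enough.

    Returns a short action string so the caller can record what was done.
    """
    alert = json.loads(alert_json)
    host = alert.get("host")
    severity = alert.get("severity", "low").lower()
    if host not in controller.device_segment:
        return "ignored: unknown host"          # never act on a device the controller does not manage
    if SEVERITY.get(severity, 0) < SEVERITY[min_severity]:
        return "ignored: below threshold"       # avoid isolating users on low-confidence alerts
    controller.quarantine(host, alert.get("rule", "unspecified"))
    return f"quarantined {host}"


def build_demo():
    """Constructed topology: two workstations, a file server, a database and a remediation server."""
    c = SegmentationController()
    for dev, seg in {
        "ws-0042": "workstations", "ws-0017": "workstations",
        "srv-files": "file-servers", "srv-db": "database", "srv-edr": "remediation",
    }.items():
        c.assign(dev, seg)
    c.allow("workstations", "file-servers", 445)       # users reach file shares
    c.allow("file-servers", "database", 5432)          # only the server tier reaches the database
    c.allow("workstations", "remediation", 443)        # EDR agent check-in
    c.allow(SegmentationController.QUARANTINE, "remediation", 443)  # quarantined hosts keep EDR only
    return c


# Constructed SIEM alerts (not real product output).
ALERTS = [
    '{"host": "ws-0042", "severity": "high", "rule": "lateral movement: SMB logons to many hosts"}',
    '{"host": "ws-0017", "severity": "low", "rule": "new USB device"}',
    '{"host": "printer-7", "severity": "critical", "rule": "unknown device"}',
]


def run_demo():
    """Apply the alerts and report reachability before and after the kill switch fires."""
    c = build_demo()
    before = c.is_permitted("ws-0042", "srv-files", 445)
    actions = [handle_siem_alert(c, a) for a in ALERTS]
    return {
        "before": before,
        "actions": actions,
        "ws-0042 -> files": c.is_permitted("ws-0042", "srv-files", 445),
        "ws-0042 -> edr": c.is_permitted("ws-0042", "srv-edr", 443),
        "ws-0017 -> files": c.is_permitted("ws-0017", "srv-files", 445),
        "ws-0017 -> db": c.is_permitted("ws-0017", "srv-db", 5432),
        "audit": c.audit_log,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design choices matter for a production version of this script: the severity threshold and the unknown-host check keep a noisy SIEM rule from isolating users on weak evidence, and the audit log records the segment a host came from so the isolation can be reversed once the incident is closed.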
As the industry continues to embrace software defined networking as a robust solution, its interoperability with other products and use cases will continue to grow and mature. Software defined networking can be an exciting new technology for networking teams while raising your organization’s overall security maturity level.