Security is a big deal these days for all organizations, especially when it comes to the network infrastructure. Everything in the network is susceptible to attack and often, it feels like a security breach is just waiting to happen. IT professionals can’t afford a single breach, let alone a second or third. After all, much more than their reputation is at stake—the breach can cause irreparable damage to their organization’s image and worse yet, lost customers.
The traditional way IT professionals protect themselves and their mission critical workloads from this scenario is by putting up a heavy perimeter defense. They have big firewalls put in place that their workloads sit behind, and in truth, they work reasonably well. Typically, workloads aren’t compromised because the firewalls are able to defend against incoming attacks. Sometimes though, attacks do get through, and if one machine is infected, the attack can spread laterally within the datacenter and then across all the tiers of the workload.
What happens next? Invariably, the IT professional has to go back to the business group to notify it of the security breach and that service has to be taken down. Credibility is lost. Customers get angry. Shareholders get angry.
The challenge here is that protecting the network from all attacks, whether from an internal or external source, is not that straightforward. When an attack does occur, IT professionals need to be able to respond very quickly.
The answer to this dilemma is to use a Software Defined Networking (SDN) solution, utilized preferably in a software defined data center. And in particular, use of a SDN solution that employs a dynamic security model.
With SDN, you can deal with security in a much more dynamic manner. The idea is that an application has a good sense of how it wants to be modeled. It may say, for example, that the internet should only be able to communicate with my workload’s front end and not with its middle tier or backend. It might also say, I don’t want my machines in the front end to be able to communicate with each other. That way, if one front-end machine gets infected, the others could still be protected.
With a dynamic security model, you can model these types of security policies for the application, the security profile, easily in a template—the same template that was used to model the application. Effectively then, you gain the ability to dynamically segment your network based on the security policies the application wants to see. If those security policies change, no problem. You aren’t forced to go into the physical firewall and make a bunch of individual changes; a process that can eat up a great deal of time. Instead, you can just make those changes in software, in the template, and those policies automatically get disseminated to all the instances that need it. Moreover, if those workloads move around the infrastructure, the policies just move with it.
What all this means is that with SDN and a dynamic security model, you gain the flexibility to manage your security in an efficient way. You model your workload and use templates to model your security policies. You determine, from a network perspective, what traffic you will allow and on which machine or machines. You also determine if any communication between other machines will be allowed.
How does this work in the real world? Assume you have a workload with multiple tiers (each tier having a few VMs) and you have modelled security policies such that all traffic from the Internet comes to the front end, and the policy deployed within the front end is such that VMs in it cannot communicate with other. That is, no communication is allowed with the other machines in the front end. Consequently, even if a machine does somehow get compromised, the infected machine will simply have no way of extending that attack to the other instances running in the workload’s front end. The underlying infrastructure prevents the network traffic from flowing from one machine to the other.
If you do want to allow secure connections between machines, it’s a trivial task. All you would need to do is just change the definition of the security policy in place—say, that the new policy applies to the workload’s front end—and the policy gets dynamically and instantly deployed by the IT implementer. You can even decide to have your workload front end talk to the backend through a firewall appliance, such as a 3rd party firewall. With the SDN and dynamic security model, it’s easy enough to route or mirror/clone traffic to go through the appliance dynamically, without having to do any rewiring. You get the level of trust you care about, while retaining the ability to dynamically make security changes when needed. For example, you can mirror traffic to the Advanced Threat Analytics service to protect against advanced targeted attacks by automatically analyzing, learning, and identifying normal and abnormal entity (user, devices, and resources) behavior.
It’s these types of capabilities that make SDN and the dynamic security model such powerful weapons in securing your network infrastructure. If you have any comments on this subject drop me a line at [email protected], and be sure to check out my next blog for information on network infrastructure challenges facing today’s IT professionals. Check here for past blog posts on a whole range of other IT-related issues.
This blog is sponsored by Microsoft.
Cheryl J. Ajluni is a freelance writer and editor based in California. She is the former Editor-in-Chief of Wireless Systems Design and served as the EDA/Advanced Technology editor for Electronic Design for over 10 years. She is also a published book author and patented engineer. Her work regularly appears in print and online publications. Contact her at [email protected] with your comments or story ideas.