In a world where network security is getting more and more complex, how do you know what you’re doing is accomplishing what you want? Is that firewall rule actually stopping your applications or IP from reaching the outside world? Is your well-crafted micro-segmentation policy dynamically adjusting to accommodate your mobile medical devices once they move physical network segments? How about that PCI network - is it really separate from the rest of your production environment? If you think the answer is yes to any or all the above, how do you prove it short of an outside, attested audit?
In a perfect world, we would always have accurate, up-to-date documentation, but that's just not reality. Even if it was, that's still a lot of manual work. What we really need is a tool that can discover the entire physical network, and can then overlay the logical design (routes, ACLs, and other network policy), compare configurations, and show you configuration mismatches. A tool that can, ultimately, test intended business outcomes against actual configured design. In other words, an intent-based network assurance tool.
I know, I know, some of you are thinking that there already are some similar tools …well, kind of…. but they have severe limitations. First, they usually take days to do discoveries (which usually means you take very irregular snapshots which are then useless for troubleshooting or dynamic assurance), and secondly, you need a rocket science degree to make them work. In a modern world, an initial discovery should take at most a few hours and you shouldn’t need professional services to do setup, management, and customization. Tools need to be intuitive and easy to use; in short, they need to make our lives easier.
In the following series of blog posts, I will lay out real-world scenarios that we see every day, where this technology will save you time, money, and in many cases, a lot of unneeded complexity.
Increasingly, network segmentation is becoming an integral part of any enterprise’s security strategy. On the surface this seems simple: use authentication and VLANs to enforce a segmentation policy. In practice there are many ways to design it, with a choice of protocols, discovery tools, NAC tools, traffic analyzers, etc., all in place to support enterprise-wide segmentation.
However, none of these provides a single view to confirm that your network is segmented as expected. It’s irrelevant that your “golden” config was rolled out perfectly, that DNA Center confirms each VLAN is in place and working with ISE, or that endpoint enforcement is working perfectly with AnyConnect. None of it matters if it’s built on top of a faulty foundation. We need a way to confirm that the segmentation is actually configured correctly, and to confirm at a glance that a device supposedly segmented off in VLAN A can’t actually reach VLAN B unless we intend it to, and that when we do intend it to, the traffic follows the intended path and passes through the intended security controls.
A similar concept - but a different use case - is PCI network segmentation, the process by which corporations limit their PCI compliance expense and exposure by segmenting off the portions of their networks that deal with PCI data processing, storage or transit. The traditional way to confirm that this is set up correctly today is to have an attested audit, but why should that be the case? Wouldn’t it make so much more sense if we had a single source of truth that could span the entire network, providing both a physical and a logical network view and reducing the potential for human error?
This unified view would allow us to see instantly whether the segmentation is in place correctly: whether a device can get from point A to point B on the network, or bypass your virtual network barriers.
For most of us, a solution that does fast and accurate discovery and network visibility on multiple levels would be enough - but I think we can expect more, because in the real world we need more. We need a solution that gives us the ability to do pre- and post-change modeling. Pre-change modeling allows us to eliminate risk and limit potential downtime while ensuring that the network and its security controls keep behaving as designed. Post-change reviews help with troubleshooting, or simply provide an intent-based view of whether the change succeeded (in other words, did the intended change affect the network as expected? No guessing, just a simple graphical comparison of the pre- and post-change network outcomes).
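As an added example (this is not IP Fabric’s code and is not from the original post), here is a small Python model of the two checks described above: the segmentation check (can a host in VLAN A reach VLAN B, and does that match our intent?) and the pre/post-change diff. The topology, subnets, ACLs, host names and the intent matrix are all constructed for illustration. Reachability is approximated as same-VLAN adjacency plus the first matching rule of an inbound ACL on the source VLAN’s routed interface (with an implicit deny at the end), which is a deliberate simplification of what an assurance tool would compute from discovered routes and policy.

```python
"""Intent check for VLAN segmentation on a constructed toy network.

Assumptions (not from the blog post):
- three VLANs hang off one Layer-3 switch, each with an inbound ACL on its SVI
- same VLAN  => reachable at Layer 2, no ACL in the path
- other VLAN => decided by the first matching rule of the source VLAN's ACL,
  implicit deny if nothing matches (Cisco-style ACL semantics)
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # CIDR prefix
    dst: str     # CIDR prefix


@dataclass(frozen=True)
class Vlan:
    name: str
    subnet: str
    acl_in: tuple  # ordered Rule tuple applied inbound on the SVI


@dataclass(frozen=True)
class Host:
    name: str
    vlan: str
    ip: str


def first_match(acl, src_ip, dst_ip):
    """Return the action of the first rule matching src/dst, or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule.action
    return "deny"


def reachable(vlans, hosts, src_name, dst_name):
    src, dst = hosts[src_name], hosts[dst_name]
    if src.vlan == dst.vlan:
        return True  # same broadcast domain
    return first_match(vlans[src.vlan].acl_in, src.ip, dst.ip) == "permit"


def reachability_matrix(vlans, hosts):
    names = sorted(hosts)
    return {(a, b): reachable(vlans, hosts, a, b) for a in names for b in names if a != b}


def verify_intent(vlans, hosts, allowed_pairs):
    """Compare computed reachability with intent.

    allowed_pairs: set of (src_vlan, dst_vlan) that are meant to talk.
    Returns (src_host, dst_host, 'unexpected-reach' | 'unexpected-block') tuples.
    """
    violations = []
    for (a, b), ok in reachability_matrix(vlans, hosts).items():
        same_vlan = hosts[a].vlan == hosts[b].vlan
        want = same_vlan or (hosts[a].vlan, hosts[b].vlan) in allowed_pairs
        if ok and not want:
            violations.append((a, b, "unexpected-reach"))
        if want and not ok:
            violations.append((a, b, "unexpected-block"))
    return violations


def diff_change(vlans, hosts, vlan_name, new_acl):
    """Pre/post-change view: host pairs whose reachability flips if vlan_name's ACL is replaced."""
    before = reachability_matrix(vlans, hosts)
    changed = dict(vlans)
    changed[vlan_name] = Vlan(vlan_name, vlans[vlan_name].subnet, tuple(new_acl))
    after = reachability_matrix(changed, hosts)
    return {pair: (before[pair], after[pair]) for pair in before if before[pair] != after[pair]}


# Constructed sample network.  The corp ACL has an over-broad "internet" permit
# that also lets corp reach the PCI subnet, which the intent does not allow.
VLANS = {
    "corp":   Vlan("corp",   "10.10.0.0/24", (Rule("permit", "10.10.0.0/24", "10.30.0.0/24"),
                                              Rule("permit", "10.10.0.0/24", "0.0.0.0/0"))),
    "pci":    Vlan("pci",    "10.20.0.0/24", (Rule("permit", "10.20.0.0/24", "10.30.0.0/24"),)),
    "shared": Vlan("shared", "10.30.0.0/24", (Rule("deny",   "10.30.0.0/24", "10.20.0.0/24"),
                                              Rule("permit", "10.30.0.0/24", "0.0.0.0/0"))),
}
HOSTS = {
    "ws1":  Host("ws1",  "corp",   "10.10.0.11"),
    "pos1": Host("pos1", "pci",    "10.20.0.11"),
    "dns1": Host("dns1", "shared", "10.30.0.53"),
}
INTENT = {("corp", "shared"), ("pci", "shared"), ("shared", "corp")}

# Candidate fix for the corp ACL: explicitly deny the PCI subnet before the broad permit.
FIXED_CORP_ACL = (Rule("permit", "10.10.0.0/24", "10.30.0.0/24"),
                  Rule("deny",   "10.10.0.0/24", "10.20.0.0/24"),
                  Rule("permit", "10.10.0.0/24", "0.0.0.0/0"))


def fixed_vlans():
    changed = dict(VLANS)
    changed["corp"] = Vlan("corp", VLANS["corp"].subnet, FIXED_CORP_ACL)
    return changed


if __name__ == "__main__":
    print("violations before change:", verify_intent(VLANS, HOSTS, INTENT))
    print("pre/post diff of the fix:", diff_change(VLANS, HOSTS, "corp", FIXED_CORP_ACL))
    print("violations after change: ", verify_intent(fixed_vlans(), HOSTS, INTENT))
```

Running it reports the corp workstation unexpectedly reaching the PCI host, shows that the proposed ACL change flips exactly that one host pair from reachable to blocked and nothing else, and confirms that no intent violations remain afterwards. That is the pre-change modeling and post-change verification loop the paragraph above describes, reduced to a few dozen lines over a toy model.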
I know the two scenarios above are quite high-level and simple to understand - but that’s the point really: it’s easy to see what we have been missing, an easy-to-use, reliable assurance tool. The need is so obvious that we all forgot we should have it. I’ll be back in a few weeks with another blog to highlight other obvious use cases for an enterprise assurance tool.
As always, feel free to reach out to me directly or anyone else from the IP Fabric team with any questions that you might have. Want to see how this could revolutionize your network security? Book a demo with our team, who will take you through exactly how this applies to your specific network needs.