In a world where security is getting more and more complex, how do you know that what you are doing is accomplishing what you want? Is that firewall rule actually stopping your application or IP address from reaching the outside world? Is your well-crafted micro-segmentation policy dynamically adjusting to accommodate your mobile medical devices once they move between physical network segments? How about that PCI network: is it really separate from the rest of your production environment? If you think the answer is yes to any or all of the above, how do you prove it short of an outside attested audit?
In a perfect world we would always have perfect, up-to-date documentation, but the world isn't perfect. Even if it were, what we really need is a tool that can discover the entire physical network, overlay the logical design (routes, ACLs and other network policy), compare configurations and show you configuration mismatches; in short, a tool that can test the intended business outcome against the actual configured design (an intent-based network assurance tool). I know, I know, some of you are thinking there have already been similar tools... kind of... but they have severe limitations. First, they usually take days to complete a discovery, which means you end up taking very irregular snapshots that are useless for troubleshooting or dynamic assurance. Second, you need a rocket science degree to make them work. In a modern world, an initial discovery should take at most a few hours, and you shouldn't need professional services for setup, management and customization. Tools need to be intuitive and easy to use; in short, they need to make our lives easier.
In the following series of blog posts, I will lay out real-world scenarios that we see every day, where this technology will save you time, money and, in many cases, a lot of unneeded complexity.
Network segmentation is increasingly becoming an integral part of any enterprise's security strategy. On the surface this seems simple: use authentication and VLANs to enforce a segmentation policy. In practice there are many ways to design it; you have a choice of protocols, discovery tools, NAC tools, traffic analyzers and so on, all in place to support enterprise-wide segmentation. However, none of these provides a single view that confirms your network is segmented as expected. It is irrelevant that your "golden" config was rolled out perfectly, that DNA Center confirms each VLAN is in place and working with ISE, or that endpoint enforcement is working perfectly with AnyConnect. None of it matters if it is built on top of a faulty foundation. We need a way to confirm that the segmentation is actually configured correctly: to confirm at a glance that a device supposedly segmented off in VLAN A cannot actually reach VLAN B unless we intend it to, and that when we do intend it to, the traffic follows the intended path and passes through the intended security controls. The thing to verify is the actual forwarding and filtering behaviour end to end, not the presence of each individual control.
A similar concept with a different use case is PCI network segmentation, the process by which corporations limit their PCI compliance expense and exposure by segmenting off the portions of their networks that deal with PCI data processing, storage or transit. The traditional way to confirm that this is set up correctly is an attested audit, but why should that be the case? Wouldn't it make more sense to have a single source of truth that spans the entire network, providing both a physical and a logical view and reducing the potential for human error? Such a unified view would let us see instantly whether the segmentation is in place and correct, and whether a device can get from point A to point B on the network or bypass your virtual network barriers.
For most of us, a solution that does fast and accurate discovery and provides network visibility on multiple levels would be enough, but I think we can expect more, because in the real world we need more. We need a solution that gives us the ability to do pre- and post-change network modelling. Pre-change modelling lets us reduce risk and limit potential downtime while ensuring that the as-designed network and security integrity is maintained: the proposed change is checked against the documented intent before it touches production. Post-change review helps with troubleshooting, or simply provides an intent-based view of whether the design succeeded (in other words, did the intended change affect the network as expected? No guessing, just a simple graphical view of the pre- and post-change network outcomes).
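To make the three ideas above concrete (the VLAN A to VLAN B check, the PCI "nothing else reaches this segment" check, and pre-change modelling of a proposed change), here is an added example of how such an intent check can be computed from a network model. It is illustration code written for this post, not IP Fabric's product or code, and everything in it is constructed: the segment names and 10.x addressing, the toy ACL syntax (`permit|deny <src cidr> <dst cidr> [eq <port>]`), and the assumption of a single inter-VLAN ACL with first-match semantics and an implicit deny at the end. The one technique worth noting is how ports are handled: instead of guessing a few ports, the check tests every port the ACL names plus one port it does not name, which covers every case exactly because an entry matches either a single named port or any port.

```python
"""Toy intent-based segmentation check (added example, not IP Fabric code).

Segments are subnets, the inter-VLAN ACL is first-match with an implicit deny,
and intents say which segment pairs may or may not talk.  All hosts and all
port equivalence classes are enumerated, so a violation is never missed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: Net
    dst: Net
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Intent:
    src_seg: str
    dst_seg: str
    dport: Optional[int]         # None = "on any port"
    allowed: bool


# Constructed sample segments (hypothetical addressing)
SEGMENTS = {
    "corp":    Net("10.10.0.0/28"),
    "medical": Net("10.20.0.0/28"),
    "pci":     Net("10.30.0.0/28"),
}


def parse_acl(text: str) -> list[AclEntry]:
    """Parse 'permit|deny <src cidr> <dst cidr> [eq <port>]' lines; '#' starts a comment."""
    acl = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] not in ("permit", "deny") or len(parts) not in (3, 5):
            raise ValueError(f"unparseable ACL line: {raw!r}")
        dport = None
        if len(parts) == 5:
            if parts[3] != "eq":
                raise ValueError(f"unparseable port clause: {raw!r}")
            dport = int(parts[4])
        acl.append(AclEntry(parts[0], Net(parts[1]), Net(parts[2]), dport))
    return acl


def permitted(acl: list[AclEntry], src, dst, dport: int) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    for e in acl:
        if s in e.src and d in e.dst and e.dport in (None, dport):
            return e.action == "permit"
    return False


def port_classes(acl: list[AclEntry]) -> list[int]:
    """Ports the ACL names, plus one unnamed port standing in for all the others."""
    named = sorted({e.dport for e in acl if e.dport is not None})
    other = next(p for p in range(1, 65536) if p not in named)
    return named + [other]


def evaluate(acl, segments=SEGMENTS, intents=None):
    """Return every (intent, src_host, dst_host, dport) where the ACL contradicts intent."""
    intents = INTENTS if intents is None else intents
    violations = []
    for it in intents:
        ports = [it.dport] if it.dport is not None else port_classes(acl)
        for s in segments[it.src_seg].hosts():
            for d in segments[it.dst_seg].hosts():
                for p in ports:
                    if permitted(acl, s, d, p) != it.allowed:
                        violations.append((it, str(s), str(d), p))
    return violations


def model_change(acl_before, acl_after, segments=SEGMENTS, intents=None):
    """Pre-change modelling: which intent violations a proposed ACL introduces or fixes."""
    pre, post = evaluate(acl_before, segments, intents), evaluate(acl_after, segments, intents)
    pre_set, post_set = set(pre), set(post)
    return {"introduced": [v for v in post if v not in pre_set],
            "fixed": [v for v in pre if v not in post_set]}


# Constructed current ACL, proposed change and intents (hypothetical)
ACL_CURRENT = parse_acl("""
permit 10.10.0.0/28 10.30.0.0/28 eq 443   # corp -> pci web tier only
deny   10.0.0.0/8   10.30.0.0/28          # nothing else reaches pci
permit 10.0.0.0/8   10.0.0.0/8            # remaining internal traffic flows
""")
# Proposed "quick fix": a permit for medical -> pci inserted above the pci deny
ACL_PROPOSED = [AclEntry("permit", Net("10.20.0.0/28"), Net("10.30.0.0/28"))] + ACL_CURRENT

INTENTS = [
    Intent("corp", "pci", 443, True),        # the one sanctioned path into pci
    Intent("corp", "pci", 22, False),
    Intent("medical", "pci", None, False),   # PCI scope: medical devices never reach pci
    Intent("medical", "corp", None, True),
]

if __name__ == "__main__":
    print("current ACL violations:", len(evaluate(ACL_CURRENT)))
    delta = model_change(ACL_CURRENT, ACL_PROPOSED)
    for it, s, d, p in delta["introduced"][:3]:
        print(f"proposed change breaks {it.src_seg}->{it.dst_seg} intent: {s} reaches {d}:{p}")
    print("violations introduced:", len(delta["introduced"]), "fixed:", len(delta["fixed"]))
```

Run it and the current ACL reports zero violations, while the proposed change is flagged before deployment because the new permit sits above the PCI deny and lets every medical host reach every PCI host on every port. A real assurance tool does the same thing across every hop on the path (routing, VRFs, NAT, each ACL and firewall on the way), but the shape of the check is the same: enumerate what the configuration actually allows, then compare it with what you intended.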
I know the two scenarios above are rather high-level and simple to understand, but that is really the point: it is easy to see that we have been missing an easy-to-use, reliable assurance tool. The need is almost so obvious that we all forgot we should have it. I'll be back in a few weeks with another blog post highlighting other obvious use cases for an enterprise assurance tool.
As always, feel free to reach out to me directly, or to anyone else on the IP Fabric team, with any questions you might have.