Software-defined networking security, specifically microsegmentation, continues to be the No. 1 reason organizations...
deploy SDN in their data centers.
When actually putting SDN into production for security purposes, however, IT teams can face significant challenges. One reason for this is because SDN platforms often presuppose that IT knows what the microsegments in their network should be, even when they often don't.
In actuality, many IT teams end up deploying an SDN platform like Cisco Application Centric Infrastructure or VMware NSX to replicate their existing security zoning strategy and granular segmentation. These deployments benefit organizations by moving them into production with a new tool, and without extensively disrupting operations. On the other hand, IT teams can fail to realize the full benefits of the tools at hand.
IT teams often face the stumbling block of developing the level of knowledge about their networks required for successful microsegmentation. Organizations lucky enough to have robust network analytics already in place hold an advantage, as such analytics platforms make acquiring this knowledge a nonissue. These platforms can rapidly map out which systems talk to which, when they do so and how (e.g., what protocols or transaction types are used).
Given such a map, IT can then more easily assess where to draw tighter boundaries around system groups and how narrowly to squeeze the range of communications. Smaller groups and more restricted ranges of communications translate into improved security with reduced threat surfaces and risk of compromise. Indeed, gaining this kind of insight can be a major driver of network analytics deployments.
In organizations without robust network analytics tools, IT teams should prepare to invest significant time into mapping the network manually and maintaining accurate network maps. Another option is to invest in automation and analytics platforms that keep such knowledge up to date.
How software-defined networking security has advanced
Other ways in which software-defined networking security can specifically benefit organizations include improved monitoring, establishment of security demilitarized zones and automation of network configuration.
Improved monitoring. An enterprise can use a software-defined network alongside its production network to provide a parallel network that handles monitoring and management. This parallel network can pull replicated packet traffic from the production network using inexpensive white box switching and, perhaps, even open source software.
Security zones. An enterprise can similarly use a software-defined network to route traffic through a gauntlet of security appliances at the same time it flows from one part of the network to another. This can improve throughput and reduce costs.
Automation. By integrating network provisioning and configuration auditing into system deployments -- using infrastructure-as-code tools like Ansible or Salt -- IT can reduce the rate of misconfigurations that result in security problems and improve the rate of remediation of any problems that creep in.
The end goal for software-defined networking security
Of course, the ultimate end state of software-defined networking security in full production is what Nemertes Research calls deep segmentation. This is the ability to control, to as fine a degree as desired, which entities can see and communicate with which -- and how they do so -- end to end across the enterprise network.
Security compromises can be tightly constrained when every edge switch -- physical or virtual -- and every other packet-handling device can enforce security policies in a fully software-defined perimeter. In this environment, land-and-expand attacks can be slowed or potentially stopped before they get to another system.
The typical enterprise has a long way to go before achieving this end-state architecture, but SDN tools are continuing to mature in scope, scalability and ease of use, while becoming more affordable.