The Problem
Joking of course, the first problem we’ll tackle is the security team (no offense intended). Many larger organizations have become somewhat siloed, with network and security teams “staking out turf.” When teams don’t communicate and engage in architectural discussions, your company may spend a significant amount of money creating a complex, failure-prone, and difficult-to-manage mess.
One way this happens is through sunk cost syndrome – for example, spending $2 million on 10 Gbps firewalls, only to realize that you need to purchase four more pairs or replace the existing ones.
Previously, networking and security teams had a clear division of labor, but this “turf” approach has evolved over time. Nowadays, security often has several devices in the outward-bound path at some sites, usually close to firewalls. This arrangement can create potential problems, such as devices with undocumented throughput limitations, security staff buying appliances without anticipating growth, or the complexity of multiple devices in the path to the outside.
Real-world stories highlight organizations where the security team didn’t collaborate with the network team or update budgeting annually, resulting in suboptimal outcomes.
Additional sources of complexity include CoLos, Cloud, Zero Trust, and SD-WAN or SASE. These factors impact how traffic flows through networks, making it increasingly difficult to force traffic through a single chokepoint security device or pair of devices.
Implications:
- Routing traffic through a single chokepoint security device or a pair of devices is no longer feasible due to cost and complexity. Backhauling traffic to a central security portal increases latency and is not desirable. Most networking and security professionals are likely aware of this by now.
- For organizations with CoLo presences, shifting security devices into the path towards the CoLo has been a viable option. Regional SD-WAN architectures have complemented this approach; however, failing routing over to another region while keeping flows symmetric (so that stateful security devices still see both directions of each session) requires meticulous and intricate design.
- The advent of Cloud technology has introduced virtual appliances and other forms of traffic enforcement as key considerations. With multi-Cloud environments, networking and security approaches differ among cloud vendors, along with potential variations in DNS/IPAM, ACLs, etc. Additionally, anti-malware and anti-phishing measures are increasingly focused on end-user protection. This raises the question of whether organizations should integrate virtual security appliances to support a single-vendor solution.
Segmentation
Classic networking approaches often involve segmentation through VLANs and VRFs, using automated or central management tools. However, this method adds complexity and requires designing with devices that support segmentation, including security devices.
Alternatives
Security vendors, including Cisco, are looking at alternative approaches to segmentation. Cisco DNA provides split functionality, putting some security functions in routers or switches, and others in the cloud for scaling. While this may concern some people, especially those opposed to Cisco, it offers a flexible solution for network security.
Other approaches include an agent-centric method, leveraging the cloud for analysis, enforcement, and reporting. Distributing security functionality can alleviate performance bottlenecks and remove the need for costly high-throughput inline security devices.
As with any alternative approach, trade-offs are inevitable:
- Balancing the management of an increasing number of physical or virtual security appliances, which may also handle SD-WAN or other networking functions, against managing agents on user devices, servers, VMs, containers, Kubernetes clusters, and more.
- Comparing the ability to monitor any device generating network traffic with the limitations of IoT or proprietary servers that cannot accommodate a Zero Trust agent.
- Contrasting security controls exclusively at security chokepoints with those on any device equipped with an agent, which could involve managing and segmenting local traffic as opposed to only traffic directed toward data centers or cloud services.
- Ensuring that security “chokepoint” devices detect and enforce all relevant security measures, as opposed to mandating that endpoints have a security agent installed, while dealing with the challenges surrounding personal and IoT devices.
In summary, each option presents its own advantages and disadvantages. Your task is to determine which trade-offs best suit your organization and the extent to which they impact your operations.
Some Solutions
To conclude, here are some constructive ideas:
- Break down silos: Teams must collaborate on connectivity, routing, monitoring, alerting, and reporting architectures.
- Keep it simple: Complexity is the enemy of uptime and efficient troubleshooting. Prioritize simplicity in your evaluation of proposed solutions.
- Shared architecture and simplicity are crucial: Separate network and security solutions are no longer viable.
- Joint planning, budgeting, architecture, and product evaluation between network and security teams are essential.
- Monitoring, smart alerting, and the right tools are vital: Basic SNMP and link-down alerts are insufficient for detecting issues like packet drops.
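To make the last point concrete, here is an added example (not code from the original post) that derives a packet-drop alert from the IF-MIB counters a link-down monitor already polls but ignores. It assumes standard IF-MIB object names (ifInUcastPkts, ifInDiscards, ifInErrors, ifOutDiscards, ifOperStatus); the poll values are constructed, and it goes beyond the text by handling 32-bit counter rollover.

```python
# Added example (not from the original post): derive a packet-drop alert from SNMP
# IF-MIB counters; counter names are IF-MIB's, poll values below are constructed.
from dataclasses import dataclass

COUNTER32_WRAP = 2 ** 32  # IF-MIB Counter32 objects roll over at this value

@dataclass(frozen=True)
class IfPoll:
    ts: int            # poll time in seconds
    oper_up: bool      # ifOperStatus == up(1)
    in_ucast: int      # ifInUcastPkts
    in_discards: int   # ifInDiscards
    in_errors: int     # ifInErrors
    out_discards: int  # ifOutDiscards

def counter_delta(new: int, old: int, wrap: int = COUNTER32_WRAP) -> int:
    """Difference between two counter readings, correct across one rollover."""
    return (new - old) % wrap

def interval_stats(prev: IfPoll, cur: IfPoll) -> dict:
    """Packets and drops between two polls, plus drops as a percentage of packets."""
    pkts = counter_delta(cur.in_ucast, prev.in_ucast)
    drops = (counter_delta(cur.in_discards, prev.in_discards)
             + counter_delta(cur.in_errors, prev.in_errors)
             + counter_delta(cur.out_discards, prev.out_discards))
    pct = 100.0 * drops / pkts if pkts else 0.0
    return {"seconds": cur.ts - prev.ts, "pkts": pkts, "drops": drops, "drop_pct": pct}

def link_down_alerts(polls):
    """What a basic SNMP monitor reports: only polls where ifOperStatus is down."""
    return [p.ts for p in polls if not p.oper_up]

def drop_alerts(polls, threshold_pct: float = 0.5):
    """Flag any poll interval whose drop percentage exceeds the threshold."""
    alerts = []
    for prev, cur in zip(polls, polls[1:]):
        stats = interval_stats(prev, cur)
        if stats["drop_pct"] > threshold_pct:
            alerts.append((cur.ts, stats))
    return alerts

# Constructed 60-second polls for one interface: the link stays up throughout,
# ifInUcastPkts rolls over between the 2nd and 3rd poll, and a discard burst occurs.
SAMPLE_POLLS = [
    IfPoll(0,   True, 4_294_900_000, 100, 0,  50),
    IfPoll(60,  True, 4_294_960_000, 100, 0,  50),
    IfPoll(120, True,        20_000, 400, 0,  50),  # rollover + 300 discards
    IfPoll(180, True,        80_000, 400, 10, 50),  # 10 errors, below threshold
]
```

On this data `link_down_alerts` returns nothing while `drop_alerts` flags the 60-120 s interval (300 drops in 27,296 packets, about 1.1%), which is exactly the gap the bullet describes.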
By focusing on these solutions and leveraging Cisco DNA, customers in regulated industries and government can achieve a more efficient, secure, and adaptive network infrastructure.
Embracing Cisco DNA can help organizations overcome the challenges posed by evolving network and security demands. With its policy, automation, and analytics capabilities, Cisco DNA enables organizations in regulated industries and government to adapt to change, simplify and scale operations, and protect against degradation and threats.
In summary, navigating the complexities of network and security systems requires open communication and collaboration between teams, a shared architectural approach, and the right tools and strategies in place. Cisco DNA offers a flexible and scalable solution to address these challenges, empowering organizations in regulated industries and government to build a more efficient, secure, and adaptive network infrastructure for the future.