Applications have become a key driver of revenue, rather than their previous role as just a tool to support the business process. The heart of all applications is the network providing the connection points. Because of the new and critical importance of the application layer, IT professionals are looking for ways to improve their network architecture.
A new era of campus network design is needed, one that applies policy-based automation from the network edge to public and private clouds using an intent-based paradigm.
SD-Access is an example of an intent-based network for the campus. It breaks down into three major elements:
- Control plane based on the Locator/ID Separation Protocol (LISP),
- Data plane based on Virtual Extensible LAN (VXLAN), and
- Policy plane based on Cisco TrustSec.
Intent-based networking is about telling the controller the end goal and letting the controller-based network work out the low-level device and configuration details. This is similar to the way GPS navigation works: the user enters a destination and the software calculates the best route, taking into account the preferences the user supplies.
In campus networks, trends that have influenced the introduction of SD-Access and its intent-based paradigm include mobility, the Internet of Things (IoT), and uniform security over wired and wireless connections.
Previously, traditional campus networks only included company-owned devices. In contrast, today's networks consist of a range of devices, such as bring-your-own-device (BYOD) hardware and smart wearables, to name a few.
It is believed that the average user will bring 2.7 devices into the workplace, requiring access to enterprise systems in the cloud and application workloads in private data centers. Today's users need seamless mobility across devices while maintaining the same level of security and access control. At the same time, company policy and compliance must not be compromised.
Enterprise IoT across the campus includes everything you find in an office building, from smart lights to card readers. The challenge is how to apply security between these devices.
There have been many attacks involving some sort of insecure IoT device. Usually, the device was not managed or purchased by IT, leaving a security gap. In some cases, the infected IoT device has direct access to the internet or the corporate network, giving malware and intruders a way in.
One recently publicized attack of this kind involved a fish tank and caused a data exfiltration event. The insecure IoT device allowed the attacker to exfiltrate 10 gigabytes of data from a North American casino. A sensor on the fish tank monitored the temperature of the water. A malicious actor compromised the sensor and moved laterally across the network, gaining access to critical assets. With the availability of easy-to-use hacking tools, attackers don't have to be resourceful. They keep looking for any small opening to infiltrate the network.
3. Uniform security for wired and wireless connections
Wired and wireless are just different ways of accessing the network; the user is the same. With the demands of the times, we need to change the way wired and wireless work together. Traditionally, wireless has been an over-the-top network using Control and Provisioning of Wireless Access Points (CAPWAP). However, new technology is needed for wireless that uses VXLAN tunnels and overlays starting at the access point.
Traditional segmentation and network management tools
The issue of segmentation has been around for years. However, traditional tools used for segmentation are not adequate as today’s networks must support mobility, IoT, and consistent security between wired and wireless connectivity.
Using virtual local area networks (VLANs) for segmentation is still a popular method. However, VLANs and other protocols, such as Spanning Tree Protocol (STP), were not designed with security in mind. Segmentation was not the goal behind the introduction of VLANs. They were created in the 90s to divide broadcast domains. Over time, however, administrators have shifted to using VLANs for access control.
Administrators would associate a VLAN with an IP subnet and enforce control at the subnet boundary. As networks grew, VLANs did not scale with them. In addition, policies enforced on IP addresses lack flexibility, and Access Control Lists (ACLs) have grown to an unmanageable size.
Management is another major problem. We use technologies like Syslog, Simple Network Management Protocol (SNMP), and NetFlow for monitoring and troubleshooting. Again, these are technologies that were created 30 years ago. We have to move beyond SNMP as a means of monitoring networks. SNMP works with a polling model that creates challenges with central processing unit (CPU) usage, among others.
The right way forward: TrustSec for macro and micro segmentation
VLANs are a single-layer, flat segmentation paradigm. Considering today's campus networks, we need to transform this flat paradigm into a two-layer paradigm. This can be achieved by introducing virtual networks (VNs), also known as macro-segmentation.
Virtual networks on the campus are analogous to virtual routing and forwarding (VRF) instances. Virtual networks provide segmentation at the forwarding layer, which is essentially what a VRF does. How you define segmentation depends on the structure and industry of the organization. For example, in healthcare, you may have Health Insurance Portability and Accountability Act (HIPAA) compliant endpoints in one VN and non-HIPAA endpoints in another.
VNs, by definition, cannot communicate with each other, and all inter-VN communication must go through a stateful firewall. A stateful firewall tracks the status of active connections and the characteristics of the network connections that pass through it.
If you want to take it a step further, security group tags (SGTs) provide what's known as micro-segmentation. Micro-segments are carved out within a VN, and filters are defined between the micro-segments.
For this to work, extensions are needed in VXLAN, known as the VXLAN Group Policy Option (VXLAN-GPO). This defines how to embed a micro-segmentation tag in the VXLAN header. Macro and micro segmentation are segmentation at the data plane level. Now let's take a look at the newly improved control plane.
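To make the two-layer model concrete, here is an added example (not code from the original article or from Cisco) that builds and parses a VXLAN header carrying the Group Policy Option, then applies a simple egress decision: the VNI is the macro-segment and the 16-bit group policy ID is the micro-segment. The header layout follows the public VXLAN-GPO draft (G bit and I bit in the first flags byte, D and A bits in the second, the group ID in the next two bytes, the VNI in the following three); the VNI numbers, group numbers and the permit matrix are constructed for illustration.

```python
import struct

# VXLAN flag bits: RFC 7348 defines I; the Group Policy Option draft adds G, D and A.
FLAG_G = 0x80   # byte 0: Group Based Policy extension is present
FLAG_I = 0x08   # byte 0: VNI field is valid
FLAG_D = 0x40   # byte 1: "Don't learn" the inner source address from this frame
FLAG_A = 0x08   # byte 1: policy has already been applied by an upstream device


def encode_vxlan_gpo(vni: int, group_id: int, policy_applied: bool = False,
                     dont_learn: bool = False) -> bytes:
    """Build the 8-byte VXLAN header with the Group Policy Option populated."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= group_id < 2 ** 16:
        raise ValueError("group policy ID must fit in 16 bits")
    flags0 = FLAG_G | FLAG_I
    flags1 = (FLAG_A if policy_applied else 0) | (FLAG_D if dont_learn else 0)
    # Layout: flags0, flags1, 16-bit group ID, 24-bit VNI, 8 reserved bits.
    return struct.pack("!BBH", flags0, flags1, group_id) + struct.pack("!I", vni << 8)


def decode_vxlan_gpo(hdr: bytes) -> dict:
    """Parse the VXLAN header; the group ID is only meaningful when G is set."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags0, flags1, group_id = struct.unpack("!BBH", hdr[:4])
    vni = struct.unpack("!I", hdr[4:8])[0] >> 8
    if not flags0 & FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    return {
        "vni": vni,
        "gbp": bool(flags0 & FLAG_G),
        "group_id": group_id if flags0 & FLAG_G else None,
        "policy_applied": bool(flags1 & FLAG_A),
        "dont_learn": bool(flags1 & FLAG_D),
    }


# Constructed example: VNI 5000 = HIPAA VN, 5001 = non-HIPAA VN (hypothetical values).
# Group-based access matrix inside a VN: (src_group, dst_group) -> permitted.
# Constructed groups: 10 = clinicians, 20 = medical devices, 30 = guests.
SGACL = {
    (10, 20): True,
    (20, 10): True,
    (30, 20): False,
    (30, 10): False,
}


def egress_decision(hdr: bytes, dst_vni: int, dst_group: int) -> str:
    """What a destination fabric edge does with a frame after decapsulation."""
    h = decode_vxlan_gpo(hdr)
    if h["vni"] != dst_vni:
        # Macro-segmentation: VNs never talk directly, only via the stateful firewall.
        return "drop: cross-VN traffic must traverse the stateful firewall"
    if not h["gbp"]:
        return "drop: no group tag present"
    if h["policy_applied"]:
        return "permit: policy already applied upstream"
    # Micro-segmentation: unknown group pairs fall through to deny.
    permitted = SGACL.get((h["group_id"], dst_group), False)
    return "permit" if permitted else "deny: group policy"


if __name__ == "__main__":
    hdr = encode_vxlan_gpo(vni=5000, group_id=10)
    print(hdr.hex(), decode_vxlan_gpo(hdr))
    print(egress_decision(hdr, dst_vni=5000, dst_group=20))
    print(egress_decision(hdr, dst_vni=5001, dst_group=20))
```

The two checks happen in order: a VNI mismatch is rejected before the group tag is even consulted, which is the property the article describes as "VNs cannot communicate with each other," and only traffic already inside the VN is subject to the group matrix.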
Another way forward: the Locator / ID separation protocol (LISP)
Now that data plane forwarding has been taken care of, we need a good control plane to distribute the information across a large campus network.
The Border Gateway Protocol (BGP) is a stateful distributed protocol. This works well in data centers but not in campus networks where many users connect via wireless. Users are moving all the time from one access point to another and from wireless networks to wired networks. End-host moves are usually handled with /32 host routes, but BGP does not cope well with frequent moves.
In this case, LISP is a much better option, forming the perfect marriage between the control and the data plane. LISP is a demand-based protocol that works similarly to the Domain Name System (DNS). It brings the benefits of a centralized control plane and simplifies routing by eliminating the need for each router to hold all possible destinations.
The next big challenge is how to secure the group-based policies spread across all campus networks. Security must extend across the wide area network (WAN) in public, private and multi-cloud scenarios. We need to be able to provide all smart WAN features, such as path selection and encryption, while continuing to extend consistent group policies.
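The following added example (not from the original article and not an implementation of the LISP wire protocol) models the on-demand behaviour described above: a central map server holds the endpoint-to-locator database, each fabric edge resolves a destination only when it first needs it and caches the answer, and a host move is handled by re-registering the endpoint and invalidating stale caches rather than pushing a /32 route to every router. The edge names and the endpoint address are constructed; the class and method names are this example's own.

```python
class MapServer:
    """Central EID-to-RLOC database (the mapping system of the fabric)."""

    def __init__(self):
        self.db = {}           # endpoint identifier -> locator (edge that hosts it)
        self.subscribers = {}  # endpoint identifier -> edges that cached the mapping

    def register(self, eid: str, rloc: str) -> None:
        """An edge registers an endpoint it has just learned (or re-learned after a move)."""
        old = self.db.get(eid)
        self.db[eid] = rloc
        if old is not None and old != rloc:
            # Host moved: tell every edge holding the stale entry to drop it
            # (the role that solicit-map-requests play in LISP).
            for edge in self.subscribers.pop(eid, set()):
                edge.invalidate(eid)

    def resolve(self, eid: str, requester: "FabricEdge"):
        """Answer a map-request and remember who asked, so it can be invalidated later."""
        self.subscribers.setdefault(eid, set()).add(requester)
        return self.db.get(eid)


class FabricEdge:
    """An ingress/egress tunnel router with a pull-based map cache."""

    def __init__(self, name: str, map_server: MapServer):
        self.name = name
        self.ms = map_server
        self.cache = {}
        self.map_requests = 0  # how often this edge had to ask the map server

    def invalidate(self, eid: str) -> None:
        self.cache.pop(eid, None)

    def lookup(self, eid: str) -> str:
        """Return the locator for a destination, asking the map server only on a cache miss."""
        if eid in self.cache:
            return self.cache[eid]
        self.map_requests += 1
        rloc = self.ms.resolve(eid, self)
        if rloc is None:
            raise LookupError(f"{self.name}: no mapping for {eid}")
        self.cache[eid] = rloc
        return rloc


def run_scenario():
    """A laptop attached at edge B roams to edge C while edge A keeps sending to it."""
    ms = MapServer()
    edge_a = FabricEdge("edge-A", ms)
    laptop = "10.1.1.20/32"                 # constructed endpoint identifier
    ms.register(laptop, "edge-B")           # laptop first seen behind edge B
    first = edge_a.lookup(laptop)           # cache miss: map-request sent
    second = edge_a.lookup(laptop)          # cache hit: no control-plane traffic
    ms.register(laptop, "edge-C")           # laptop roams; edge C re-registers it
    third = edge_a.lookup(laptop)           # stale entry gone: one new map-request
    return [first, second, third], edge_a.map_requests


if __name__ == "__main__":
    print(run_scenario())
```

Only the edges that actually cached the moved endpoint are told about the move, and only they issue a new request; edges that never spoke to the laptop carry no state for it at all, which is the scaling property that distinguishes this pull model from pushing every host route to every router.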
Copyright © 2018 IDG Communications, Inc.