The new IP sets a high bar for cybersecurity

In the cloud era - where data centre and networks converge and access becomes increasingly mobile - the concept of the perimeter disappears.

With old IP networks, security is implemented by devices deployed at the edge. In the cloud era, where data centre and networks converge and access becomes increasingly mobile, the concept of the perimeter disappears. The good news is that the New IP (a modern approach to networking that emphasises open, automated, software-defined elements to increase agility and reduce costs) allows security to be deployed so that the network can be pervasively vigilant.

Security is improved with network virtualization

Deploying services as Virtualized Network Functions (VNFs) is a simple but powerful approach. Services such as routing, load balancing, application delivery and security, Web and network firewalls, and VPN can be moved in real time through remote management, without physical redeployment or the staff time that goes with it, delivering significant OpEx and CapEx savings. Those savings give the flexibility to distribute functionality where it fits best, at the same performance. Security can be placed where needed, or distributed ubiquitously, and services can be removed when no longer needed. This gives the ability to truly customise security by geography or location, by function, by group, by individual or by application.

This embedded security posture allows organisations to address compliance assurance from site to cloud, employee to application resource, and tiering of security via IPsec encryption, remote access VPNs, stateful firewall, and Web application security embedded in virtual routers and virtual application delivery controllers.

Security on an SDN Controller

With an underlying network fabric, you can create a simplified flat, VM-aware network topology, inherently increasing security by design. Using flow technologies and a programmable SDN controller allows a centralised view of network behaviour, giving the ability to immediately take action against security threats within the infrastructure and push policies to the network in real time. Advanced messaging can be utilised so that every element in the network automatically generates its state and condition and pushes it to a centralised repository for real-time analysis - a step towards security empowered by machine learning.

Encrypting Data-in-Flight

With networks constantly under attack, native data encryption from a network device in the data centre, LAN and WAN, can protect data going across a link. This can be done without impacting performance or incurring the cost and complexity of backhauling traffic to specialised devices, and is especially critical when network links are not under an organisation’s physical control - such as between data centres, between sites, and between sites and the cloud.

Application and User Awareness for Client-to-Application Security

Accessing critical business applications requires multiple layers of protection, and business-to-consumer interaction increasingly needs more secure web-based application access as application traffic volumes grow. Application delivery controllers that can handle expanding SSL-based traffic with an integrated Web application firewall are needed, along with the flexibility to target individual users or customer groups that have unique security requirements per application.

Security Is Open, Not Closed

With old IP networks, point security appliances such as firewalls, IPS/IDS, DPI, analytics tools, encryption-at-rest and encryption-in-flight, etc., each address specific security challenges. There is no information exchange and collaboration between them, and no security services abstraction layer that takes advantage of key learnings from all sources.

But the New IP, with its hybrid hardware and software implementation, offers a standardised way to interact and communicate with any device or sensor (physical or virtual) via an SDN controller. All the data from sensors can be collected and delivered to an analytics engine for visualisation, identification, and action. The behaviour of any device can be changed, because you can communicate with it, program it, and write to it. This creates the ability to extract data from the network and understand it as one system, through a security data exchange within a multivendor ecosystem and APIs that allow interaction with various security elements for more extensive security data collection, correlation, and enforcement.

Security Is Based on Behaviour, Not Just Identity

New IP networks can consider behaviour rather than just identity when applying security policy. With behaviour-based security, the system gets deeper insights into typical and atypical actions and into the preliminary steps of an attack, allowing it not only to mitigate attacks already under way but to prevent potential ones. Bear in mind that most breaches have an inside element, so identity management cannot be relied on to detect an attack. A means is needed to detect insider attacks and to protect the system against those who have gained legitimate access. Behavioural analysis of risk factors, indicators of abnormal activity, and detection of out-of-context behaviour are crucial.

Security Is Self-Learning, Not Static

The security system in New IP architectures is continually learning and self-optimising, unlike traditional systems that rely on pattern matching with databases that get updated periodically. In that case, if an exploit doesn’t fit into any of the patterns, the security system doesn’t recognise it as a threat. New IP architectures are more agile and can self-improve. Applying Big Data and machine learning concepts to network behaviour allows a change from a reactive to a proactive security posture, from descriptive to predictive analytics, and ultimately, from a static to a self-learning or adaptive network.
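As an added illustration of the two points above (judging behaviour rather than identity, and learning a baseline rather than matching a static pattern list), here is a small Python sketch that is not from the article or from Brocade. It scores already-authenticated events against a per-user baseline learned from constructed log records, compares the outcome with a fixed signature list, and folds benign events back into the baseline. All users, hostnames, byte counts and thresholds are constructed assumptions for the example.

```python
"""Behaviour-based vs. signature-based detection over constructed access logs.

Added example (not from the article or Brocade). Contrasts a static
signature list with a per-user behavioural baseline that keeps learning.
Every record, host and threshold below is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline records: (user, hour_of_day, destination, bytes_out)
BASELINE = [
    ("alice", 9, "crm.internal", 1200), ("alice", 10, "crm.internal", 1500),
    ("alice", 11, "mail.internal", 800), ("alice", 14, "crm.internal", 1300),
    ("alice", 16, "wiki.internal", 600), ("alice", 9, "mail.internal", 900),
    ("bob", 8, "git.internal", 4000), ("bob", 13, "git.internal", 5200),
    ("bob", 17, "ci.internal", 3000), ("bob", 10, "git.internal", 4500),
]

# Static signatures (constructed): the detector only knows what is listed here.
SIGNATURES = {"malware-c2.example", "evil.example"}


def signature_match(event):
    """Pattern-matching detector: fires only on destinations already in the list."""
    return event[2] in SIGNATURES


def build_profiles(events):
    """Learn a per-user baseline: hours seen, destinations seen, byte statistics."""
    profiles = defaultdict(lambda: {"hours": set(), "dests": set(), "bytes": []})
    for user, hour, dest, nbytes in events:
        profile = profiles[user]
        profile["hours"].add(hour)
        profile["dests"].add(dest)
        profile["bytes"].append(nbytes)
    for profile in profiles.values():
        profile["mean"] = mean(profile["bytes"])
        profile["std"] = pstdev(profile["bytes"])
    return profiles


def score_event(profiles, event):
    """Return the out-of-context indicators for one authenticated event.

    The user holds a valid identity in every case; only behaviour is judged.
    """
    user, hour, dest, nbytes = event
    profile = profiles.get(user)
    if profile is None:
        return ["unknown-user"]
    reasons = []
    # More than two hours away from every hour previously seen: off-hours access.
    if all(abs(hour - seen) > 2 for seen in profile["hours"]):
        reasons.append("off-hours")
    if dest not in profile["dests"]:
        reasons.append("new-destination")
    # Transfer more than three standard deviations above this user's mean.
    if profile["std"] > 0 and nbytes > profile["mean"] + 3 * profile["std"]:
        reasons.append("volume-spike")
    return reasons


def update_profile(profiles, event, reasons):
    """Self-learning step: benign events extend the baseline; flagged ones do not."""
    if reasons:
        return
    user, hour, dest, nbytes = event
    profile = profiles[user]
    profile["hours"].add(hour)
    profile["dests"].add(dest)
    profile["bytes"].append(nbytes)
    profile["mean"] = mean(profile["bytes"])
    profile["std"] = pstdev(profile["bytes"])


def evaluate(events):
    """Run both detectors over events; return {event: (signature_hit, reasons)}."""
    profiles = build_profiles(BASELINE)
    results = {}
    for event in events:
        reasons = score_event(profiles, event)
        results[event] = (signature_match(event), reasons)
        update_profile(profiles, event, reasons)
    return results


# Constructed new events: a normal one, an insider transfer made with valid
# credentials at 3 am to a host the user never touched, and a known-bad host.
NEW_EVENTS = [
    ("alice", 10, "crm.internal", 1400),
    ("alice", 3, "fileshare.internal", 250000),
    ("bob", 9, "malware-c2.example", 300),
]

if __name__ == "__main__":
    for event, (sig_hit, reasons) in evaluate(NEW_EVENTS).items():
        print(event, "signature" if sig_hit else "-", reasons)
```

The insider event never matches a signature, because nothing about it is "known bad": the credentials are valid and the host is internal. It is caught only because it is out of context for that user on three counts at once, while the one signature hit is also flagged as a new destination, so the behavioural layer adds information rather than replacing the list. The thresholds (two hours, three standard deviations) are illustrative; a production baseline would be built from far more history and would weight indicators rather than treat them as a flat list.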

Gary Denman is Senior Director for Australia and New Zealand of Brocade
