Transitioning to a Security-Driven Networking Strategy

Digital innovation is changing every aspect of how organizations conduct business. But nowhere has its impact been felt more acutely than among the security team. Those teams, already grappling with serious challenges due to the growing cybersecurity skills gap, are being tasked to secure an ever-expanding network footprint. Without a comprehensive, security-driven network strategy in place, this problem is only going to get worse.

Complexity is the Enemy of Security

If an expanding digital footprint were the only issue, it would likely be manageable. The bigger challenge is that, in a rush to adopt digital business practices, many of these new network expansion projects are often being implemented ad hoc by individual lines of business. Security teams are then left to secure virtual and cloud environments, the implementation of SaaS services, DevOps projects, the growing adoption of IoT, mobile workers, and an expanding array of personal connected devices after they have already been implemented.

This results in a complex assortment of security vendors, products, and architectures that is the exact opposite of a coherent security strategy. Security devices operate in isolation, policies have to be hand-ported to different devices, and visibility and threat correlation are limited. Such complexity has always been the enemy of security, with skilled cyber adversaries waiting to take advantage of security blind spots and gaps in policy enforcement and monitoring. And now, their potential attack surface has expanded exponentially.

How do you secure dynamic environments like SD-WAN and Intent-Based Segmentation?

Nowhere is this more evident than in the efforts to update traditional WAN connections, which rely on a static hub-and-spoke design that requires backhauling all traffic through the central data center. Today’s core network is continually adapting to the introduction of new devices, applications, and workflows, along with shifting network configurations to support business requirements, and this requires advanced, intent-based segmentation. The challenge is that most static router and MPLS configurations simply can’t support a network in constant flux. SD-WAN solutions, however, fully support intent-based segmentation, including the continuous reconfiguring of segmented zones to accommodate business-critical applications and WAN networking requirements.

At the same time, the performance demands of business-critical applications are continually increasing. The result is that traditional router and MPLS-based WAN connections are no longer a viable solution due to their inflexible designs and high demands for things like manual reconfiguration. Meanwhile, limited bandwidth – and the growing costs associated with dedicated circuits, especially as bandwidth requirements continue to escalate – are forcing once-robust connections to struggle to keep up. It’s part of the reason why, as organizations look to refresh their WAN router infrastructure, the global market for SD-WANs is expected to grow at a CAGR of 60-65 percent through 2021.

But most SD-WAN solutions come at a security cost that is not even considered until well after a solution has been chosen and implementation has begun. Traditional connections passing through the central data center are protected with the full array of security deployed in the core network. To ensure greater flexibility and performance, however, branch connections through an SD-WAN appliance use direct internet connections, and those devices generally only provide a basic firewall. Security teams are then left to build an overlay security framework that is costly not only in terms of the security devices that need to be purchased and deployed, but also in terms of the additional overhead required to keep them tuned to the continually shifting connections and real-time traffic shaping needed to keep connections over a public network fast and reliable.

The Need for a Security-Driven Networking Strategy

Security-Driven Networking is a new, strategic approach to security that enables the seamless expansion of network environments and services without ever compromising on security. Essentially, it begins by crafting a comprehensive security policy that covers the entire organization. It outlines the protocols, enforcement and inspection technologies, policies, and protections required to be in place before any new network environment or solution is even placed on the drawing board.

Next, it requires the selection and full integration of security tools that not only work together to share and correlate intelligence and coordinate a unified response to threats, but that also work seamlessly across the widest variety of environments possible. These technologies need to work consistently, regardless of whether they are deployed as a traditional or virtual appliance or as a cloud-based solution. They also need to be deployed natively across any combination of private and public multi-cloud environments and adapt to dynamically changing network infrastructures. They also need to provide a single security policy that can follow data, applications, workflows, and transactions across the entire distributed network with consistent visibility and enforcement.

However, much of this functionality can no longer be supported with traditional hardware that relies on layers of coding around off-the-shelf CPUs. Integrated services, to be fully responsive, need custom hardware that integrates networking and security functionality at the most fundamental level. This requires custom processors purpose-built to optimize functionality, accelerate specific sorts of transactions, and manage complex activities that simply cannot be otherwise achieved without serious performance degradation and overly complicated management.

In this way, rather than having to interpret and react to network changes – which is how nearly every security solution today functions – security is able to become part of the network itself. This allows it to simply adjust policies and protocols as part of the dynamic networked environment. Need to change the connection between a SaaS application and a branch office? Because security is now an integral part of network functionality, it can adjust simultaneously and at network speeds, so not a single packet is left unprotected. 

Security-Driven Networking is Already Here

This strategy is already in place in some Secure SD-WAN solutions. Rather than running on a separate SD-WAN appliance, it can be integrated into an NGFW solution. This provides a full stack of security functions, by default, from the moment it is turned on. Firewall, IPS, anti-virus, web filtering, sandboxing, and more – the same set of protections previously only available in the data center – can now encrypt, inspect, and secure direct internet connections to all essential cloud applications and internet-based services. And because the same device runs all essential WAN functions – such as application recognition and steering, traffic management, and connectivity controls – security is seamlessly bound to any changes in connectivity. Both networking and security can then be managed through a single, fully integrated management console.

Adding this same functionality to switches and wireless access points, combined with network access control and intent-based network segmentation, allows this security-driven networking strategy to also be deployed deep into branch office LANs and even core network environments – especially for SMB organizations – where integrated functionality supported by purpose-built hardware can set new standards for supporting the networks of tomorrow.

The Next Generation of Security

This approach represents the next generation of security, and it needs to be in place before smart cities and buildings, fully automated transportation, and 5G-based edge computing begin to be fully embraced. Without a security-first, security-driven network strategy in place, the resulting chaos will be a field day for cybercriminal organizations.

John Maddison is Sr. Vice President, Products and Solutions at Fortinet. He has more than 20 years of experience in the telecommunications, IT infrastructure, and security industries. Previously he held positions as general manager of the data center division and senior vice president of core technology at Trend Micro. Before that, John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.