SDNs – Increased Visibility for Large-scale Networks

By Yoram Ehrlich, VP of Products, Niagara Networks

Is there a network out there that isn’t physically growing? Quite possibly, but I’ve never seen it.


Data centers, their network needs, demands on their resources, and the number of physical and virtual access points are increasing significantly, and your network managers are having trouble keeping up.

If that isn’t enough of a headache, take into account both the expanding security needs of the network itself and the increasing number of potential vulnerabilities likely to be exploited by malevolent parties – your data center security engineers and system managers are under tremendous pressure simply to keep up.

Depending on the nature of the enterprise and the types of clients and users, the scope and range of the network could be anything from small and local to cross-continental and global. Regardless of the physical distances, as our networks grow, a natural or planned segmentation must be taken into account. The actual complexity in supporting network visibility and security across multiple system segments – whether distributed locally or across the field – magnifies the challenges multi-fold.

From a security point of view, a growing number of devices and tools to secure a network — from ‘simple’ malware detection to new generation firewalls and intrusion detection and prevention systems (IDPS) — adds even more layers of complexity.

Network visibility architecture – if it hasn’t already been implemented – must be one of your enterprise’s top priorities. It must cover both inline solutions within the physical network itself and out-of-band solutions – those outside the network that are designed only to receive traffic – for network visibility to be complete. Therefore, acquiring all the necessary dedicated network security devices that will offer coverage and management support for each segment of your network can be very expensive.

You also need to consider this: as more and more network visibility techniques, tools, and physical components are added to the already growing network, you will need to address how various security devices are handling the increasing amount of network bandwidth. Network and security engineers traditionally address this issue by acquiring even more network security devices. This, in and of itself, will significantly affect network management – and again, the expenses rise.

So, what is the secret to unraveling this Gordian knot? Actually, it’s no secret at all, but rather a smart solution based on a visibility platform founded on the Software-defined Network (SDN) paradigm.

SDN benefits

To increase our data center’s leverage vis-à-vis network control and visibility, SDN offers a serious alternative to hardware managed networks. What it brings to the table is an optimum means for security engineers and network administrators to view and manipulate the network nodes and traffic as required via software control rather than relying only on hardware functionality. Thus, a dynamic, flexible, and scalable connectivity is enabled to support the data center’s and core network’s ever-changing demands.

SDNs are directly programmable, providing an agile, centrally managed platform that decouples the Control Plane (those decisions about where data traffic is routed) from the Data Plane, which determines what and how data traffic is moved.

Among the many benefits of SDN, managers can make on-the-fly changes in the network via a centralized tool, thus no longer having to separately configure each device on the network.

Here are some more visibility benefits, thanks to SDN:

  • Manage costs of security and monitoring devices across multiple locations.
  • Direct access to each and every security device in the network.
  • Network downtime can be reduced via risk assessment.

Visibility = Security for large networks

Thanks to SDN’s open architecture OpenFlow, an SDN controller can stay in touch with each and every network device and segment, regardless of its physical location. OpenFlow is used by all SDN controllers, whether supplied by a specific vendor or a customized controller and regardless of whether the elements are involved in security or network management.

OpenFlow exists in the control or management layer of the network. This layer is connected to the physical layer, which is composed of the different hardware devices and network links. This architecture empowers a network manager with full visibility across almost every point in the network, creating a flat environment and helping eliminate blind spots. This also enables a network manager to leverage traffic intelligence.

Traffic intelligence and visibility

Traditionally, a network administrator would create policies to be applied as rules for each device and node on the network, resulting in a static network visibility configuration where each network element functions according to its policy and rules from the pool of policies.

However, network “visibility” isn’t just for “viewing” the network or having immediate access to any of the endpoint nodes. Adding traffic intelligence via SDN offers you access to the infrastructure, which will increase visibility across the network. For example, if a network administrator has been notified of a surge in emails containing malware, then the SDN controller can be used to alert the security infrastructure (e.g. IDPS) to ensure that all email traffic is analyzed before being allowed to be routed to its destination.

The IDPS can analyze all network traffic, isolate all email traffic, and reroute it to an applicable inspection tool on the network. Thanks to the intelligence built into the controller, the visibility elements, and the REST API, the entire process is automatic. This automated and dynamic network traffic management is called traffic intelligence.

Traffic intelligence offers the following added value to network administrators by dynamically enabling traffic to be automatically rerouted to where it needs to go, without any need for human intervention:

  • The built-in intelligence functionality ensures significant time savings; network administrators are no longer required to create rules for these processes or configure those devices.
  • Blanket, all-encompassing traffic rules, which often cause devices to needlessly waste resources performing unnecessary tasks, are eliminated. The network can now automatically perform network traffic inspection and analysis, detecting relevant traffic, and rerouting it. In this manner, devices are no longer tied up by carrying out unnecessary tasks. Such functionality can be especially helpful when you need to effectively investigate data leaks.
  • The need for high-end security devices is reduced (even under optimum conditions, these devices cannot be expected to inspect and analyze all of your network traffic) – thus saving money.

It should be noted that traffic intelligence is not only applicable to security issues. It can also be used for prioritizing traffic. As an example, the SDN can be configured to make sure that all VoIP traffic is set to the highest priority, thus ensuring the best quality, uninterrupted service over the network. This can be applied to other real-time services such as video conferencing or other collaboration pipelines.

Maximizing the distributed network

In addition to automating processes and enhancing visibility, SDN enables you to move or reroute data from one location to another as required or even replicate it and move that data.

For example, your email traffic needs to be analyzed but no inspection or security device is free on the relevant segment of the network to carry this out. SDN can redistribute the traffic to another segment, where relevant devices and tools are available. This enhances the cost-effectiveness of your network devices, thanks to intelligent resource usage of all the devices distributed across your network.
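The email-steering and cross-segment redistribution described above can be modelled as a small central policy engine. This is an added example, not Niagara Networks' or any controller's code: the tool inventory, segment names, rule dictionary layout and the alert-on-no-capacity behaviour are assumptions, and only the match field names (eth_type, ip_proto, tcp_dst) follow OpenFlow conventions.

```python
from dataclasses import dataclass

EMAIL_PORTS = (25, 465, 587)  # SMTP, SMTPS, mail submission

@dataclass
class Tool:
    name: str
    segment: str
    capacity_mbps: int
    load_mbps: int = 0

    def headroom(self):
        return self.capacity_mbps - self.load_mbps

def sample_tools():
    # Constructed inventory: the dc-east IDPS is nearly saturated.
    return [Tool("idps-a", "dc-east", 1000, load_mbps=950),
            Tool("idps-b", "dc-west", 1000, load_mbps=200)]

def pick_tool(tools, segment, demand_mbps):
    """Prefer a local tool with room; else the remote tool with most headroom."""
    fits = [t for t in tools if t.headroom() >= demand_mbps]
    if not fits:
        return None
    local = [t for t in fits if t.segment == segment]
    return max(local or fits, key=Tool.headroom)

def steer_email(tools, demand_by_segment):
    """Build OpenFlow-style rules that divert email traffic to inspection."""
    rules = []
    for segment, demand in sorted(demand_by_segment.items()):
        tool = pick_tool(tools, segment, demand)
        if tool is None:
            # Assumption: raise an alert instead of silently skipping inspection.
            rules.append({"segment": segment, "action": "alert_no_capacity"})
            continue
        tool.load_mbps += demand  # account for the traffic just assigned
        for port in EMAIL_PORTS:
            rules.append({
                "segment": segment,
                "priority": 200,
                "match": {"eth_type": 0x0800, "ip_proto": 6, "tcp_dst": port},
                "action": f"output:{tool.segment}/{tool.name}",
                "remote": tool.segment != segment,  # crosses segments
            })
    return rules

if __name__ == "__main__":
    for rule in steer_email(sample_tools(), {"dc-east": 300, "dc-west": 100}):
        print(rule)
```

In the sample run, dc-east email is redirected to the dc-west IDPS because the local tool lacks headroom, while dc-west traffic stays local.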

With SDN controllers, managing network traffic in a large network is greatly simplified.


To summarize, SDN technology can assist you with increased visibility on large-scale networks with multiple sites. Thanks to traffic intelligence, i.e. a central policies engine, traffic can be easily and effectively distributed across multiple security and monitoring devices. It can optimize fabric flows across the network to meet KPIs, capacity, and performance matrixes. By sharing inline, out-of-band, and other tools across the network, it greatly contributes to enhancing the security platform.

For more information on SDN and solutions for reducing blind spots on your network, visit our resources page to gain insight on network visibility. You can also contact Niagara Networks to arrange a consultation with one of our visibility experts.
