As network engineers, we are repeatedly encouraged to “design security in from day one,” especially in this age of increasingly large and damaging breaches. It’s easy to say “design security in,” but what does that really mean? In the common view, security means stateful packet filters and complex passwords: throw a password and a policy at it and you’re all good. None of those things, however, seems to have much to do with designing, deploying or (really) even operating a network.
Maybe it’s time to change the perception of network security.
The overwhelming majority of security breaches are not due to software defects or to determined attackers exploiting an unknown hole in your defenses. Most breaches are, in fact, due to misconfigurations and a lack of security awareness. Once an attacker is “inside” (or if the attacker is an insider), lateral movement is the key tool for widening the damage they can do and the information they can collect.
Misconfigurations within the Network
The first of these two, misconfigurations, can be attacked by making the network simpler, deploying automation and moving toward intent-driven networking. Reducing complexity reduces the sheer number of complex configurations, and with it the potential for mistakes. Automation (through DevOps practices) makes configurations repeatable. Intent-driven network systems make configurations auditable.
Lateral Movement within the Network
The second of these two, lateral movement within the network, can be addressed by properly separating functional modules within the network and deploying segmentation. Properly segmenting the network, both topologically and in layered modules, builds in fault domains: it becomes hard to impact one part of the system by attacking another. On the one hand, proper segmentation can prevent an attacker who breaks into one part of the system from gaining control of other parts. On the other, segmentation logically divides the network into application- or control-group sections, each of which can have independent policies and members.
Segmentation and modularization should be familiar words to network designers and operators, because they are also the building blocks required to create a scalable and reliable network. Designing security in, then, means using the tools we already use, just with security in mind as well as scaling and operational simplicity.
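As an added illustration of what “auditable” segmentation intent looks like in practice (this is example code written for this page, not from the original post or any product it describes): a small Python script declares which segment-to-segment flows are intended, then compares the deployed permit rules against that declaration. It reports both unintended permits (drift that silently widens the paths available for lateral movement) and intended flows that no rule actually implements. The segment names, prefixes, ports and rules are constructed sample values, and the first-match shadowing semantics of a real ACL are simplified away.

```python
"""Audit deployed segmentation rules against a declared intent.

Constructed example: segments, intent and rules are illustrative sample
values, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple

# Segments (functional modules) and their address space; sample values.
SEGMENTS = {
    "web":  ip_network("10.1.0.0/24"),
    "app":  ip_network("10.2.0.0/24"),
    "db":   ip_network("10.3.0.0/24"),
    "mgmt": ip_network("10.9.0.0/24"),
}

# Intent: (source segment, destination segment) -> allowed TCP ports.
# Any pair or port not listed here is intended to be denied.
INTENT: Dict[Tuple[str, str], Set[int]] = {
    ("web", "app"):  {443},
    ("app", "db"):   {5432},
    ("mgmt", "web"): {22},
    ("mgmt", "app"): {22},
    ("mgmt", "db"):  {22},
}


@dataclass(frozen=True)
class Rule:
    """One deployed filter rule; port None means 'any port'."""
    src: str
    dst: str
    port: Optional[int]
    action: str  # "permit" or "deny"


# Deployed rules as they might be pulled from a device (constructed sample).
DEPLOYED = [
    Rule("10.1.0.0/24", "10.2.0.0/24", 443, "permit"),   # matches intent
    Rule("10.2.0.0/24", "10.3.0.0/24", 5432, "permit"),  # matches intent
    Rule("10.2.0.0/24", "10.3.0.0/24", 22, "permit"),    # drift: app -> db ssh
    Rule("10.9.0.0/24", "10.1.0.0/24", None, "permit"),  # drift: mgmt -> web any port
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),        # default deny
]


def segments_touched(prefix: str, segments=SEGMENTS) -> List[str]:
    """Segments a rule prefix overlaps: a prefix inside a segment, or one
    wide enough (e.g. 0.0.0.0/0) to contain a whole segment."""
    net = ip_network(prefix)
    return [name for name, seg in segments.items()
            if net.subnet_of(seg) or seg.subnet_of(net)]


def audit(rules, intent=INTENT, segments=SEGMENTS):
    """Compare permits against intent.

    Returns (unexpected, missing):
      unexpected - (src_seg, dst_seg, port, rule): permits the intent does not
                   allow, i.e. extra lateral paths;
      missing    - (src_seg, dst_seg, port): flows the intent allows but no
                   rule permits.
    Simplification: first-match shadowing by earlier deny rules is ignored.
    """
    permitted: Set[Tuple[str, str, int]] = set()
    unexpected = []
    for rule in rules:
        if rule.action != "permit":
            continue
        for s in segments_touched(rule.src, segments):
            for d in segments_touched(rule.dst, segments):
                if s == d:
                    continue  # intra-segment traffic is out of scope here
                allowed = intent.get((s, d), set())
                if rule.port is None:
                    # A wildcard permit does carry the intended ports...
                    permitted.update((s, d, p) for p in allowed)
                    # ...but it is still wider than the intent, so flag it.
                    unexpected.append((s, d, None, rule))
                elif rule.port in allowed:
                    permitted.add((s, d, rule.port))
                else:
                    unexpected.append((s, d, rule.port, rule))
    missing = [(s, d, p) for (s, d), ports in intent.items()
               for p in sorted(ports) if (s, d, p) not in permitted]
    return unexpected, missing


if __name__ == "__main__":
    extra, gaps = audit(DEPLOYED)
    for s, d, p, rule in extra:
        print(f"UNEXPECTED {s} -> {d} port {p if p is not None else 'any'}: {rule}")
    for s, d, p in gaps:
        print(f"MISSING    {s} -> {d} port {p}: intent not implemented")
```

Run against the sample rules, the audit flags the app-to-db SSH permit and the wildcard management-to-web permit as drift, and reports the management-to-app and management-to-db SSH flows as intended but not implemented. The same comparison is what makes an intent-driven configuration auditable: the intent is the source of truth, and every deployed rule must be explainable in its terms.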
Join us on February 10th at 12 pm EST for Masterclass #3: Security in the Data Center Fabric, as we discuss the concept of designing security into your data center in more depth.