How to take the first step toward intent-based network security

What is IBNS, and what are its advantages? 

Intent-based network security (hereafter “IBNS”) helps with several areas that are of top concern for enterprise security leaders: 

  • Software-defined networking
  • New application deployment
  • Moving applications across platforms (e.g. on-prem, cloud, virtual, containers)
  • Orchestrating policies to fit the network need

It does this by decoupling intent from implementation.  

In this model, intent becomes the bedrock of policies and controls, and implementation serves as the device-specific enforcement of the declared security goal.  

In practice, you move away from hand-writing individual rules and toward automating processes rooted in the desired intent for a device or path.

Obviously, this is a large undertaking for any organization, because it’s drastically different from current-state thinking. In reality, though, intent has always been the bedrock of data protection. 

The path to IBNS isn’t as challenging as some make it out to be. But what’s that first step? 

Mapping 

We must first discover the resources, assets, rules and controls that are currently in action.  

Tactic-wise, this typically takes three forms: 

Recursive Network Indexing: Recursive cycling targets, discovers, traces, monitors, profiles and displays the network. Recursive network indexing and the various multisource identification techniques from scouting the network allow us to answer questions such as: 

  • What network enclaves are able to reach others?  
  • Which rules allow this access?  
  • What does the network look like from the outside?  
  • How are devices connected, distributed and orchestrating all the traffic?   

Traffic Flow Analysis (TFA): It is one thing to see the current infrastructure layout and relationships, but it is even more helpful to have that map constantly updated through recursive techniques. TFA is the starting line for seeing how packets can travel through the network from a given starting position. Recursive network indexing shows us what is happening, and TFA shows us how it is happening.

Access Path Analysis: This is a reference guide to the means by which packets are transported across the network, between segments and throughout the global enterprise. Access Path Analysis reveals the paths of least resistance from one point to another. When the business knows the likely paths, it has more data with which to determine its security intentions, and it can assess the likely security goals (intents) behind the configuration and capability of each path.

Once we have Recursive Network Indexing (what is there), Traffic Flow Analysis (how it is happening) and Access Path Analysis (where it could lead), we have the ingredients for intent.  
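The three questions above (which enclaves can reach which, which rules permit it, and what the shortest path between two points is) can be answered with a small reachability search over the rule base. The following is an added, illustrative example, not FireMon code: it runs over a constructed set of enclaves and firewall rules, tags every hop with the rule that permits it, and returns the shortest path first as the "path of least resistance".

```python
from collections import deque

# Constructed sample rule base (hypothetical enclaves, rule ids and ports).
# Each rule permits or denies traffic from one enclave to another on a port.
RULES = [
    # (rule_id, src_enclave, dst_enclave, dst_port, action)
    ("fw1-r10", "internet", "dmz", 443, "allow"),
    ("fw1-r20", "dmz", "app", 8443, "allow"),
    ("fw2-r05", "app", "db", 5432, "allow"),
    ("fw2-r06", "dmz", "db", 5432, "deny"),   # direct hop blocked ...
    ("fw3-r01", "corp", "app", 8443, "allow"),
    ("fw3-r02", "corp", "db", 5432, "allow"),
]

def build_graph(rules):
    """Adjacency list: src -> [(dst, rule_id, port)], allow rules only."""
    graph = {}
    for rule_id, src, dst, port, action in rules:
        if action == "allow":
            graph.setdefault(src, []).append((dst, rule_id, port))
    return graph

def access_paths(rules, start, target):
    """Every loop-free hop-by-hop path from start to target, each hop tagged
    with the permitting rule. BFS yields the shortest path first."""
    graph = build_graph(rules)
    paths, queue = [], deque([(start, [])])
    while queue:
        node, hops = queue.popleft()
        if node == target and hops:
            paths.append(hops)
            continue
        visited = {start} | {h[0] for h in hops}
        for dst, rule_id, port in graph.get(node, []):
            if dst not in visited:            # never revisit an enclave
                queue.append((dst, hops + [(dst, rule_id, port)]))
    return paths

def reachable_enclaves(rules, start):
    """Transitive closure: every enclave that 'start' can reach at all.
    Note that 'db' is reachable from 'internet' via 'app' even though the
    direct dmz->db hop is denied, which is exactly what a rule-by-rule
    review of fw2-r06 alone would miss."""
    graph = build_graph(rules)
    seen, stack = set(), [start]
    while stack:
        for dst, _, _ in graph.get(stack.pop(), []):
            if dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen
```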

And while this post isn’t designed to sell you anything (it’s designed to help you move towards IBNS), it’s doubtful we’d be writing about these tactics if FireMon didn’t utilize them with customers. So rest assured: our product can do all three. 

In the next post, we’ll go through deduction, declaration and translation of said intent. That will move you from “understanding how things are moving around your network” to “being able to automate the processes around those elements.”