Our networks are continually evolving, and this constant change brings both challenges and opportunities for our security posture. The flexibility of software defined networking (SDN) enables efficient and scalable performance, but if it is not done properly it can open your network up to unnecessary risk. Not being locked into a static architecture lets network engineers troubleshoot and deploy networks at a level that wasn’t possible in the past. This technology has also prompted enterprises to start considering micro-segmentation with a zero-trust model, using that same flexibility with a “security first” mindset.
One of the first steps when deploying this technology is a thorough discovery of all endpoints on the network. We recommend completing this first, so security engineers and network engineers can work together to build policy based on the assets that currently reside on the network. While working through these policies, engineers should establish a baseline of which systems actually require access to which resources. This is commonly done by placing “like systems” in a group and applying policy to that group. For example, a common use case is understanding how your web architecture should be configured and locking down that policy so it is repeatable during deployment. Before SDN, micro-segmentation and zero-trust, these systems were normally placed in an untrusted DMZ zone on a switch, often on the same VLAN as other systems. The web servers would then have to communicate with an application server, which in turn communicated with the database server. Depending on how this was architected, it often left large firewall holes, with trust assumed based on which systems were talking to each other. Also, if all of these systems sat on the same VLAN/switch, the organization was left with the potential for unneeded communication between them. In this example there is little reason for web servers on the same VLAN to speak to each other, yet locking them down was difficult.
Now enter SDN and zero-trust networks with the same example. We can still rely on zones like DMZ, LAN and WAN, but add filtering on top of them at the network level, per system. The web servers should never speak to other web servers and should only speak to the application servers on a particular port (we can get even more granular once we bring authentication and authorization of these devices into the picture). With SDN and zero-trust you are able to configure policies that define what a web server is and how it should behave going forward. This assists with deployment: tag a new asset as a “webserver” and the policy is orchestrated and applied to it without manually creating the same rules multiple times. The filtering is also applied at the asset level rather than depending on traffic passing through a choke point before these decisions are made.
From the networking standpoint this reduces risk in your environment by creating enforcement points that control the flow of data through policy, giving organizations granular control. The advancements of SDN and zero-trust networking allow for a combination of flexibility and security that helps enterprises reduce risk and lower their attack surface. Using traffic flow analysis tools to baseline your understanding of what is moving through your network will help you optimize your ruleset and expedite the creation of asset groups and their allowed communications, guiding you towards a more secure network.
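To make the group-based policy and the flow baselining concrete, here is an added example (not code from the original post or any vendor’s SDN product) that models the three-tier web architecture described above. The asset inventory, the tag names, the allowed ports and the flow-log format are all constructed assumptions: assets are tagged into groups, policy is written group-to-group with default deny, and a small flow log is replayed against that policy to show which observed flows the ruleset would block, which is how a baseline reveals unneeded communication such as web-server-to-web-server traffic.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed inventory: hostname -> tag (the "like systems" groups).
# In practice this comes from the endpoint discovery step.
ASSET_TAGS = {
    "web-01": "webserver", "web-02": "webserver",
    "app-01": "appserver",
    "db-01": "database",
}

# Group-level policy: (src_tag, dst_tag) -> allowed TCP ports.
# Anything not listed here is denied (default deny). Ports are assumed values.
POLICY = {
    ("webserver", "appserver"): {8443},
    ("appserver", "database"): {5432},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def evaluate(flow, tags=ASSET_TAGS, policy=POLICY):
    """Decide a single flow against the group policy; returns (decision, reason)."""
    src_tag = tags.get(flow.src)
    dst_tag = tags.get(flow.dst)
    if src_tag is None or dst_tag is None:
        # An asset missed by discovery has no group, hence no policy: deny and flag it.
        return "deny", "untagged asset"
    if src_tag == dst_tag:
        # Peers in the same group (e.g. web server to web server) never need to talk.
        return "deny", f"intra-group {src_tag} traffic"
    allowed = policy.get((src_tag, dst_tag), set())
    if flow.port in allowed:
        return "allow", f"{src_tag}->{dst_tag}:{flow.port}"
    return "deny", f"no rule for {src_tag}->{dst_tag}:{flow.port}"


def parse_flow_log(lines):
    """Parse constructed 'src dst port bytes' records, skipping blanks and comments."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port, nbytes = line.split()
        yield Flow(src, dst, int(port)), int(nbytes)


def baseline(lines, tags=ASSET_TAGS, policy=POLICY):
    """Summarise observed group-to-group flows and list those the policy would deny."""
    observed = defaultdict(int)
    violations = []
    for flow, nbytes in parse_flow_log(lines):
        key = (tags.get(flow.src, "untagged"), tags.get(flow.dst, "untagged"), flow.port)
        observed[key] += nbytes
        decision, reason = evaluate(flow, tags, policy)
        if decision == "deny":
            violations.append((flow, reason))
    return dict(observed), violations


# Constructed sample flow log, not real traffic.
SAMPLE_FLOWS = """\
# src dst port bytes
web-01 app-01 8443 12000
web-02 app-01 8443 9800
app-01 db-01 5432 40000
web-01 web-02 445 300
web-01 db-01 5432 500
web-02 legacy-09 22 120
""".splitlines()


if __name__ == "__main__":
    observed, violations = baseline(SAMPLE_FLOWS)
    for (src_tag, dst_tag, port), nbytes in sorted(observed.items()):
        print(f"{src_tag:>10} -> {dst_tag:<10} port {port:<5} {nbytes:>7} bytes")
    print(f"\n{len(violations)} observed flows the policy would deny:")
    for flow, reason in violations:
        print(f"  {flow.src} -> {flow.dst}:{flow.port}  ({reason})")
```

Running it over the sample log reports three flows the policy would deny: the web-to-web SMB flow, the web server reaching the database directly, and a flow to an untagged host that discovery missed. Those are exactly the items an engineer would review before enforcement: the first two are the rules you want, the third is a gap in the inventory.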