Educate Your Network to be Intelligent

The goal of education is to gain knowledge to act more intelligently. Today’s modern network designs are focused on fatter and faster pipes at the core with intelligence being distributed and pushed to the edge. The edge network is also changing from wired to wireless as mobile devices take hold at enterprises. Network elements such as firewalls, wireless controllers, load balancers, switches and routers are becoming virtualized software network functions, able to change in both functionality and scale. At the heart of today’s networks are network controllers that direct these network functions based on feedback from sensors and the status of these virtualized network elements. These software-defined networks (SDN) enable intelligent capabilities to sense and respond quickly to changes or events in the network.

Virtual Overlays Enable Agile Defenses

This dynamic network adaptation capability is a key enabler from an ACD perspective. Virtualized network functions enable elastic services that operate as virtual machines in a logical network that is independent of the physical network location or state. Workload VMs can migrate across this logical network without requiring any reworking of security policies, load balancing, etc. In addition, new workloads or networks should not require (re)-provisioning of the physical network. Nodes in the physical network can fail without any disruption to the workload, while any failures in the virtual layer do not propagate to the physical layer. This type of agile and resilient network allows network engineers and administrators to respond quickly to changing mission requirements and security events.

In SDN environments, the control plane understands the network schematic and is therefore able to configure the network in response to specified commands. The control plane creates an overlay—a temporary logical network put in place to address a demand, a situation, a security response—without having to touch the underlay. The control plane also choreographs the services enabling them to be scaled up or down.

The forwarding plane of the SDN environment comprises virtual network elements (vRouters) that carry network user data. vRouters are responsible for forwarding packets from one virtual machine to other virtual machines via a set of server-to-server tunnels. The tunnels form an overlay network sitting on top of a physical IP-over-Ethernet network.
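To make the control plane / forwarding plane split concrete, here is an added example that is not part of the original post and not any vendor's SDN code: a toy control plane that holds the network schematic (which host each VM lives on) and a toy vRouter that wraps VM-to-VM frames in host-to-host tunnels. Host names, underlay addresses, VM names and the segment identifier (VNI) are constructed; the point is that a placement change is overlay state only, and the underlay addresses never change.

```python
# Added example (not from the original post): a toy SDN control plane plus
# vRouter forwarding plane. The control plane knows where every VM lives and
# pushes that mapping to the vRouters; each vRouter encapsulates VM frames in a
# host-to-host tunnel so the physical IP network only ever sees host addresses.
# Hosts, addresses, VM names and the VNI below are constructed values.
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Frame:
    """Overlay frame between two workload VMs."""
    src_vm: str
    dst_vm: str
    payload: bytes


@dataclass(frozen=True)
class TunnelPacket:
    """What the underlay carries: outer host addresses, a segment id, the inner frame."""
    outer_src: str   # underlay IP of the sending host
    outer_dst: str   # underlay IP of the receiving host
    vni: int         # overlay segment identifier
    inner: Frame


class ControlPlane:
    """Holds the schematic: host -> underlay IP, and VM -> host placement."""

    def __init__(self, host_ips: Dict[str, str]) -> None:
        self.host_ips = dict(host_ips)      # underlay: fixed, never touched below
        self.vm_host: Dict[str, str] = {}   # overlay: changes on placement/migration

    def place(self, vm: str, host: str) -> None:
        if host not in self.host_ips:
            raise KeyError(f"unknown host {host}")
        self.vm_host[vm] = host

    def tunnel_table(self) -> Dict[str, str]:
        """VM name -> underlay IP of the host currently running it."""
        return {vm: self.host_ips[h] for vm, h in self.vm_host.items()}


class VRouter:
    """Forwarding element on one host; only ever consults the table it was given."""

    def __init__(self, host_ip: str, vni: int) -> None:
        self.host_ip = host_ip
        self.vni = vni
        self.table: Dict[str, str] = {}

    def sync(self, table: Dict[str, str]) -> None:
        self.table = dict(table)

    def encapsulate(self, frame: Frame) -> TunnelPacket:
        """Wrap a VM frame in a tunnel addressed to the destination VM's host."""
        if frame.dst_vm not in self.table:
            raise KeyError(f"no tunnel endpoint known for {frame.dst_vm}")
        return TunnelPacket(self.host_ip, self.table[frame.dst_vm], self.vni, frame)

    def decapsulate(self, pkt: TunnelPacket) -> Frame:
        """Accept only packets addressed to this host on this segment."""
        if pkt.outer_dst != self.host_ip or pkt.vni != self.vni:
            raise ValueError("packet is not for this host/segment")
        return pkt.inner


def build_demo():
    """Two hosts, two VMs; returns (control_plane, vrouter_on_hostA)."""
    cp = ControlPlane({"hostA": "10.0.0.1", "hostB": "10.0.0.2", "hostC": "10.0.0.3"})
    cp.place("web", "hostA")
    cp.place("db", "hostB")
    vr_a = VRouter("10.0.0.1", vni=5001)
    vr_a.sync(cp.tunnel_table())
    return cp, vr_a


if __name__ == "__main__":
    cp, vr_a = build_demo()
    pkt = vr_a.encapsulate(Frame("web", "db", b"SELECT 1"))
    print("before migration:", pkt.outer_src, "->", pkt.outer_dst)
    cp.place("db", "hostC")            # migrate db; underlay addresses untouched
    vr_a.sync(cp.tunnel_table())
    pkt = vr_a.encapsulate(Frame("web", "db", b"SELECT 1"))
    print("after migration: ", pkt.outer_src, "->", pkt.outer_dst)
```

Notice that migrating `db` only rewrote the VM-to-host mapping the controller pushes; `host_ips`, standing in for the physical network, is never modified, which is the "overlay without touching the underlay" property the paragraph describes.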

“I’ll take a load balancer, a firewall, a NAT, and an IPS to go, please”

By creating an abstract service layer of virtualized network services, implemented over an SDN control plane, an administrator can easily change a network component’s rules when necessary—reprioritizing, or even blocking specific types of packets with a very granular level of control. Essentially, the abstraction layer helps to define a virtual network that presents logical network components as part of service chains—logical switches, logical routers, logical firewalls, logical load balancers, logical VPNs and more— all connected. Logical networks are created, provisioned, and managed through the SDN controller and VM orchestrators, utilizing the underlying physical network as a simple packet forwarding backplane. Virtualized network and security services are distributed and attached to workload VMs within a network. As a VM is moved to another host, these chained services stay attached to the workload VM and move with it. In addition, as new workload VMs are added to a network to scale an application, service chains and policies can be dynamically applied to the new VMs.

Finding – and Stopping – a Needle in a Virtual Haystack

Dynamic service chaining can be applied in many different ways since it allows for fine-tuning of protection parameters based on traffic flow patterns. For example, SDN-based active defense mechanisms and tactics are especially useful in enforcing containment and isolation at the network level. Containment attempts to keep an attacker from moving laterally and affecting wider parts of the system. Isolation attempts to separate useful traffic from suspected traffic with the hope that useful traffic can still be allowed. Through SDN-based service chains, network operators can develop a behavior-based view of network activity, learning and anticipating the “normal” conditions for time-of-day network needs; host, user, and application behaviors; as well as the optimum location for security functions and scaling needs. Security policies can be fine-tuned to these normal behavior profiles and the infrastructure adjusted to expected changes before they occur. Then, when anomalies, security events, or changes in resource utilization occur, the SDN controller can sense and analyze these changes and allocate dynamic countermeasures. If a failure or a compromise does occur, the network can deploy containment or isolation courses of action quickly. In effect, the combination of virtualized network functions and SDN enables a type of cyber maneuver, which is an ACD technique of dynamically modifying aspects and configurations of networks, hosts and applications in a manner that is undetectable and unpredictable by an adversary but still manageable for network administrators.
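The two ideas in the preceding sections, service chains that stay attached to a workload as it moves, and a controller that answers an anomaly with an isolation or containment course of action, can be shown together in one small model. The following is an added example written for this post, not code from the original article or from any SDN product. Workload names, hosts, baseline packet rates, the 2x/5x thresholds and the `forensics_collector` destination are all constructed assumptions; a real controller would learn the baselines and push the resulting rules to vRouters rather than return them from a function.

```python
# Added example (not from the original post): a toy SDN controller that keys
# service chains and security policy by workload rather than by host, so they
# follow a VM across migration, and that answers a traffic anomaly with
# isolation (keep only known-useful peers) or containment (block all lateral
# traffic except to a forensics collector). All names and numbers are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FORENSICS = "forensics_collector"   # the one destination a contained VM may still reach


@dataclass
class Workload:
    name: str
    host: str
    service_chain: List[str]          # ordered logical services, e.g. ["firewall", "load_balancer"]
    baseline_pps: float               # learned "normal" packet rate for this workload
    allowed_peers: Set[str] = field(default_factory=set)  # peers whose traffic is known useful


class Controller:
    ISOLATE_FACTOR = 2.0   # above 2x baseline: isolate (assumed threshold)
    CONTAIN_FACTOR = 5.0   # above 5x baseline: contain (assumed threshold)

    def __init__(self) -> None:
        self.workloads: Dict[str, Workload] = {}
        self.isolated: Set[str] = set()
        self.contained: Set[str] = set()

    def add_workload(self, w: Workload) -> None:
        self.workloads[w.name] = w

    def migrate(self, name: str, new_host: str) -> None:
        # Chain and policy are keyed by workload name, so only the host field changes.
        self.workloads[name].host = new_host

    def services_on(self, host: str) -> Set[str]:
        """Logical services the controller must have instantiated on this host."""
        return {svc for w in self.workloads.values() if w.host == host
                for svc in w.service_chain}

    def observe(self, name: str, pps: float) -> str:
        """Compare an observed rate with the learned baseline and choose a course of action."""
        w = self.workloads[name]
        if pps > self.CONTAIN_FACTOR * w.baseline_pps:
            self.contained.add(name)
            return "contain"
        if pps > self.ISOLATE_FACTOR * w.baseline_pps:
            self.isolated.add(name)
            return "isolate"
        return "normal"

    def _decide(self, w: Workload, dst: str) -> str:
        if w.name in self.contained:
            return "allow" if dst == FORENSICS else "drop"
        if w.name in self.isolated:
            return "allow" if dst in w.allowed_peers else "drop"
        return "allow"

    def flow_rules(self, host: str) -> List[Tuple[str, str, str]]:
        """(src, dst, action) rules the controller would push to the vRouter on `host`."""
        rules = []
        for w in self.workloads.values():
            if w.host != host:
                continue
            for dst in list(self.workloads) + [FORENSICS]:
                if dst != w.name:
                    rules.append((w.name, dst, self._decide(w, dst)))
        return rules


def demo() -> Controller:
    """Three constructed workloads on two hosts."""
    c = Controller()
    c.add_workload(Workload("web", "hostA", ["firewall", "load_balancer"], 100.0, {"db"}))
    c.add_workload(Workload("db", "hostB", ["firewall"], 50.0, {"web"}))
    c.add_workload(Workload("admin", "hostB", [], 10.0))
    return c


if __name__ == "__main__":
    c = demo()
    c.migrate("web", "hostB")
    print("services on hostB after migration:", sorted(c.services_on("hostB")))
    print("web at 250 pps ->", c.observe("web", 250.0))
    for rule in c.flow_rules("hostB"):
        print(rule)
```

Two things to read off the model: after `migrate("web", "hostB")` the load balancer in web's chain appears on hostB without anyone re-provisioning hostA or hostB, and the isolation and containment decisions only ever change the rules pushed to the forwarding plane, which is the "manageable for administrators" half of the cyber maneuver the paragraph describes.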

Software-defined networks are coming to a data center near you soon. Consider adding them to the alternatives you weigh for proactively defending your networks as well.

Thanks for reading and keep adapting.