Securing Your Network with the New IP

Date:   Monday , March 14, 2016

Headquartered in San Jose, California, Brocade specializes in providing high quality networking solutions in the areas of storage networking, data center & ethernet fabric routing, and software & campus networking.

The New IP is a modern approach to networking that emphasizes on open, automated, software-defined elements to increase agility and reduce costs while meeting the challenges of the Third Platform. And the great news is that the New IP provides a new way to architect networks that accelerate business changes and growth while maintaining or increasing high levels of security. Old IP networks are highly vulnerable to security attacks due to their relatively static nature as well as the cost and inefficiencies of hardware only-based security. Layered security for defense-in-depth is significantly enhanced with a New IP architecture because security is designed in, not bolted on.

Security Is Designed In, Not Bolted On

Part of the problem with old IP networks is that security is infrastructure-bound, implemented by devices that are deployed at the edge. In fact, security might have been a separate deployment bolted on at the edge of the network (i.e. perimeter security) representing a single point of failure intended to secure the entire network. But in the cloud era in which the data center and networks converge and the lines of demarcation blur (and access becomes increasingly mobile), the concept of the perimeter disappears. There are no boundaries. In theory, all parts of the network need to be security enabled and need to play a role in defending the network against attacks. The New IP allows you to deploy security in this manner so that the network itself can be pervasively vigilant, ensuring the security of both data-at-rest and data-in-flight.

Improve Security with Network Virtualization while Lowering Costs

The cost and complexity of securing the network\'s perimeter presents challenging cost, performance, and security compromises - leaving you to rely on a few security devices deployed at select strategic locations to secure your entire network. Deploying services as Virtualized Network Functions (VNFs) is a simple but powerful approach. This delivers significant OpEx and CapEx savings (up to 90 percent reduction in capital). Because of the cost savings, you now have the ability to distribute functionality more appropriately, and you achieve the same performance of physical implementations with the flexibility of software. Security can be distributed where needed or even one can remove the services when they are no longer needed. This gives you the advantage to truly customize security at various levels - by geography, function, group, individual or by application.

Security & Analytics Applications on an SDN Controller:

Leveraging flow technologies (such as sFlow) and an SDN controller with programming capabilities (via extensible APIs) allows a centralized view of network behavior. It also provides the ability to take action and push policies to the network in real time. This centralized real-time view of the entire network provides a critical capability to recognize and immediately react to security threats within the infrastructure. The elements are self-responding, not polled. With all the elements pushing information automatically, you get real-time visibility into the entire network, not just points in the network. This provides increased sophistication in orders of magnitude and is a stepping stone in the path toward security empowered by machine learning.

Inherently More Secure Fabric Architecture:

A fabric allows the east-west traffic among Virtual Machines (VMs) to be isolated and contained within a single plane instead of transiting through multiple segments of the network. This eliminates the need for traffic to transit from top of rack, to aggregation, to core, and then back up to some other part of the compute environment. This simplified architecture inherently increases security by design. The underlying fabric is also VM-aware. The awareness of the VMs, the number of virtualized services, types of virtualized services, and the behavior of those virtual machines is important in securing those services.

Network Devices Encrypt Data-in-Flight:

A key aspect of data protection is securing data-in-flight. With networks constantly under attack, securing data through encryption is an effective counter measure to ensure data security. In the data center, LAN, and WAN can protect data going across a link. This can be done without impacting performance or introducing the cost and complexity of backhauling traffic to specialized devices. This is especially critical when the network links are not under an organization\'s physical control, such as between data centers, sites, sites and the cloud.

Improved Security through Storage Networking

Any comprehensive cyber security strategy must include the network that provides or denies access to your data: the storage network. The storage network is potentially your last line of defense if perimeter security has been compromised. If you combine New IP security principles with the storage networking best practices of isolating storage traffic (building separate storage fabrics for IP or Fibre Channel), encrypting data, and instrumenting capabilities within the storage network, you will improve your overall security posture.

Storage Replication with Security:

Mission-critical and business-critical workloads are now being replicated between data centers. You need to maintain high levels of performance but also improve data security while the data is in transit. Since data is the most important enterprise asset and a key target of cyber attacks, you need to encrypt closer to the storage fabrics.

A new IP architecture and the enhanced security it creates, best practices and key capabilities in storage networking are essential to support a broader move to the Internet of Things, the cloud, and digital business models.

Applying New IP principles of security is an evolution, not an overnight transformation. But the good news is that your evolution can start today, along with that of the many organizations already using the proven technologies, products, solutions, and implementations to secure the network.