Delivering the Open Network Advantage

SD-WAN

What is SD-WAN

SD-WAN brings the advantages of software-defined technology to wide area networks. Enterprises are investing in flexible, open cloud architecture and want to extend these benefits to the connections between data centers that are separated by distance, and to connections between headquarters and branch offices. SD-WAN moves network control to the cloud, centralizing and simplifying WAN management without new or proprietary hardware.

Why SD-WAN

SD-WAN offerings improve connectivity and security. Centralizing WAN control through software allows traffic to be directed over unused links, sharing total network bandwidth across endpoints. WAN security can be managed more simply with seamless, centralized policy that includes automation, orchestration, verification and remediation to detect and address issues early. SD-WAN replaces reliance on expensive proprietary routers and custom-built ASICs, and can provide independence from a single carrier or provider.

Network Design Matters

SD-WAN providers integrate SD-WAN architecture through a variety of designs.  Advanced automation and change control solutions use existing hardware to minimize cost and can include advanced functionality.  Appliance-based overlay solutions create a virtual IP network between vendor-proprietary appliances.  Controller-based solutions auto-configure standard architectures to simplify management.  Each of these design types varies in cost and benefits but they all provide software-defined traffic routing and security.

SD-WAN Future

Enterprises are embracing software-defined WAN management to reduce costs, increase security and centralize administration.  Technology providers are enhancing functionality to include additional optimization for security, VPN, NaaS and application policy control.  Transition to SD-WAN will expand over time to meet the growing need for WAN bandwidth, advanced functionality and cost-saving independence from proprietary vendors.

Hybrid Cloud Network

Hybrid Cloud Architecture for a Secure, Flexible Network

The benefits of migration to hybrid cloud infrastructure for lowered cost of ownership and increased network flexibility are quantifiable and undeniable. According to IDC, over 65% of IT enterprises will have adopted a hybrid cloud configuration by the end of this year. Nine out of ten IT decision makers see hybrid as critical to digital business. Cloud vendor sales are growing 50% per year. Extending your private cloud to utilize the flexible virtualized resources in the public cloud can reduce private cloud infrastructure costs, reduce the impact of a single point of failure, and improve global availability. Hybrid clouds can also increase varied workload performance with scaling or cloud “bursting” to meet spikes in processing demand. But what security challenges, design and vendor concerns should you consider before moving to or expanding your hybrid cloud?

Securing the Hybrid Cloud

Private network clouds ensure local control over sensitive data and resources but require expensive, continual investment in local hardware, software and IT management at the level needed to support maximum demand. Public clouds are ideal for email, social media and the hundreds of officially and unofficially IT-sanctioned applications in demand by users. The optimal configuration might keep sensitive data and applications in the private cloud while allowing users to access applications and processes in the public cloud. In the age of software-defined everything and “bring your own device” local networks, it is impossible to safeguard only at the network perimeter, since connecting to the public cloud essentially eliminates the perimeter. Security in a hybrid on- and off-premise environment relies on continuous visibility and network segmentation at every network layer. Software-defined automation capabilities built into a hybrid cloud can allow sensitive data such as medical records or customer payment data to be maintained and accessed only according to data-specific security compliance rules. Proactive security planning and careful use of visibility and security tools can mitigate hybrid cloud security concerns.

Loss of Control and Hybrid Cloud Availability

The economic benefits of using shared cloud resources are driving the hybrid cloud model to be the dominant architecture for the foreseeable future. Most organizations can benefit from off-premise storage backup, email or data processing applications. Financial trading requires local data but can benefit from local off-premise processing. Global online retailers need to protect customer data but can collocate resources for seasonal and sale-driven demand. But what happens when your cloud vendor’s service has availability issues? Cloud vendors are scrambling to proactively prevent outages, and enterprises can develop contingencies through multiple vendor contracts that reroute traffic when necessary. IT fear over lost network control can be addressed with detailed planning. Dashboards for visibility reporting and automation tools are evolving and will soon mitigate the impact of the rare cloud availability issue. IT will be able to prepare for and gain virtual control over cloud resources. The increased agility and lowered costs from some level of cloud utilization will justify the additional complexity of heterogeneous network management.

What’s next for the Hybrid Cloud?

Hybrid cloud has evolved to meet ever-increasing demands for data and applications. As cloud and networking vendors race to make hybrid environments more secure and available, your configuration design will be driven by your functionality priorities. The appropriate balance of spending on private vs. public cloud will be determined by each organization’s unique needs and sensitivities. Cloud technology leaders include Amazon, Microsoft and VMware, each with a varied suite of network visibility and management solutions. Networking technology providers such as Fortinet, Silver Peak and A10 are industry leaders in building additional security and availability into the hybrid cloud network. For an expert assessment and recommendations for the best technology available to meet your needs, the expert networking professionals at Terrapin Systems can help you build or grow your powerful, secure and flexible hybrid network.

Network Segmentation

Network Segmentation for Enterprise Network Security

Cyber-criminal access to your company’s sensitive data is a significant CEO concern. Security breaches like those at Target, Home Depot and Community Health Systems are in the headlines daily and demonstrate that traditional methods of preventing unauthorized access are insufficient in today’s environment. Requirements for cloud applications and services, workforce mobility and dynamic user access through personal devices are driving the need for network segmentation or “zoning.” As the perimeter of a corporate network becomes more difficult to define and protect, threat mitigation and intruder isolation must be a critical component of a comprehensive network security strategy.

Why Segment Your Network?

Network segmentation improves security by making it far more difficult for a network intruder to reach high value data assets such as credit card information or health records. When segmentation is implemented properly, intruders are identified during propagation or lateral movement through the network, alerts are triggered, an audit trail identifies the compromised access point and path, and the segment is isolated from the rest of the network. Segmentation helps to prevent unauthorized access to sensitive information and minimizes breach impact. Zero trust boundaries can protect critical data, resources or intellectual property. Segmentation can even improve performance by reducing local traffic and is becoming more powerful with the evolution of Software Defined Networking (SDN).

How to Get Started

Topology-aware network segmentation requires an initial and ongoing effort to understand the instances of communication between network devices and users that are necessary to support efficient business operations. Segments are defined by business need, either by department or function. Communication between devices is managed through a strict ruleset. Before implementing, study the paths of revenue and information throughout your network, including all access points and back-end management, users, applications and devices. Segmentation can create demilitarized zones (DMZ) and gateways between subnetworks based on security domains using multiple methods that include network and host firewalls, separate physical links and systems, traffic flow and content filters, Network Access Control, and user or service authentication and authorization.

Segmentation Design Basics

Network segmentation design should be thoroughly based on the principles of need-to-know and least privilege. Access should be defined by whitelisting instead of blacklisting. Segmentation should be considered at every network layer, from the application layer to the data link layer. Segmentation design should separate information and infrastructure. Security requirements need to be defined for each user and device for all types of business-justified communications. Issue separate security credentials for users or services, and use multi-factor authentication for sensitive users and services. Filtering should include logical access restrictions (network layer, state-based, and port or protocol), authentication and application layer communications. Implicit trust relationships should be minimized and each side of a trust relationship should authenticate the other. Logging, auditing and alerts should be automated when possible to immediately isolate intrusions and prevent future breaches.

Typical Segment Scenarios

Many segmentation efforts begin by segregating departments such as Finance, Human Resources, Network Administration and Executive Management as separate sub-networks. Related devices such as routers and switches can be segregated, as well as VPNs and VoIP. Government networks may require physically separate segments while enterprises utilizing virtualization define multiple zones on a single device. Third party access should require different administration passwords to reduce threats via compromised partner networks. Sensitive data may require policy-compliant protection such as PCI-DSS for credit card data or HIPAA for patient data. Critical resources suggest separate zones with separate security access rules. In all cases, the guiding principle of “never trust and always verify” requires that traffic between segments should be blocked if there is no business need.
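
The whitelisting and "block unless there is a business need" rules from the two sections above, as an added example that is not from the original page: a default-deny evaluator for inter-segment flows plus an audit that rejects over-broad rules. The segment names follow the scenarios above; the address ranges, rules and flow records are constructed for illustration.

```python
import ipaddress

# Constructed segments and address ranges (assumptions, not from the page).
SEGMENTS = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "hr":      ipaddress.ip_network("10.20.0.0/24"),
    "partner": ipaddress.ip_network("10.90.0.0/24"),
}

# Allowlist: (source segment, destination segment, protocol, port, business need).
ALLOW = [
    ("hr", "finance", "tcp", 443, "payroll submission"),
    ("partner", "finance", "tcp", None, ""),  # deliberately too broad
]

def segment_of(ip):
    """Return the segment containing ip, or None for unknown addresses."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def audit_rules(rules):
    """Flag rules that break least privilege: any-port or no stated need."""
    return [r for r in rules if r[3] is None or not r[4].strip()]

def decide(flow, rules):
    """Default deny: an inter-segment flow passes only on an exact rule match."""
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    if src is None or dst is None:
        return "deny", "address outside any defined segment"
    if src == dst:
        return "allow", "intra-segment"  # assumption: not filtered here
    for s, d, proto, port, need in rules:
        if (s, d, proto, port) == (src, dst, flow["proto"], flow["port"]):
            return "allow", need
    return "deny", f"no business need recorded for {src} -> {dst}"

# Constructed flow records for illustration.
FLOWS = [
    {"src": "10.20.0.15", "dst": "10.10.0.5", "proto": "tcp", "port": 443},
    {"src": "10.20.0.15", "dst": "10.10.0.5", "proto": "tcp", "port": 3389},
    {"src": "10.90.0.7",  "dst": "10.10.0.5", "proto": "tcp", "port": 445},
    {"src": "192.0.2.44", "dst": "10.10.0.5", "proto": "tcp", "port": 443},
]

def evaluate(flows=FLOWS, rules=ALLOW):
    """Drop over-broad rules first, then decide each flow; denies feed alerting."""
    vetted = [r for r in rules if r not in audit_rules(rules)]
    return [decide(f, vetted)[0] for f in flows]

if __name__ == "__main__":
    print(audit_rules(ALLOW), evaluate())
```

Denied flows carry a reason string, which gives the logging and alerting pipeline the source segment and attempted path without further lookup.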

Network Segmentation into the Future

The ability to prevent the PR damage and customer goodwill lost from a single massive data breach more than justifies the effort required to understand your network design and business needs. Technology providers including Juniper, Fortinet, Microsoft, VMware, Pluribus, and Palo Alto Networks are paving the way. Even virtualized data centers with cloud infrastructure can benefit from micro-segmentation, the ability to control and filter traffic between any two endpoints. But once implemented, network segmentation must be maintained on an ongoing basis, not just revisited at times of audit or breach. The protective effect of network segmentation on enterprise reputation is a strategic corporate asset that will increasingly be recognized by security-aware executive management, shareholders and customers.