
Exclusive: How to intentionally build security into a network

24 Aug 18

Article by Apstra engineering vice president Manish Sampat

Intent-based networking (IBN) allows network designers to specify intent, configure the network to operate according to that intent, and set expectations for how it should behave.

IDC telecom and carrier IP networks research director Rajesh Ghai says IBN is a closed-loop continuous implementation of several steps through automation:

  • Declaration of intent, where the network administrator defines what the network is supposed to do
  • Translation of intent into network design and configuration
  • Validation of the design using a model that decides whether that configuration can actually be implemented
  • Propagation of that configuration to the network devices via APIs
  • Gathering and study of real-time telemetry from all the devices
  • Use of machine learning to determine whether the desired policy state has been achieved, and then repeating the cycle

When it comes to security, the key aspect is that an IBN management software layer continuously monitors the network and ensures network operation is compliant with the specified intent and thereby meets the operator’s expectations.

Expectations are representations of network state expressed as telemetry from network elements.

Interface status, MAC addresses, ARP entries and route information are examples of the raw telemetry collected from network elements.

Since the network is represented as a graph by the IBN management software, applications can use graph queries to get network state information.

To ensure that the network operates in compliance with the specified intent, the system collects telemetry from network elements, detects anomalies, and processes each anomaly (taking remedial action) through the handler specified for it.

When there is a variation between the state and the intent, the handler raises the appropriate alarm.

If the variation indicates an imminent hard-drive failure, the handler raises the alarm to IT.

If the variation indicates that an entity is making inappropriate DNS calls or port scans, the handler alerts the security information and event management (SIEM) system.

Once a network operator has specified intent on the system, the IBN operates the network for the user – and if the intent contains security parameters, those will be baked into the design.

For example, intent and expectations might be: “Build a network with 25 racks and 20 servers in each rack with 10G links and 2:1 oversubscription. Ensure there is no ssh or ftp activity between a set of servers. Trigger alerts and deny access if there is a traffic burst from any server that violates the standard deviation of the ‘tx bytes’ by 30%.”

The system will build a reference design, and once deployed, the network will set up expectations based on the intent and trigger alerts and remedial actions, as specified.
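The closed loop described above (intent, telemetry, anomaly, handler) and the quoted intent example, worked through as an added example in Python. This is not Apstra's code; the server names, the tcp port numbers used for ssh and ftp, the handler names and all telemetry are constructed, and the "30% of the standard deviation" rule is read here in one particular way (a sample is a burst when its distance from the baseline mean exceeds 1.3 times the baseline standard deviation), which is an assumption about the article's wording.

```python
"""Closed-loop intent check for a data-centre fabric.

Added example (not Apstra's code): it models the intent quoted in the article,
a set of servers between which no ssh or ftp traffic may occur, and an alert
plus deny when a server's tx-bytes sample departs too far from its baseline.
Server names, port numbers and all telemetry are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# --- intent (hypothetical values) -----------------------------------------
RESTRICTED_SERVERS = {"srv-r01-01", "srv-r01-02", "srv-r02-05"}
FORBIDDEN_PORTS = {21: "ftp", 22: "ssh"}   # tcp ports of the two forbidden services
BURST_TOLERANCE = 0.30  # the article's 30%; see check_tx_burst for how it is read


@dataclass
class Anomaly:
    kind: str
    subject: str
    detail: str
    action: str  # handler names joined by '+', e.g. "alert_siem+deny"


# --- expectation 1: no ssh/ftp between the restricted servers --------------
def check_flows(flows):
    """flows: iterable of (src, dst, dst_port) observed as telemetry.
    Returns one Anomaly per forbidden flow inside the restricted set."""
    found = []
    for src, dst, port in flows:
        if src in RESTRICTED_SERVERS and dst in RESTRICTED_SERVERS and port in FORBIDDEN_PORTS:
            found.append(Anomaly("forbidden_flow", f"{src}->{dst}",
                                 f"{FORBIDDEN_PORTS[port]} (tcp/{port}) inside restricted set",
                                 "alert_siem"))
    return found


# --- expectation 2: tx-bytes burst ----------------------------------------
def check_tx_burst(server, baseline, sample):
    """baseline: earlier per-interval tx-byte counts; sample: the newest count.
    Assumed reading of the article's rule: a sample is a burst when its distance
    from the baseline mean exceeds the baseline standard deviation by more than 30%."""
    mu, sigma = mean(baseline), pstdev(baseline)
    deviation = abs(sample - mu)
    limit = sigma * (1 + BURST_TOLERANCE)
    if deviation <= limit:
        return None
    return Anomaly("tx_burst", server,
                   f"tx_bytes={sample}, {deviation:.0f} from mean {mu:.0f}, limit {limit:.0f}",
                   "alert_siem+deny")


# --- handlers: what the IBN does with an anomaly ----------------------------
HANDLERS = {
    "alert_siem": lambda a: f"SIEM <- {a.kind} {a.subject}: {a.detail}",
    "deny": lambda a: f"ACL <- deny traffic from {a.subject}",
}


def dispatch(anomaly):
    """Run each handler named in the anomaly's action; return what each did."""
    return [HANDLERS[name](anomaly) for name in anomaly.action.split("+")]


def run_cycle(flows, tx_telemetry):
    """One pass of the closed loop: telemetry in, anomalies and handler results out.
    tx_telemetry: {server: (baseline_list, latest_sample)}."""
    anomalies = check_flows(flows)
    for server, (baseline, sample) in tx_telemetry.items():
        burst = check_tx_burst(server, baseline, sample)
        if burst:
            anomalies.append(burst)
    return anomalies, [dispatch(a) for a in anomalies]


# Constructed telemetry for one collection interval.
SAMPLE_FLOWS = [
    ("srv-r01-01", "srv-r01-02", 443),  # https inside the set: allowed
    ("srv-r01-01", "srv-r02-05", 22),   # ssh inside the set: violation
    ("srv-r03-09", "srv-r01-02", 21),   # ftp, but the source is outside the set
]
SAMPLE_TX = {
    "srv-r01-01": ([1000, 1100, 900, 1050, 950], 1020),  # steady
    "srv-r02-05": ([1000, 1100, 900, 1050, 950], 2600),  # burst
}

if __name__ == "__main__":
    found, actions = run_cycle(SAMPLE_FLOWS, SAMPLE_TX)
    for anomaly, done in zip(found, actions):
        print(anomaly.kind, anomaly.subject, done)
```

The two expectations are deliberately kept as separate functions with a common Anomaly record, so that the handler table, not the check, decides what remediation follows; that is the separation the article describes between detecting a variation and processing it with the specified handler.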

Anomaly denied

An IBN should be able to specify intent based on network element artefacts like NOS version; patch level for software on switches, routers, or other devices; or other custom artefacts.

Once those expectations are specified in the IBN, any deviation is tracked and reported as an anomaly with an associated remedial action: take the device offline, send an alert or trigger a patch update.

This is key in today’s environment, where keeping network devices at the right software and vulnerability-patch level is critical to network security.
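An expectation expressed against device artefacts (NOS version and patch level), with the three remedial actions the article names, as an added example in Python. It is not Apstra's code; the device roles, version strings, patch levels and inventory records are constructed, and the version comparison is done on parsed tuples so that a version like 9.3.10 is not mistaken for an older release than 9.3.2 by string comparison.

```python
"""Device-artefact expectations: NOS version and patch level.

Added example (not Apstra's code). The article says intent can be expressed
against artefacts such as NOS version or patch level, with deviations reported
as anomalies that carry a remedial action (take the device offline, send an
alert, or trigger a patch update). Roles, versions and the inventory records
below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    min_nos_version: str   # lowest NOS version the intent accepts
    min_patch_level: int   # lowest patch level the intent accepts
    on_deviation: str      # "patch", "alert" or "offline"


# Intent per device role (hypothetical values).
EXPECTED = {
    "spine":  Expectation("9.3.2", 4, "alert"),
    "leaf":   Expectation("9.3.2", 4, "patch"),
    "border": Expectation("9.3.2", 5, "offline"),
}


def parse_version(text):
    """'9.3.10' -> (9, 3, 10). Comparing tuples avoids the string-order trap
    in which '9.3.10' sorts before '9.3.2'."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device):
    """device: telemetry record {name, role, nos_version, patch_level}.
    Returns None when compliant, else (description, remedial_action)."""
    exp = EXPECTED[device["role"]]
    problems = []
    if parse_version(device["nos_version"]) < parse_version(exp.min_nos_version):
        problems.append(f"nos {device['nos_version']} < {exp.min_nos_version}")
    if device["patch_level"] < exp.min_patch_level:
        problems.append(f"patch level {device['patch_level']} < {exp.min_patch_level}")
    if not problems:
        return None
    return f"{device['name']}: " + "; ".join(problems), exp.on_deviation


def remediate(action, device):
    """Record the remedial action the IBN would take. A real system would call
    the device and patch-management APIs here; this example only describes it."""
    if action == "offline":
        return f"drain and disable {device['name']} until it is patched"
    if action == "patch":
        return f"schedule upgrade of {device['name']} to {EXPECTED[device['role']].min_nos_version}"
    return f"alert IT: {device['name']} is out of compliance"


def audit(inventory):
    """Evaluate every device; return (description, action, remediation) per anomaly."""
    report = []
    for device in inventory:
        result = evaluate(device)
        if result:
            description, action = result
            report.append((description, action, remediate(action, device)))
    return report


SAMPLE_INVENTORY = [  # constructed telemetry records
    {"name": "spine1",  "role": "spine",  "nos_version": "9.3.2",  "patch_level": 4},
    {"name": "leaf7",   "role": "leaf",   "nos_version": "9.3.1",  "patch_level": 4},
    {"name": "border2", "role": "border", "nos_version": "9.3.2",  "patch_level": 3},
    {"name": "leaf12",  "role": "leaf",   "nos_version": "9.3.10", "patch_level": 4},
]

if __name__ == "__main__":
    for description, action, done in audit(SAMPLE_INVENTORY):
        print(f"{description} -> {action}: {done}")
```

The remedial action is attached to the role's expectation rather than chosen at detection time, which is what lets an operator state "border devices that fall behind the patch level go offline" once, as intent, and have every future deviation handled the same way.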

What makes an IBN a secure system is its ability to specify intent and monitor for variations in the execution of that intent, in the same system.

For example, an IBN provides built-in services that collect raw telemetry from network elements (e.g. MAC addresses, ARP tables, route tables), set up expectations, and then monitor the state of the network against the collected telemetry.

IBN allows users to specify several security constructs for network activity in a data center network that is typically behind a firewall or in a secure zone.

For example, an IBN can facilitate detection of lateral movement inside the network, of traffic flows that should not be present, of MAC address movement, of anomalous interface statistics, and so on.

An IBN can handle complex security tasks easily.

Since an IBN creates the network reference design and ensures operation of the network, it has the context to be able to respond to various questions about the network (regardless of the complexity) in the presence of constant change.

This is a huge shift in the way networks are monitored.

When IBN management software contains built-in analytics capabilities, network operators can aggregate raw telemetry from network elements and use analytics constructs like thresholding and pipelines of data across processing stages.
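A telemetry pipeline of the kind just described, built from chained processing stages, applied to the MAC address movement mentioned earlier as something an IBN can detect. This is an added example, not Apstra's code or the article's: the switch names, MAC addresses, interval numbers and the threshold of one move per interval are constructed, and the telemetry is assumed to contain only access-port MAC entries (not the uplink entries a real switch would also hold).

```python
"""Staged telemetry pipeline detecting MAC address movement.

Added example (not Apstra's code). Each stage is a plain function from one
stream of records to the next, chained like the article's "pipelines of data
across processing stages". The input is constructed access-port MAC-table
telemetry from several switches; the stages build a fabric-wide MAC->location
view, detect MACs that change location between collection intervals, and apply
a threshold so that many moves in one interval become an anomaly.
"""
from collections import defaultdict


# --- stage 1: collect raw per-switch telemetry into flat records ---------------
def collect(samples):
    """Yield (interval, switch, mac, port).
    samples: list of {interval, switch, table: {mac: port}} (constructed)."""
    for sample in samples:
        for mac, port in sample["table"].items():
            yield sample["interval"], sample["switch"], mac, port


# --- stage 2: aggregate into one location per MAC per interval -----------------
def locate(records):
    """Yield (interval, mac, 'switch:port'), interval by interval in order.
    Assumes access-port entries only, so a MAC has one location per interval."""
    by_interval = defaultdict(dict)
    for interval, switch, mac, port in records:
        by_interval[interval][mac] = f"{switch}:{port}"
    for interval in sorted(by_interval):
        for mac, location in by_interval[interval].items():
            yield interval, mac, location


# --- stage 3: detect location changes against the previous interval -----------
def moves(locations):
    """Yield (interval, mac, old_location, new_location) for every move."""
    last = {}
    for interval, mac, location in locations:
        if mac in last and last[mac] != location:
            yield interval, mac, last[mac], location
        last[mac] = location


# --- stage 4: threshold --------------------------------------------------------
def threshold(move_events, max_moves_per_interval=1):
    """Return [(interval, [moves...])] for intervals whose move count exceeds the limit.
    A single move is normal (a host was re-cabled); a burst of moves is not."""
    per_interval = defaultdict(list)
    for interval, mac, old, new in move_events:
        per_interval[interval].append((mac, old, new))
    return [(i, ev) for i, ev in sorted(per_interval.items())
            if len(ev) > max_moves_per_interval]


def run_pipeline(samples, max_moves_per_interval=1):
    """Chain the four stages; generators mean each record flows through lazily."""
    return threshold(moves(locate(collect(samples))), max_moves_per_interval)


SAMPLE_TELEMETRY = [  # constructed MAC tables over three collection intervals
    {"interval": 1, "switch": "leaf1", "table": {"aa:01": "eth1", "aa:02": "eth2"}},
    {"interval": 1, "switch": "leaf2", "table": {"aa:03": "eth1"}},
    {"interval": 2, "switch": "leaf1", "table": {"aa:01": "eth1"}},
    {"interval": 2, "switch": "leaf2", "table": {"aa:02": "eth4", "aa:03": "eth1"}},  # aa:02 moved
    {"interval": 3, "switch": "leaf1", "table": {"aa:01": "eth3"}},                   # aa:01 moved
    {"interval": 3, "switch": "leaf2", "table": {"aa:02": "eth1", "aa:03": "eth5"}},  # two more moves
]

if __name__ == "__main__":
    for interval, events in run_pipeline(SAMPLE_TELEMETRY):
        print(f"interval {interval}: {len(events)} MAC moves", events)
```

Because each stage consumes and produces a stream, the threshold stage can be swapped for a different one (a per-switch count, or a comparison with the reference design's expected port for each host) without touching collection or aggregation; that is the practical value of the pipeline construct the article mentions.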

Intent-based networking offers an opportunity to design security objectives right into a complex network.
