How is it that more than 90% of the companies I talk to plan to spend more on security over the next three years, while almost 60% expect to spend less on network technology? Obviously, network technology has become more efficient and more cost-competitive.
Why isn’t security the same? Short answer: security has been about chasing acronyms rather than finding solutions. Acronym-chasing happens because security is hard to plan for. The average network professional finds out there is a problem when someone higher up hears about it. Perhaps they go looking for SASE. Maybe all they really need is SSE, which is SASE minus the SD-WAN. Either way, the pressure is to add another layer of protection. Cost and complexity? Sure.
Chasing acronyms is bad, but that new security equation may hold a lesson: SSE equals SASE minus SD-WAN. Maybe the minus-SD-WAN part is the problem. Security cost and complexity are high because we don’t let the network play a role in protecting us, and we actually have the know-how to do that. It builds on networking’s most basic property: addressing.
If you can’t address something, you can’t connect to it, and if you can’t connect to it, you can’t hack it. It’s no surprise, then, that networking is all about addressing. Tools such as private IP addresses, (yes!) virtual networks and software-defined WANs are readily available, but they aren’t always used effectively.
VPNs can reduce the risk of intrusions
Let’s begin with VPNs. Statistics show that very few enterprises don’t use IP VPNs in some form. An IP VPN is an example of what used to be called a closed user community: a group of addresses that can communicate freely with one another but cannot be reached from the internet unless they are deliberately exposed. Any VPN user can connect to any other VPN user, and private IP addresses can be used to isolate specific users or applications even within the company. VPNs offer excellent protection against outside intrusion, but they have one problem: small sites.
MPLS VPNs can be expensive, and they aren’t always available in remote areas, so these sites often have to connect over the internet. That can expose applications and raise the risk of hacking. SD-WAN reduces this risk by bringing any site with internet access into the corporate VPN. But hacking in from outside isn’t the only threat. Most security problems today are caused by malware installed on company computers, and that malware can then work its evil ways from a location that is already inside the VPN.
Private IP addresses are one thing that could help. We use them every day, because virtually all home networking and a lot of branch-office networking is based on private IP addresses. Blocks of IPv4 and IPv6 addresses are reserved for private subnetworks such as your home network. Within the private subnet these addresses work like any other IP address, but they cannot be routed across the internet, which means a system with a private IP address cannot be reached by anyone outside the subnet.
Container networking is a common use of private IP addresses, where they partition a data center into a specific set of resources for each application. Application components that only need to be reached by other components of the same application are protected; to make a component accessible you have to deliberately expose it to the internet or to your VPN. Enterprises can build their resource pools on private IP addresses in the same way.
That takes all the “interior” parts of an application off the attack surface, so security can focus on the components that are exposed for use. It’s a great security strategy, but it isn’t perfect, and there is one last tool networks can bring to bear, one we have already discussed.
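As an added illustration of the attack-surface argument above (example code, not from the article): given a constructed inventory of application components, only those on routable addresses or deliberately exposed are reachable from outside; the address blocks, component names and addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Address blocks the article refers to as reserved for private subnetworks:
# RFC 1918 for IPv4 and unique local addresses (fc00::/7) for IPv6.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_private(addr: str) -> bool:
    """True if the address cannot be routed across the internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_BLOCKS)

@dataclass
class Component:
    name: str
    address: str
    exposed: bool = False  # deliberately published to the internet or the VPN

def attack_surface(components):
    """Names of components reachable from outside the private subnet:
    anything on a routable address, plus anything deliberately exposed."""
    return sorted(c.name for c in components if c.exposed or not is_private(c.address))

def interior(components):
    """Names of components that stay hidden behind private addressing."""
    reachable = set(attack_surface(components))
    return sorted(c.name for c in components if c.name not in reachable)

# Constructed inventory (hypothetical, not from the article): a three-tier
# application on a private subnet, plus one host mistakenly left on a public address.
INVENTORY = [
    Component("web-frontend", "10.1.0.10", exposed=True),
    Component("api", "10.1.1.20"),
    Component("db", "10.1.2.30"),
    Component("cache", "fd00:1::5"),
    Component("legacy-ftp", "203.0.113.7"),
]

if __name__ == "__main__":
    print("attack surface:", attack_surface(INVENTORY))
    print("interior:", interior(INVENTORY))
```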
Ipsilon, a startup founded decades ago, created a model for an IP network in which edge devices detected persistent flows and mapped them onto virtual circuits. The idea was meant to encourage the use of ATM (remember that?). Although it didn’t take off at the time, it was one of the forces that led to MPLS. We can use that same concept of persistent flows to add another dimension to network-based security.
SD-WAN and virtual networks can offer network security
A persistent flow is an end-to-end relationship between two endpoints in an IP network that lasts for at least some period of time. Most of our applications communicate through sessions, which can be recognized by looking at the packet headers. The nice thing about that is that if you can recognize a session, you can tell an application is running. If you also know who is running it, or trying to run it, and who is authorized to run it, you can enable the good and block the bad.
Session awareness is a feature of some SD-WAN and virtual network products and services, and it can bring a vital set of new network security capabilities. The SSE devices now under development sometimes add session awareness too, but only as one of those annoying layers of protection, not as a property of the network itself.
If you’re a hacker installing malware to worm into things, a data center or a collection of cloud applications that can all talk freely to one another is a fertile breeding ground. If there are restrictions on who is permitted to communicate with a critical application, the hacker has to do more than plant malware on some system: they have to plant it on a system that is authorized to communicate with their target. Since it’s hard to even guess which systems those might be, security is improved.
The plan isn’t without flaws, of course. For it to work, enterprises have to invest the time to establish precise policies about who and what is allowed to connect. Is that more work than managing a large number of security layers? More than dealing with a security breach that could have been avoided? Think about it.
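To show what session awareness plus a connection policy looks like in practice, here is an added example (not from the article or any product it mentions): session openings are recognized from TCP header flags, then checked against a constructed policy of which source subnets may talk to which application, so a compromised host that is already inside the VPN but not authorized for the target is denied. The addresses, ports and flow record format are hypothetical.

```python
import ipaddress
from collections import namedtuple

# One packet as seen by a session-aware edge device (constructed record format).
Flow = namedtuple("Flow", "src dst proto dport flags")

# Constructed policy (hypothetical, not from the article): which application lives
# at which address/port, and which source subnets may open sessions to it.
APPLICATIONS = {("10.1.1.20", 8443): "api", ("10.1.2.30", 5432): "db"}
POLICY = {
    "api": [ipaddress.ip_network("10.1.0.0/24")],  # only the web tier may call the API
    "db": [ipaddress.ip_network("10.1.1.0/24")],   # only the API tier may reach the database
}

def is_session_start(flow):
    """Recognise a new TCP session from the header alone: SYN set, ACK clear."""
    return flow.proto == "tcp" and "S" in flow.flags and "A" not in flow.flags

def evaluate(flows):
    """Split session openings into (allowed, denied); denied entries carry a reason."""
    allowed, denied = [], []
    for f in flows:
        if not is_session_start(f):
            continue  # packets inside an established session are not policy decisions
        app = APPLICATIONS.get((f.dst, f.dport))
        if app is None:
            denied.append((f, "no known application at destination"))
            continue
        src = ipaddress.ip_address(f.src)
        if any(src in net for net in POLICY[app]):
            allowed.append((f, app))
        else:
            denied.append((f, f"{f.src} is not authorized to open a session to {app}"))
    return allowed, denied

# Constructed sample traffic: legitimate web->api and api->db sessions, plus an
# infected desktop already inside the VPN trying to reach the database directly.
SAMPLE_FLOWS = [
    Flow("10.1.0.10", "10.1.1.20", "tcp", 8443, "S"),
    Flow("10.1.1.20", "10.1.2.30", "tcp", 5432, "S"),
    Flow("10.1.1.20", "10.1.2.30", "tcp", 5432, "PA"),  # data inside the session above
    Flow("10.7.0.55", "10.1.2.30", "tcp", 5432, "S"),
]

if __name__ == "__main__":
    ok, bad = evaluate(SAMPLE_FLOWS)
    for f, reason in bad:
        print(f"DENY {f.src} -> {f.dst}:{f.dport}: {reason}")
```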