
Secure Full Visibility for Large Multi-Site Networks

By: Yigal Amram, April 10, 2018

Whether we're talking about enterprises, telecommunication companies or Multi-System Operators (MSOs), network and security engineers need to deal with the increasing demands of their growing networks.

As these networks grow, they start to contain many separate segments which can exist across multiple regions, countries or continents. This adds to the complexity of the network in question, increasing the difficulty of maintaining network visibility and security. Gartner recognizes how challenging dealing with this complexity can be, with every 25% increase in functionality of a system resulting in a 100% increase in complexity.

This network growth is also why there is a greater need for security appliances such as firewalls, Data Loss Prevention Systems (DLPS), SSL decryption and malware detection. These solutions can be deployed inline (in the traffic path within the physical network itself) or out-of-band (outside the traffic path, receiving only a copy of the traffic), and aim to preserve network visibility as the network grows. Whichever of these options you choose to implement, it can become expensive and inefficient to purchase dedicated network security appliances for each segment of your network.

Another issue that you will need to address is how your security devices handle the increasing amount of network bandwidth. Whether your network grows to 10G, 40G or 100G, you will need to ensure your security devices are ready to deal with the increasing amount of bandwidth. Again, most network and security engineers tackle this issue by purchasing more network security devices, but this can work out to be quite expensive and difficult to manage.

But what if there was another approach to this problem? What if you could make optimal use of the resources you have available to you, regardless of their physical location in the network, to improve the visibility and security of your network? This sounds like a pipe dream, but it is entirely possible to achieve this using a visibility platform based on Software Defined Network (SDN).

What is an SDN?

An SDN is an alternative to hardware-managed networks. Instead of relying on physical devices to control and direct your network traffic, network administrators can make use of software to manage network traffic.

An SDN allows you to make changes to your network through a centralized tool, which helps save numerous hours where you would normally need to configure each device on the network. There are a number of benefits of SDN for visibility, including the ability to:

  1. Reach and access all the security appliances.
  2. Mitigate downtime in the network through risk assessment.
  3. Manage costs of security, monitoring and performance appliances across multiple locations.

Visibility and Security in Large-Scale Networks

An SDN controller is able to communicate with all the elements of a network, whether they are involved with security or network management, and regardless of their physical location. This is thanks to an open protocol called OpenFlow.

OpenFlow is used by all SDN controllers, whether the controller is supplied by a specific vendor or custom built. OpenFlow operates in the control or management layer of the network.

This control layer is connected to the physical layer, which is made up of the different hardware devices and network links. This arrangement allows a network administrator to see almost every point in the network, creating a flat environment and helping eliminate blind spots. It also allows a network administrator to take advantage of traffic intelligence.

What is Traffic Intelligence?

When a typical network visibility solution has been set up, a network administrator will create policies that are applied as rules for each element of the network. Since these elements function based on fixed policies, this is viewed as a static approach to network management.

When you make use of SDN technology, you can open the infrastructure to increase visibility through traffic intelligence. For example, suppose a network administrator has seen an increase in the distribution of malware through email. The SDN controller can be used to notify the Intrusion Detection System (IDS) that all email traffic needs to be analyzed. The IDS performs network traffic analysis, identifies all email traffic and captures it so that it can be sent to an available monitoring tool on the network. This part of the process happens automatically, thanks to the intelligence built into the controller, the visibility elements and the REST API. This dynamic, automated management of network traffic is called traffic intelligence.

This is a massive advantage for many network administrators, for a few reasons:

  1. Network administrators, who would normally need to manually create rules for these processes, drastically reduce the amount of time spent configuring devices, thanks to the built-in functionality.
  2. They avoid situations where devices are wasting resources performing tasks they don't need, simply because it is a blanket rule that is applied to all traffic. The network is able to perform network traffic analysis and identify the relevant traffic automatically, so devices aren’t tied up performing unnecessary tasks.
  3. It reduces the need for high-end security devices which, even under perfect circumstances, cannot be expected to analyze all of your network traffic.

Traffic intelligence is not only applicable to security. It can also be used for traffic prioritization. For example, the SDN can be configured to ensure that all VoIP traffic is given the highest priority, to ensure quality, uninterrupted calls on your network. This is also applicable to other real-time services such as video conferencing and other collaboration tools.

Traffic intelligence dynamically allows traffic to be redirected to where it needs to be, without any need for human intervention.

Maximize Appliances in Distributed Network Architectures

SDN in visibility doesn't only allow you to automate many processes; it also allows you to shift traffic from one location to another as necessary, or to replicate it and send the copy wherever it is needed.

For example, if you need email traffic to be analyzed but there is no monitoring or security device available on the relevant segment of the network, the traffic can be moved to another segment where the appliances are available. This improves the cost effectiveness of your network appliances through intelligent use of the devices that make up your distributed network.
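The two behaviours described above (the controller steering email traffic to an IDS, and moving or replicating that traffic to another segment when the local one has no suitable appliance) can be illustrated with a small policy step. This is a constructed example written for this article, not Niagara Networks' controller or API; the appliance, rule and action names (`tunnel:`, `output:`, `normal`) are assumed OpenFlow-style conventions, and a site with a "healthy" IDS is simply one whose flag is set.

```python
# Constructed example of an SDN visibility controller's policy step: build
# OpenFlow-style match/action rules that mirror or redirect email traffic to
# an IDS, tunnelling to another segment when the local one has no healthy IDS.
from dataclasses import dataclass

EMAIL_PORTS = (25, 465, 587, 110, 143, 993, 995)  # SMTP, POP3, IMAP (plain + TLS)

@dataclass
class Appliance:
    name: str
    segment: str        # site / segment the appliance sits in
    port: int           # switch port it hangs off
    kind: str           # "ids", "dlp", ...
    healthy: bool = True

@dataclass
class FlowRule:
    segment: str
    priority: int
    match: dict
    actions: list

def pick_appliance(appliances, kind, segment):
    """Prefer a healthy appliance in the flow's own segment; fall back to any
    healthy one elsewhere (traffic is then tunnelled to that segment)."""
    cands = [a for a in appliances if a.kind == kind and a.healthy]
    cands.sort(key=lambda a: a.segment != segment)  # local first
    return cands[0] if cands else None

def email_steering_rules(segments, appliances, mode="mirror"):
    """mode="mirror" copies email traffic to the IDS (out-of-band);
    mode="redirect" sends it only to the IDS (inline)."""
    rules = []
    for seg in segments:
        ids = pick_appliance(appliances, "ids", seg)
        if ids is None:
            continue  # no IDS anywhere: keep default forwarding
        target = [f"output:{ids.port}"]
        if ids.segment != seg:
            target.insert(0, f"tunnel:{ids.segment}")
        actions = ["normal"] + target if mode == "mirror" else target
        for p in EMAIL_PORTS:
            rules.append(FlowRule(seg, 200, {"proto": "tcp", "tp_dst": p}, actions))
    return rules

def lookup(rules, segment, flow):
    """Highest-priority matching rule wins; unmatched flows forward normally."""
    hits = [r for r in rules if r.segment == segment
            and all(flow.get(k) == v for k, v in r.match.items())]
    return max(hits, key=lambda r: r.priority).actions if hits else ["normal"]
```

With an IDS only at site B, email flows seen at site A get the actions `["normal", "tunnel:B", "output:7"]` in mirror mode, while non-email flows keep their default forwarding.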

This is all possible thanks to SDN controllers that make managing network traffic in a large network very simple.

Summary

These are the ways that an SDN can assist you with increasing visibility on large-scale networks with multiple sites:

  1. Traffic is distributed across multiple security and monitoring appliances based on an intelligent central policy engine.
  2. Fabric flows are optimized across the network to meet KPIs and capacity and performance targets.
  3. The security platform is enhanced by sharing inline, out-of-band and other tools across the network.

For more information on how to reduce blind spots on your network, visit our resources page to gain insight on network visibility. You can also contact Niagara Networks to arrange a consultation with one of our visibility experts.
