In our last blog, Network Segmentation: Segregating Traffic in the dying age of Perimeter, we discussed the importance of network segmentation at a granular level, using a modern segmentation solution that allows each segment to scale without compromising enterprise network security. Here we discuss how intent-based segmentation can help simplify enterprise private networking.
“Our discussions with numerous CIOs, CISOs, and IT engineers show that there are two end points of modern enterprise application communication, and unless we deploy protection and detection mechanisms for these two, the network security problem cannot be solved. The fact that we are having these discussions of course underlines the fact that there is no more disagreement in the industry about why the network firewall exists, and why there is a lot more to do for security than just a firewall.”
Shyamal Kumar, CEO of Lavelle Networks
The first end point is the combination of device, user, credentials, and the application client (most often an app or browser), and the second is the application server, cloud or web service, or micro-service. Enterprise networking teams are challenged to securely connect the modern business ecosystem – devices, applications, users, and systems. It’s becoming critically important to ensure security between each endpoint. Using a traditional firewall and routing in today’s dynamic cloud ecosystem poses a significant threat to network security.
This growing need to secure endpoints necessitates changes to the way we have traditionally segmented traffic. With advanced network segmentation techniques like micro-segmentation, each segment is segregated further, down to the application and user levels. Segmentation is extended to the edges of the network and maintained securely across the enterprise network. So how is network segmentation implemented? Enterprises use various methods. A few common network segmentation methods in enterprises are:
1. Implementing gateways between networks, with security measures using varied technologies at different layers. For example
2. Using IPsec to isolate domains and servers.
3. Using encryption and logical unit number (LUN) masking to establish storage-based segmentation and filtering.
Network Groups is a Lavelle Networks network segmentation abstraction that simplifies the configuration and management of network segregation. Network Groups allow IT teams to achieve network segmentation for any kind of private network using an intent-driven user interface and fast REST API-based transactions. It hides all the network protocol complexity from the user, allowing an unprecedented speed of control operations. IT administrators can connect or disconnect users, locations, and applications within seconds.
Network Groups is realized as a simple drag-and-drop configuration to add members/sites to, and remove them from, a network. Network Groups are used to implement a software-defined Group Virtual Private Network (Group VPN). Group VPN implements aggressive encryption keying that is centralized and programmed from the SDN Controller (CloudStation). The controller generates the encryption key based on the encryption policy and the re-keying interval. Once generated, the key is pulled by every CloudPort that has one or more of its LAN segments in the Network Group. The Network Groups construct allows specifying the topology (next-hop type), the network encapsulation mode, the VPN security profile and its associated parameters, and policies at the network level.
Network Groups allow the creation of dynamic tunnels at run time between networks across sites. The solution uses no static overlay tunnels, which makes it a highly scalable network that can cater to tens of thousands of networks in a single segment. A dynamic tunnel is established at runtime based on a policy defined in the CloudStation. The system does not use routing on the WAN side, so the limitation on the number of routes found in a classical routing-based VPN does not apply here. The system supports up to 4000 network segments with a single controller instance. The configurations that can be done for a network group are as follows:
1. Hub – Identifies the topology as Hub-and-Spoke. A CloudPort should be indicated as a Hub.
2. Resolve – Identifies the topology as peer-to-peer, wherein the CloudPort queries the CloudStation to determine the Next Hop and Encapsulation Type.
1. UDP (LNTUN) – Lavelle Networks proprietary UDP tunnelling
2. GRE – Standard GRE encapsulation allows interoperability with other devices that support the same protocol.
3. IPSEC – A group-key based secure IP VPN. A security profile that specifies the authentication and encryption modes is associated with this mode.
This permits Internet access at the site for a Network Group. The Network Group is one of the three policy attachment points.
While looking at various different ways to build our next generation network product architecture, back in 2016, it became evident to us that there are two big challenges our solution is going to solve for our customers:
Thus, network groups became – ScaleAOn, networking at Scale, Always ON.
Shyamal Kumar, CEO of Lavelle Networks
The fundamentals of ScaleAOn are:
If ScaleAOn piques your interest, the above-mentioned blogs might be valuable to you. Check them out, and as always, feel free to contact Lavelle Networks with any questions.