In our last blog, Network Segmentation: Segregating Traffic in the dying age of Perimeter, we discussed the importance of granular network segmentation using modern-era segmentation solutions that allow each segment to scale without compromising enterprise network security. Here we discuss how intent-based segmentation can help simplify enterprise private networking.
Protecting the endpoints – That’s what matters
“Our discussions with numerous CIOs, CISOs, and IT engineers show that there are two end points of modern enterprise application communication, and unless we deploy protection and detection mechanisms for these two, the network security problem cannot be solved. The fact that we are having these discussions of course underlines the fact that there is no more disagreement in the industry about why the network firewall exists, and why there is a lot more to do for security than just a firewall.”
Shyamal Kumar, CEO of Lavelle Networks
The first endpoint is the combination of device, user, credentials and application client (most often an app or browser); the second is the application server, cloud or web service, or micro-service. Enterprise networking teams are challenged to securely connect the modern business ecosystem of devices, applications, users and systems, and it is becoming critically important to secure the path between each pair of endpoints. Relying on a traditional firewall and routing in today’s dynamic cloud ecosystem poses a significant threat to network security.
This growing need to secure endpoints requires changes in the way traffic has traditionally been segmented. Using advanced network segmentation techniques such as micro-segmentation, each individual segment is segregated further, down to the application and user levels. Segmentation is extended to the edges of the network and maintained securely across the whole enterprise network. So how is network segmentation implemented? Enterprises use various methods; a few common ones are:
1. Implementing gateways between networks, with security measures applied by varied technologies at different layers. For example:
- Routers or layer 3 switches divide an enterprise network into smaller segments and restrict traffic flow using measures such as access control lists (ACLs).
- Virtualised routing and networking protocols, Virtual Local Area Networks (VLANs) and Virtual Routing and Forwarding (VRF), segment the enterprise network.
- Virtual machines, containers and virtual functions isolate network activity for trusted or untrusted traffic.
- Managed security groups, virtual switching and cloud services segment applications, data and services.
2. Using IPsec to isolate domains and servers.
3. Using encryption and logical unit number (LUN) masking to establish storage-based segmentation and filtering.
Enter Network Groups
Network Groups is a Lavelle Networks network segmentation abstraction that simplifies the configuration and management of network segregation. Network Groups allow IT teams to segment any kind of private network using an intent-driven user interface and fast REST API based transactions. The abstraction hides all the network protocol complexity from the user, allowing an unprecedented speed of control operations: IT administrators can connect or disconnect users, locations and applications within seconds.
Network Groups are realized as a simple drag-and-drop configuration for adding members/sites to a network and removing them from it. Network Groups are used to implement a software-defined Group Virtual Private Network (Group VPN). Group VPN implements aggressive encryption keying that is centralized and programmed from the SDN Controller (CloudStation). The controller generates the encryption key based on the encryption policy and the re-keying interval; the generated key is pulled by every CloudPort that has one or more of its LAN segments in the Network Group. The Network Groups construct allows specifying the topology (next-hop type), the network encapsulation mode, the VPN security profile and its associated parameters, and policies at the network level.
Network Groups allow the creation of dynamic tunnels at run time between networks across sites. The solution uses no static overlay tunnels, which makes it a highly scalable network that can cater to tens of thousands of networks in a single segment. A dynamic tunnel is established at run time based on a policy defined in the CloudStation. The system does not use routing on the WAN side, so the limit on the number of routes found in a classical routing-based VPN does not apply here. The system supports up to 4000 network segments with a single controller instance. The configuration options for a network group are as follows:
Next Hop Type
1. Hub – Identifies the topology as hub-and-spoke. One CloudPort must be designated as the hub.
2. Resolve – Identifies the topology as peer-to-peer, wherein the CloudPort queries the CloudStation to determine the next hop and encapsulation type.
Encapsulation Type
1. UDP (LNTUN) – Lavelle Networks proprietary UDP tunnelling.
2. GRE – Standard GRE encapsulation, which allows interoperability with other devices that support the same protocol.
3. IPSEC – A group-key based secure IP VPN. A security profile that specifies the authentication and encryption modes is associated with this mode.
A further option permits Internet access at the site for a Network Group. A Network Group is also one of the three policy attachment points.
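To make the Group VPN mechanics concrete, here is an added example (not Lavelle Networks code) that models the controller-side behaviour the post describes: the CloudStation owns Network Group membership, generates a group key per the re-keying interval and hands it only to member CloudPorts, and answers next-hop queries according to the Hub or Resolve topology and the configured encapsulation. The class and method names, the 256-bit key policy and the sample segments are assumptions made for illustration.

```python
import os
import time
from dataclasses import dataclass, field
# Hypothetical model of a Network Group as the post describes it: the CloudStation
# controller owns membership, generates and rotates the group key, and answers
# next-hop queries from CloudPorts. Names are illustrative, not the real API.
@dataclass
class NetworkGroup:
    name: str
    next_hop_type: str      # "hub" (hub-and-spoke) or "resolve" (peer-to-peer)
    encapsulation: str      # "udp", "gre" or "ipsec"
    rekey_interval: int     # seconds between group-key rotations
    hub: str = ""           # hub CloudPort, required when next_hop_type == "hub"
    members: dict = field(default_factory=dict)  # cloudport -> set of LAN segments
    key: bytes = b""
    key_issued_at: float = 0.0

class CloudStation:
    def __init__(self, now=time.time):
        self.groups = {}
        self.now = now      # injectable clock so re-keying can be exercised in a test
    def create_group(self, g):
        if g.next_hop_type == "hub" and not g.hub:
            raise ValueError("hub topology needs a hub CloudPort")
        self._rotate(g)
        self.groups[g.name] = g
    def add_member(self, group_name, cloudport, segment):
        self.groups[group_name].members.setdefault(cloudport, set()).add(segment)
    def _rotate(self, g):
        g.key = os.urandom(32)   # encryption policy here: a fresh 256-bit group key
        g.key_issued_at = self.now()
    def pull_key(self, group_name, cloudport):
        # Only members may pull; the key rotates lazily once the interval elapses.
        g = self.groups[group_name]
        if cloudport not in g.members:
            raise PermissionError(f"{cloudport} is not a member of {group_name}")
        if self.now() - g.key_issued_at >= g.rekey_interval:
            self._rotate(g)
        return g.key
    def resolve(self, group_name, src_port, dst_segment):
        # Returns (next_hop, encapsulation); None means no tunnel is ever built.
        g = self.groups[group_name]
        if src_port not in g.members:
            raise PermissionError(f"{src_port} is not a member of {group_name}")
        owner = next((p for p, s in g.members.items() if dst_segment in s), None)
        if owner is None:
            return None
        if g.next_hop_type == "hub" and src_port != g.hub:
            return g.hub, g.encapsulation
        return owner, g.encapsulation
```

Because membership is checked on every key pull and every next-hop query, a segment outside the group never obtains a key or a tunnel, which is the property that makes the group the segmentation boundary.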
ScaleAOn – What’s in the name?
While looking at various ways to build our next-generation network product architecture back in 2016, it became evident to us that there were two big challenges our solution would solve for our customers:
- Let them scale their business without worrying about their networks
- Make their network like electricity: flip a switch and it’s always on until you flip it off. Turn on our products and they keep the network always on.
Thus, Network Groups became ScaleAOn: networking at Scale, Always ON.
“Building great networking software is hard. Picking a name was actually the easiest part. We waded through multiple technology alternatives and created what is now working so well, that customers don’t realise they even use our SD-WAN. Quiet, invisible, always on.”
Shyamal Kumar, CEO of Lavelle Networks
The fundamentals of ScaleAOn are:
- Network control plane communication over fast REST APIs, rather than out-of-date methods like protocol handshakes.
- A 100% SDN forwarding plane composed of loosely coupled tables, which can be re-programmed into any combination of access control lists, policies, route lookups, tunnel encapsulations, path selections and NFV service chains. Within milliseconds, the life of a packet can be changed to adapt to network conditions out on the WAN.
- An intent-driven configuration framework that does not need persistent old-school transport connections like SSH, so the control plane can fail over to the right WAN path before it loses a single transaction.
- Zero errors in creating network segments, because of our visual aids in the user interface, which do not need a single line of actual network interface configuration while creating a VPN or WAN topology.
- A network naming scheme which produces logical identifiers for every single private subnet in your network, without having to remember the IP addresses ever again.
- Treat encryption as a security policy, instead of the complex IPsec IKE configuration methods used on classical routers.
- Make encryption key generation so easy that you don’t need to know anything about encryption to use it on your network.
- Make it so hard for non-enterprise traffic to enter or exit through your Internet WAN, that intruders will give up and try other easier to breach solutions.
- Optimise the entire network path computation around the real problem, which is network congestion.
- Total decoupling of packet I/O, network forwarding, application inspection and network services, so that a failure in any one of them only degrades the service but does not cripple it to the point of stopping traffic.
If ScaleAOn piques your interest, the above-mentioned blogs might be valuable to you. Check them out, and as always, feel free to contact Lavelle Networks with any questions.