In campus networking, a number of emerging trends are changing how networks will be designed: mobility, the Internet of Things (IoT), and uniform security across wired and wireless connections.
Keeping pace with these trends requires a new approach to networking, one that enforces policy-based automation from the network edge to public and private clouds using an intent-based paradigm. SD-Access is one example.
Intent-based networking means telling the controller the desired end state and letting the controller-driven network work out the low-level device and configuration details. The analogy is satellite navigation (GPS): the user enters a destination and the software computes the best route, handling the parameters that have been abstracted away from the user.
Intent-based networks address a range of requirements, from access control to quality of service (QoS). For example, an administrator may want to ensure that a lighting device cannot communicate outside its segment, or that the CEO group gets the best available QoS treatment wherever its members are located.
Traditional campus networks contained only company-owned devices. Today's networks carry a wide range of endpoints, from bring-your-own devices (BYOD) to smart wearables.
It is estimated that the average user brings 2.7 devices into the workplace, each needing access to corporate systems in the cloud and to application workloads in private data centers. Users expect seamless mobility across all of their devices while retaining the same level of security and access control, and corporate policy and compliance must not be compromised along the way.
Corporate IoT within the campus covers everything found in an office building, from connected lighting to card readers. The challenge is how to enforce consistent security across devices that were never designed for it.
A large share of the attacks reported over the last 12 months involved an insecure IoT device. Typically the device was neither procured nor managed by the IT department, which leaves a gap in security coverage. In some cases the compromised IoT device has direct access to the Internet or the corporate network, giving malware and attackers a foothold.
One widely publicized example is the fish tank attack, which resulted in data exfiltration. An unsecured IoT sensor let an attacker take 10 gigabytes of data from a North American casino. The sensor monitored the water temperature of a fish tank; a threat actor compromised it and moved laterally through the network to reach critical assets. Attackers do not need to be resourceful, given the availability of easy-to-use hacking tools; they simply keep looking for any small opening into the network.
Today most networks are converged, and no network can be 100% secure. Because the foundations were built without security in mind, attacks will eventually succeed: your network will be compromised, and the only question is when. By segmenting the network, however, administrators can limit the blast radius of an attack. Segmentation ensures that a compromised host cannot use its segment as a beachhead into the rest of the network.
Segmentation is not a new problem. The traditional tools used for it, however, are no longer adequate for networks that must support mobility, IoT, and consistent security across wired and wireless connectivity.
Most networks use virtual LANs (VLANs) for segmentation. VLANs, however, like other protocols of the same era such as the spanning tree protocol (STP), were not designed with security in mind. Segmentation was not even the purpose of VLANs: they were created in the 1990s to divide broadcast domains, with each VLAN forming its own broadcast domain. Over time, administrators began using VLANs for access control as well.
Administrators associated a VLAN with an IP subnet and enforced control at the subnet boundary. As networks grew, VLANs could not keep up with the scale, and access control lists (ACLs) ballooned into millions of entries. Policies keyed on IP addresses are also rigid: they break whenever a host changes address or location.
Management is another major issue. Networking is complicated and requires a skilled workforce; it is estimated that 60 billion dollars is spent globally just keeping the lights on. Most networks are still managed through the command-line interface (CLI) with little or no automation, and because every network is a unique snowflake, operations become a burden. Vendors can ship the most advanced segmentation techniques, but unless they are easy to consume and deploy at the touch of a button, they will not be adopted.
Controller analytics engine
If controller-based architectures are to become pervasive in campus networks, the controller must be fully automated, and monitoring and troubleshooting must be effortless.
The problem is that monitoring and troubleshooting still rely on syslog, the simple network management protocol (SNMP) and NetFlow, technologies created decades ago. SNMP in particular needs to be retired as the primary monitoring mechanism: it is a pull model in which a manager polls each device, and frequent polling of large tables (interface counters, routing and ARP tables) loads the device CPU while still only sampling state at the polling interval.
Today's networks need a controller-hosted big data analytics engine fed by a push model (streaming telemetry), which collects and manages data from every device. From that data it can offer insights and, going forward, predict problems as they develop, moving toward self-healing networks.
The way forward – macro & micro segmentation
VLANs are a single, flat layer of segmentation. Today's campus networks need a two-layer model, which is achieved by introducing virtual networks (VNs), also known as macro segmentation.
A virtual network in the campus is analogous to a virtual routing and forwarding instance (VRF): it provides segmentation at the forwarding layer, which is exactly what a VRF does. How you define the segments depends on the organization's structure and lines of business. In healthcare, for example, Health Insurance Portability and Accountability Act (HIPAA) compliant doctors can be placed in one VN and the non-HIPAA-compliant members in another.
By definition, VNs cannot communicate with each other, and any cross-VN communication should pass through a stateful firewall, which tracks the state and characteristics of every active connection traversing it. Virtual Extensible LAN (VXLAN) is used to create the macro segments (VNs): each VN maps to a VXLAN network identifier (VNI).
To go one step further, security group tags (SGTs) provide what is known as micro segmentation. Micro segments are embedded within a VN, and filters are then defined between the micro segments.
This requires an extension to VXLAN known as the VXLAN Group Policy Option (VXLAN-GPO), which defines how to carry a micro segmentation tag in the VXLAN header. Macro and micro segmentation together form the segmentation of the data plane. Next, the control plane.
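As an added illustration (example code written for this edit, not part of the original article and not any vendor's implementation), the following Python parses a VXLAN-GPO header and applies the two layers of policy described above: the VNI selects the virtual network, and the Group Policy ID carries the source host's group tag. Bit positions follow the VXLAN-GPO draft and RFC 7348; the VNIs, tag values, VN names and the permit matrix are constructed for the example.

```python
"""
Decode a VXLAN header that carries the Group Policy Option (VXLAN-GPO) and
apply a two-layer policy: the VNI selects the virtual network (macro
segment) and the 16-bit Group Policy ID carries the source host's group
tag (micro segment). VNIs, tag values and the policy matrix below are
constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# First 32-bit word of a VXLAN-GPO header (draft-smith-vxlan-group-policy):
#   |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|       Group Policy ID        |
# followed by the 24-bit VNI and a reserved byte, exactly as in RFC 7348.
FLAG_G = 0x80  # byte 0: Group Based Policy extension present
FLAG_I = 0x08  # byte 0: VNI field is valid (mandatory per RFC 7348)
FLAG_D = 0x40  # byte 1: Don't Learn (do not learn source MAC from this frame)
FLAG_A = 0x08  # byte 1: Policy Applied (an earlier hop already enforced policy)


@dataclass(frozen=True)
class VxlanGpo:
    vni: int
    group_id: Optional[int]  # None when the G bit is clear (plain VXLAN)
    policy_applied: bool
    dont_learn: bool


def parse_vxlan_gpo(hdr: bytes) -> VxlanGpo:
    """Parse the 8-byte VXLAN(-GPO) header; raise on a malformed one."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags0, flags1, gpid, vni_res = struct.unpack("!BBHI", hdr[:8])
    if not flags0 & FLAG_I:
        raise ValueError("I flag clear: VNI not valid, frame must be dropped")
    has_gbp = bool(flags0 & FLAG_G)
    return VxlanGpo(
        vni=vni_res >> 8,              # top 24 bits; low byte is reserved
        group_id=gpid if has_gbp else None,
        policy_applied=has_gbp and bool(flags1 & FLAG_A),
        dont_learn=has_gbp and bool(flags1 & FLAG_D),
    )


def build_vxlan_gpo(vni: int, group_id: Optional[int] = None,
                    policy_applied: bool = False) -> bytes:
    """Encode a header; group_id=None produces a plain RFC 7348 header."""
    flags0 = FLAG_I | (FLAG_G if group_id is not None else 0)
    flags1 = FLAG_A if (group_id is not None and policy_applied) else 0
    return struct.pack("!BBHI", flags0, flags1, group_id or 0, vni << 8)


# Macro segmentation: VNI -> virtual network (one VRF each). Constructed values.
VN_BY_VNI = {8100: "HIPAA", 8200: "NON_HIPAA", 8300: "IOT"}

# Micro segmentation inside a VN: (source tag, destination tag) -> permit.
# Anything absent is denied (default deny). Constructed values.
SGT_DOCTOR, SGT_EHR_SERVER, SGT_LIGHTING, SGT_BMS = 10, 20, 30, 40
SGT_MATRIX = {
    (SGT_DOCTOR, SGT_EHR_SERVER): True,   # clinicians reach the EHR servers
    (SGT_LIGHTING, SGT_BMS): True,        # lights talk only to the building system
}


def verdict(hdr: bytes, dst_vni: int, dst_sgt: int) -> str:
    """Decide 'permit', 'deny' or 'firewall' for a decapsulated frame."""
    pkt = parse_vxlan_gpo(hdr)
    src_vn, dst_vn = VN_BY_VNI.get(pkt.vni), VN_BY_VNI.get(dst_vni)
    if src_vn is None or dst_vn is None:
        return "deny"            # unknown VN: fail closed
    if src_vn != dst_vn:
        return "firewall"        # VNs never talk directly; hand off to the stateful firewall
    if pkt.group_id is None:
        return "deny"            # untagged traffic inside a segmented VN gets no implicit trust
    return "permit" if SGT_MATRIX.get((pkt.group_id, dst_sgt)) else "deny"


if __name__ == "__main__":
    doctor = build_vxlan_gpo(8100, SGT_DOCTOR)
    light = build_vxlan_gpo(8300, SGT_LIGHTING)
    print(verdict(doctor, 8100, SGT_EHR_SERVER))        # permit
    print(verdict(doctor, 8300, SGT_BMS))               # firewall (HIPAA -> IOT)
    print(verdict(light, 8300, SGT_BMS))                # permit
    print(verdict(light, 8300, SGT_LIGHTING))           # deny (light -> light)
    print(verdict(build_vxlan_gpo(8300), 8300, SGT_BMS))  # deny (untagged)
```

Two caveats a practitioner would want here: the tag is only as trustworthy as the edge node that encapsulated the frame, so the underlay must never accept VXLAN from untrusted ports (the policy-applied A bit in particular tells downstream hops to skip enforcement); and the matrix is default-deny, so an untagged frame inside a VN is dropped rather than passed.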
The control plane – Locator/ID separation protocol (LISP)
With data plane forwarding taken care of, a good control plane is needed to distribute endpoint location information across a large campus network.
Border gateway protocol (BGP) is a distributed-state protocol. It works well in data centers but less well in campus networks, where more than 60% of endpoints connect over wireless. Users move constantly from one access point (AP) to another and between wireless and wired access. Each host move shows up in BGP as a /32 host route that must be withdrawn and re-advertised to every peer, and BGP does not cope well with churn at that rate.
LISP is a much better option here and pairs naturally with the VXLAN data plane. LISP is a demand-based protocol that works much like the domain name system (DNS): it separates an endpoint's identifier (EID) from its routing locator (RLOC), and an edge node that needs to reach a host asks a centralized map-server where that host currently is, caches the answer, and re-resolves when the host moves. Only the edges actually talking to a host learn about its move.
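To make the pull-versus-push difference concrete, here is a small simulation added for this edit (a simplified model, not LISP or BGP code; the host address, edge count and per-message accounting are constructed assumptions). It counts control-plane messages when one host roams across a fabric while a few edges keep talking to it: the push model charges every move to all edges, while the pull model charges it only to the map-server and to the edges holding a cached entry.

```python
"""
Simplified model, constructed for this example and not a LISP implementation,
of why a demand-based mapping system copes with host mobility better than
pushing /32 host routes to every edge.

push model (BGP-style): every host move is advertised to all other edges.
pull model (LISP-style): the edge the host moved to registers the new
EID->RLOC mapping with the map-server; other edges resolve on demand and
cache the answer; on a move, only the edges that cached the old mapping are
told to re-resolve (modelled here on LISP publish/subscribe; classic LISP
reaches the same result with solicit-map-request messages from the old edge).
"""
from collections import defaultdict


class PushFabric:
    """Every /32 move is flooded to the n-1 other edges."""
    def __init__(self, n_edges: int):
        self.n, self.msgs = n_edges, 0

    def host_moved(self) -> None:
        self.msgs += self.n - 1


class MapServer:
    """EID -> RLOC database plus the set of edges that cached each EID."""
    def __init__(self):
        self.db = {}
        self.subscribers = defaultdict(set)
        self.msgs = 0

    def register(self, eid: str, rloc: int) -> set:
        self.msgs += 1                              # map-register from the new edge
        self.db[eid] = rloc
        stale = self.subscribers.pop(eid, set())
        self.msgs += len(stale)                     # one notify per stale cache
        return stale

    def resolve(self, eid: str, requester: int) -> int:
        self.msgs += 2                              # map-request + map-reply
        self.subscribers[eid].add(requester)
        return self.db[eid]


class PullEdge:
    """An edge (xTR) with a map-cache; resolves only what it needs."""
    def __init__(self, edge_id: int, ms: MapServer):
        self.id, self.ms, self.cache = edge_id, ms, {}

    def lookup(self, eid: str) -> int:
        if eid not in self.cache:
            self.cache[eid] = self.ms.resolve(eid, self.id)
        return self.cache[eid]

    def invalidate(self, eid: str) -> None:
        self.cache.pop(eid, None)


def simulate(n_edges: int, n_moves: int, talkers: int) -> dict:
    """One host roams n_moves times while `talkers` edges keep sending to it.
    Returns control-plane message counts for both models and whether every
    talker ends up with the host's true location."""
    push, ms = PushFabric(n_edges), MapServer()
    edges = [PullEdge(i, ms) for i in range(n_edges)]
    host, location = "10.1.1.5/32", 0                # constructed host EID
    ms.register(host, location)
    for _ in range(n_moves):
        for e in edges[1:talkers + 1]:               # conversations in flight
            e.lookup(host)
        location = (location + 1) % n_edges          # host roams to the next AP/edge
        push.host_moved()
        for stale_edge in ms.register(host, location):
            edges[stale_edge].invalidate(host)
    counts = {"push": push.msgs, "pull": ms.msgs}
    counts["consistent"] = all(e.lookup(host) == location
                               for e in edges[1:talkers + 1])
    return counts


if __name__ == "__main__":
    print(simulate(n_edges=100, n_moves=10, talkers=3))
```

With 100 edges, 10 moves and 3 active conversations, the push model generates 990 updates and the pull model 101 messages; the pull cost scales with the number of edges talking to the host, not with the size of the fabric, and every talker still resolves the host's current location after the last move.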
Advances to wireless
Traditionally, wireless was an over-the-top network using the control and provisioning of wireless access points protocol (CAPWAP) for both control and data. A fabric-integrated approach instead terminates VXLAN tunnels at the access point, so the overlay begins at the AP: CAPWAP remains for AP control and management, while VXLAN rather than CAPWAP carries the data plane.
Given these demands, the way wired and wireless work together has to change. If user group tag information is carried, it must be carried the same way whether the user connects through an AP or a wired switch; the tag must not change with the access medium.
Wired and wireless are simply different ways of getting onto the network; the user does not change. This is known as identity-based segmentation: the user is identified through profiling, and once assigned a profile in the form of a tag, that tag follows the user wherever they move.
The next significant challenge is securing group-based policies as they are distributed across all campus networks. Security must extend across the wide area network (WAN) into public, private and multi-cloud environments, providing the advanced WAN capabilities such as path selection and encryption while still extending consistent group-based policies end to end.
This article is published as part of the IDG Contributor Network.