Improving your security posture with “Software-First” Intent-Based Networking (Part 2)

Core components to improving your security posture through Intent-Based Networking include a single source of truth, continuous real-time validation, and the ability to swap or upgrade devices quickly. These components are not enough on their own, though.

Audit, time machine, and roll-back your infrastructure

Without a single source of truth, it is impossible to properly audit all changes that are taking place across your infrastructure. And without a proper audit trail, you cannot reliably determine whether, when, or by whom your infrastructure was changed, let alone whether it has been compromised. With Intent-Based Networking, not only do you have one source of truth, but because all changes are made through software, every change is recorded. You can review the audit trail, or even go back in time through a “time machine”-like capability. Doing so helps improve your security posture at many levels:

  • You have the ability to monitor your audit trail for any suspicious activities
  • Your Intent-Based Networking system can be programmed to look for suspicious activities. Examples of activities that the system can easily detect are the creation of new agents and processes, or changes to agents that enable them to accept incoming connections.
  • When you do witness suspicious activity, your Intent-Based Networking system can automatically raise an alarm, or allow you to roll back to a known “safe” state.
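The detection and roll-back described in the bullets above, as an added example that is not code from the original post or from Apstra AOS. It runs the two detection rules named above over a constructed audit trail of intent changes (the JSON-lines format, field names and paths are assumptions for illustration, not any vendor's schema), finds the last revision before the first suspicious change, and rebuilds the intent state at that revision as the roll-back target.

```python
"""Audit-trail monitoring and roll-back over an intent change log (illustrative)."""
import json
from dataclasses import dataclass

# Constructed sample audit trail, one JSON object per line. Revisions 3 and 4
# are the kind of change the text calls suspicious: a new agent appears on a
# device, and an existing agent is flipped to accept inbound connections.
SAMPLE_AUDIT_LOG = """\
{"rev": 1, "ts": "2024-05-01T09:00:00Z", "actor": "alice", "op": "update", "path": "/devices/leaf1/bgp/neighbors", "value": {"peer": "10.0.0.2"}}
{"rev": 2, "ts": "2024-05-01T09:05:00Z", "actor": "alice", "op": "update", "path": "/policies/acl/web-to-db", "value": {"action": "permit", "port": 5432}}
{"rev": 3, "ts": "2024-05-01T22:13:00Z", "actor": "svc-backup", "op": "create", "path": "/agents/leaf1/agent-x", "value": {"binary": "/tmp/agent-x", "listen": false}}
{"rev": 4, "ts": "2024-05-01T22:14:00Z", "actor": "svc-backup", "op": "update", "path": "/agents/leaf1/agent-main", "value": {"listen": true, "listen_port": 2222}}
{"rev": 5, "ts": "2024-05-02T08:00:00Z", "actor": "bob", "op": "update", "path": "/policies/acl/web-to-db", "value": {"action": "permit", "port": 5432, "src": "10.1.0.0/24"}}
"""


@dataclass(frozen=True)
class Finding:
    rev: int
    rule: str
    path: str
    actor: str


def parse_audit_log(text):
    """Parse JSON lines into events ordered by revision number."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["rev"])


def detect_suspicious(events):
    """Apply the two rules from the text: new agents, and agents that start listening."""
    findings = []
    for e in events:
        path = e["path"]
        value = e.get("value") or {}
        if e["op"] == "create" and path.startswith("/agents/"):
            findings.append(Finding(e["rev"], "new-agent", path, e["actor"]))
        # Devices are meant to talk only outbound to the controller; an agent
        # that accepts inbound connections violates that invariant.
        if path.startswith("/agents/") and value.get("listen") is True:
            findings.append(Finding(e["rev"], "agent-accepts-inbound", path, e["actor"]))
    return findings


def state_at(events, rev):
    """Rebuild the intent state as it was after revision `rev` (the "time machine")."""
    state = {}
    for e in events:
        if e["rev"] > rev:
            break
        if e["op"] in ("create", "update"):
            state[e["path"]] = e["value"]
        elif e["op"] == "delete":
            state.pop(e["path"], None)
    return state


def last_safe_revision(events, findings):
    """Highest revision strictly before the first suspicious change (0 if none)."""
    if not findings:
        return events[-1]["rev"]
    first_bad = min(f.rev for f in findings)
    safe = [e["rev"] for e in events if e["rev"] < first_bad]
    return safe[-1] if safe else 0


def rollback_plan(events):
    """Return (safe revision, state at that revision, findings that triggered it)."""
    findings = detect_suspicious(events)
    safe_rev = last_safe_revision(events, findings)
    return safe_rev, state_at(events, safe_rev), findings


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    rev, state, found = rollback_plan(evts)
    for f in found:
        print(f"ALERT rev={f.rev} rule={f.rule} path={f.path} actor={f.actor}")
    print(f"roll back to revision {rev}: {sorted(state)}")
```

Note the caveat the sample makes visible: revision 5 is a legitimate change made after the incident, and rolling back to revision 2 discards it along with the suspicious ones. In practice the roll-back target is reviewed and later legitimate revisions are replayed on top of it, which is only possible because every change, good or bad, is in the same trail.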

Never, ever log into a device!

In today’s world, operators log into devices and use the Command Line Interface (CLI) to make changes or debug problems. This approach is fundamentally broken and insecure: every device exposes a management interface on the network, holds credentials that can be stolen or guessed, and accepts changes that are recorded nowhere central, which makes it far too easy for bad actors to take control of the devices.

With an Intent-Based Networking system, operators never log into a device. Moreover, devices never accept incoming connections. Devices only talk to the Intent-Based Networking system, which controls and protects the connection to those devices.

Properly secure, distributed architecture

Last but not least, none of this would matter if your Intent-Based Networking solution itself gets compromised. This is why a proper security posture also requires architecting the solution itself with security in mind. Apstra AOS is a software-first distributed system, which consists of many processes, each process only connecting to the Graph Datastore with secure, encrypted connections. The processes themselves do not accept any incoming connections; and the distributed data store authenticates connections and imposes access control.

Improve your security posture by adopting Intent-Based Networking and a “Software-First” approach

With security being of paramount concern, organizations should build their infrastructures with security as a top priority. By taking a “software-first” approach and deploying Intent-Based Networking, organizations can make quick progress in terms of their security posture by avoiding some of the most common causes of security mishaps — including lack of visibility, lack of consistency and uniformity, lack of accountability, and inability to resolve problems quickly when they arise.

Intent-Based Networking forces discipline into the operational model, driven at the core by a single source of truth. The single source of truth guarantees uniformity of policy and consistency of workflows; it is the foundation of real-time continuous validation tests; and it ensures visibility and dramatically reduces the mean time to insight when problems and security vulnerabilities do occur. It reliably prevents many security problems. Intent-Based Networking also helps to fix problems quickly when they arise, either by swapping devices quickly, upgrading software, or reverting to a known state.

In summary, Intent-Based Networking can dramatically improve organizations’ security posture. This is in addition to Intent-Based Networking’s proven benefits in delivering an order of magnitude acceleration in business velocity, an order of magnitude improvement in infrastructure reliability and an 83% reduction in costs.

If you’re interested in joining our Fortune 500 customers who are well on their way to transforming their infrastructures using a software-first approach, please contact us — we’d love to hear from you!

[Read the first blog in this two part series here]

* This article was originally published here

Improving your security posture with “Software-First” Intent-Based Networking (Part 1)

You may have read in the news about horrific security gaps that have the potential of bringing down whole infrastructures, leaking critical business and personal data, and exposing organizations to massive liability.

There is no question that improving organizations’ security posture is a critical requirement for infrastructure and security teams.

While there are thousands of security point solutions addressing specific security threats, it is important that infrastructure teams are also diligent and implement approaches that, at the foundational level, enforce the level of discipline and hygiene required to maintain a good security posture. With that in mind, “Software-First” Intent-Based Networking can offer organizations significant improvements to their security posture. This blog explains why.

Single Source of Truth, Continuous Real-Time Validation

Without a single source of truth

Most organizations today do not have a single source of truth to capture the intent of their infrastructure. Intent is captured across various systems, in some cases spreadsheets and documents. The lack of a single source of truth for intent means there is often a deviation between what the architect originally intended, and what is actually implemented in the network. Changes are made to these networks over time and often documented by individuals who may no longer be at the company. We see so many operators worry about “touching anything” because they don’t know what’s there. For example, network engineers fear removing or changing access lists because they don’t know why they are there in the first place.

Needless to say, this situation creates an environment which can introduce dangerous security vulnerabilities that are easily exploited.

Different domains

Data center infrastructures are becoming more distributed, more heterogeneous, and increasingly span multiple domains (various locations, private and public clouds, campus and edge).

Different domains are operated by multiple organizations using different systems within the same company. In some cases, the systems in place are completely manually operated. In other cases, there may be a software defined layer that controls some aspect of the security policy, while connectivity is managed by some other systems.

As a result, there is no consistent method by which an operator can enforce one uniform set of security policies across more than one domain, let alone across all their domains. In fact, blatant gaps exist in today’s environments. For example, you may be able to enforce security policies over your virtualized environment, but they can’t extend to bare metal servers or storage arrays. Operators are forced to program these policies manually, which is error prone. These gaps create dangerous security vulnerabilities.

Even if you had control of those domains, and think you pushed the correct configurations, there may be bugs in hardware or the device operating system that prevent the configuration from taking effect. Unless you have an ability to test your configuration actually worked, and that your security policy has been applied, you are still at risk.

Multidomain unified group-based policy and automation

“Software-First” Intent-Based Networking provides an ability to define global intent and security policy using a single source of truth. It also offers the capability to enforce these security policies across multiple heterogeneous domains. Changes in intent are updated automatically in the single source of truth, and then in turn, automatically enforced by the infrastructure. Last but not least, an intent-based system continuously validates in real-time the infrastructure is delivering on intent; therefore, operators can be confident the policies they’ve defined are indeed being enforced.
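The validation step described in this paragraph and the preceding section, as an added example that is not code from the original post or from any Intent-Based Networking product. A group-based policy in a constructed single source of truth is rendered into the per-address entries each device should have, and then compared against what each device reports as actually in effect (the intent format, device names, domains and the config/oper split are assumptions for illustration). It deliberately distinguishes the configuration that was pushed from the entries that are operationally in effect, which is the gap the text warns about when a hardware or OS bug stops a pushed configuration from taking effect.

```python
"""Validate that intent-based policy is actually in effect on heterogeneous devices (illustrative)."""
from dataclasses import dataclass

# Constructed single source of truth: group-based policy, default deny.
INTENT = {
    "groups": {
        "web": ["10.1.0.10", "10.1.0.11"],
        "db": ["10.2.0.5"],
    },
    "rules": [
        {"src": "web", "dst": "db", "proto": "tcp", "port": 5432, "action": "permit"},
    ],
    "default": "deny",
}

# Entry tuples: (src, dst, proto, port, action).
FULL = [
    ("10.1.0.10", "10.2.0.5", "tcp", 5432, "permit"),
    ("10.1.0.11", "10.2.0.5", "tcp", 5432, "permit"),
    ("any", "any", "any", 0, "deny"),
]

# Constructed per-device reports from three domains. "config" is what the
# controller pushed; "oper" is what the device reports as programmed.
OBSERVED = {
    # Bare-metal leaf: accepted the whole config, but one entry never took effect.
    "leaf1": {"domain": "dc1-baremetal", "config": list(FULL), "oper": [FULL[0], FULL[2]]},
    # Virtual switch: everything intended is in effect, plus a stale permit nobody intended.
    "vswitch1": {"domain": "vsphere", "config": list(FULL), "oper": list(FULL) + [("10.1.0.10", "10.2.0.5", "tcp", 22, "permit")]},
    # Second leaf: fully compliant.
    "leaf2": {"domain": "dc1-baremetal", "config": list(FULL), "oper": list(FULL)},
}


def render_expected(intent):
    """Expand group-based rules into the concrete entries every device must enforce."""
    entries = set()
    for r in intent["rules"]:
        for s in intent["groups"][r["src"]]:
            for d in intent["groups"][r["dst"]]:
                entries.add((s, d, r["proto"], r["port"], r["action"]))
    entries.add(("any", "any", "any", 0, intent["default"]))
    return entries


@dataclass
class Verdict:
    device: str
    domain: str
    missing: set      # intended, but not in effect on the device
    unexpected: set   # in effect on the device, but not intended
    config_only: set  # pushed to the device, but not programmed (config took, oper did not)

    @property
    def ok(self):
        return not (self.missing or self.unexpected)


def validate(intent, observed):
    """Compare the rendered intent against each device's operational state, not its config."""
    expected = render_expected(intent)
    verdicts = {}
    for dev, st in observed.items():
        config = set(map(tuple, st["config"]))
        oper = set(map(tuple, st["oper"]))
        verdicts[dev] = Verdict(
            device=dev,
            domain=st["domain"],
            missing=expected - oper,
            unexpected=oper - expected,
            config_only=config - oper,
        )
    return verdicts


if __name__ == "__main__":
    for v in validate(INTENT, OBSERVED).values():
        status = "OK" if v.ok else "DRIFT"
        print(f"{status} {v.device} ({v.domain}) missing={sorted(v.missing)} "
              f"unexpected={sorted(v.unexpected)} config_only={sorted(v.config_only)}")
```

A check that compared intent against pushed configuration alone would report leaf1 as compliant; comparing against what the device says is in effect is what surfaces the entry that silently failed to program, and the same comparison flags the stale permit on the virtual switch that no rule in the source of truth accounts for.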

In summary, “software-first” Intent-Based Networking addresses these policy gaps and, as a result, significantly improves an organization’s security posture. The term software-first indicates that the entire multi-domain infrastructure is defined, programmed and operated through a single software-based system.  This remains true regardless of the systems, products or vendors the engineers have chosen to implement the infrastructure. Software-first consolidates policy definition and enforces that policy end-to-end.

Ability to swap or upgrade devices quickly

Today, organizations are at the mercy of their hardware vendors’ bugs and quality problems (both hardware and device operating systems). Security vulnerabilities are common and are routinely discovered on infrastructure devices. When a hardware vendor discovers a security vulnerability in a customer’s hardware or device OS, the customer must wait for the hardware vendor to provide a patch, which may take months. When the patch is finally delivered, the customer will need to go through their own qualification process for the new security patch, which may take many more months.

Skipping the qualification process is akin to rolling the dice on new potential unknown bugs (a very common occurrence with new device OS versions). This may potentially cause bigger problems, such as new security vulnerabilities or even outages. Gartner analyst Andrew Lerner wrote a great blog about the pain involved in network upgrades, where he compares the process to going to the dentist!

By taking a software-first approach, Intent-Based Networking enables companies to qualify new hardware or software very rapidly, and upgrade to those versions very quickly:  

  • If you learn that a version of a Switch Operating System that you have deployed has a security vulnerability, then you can quickly upgrade to another version. This is a process that can otherwise take months (8 months on average for businesses we’ve talked to).
  • If you learn that a specific hardware device you have installed has a security vulnerability, then you can swap it for another device (this could even be a device from another vendor!) very quickly. Again, this is a process that can otherwise take months. Your software-first deployment ensures that even with a change of devices or vendors, there is no change to the way these products are operated and validated. There is no need to learn anything new.

To learn why “Software-First” Intent Based Networking gives you that ability, you can read my blog on “software-first” Intent-Based Networking, specifically the section titled “Five Million Tests a Day”, which describes how Apstra has built and operates the most powerful automated testbed in the industry.
