
Scott Murphy | February 22, 2017 |


How Next-Gen Networking Impacts IT Security


Costs are coming down for an enterprise to deliver the improved security of hyper-segmentation, making it conducive to today’s business, security, and IT operational requirements.

Over the past few years, the stories of security breaches at large enterprises such as Sony, Target, and Home Depot have been making headlines. Many of my clients ask how this could happen to these organizations, what with their multi-million dollar IT budgets and substantial resources. The answer is both simple and complex at the same time. Allow me to explain...

These organizations are continually balancing their investment in technology against the cost of operating that technology. They try to minimize the complexity of their networks wherever possible, but unfortunately, minimizing complexity often results in decreased security; in particular, it results in a reduction of network segmentation, the practice of splitting a computer network into subnetworks for the benefits of improved performance and security.

When considering security in an ideal world, a network would be designed so that every endpoint would be its own network segment -- some security experts call this "hyper-segmentation." With traditional networking technologies, this would be good for security, but not necessarily for the business or network operations.

Traditional networking uses VLANs (Virtual Local Area Networks) and protocols such as MPLS (Multiprotocol Label Switching) to segment the network and isolate subsets of network users, services, and devices into different zones. The complexity of managing the network increases as additional zones need to be configured on each node (switch, firewall, etc.) of the network. Complexity only continues to grow as more systems are added to the network, especially with the introduction of Internet of Things (IoT) devices, such as HVAC, physical security, and other sensor-based systems.

Traditional Networking Stack

The result is that many enterprises with traditional networking approaches have simplified their network segmentation to reduce operational costs. This runs contrary to the good practices in IT security frameworks such as ISO 27002, PCI, COBIT, and NIST, but it is often still preferred because it reduces complexity.

To go back to my earlier examples of the security breaches at Home Depot and Target, as these cases were unravelled it became clear that the lack of network segmentation contributed significantly to the breaches. These breaches exposed millions of credit card transactions to the hackers and wound up costing these organizations hundreds of millions of dollars in lawsuits, penalties, and remediation.
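The breaches above came down to flows that should never have been possible between zones. As an added example (not from the article or any vendor), the following Python audit takes a subnet-to-zone map and an explicit inter-zone allow list, then flags observed flows that cross zones without a matching rule or involve an address outside any zone; all addresses, zone names and flow records are constructed.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed zone map: subnet -> zone name (hypothetical addressing).
ZONES = {
    ipaddress.ip_network("10.10.0.0/24"): "POS",         # payment terminals
    ipaddress.ip_network("10.20.0.0/24"): "CARD-DB",     # cardholder data
    ipaddress.ip_network("10.30.0.0/24"): "HVAC",        # building sensors
    ipaddress.ip_network("10.40.0.0/24"): "VENDOR-VPN",  # third-party access
}

# Constructed inter-zone policy: (src zone, dst zone, port) tuples that are allowed.
# Anything not listed, and not intra-zone, is a segmentation violation.
ALLOWED = {
    ("POS", "CARD-DB", 443),
    ("VENDOR-VPN", "HVAC", 22),
}

def zone_of(ip_str):
    """Longest-prefix match of an address to its zone; None if unassigned."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, zone in ZONES.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None

def audit(flows):
    """Return (flow, reason) pairs for flows that break the zone policy."""
    violations = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone is None or dst_zone is None:
            violations.append((f, "unassigned address"))  # host outside any zone
        elif src_zone != dst_zone and (src_zone, dst_zone, f.dport) not in ALLOWED:
            violations.append((f, f"{src_zone}->{dst_zone}:{f.dport} not allowed"))
    return violations

# Constructed flow records, as they might be parsed from NetFlow or firewall logs.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.0.10", 443),    # POS to card DB on allowed port
    Flow("10.40.0.7", "10.30.0.3", 22),      # vendor to HVAC, allowed
    Flow("10.40.0.7", "10.20.0.10", 1433),   # vendor reaching card DB: violation
    Flow("10.30.0.3", "10.10.0.5", 445),     # HVAC to POS: violation
    Flow("10.10.0.5", "10.10.0.6", 445),     # intra-zone, not flagged
    Flow("192.168.1.1", "10.20.0.10", 443),  # source outside every zone
]
```

Running `audit(SAMPLE_FLOWS)` against real flow exports is a quick way to test whether the segmentation drawn on the network diagram actually holds on the wire.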

Larger organizations such as these typically have multiple sites that are connected by single logical MPLS or VPN links, a common architecture that makes network segmentation challenging across sites. To enable network segmentation, multiple security zones need to be managed across these links.

The good news is that several networking vendors saw the need for network segmentation and management simplification and started working on these issues over a decade ago. The solution in general is often referred to as network virtualization. Network virtualization is designed with enough built-in intelligence to all but eliminate human error during configuration, and it supports a nearly unlimited number of network segments.

There are two advanced network segmentation technologies or approaches to address these scenarios: Dynamic BGP with GRE Tunnels and Shortest Path Bridging (SPB/IEEE 802.1aq).

The first approach, dynamic BGP with GRE tunnels, adds another logical layer 3 network on top of the inter-site layer 3 network links using GRE tunnels and dynamic BGP routing. This approach is complicated, requiring a high degree of skill to manage the many protocols involved. As the scale of the enterprise and number of sites grows, managing this approach becomes increasingly complex. Therefore, BGP with GRE tunnels is feasible for smaller deployments but would not be practical to handle the requirements of enterprise network segmentation.

A better alternative is the second approach I mentioned, Shortest Path Bridging (SPB). SPB is relatively unknown, yet it represents a complete rewrite of the networking technology of the past 25 years: it replaces a traditional stack of more than 20 networking protocols with one protocol in one layer. SPB can provide millions of network segments, both between and within sites. This drastically simplifies the network segmentation security problem by allowing security zones to easily span sites over the top of service provider links such as MPLS or, preferably, VPLS. SPB was designed to scale to carrier networks, and it also allows enterprise networks to be deployed with multiple active paths.

SPB Virtualizes Layer 2, Layer 3, & Multicast

While enhancements in network virtualization were being made, it became clear that there was also a need to improve the sophistication and virtualization of firewalls to enable the network segment isolation and routing required to secure these enhanced networks. New firewall appliances have entered the marketplace based on software (instead of hardware) with significantly higher processing capacity than their predecessors. This enables enterprise networks to be segmented to support security while maintaining network performance with centralized security management.

Costs are coming down for an enterprise to deliver the improved security of hyper-segmentation, making it conducive to today's business, security, and IT operational requirements. The security breaches experienced by Home Depot and Target can be avoided, but it is going to require a shift in mindset by network architects as they need to incorporate Shortest Path Bridging (SPB) and next-generation firewalls into the network design from the ground up. For my credit card's sake, I hope the shift happens quickly.

"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.

Learn more about systems management and network design trends and technologies at Enterprise Connect 2017, March 27 to 30, in Orlando, Fla. View the Systems Management & Network Design track, and register now using the code NOJITTER to receive $300 off an Entire Event pass or a free Expo Plus pass.
