Addressing Networking's Biggest Challenge -- Segmentation
Segmenting networks using VLANs and Virtual Routing & Forwarding will not meet tomorrow's business needs.
Network segmentation logically separates traffic over the same physical network. Enterprises rely on segmentation to isolate users and applications for security and performance requirements. The most common uses of segmentation are prioritizing real-time traffic such as voice and isolating credit card authorization traffic to meet PCI requirements. But future business needs for segmentation will be 1,000x greater than they are today, creating an untenable situation for enterprise IT with today's routers and firewalls.
The need for segmentation will explode because of three trends:
- Zero Trust Security -- Enterprises are moving away from perimeter-based security to a zero trust security model in which no device on the network is trusted. In this model, every device and application is segmented from every other, enabling a hierarchical approach to managing groups of devices and applications. A true zero trust network uses whitelist routing, which only allows users and applications onto the network if a policy explicitly allows it. Having no broadcast domains or default routes will result in millions of segments in large networks.
- Edge Computing -- The digital world is where things (as in the Internet of Things) and users converge. Augmented reality applications are always on, providing contextual, dynamic, and interactive experiences that are extremely sensitive to latency. Orchestration will take place in centralized cloud data centers, but applications with artificial intelligence and large volumes of local data will require widespread distribution to thousands of data centers for processing. The internetworking between all the distributed data centers owned by hundreds of providers, using many separately managed IPv4/IPv6 networks, both wireline and wireless, will add millions more segments.
- Video -- Cisco forecasts that 82% of traffic on public and private IP networks will be video by 2020. Enterprise IT will need to segment different types of video applications for both security and performance requirements. Table 1 shows nine different video segments based on levels of security trust and network performance requirements. Within each of these segments, IT can provide further user and application security, creating hundreds of segments just for video applications.
To scale network segmentation, identity and access controls for applications and endpoints, driven by directories, must integrate with network routing and security policies. The software-defined WAN (SD-WAN) space is starting to provide this from the branch office to the data center and cloud, but to succeed, software-defined networking needs to extend from the endpoints (users and things) all the way to the containers hosting the applications.
One foundational challenge is that the segmentation technologies in the LAN, WAN, data center, and cloud are all different. If you're a retailer with 20 VLANs in a store, connecting across multiple networks (MPLS, Internet, LTE, and VSAT) to multiple data centers and many different cloud providers, then managing network segmentation through routers, firewalls, load balancers, and WAN optimizers leads to "ACL hell." This complexity results in networks that are fragile, costly, not agile, and insecure.
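As an added illustration (not code from the article), the Python sketch below models the whitelist routing described under Zero Trust Security and the "ACL hell" described above: a flow is permitted only when a directory-derived identity policy explicitly allows it (there is no default route), and `expand_to_acl` shows how that small identity policy balloons into per-address entries once it has to be expressed as an address-based router or firewall ACL. The directory entries, addresses, group names and policies are constructed for the example.

```python
from dataclasses import dataclass

# Constructed directory data: endpoint IP -> identity groups, as an AD/LDAP
# or IdP lookup would return. All addresses and group names are made up.
DIRECTORY = {
    "10.42.20.15": {"pos-terminal", "store-042"},
    "10.42.20.16": {"pos-terminal", "store-042"},
    "10.42.30.7": {"guest-wifi", "store-042"},
    "10.200.5.10": {"payment-gateway", "pci-cde"},
    "10.200.5.11": {"payment-gateway", "pci-cde"},
    "10.200.9.4": {"video-cdn", "corp-dc"},
}

@dataclass(frozen=True)
class Policy:
    src_group: str  # identity group of the endpoint opening the flow
    dst_group: str  # identity group of the service it talks to
    proto: str
    dport: int

# Explicit allow rules keyed on identity, not on VLAN or subnet.
# Anything not matched is dropped: there is no default route.
POLICIES = (
    Policy("pos-terminal", "payment-gateway", "tcp", 443),
    Policy("guest-wifi", "video-cdn", "tcp", 443),
)

def groups_of(ip):
    return DIRECTORY.get(ip, set())  # unknown endpoint: no identity, no access

def matching_policy(src_ip, dst_ip, proto, dport):
    """Return the policy that explicitly allows this flow, or None (deny)."""
    src, dst = groups_of(src_ip), groups_of(dst_ip)
    for p in POLICIES:
        if (p.src_group in src and p.dst_group in dst
                and p.proto == proto and p.dport == dport):
            return p
    return None

def expand_to_acl(policies=POLICIES):
    """Expand identity policy into the per-address entries an address-based
    router or firewall ACL needs; the count grows with endpoints, not rules."""
    acl = []
    for p in policies:
        for s, sg in DIRECTORY.items():
            for d, dg in DIRECTORY.items():
                if p.src_group in sg and p.dst_group in dg:
                    acl.append((s, d, p.proto, p.dport, "permit"))
    acl.append(("any", "any", "any", "any", "deny"))
    return acl
```

With two identity rules, the expanded ACL already holds five permit entries plus the final deny, and every new terminal or gateway adds more entries on every enforcement point even though the policy itself is unchanged.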
To support future requirements, network routing and security must work together, not be diametrically opposed as they are with today's routers and firewalls.
Learn more about Systems Management & Network Design at Enterprise Connect 2018, March 12 to 15, in Orlando, Fla. Register now using the code NOJITTER to save an additional $200 off the Early Bird Pricing or get a free Expo Plus pass.