Enterprise Network Security Architecture Transformation
by Scott Hogg, on Dec 20, 2019 9:39:55 AM
Enterprise networks have been changing radically over the past decade. Some of these changes have taken place so slowly that they are difficult to perceive, while others have been rapid and dramatic. Enterprises must now respond with security architectures that treat the entire Internet as part of the network they defend.
Corporate Networks Turned Inside Out
Ten years ago, enterprise networks looked like the left side of the graphic below: all users and IT assets were within the physical confines of the organization’s corporate intranet. Today, as the right side of the graphic shows, the enterprise network has been turned inside out.
This enterprise network topology transformation is the result of a nomadic end-user population using Internet-connected 4G, and now 5G, mobile devices. Branch offices have moved from using traditional dedicated WAN links back to the headquarters location to using Direct Internet Access (DIA) from broadband ISPs. The shift toward using public-cloud infrastructure and Software-as-a-Service (SaaS) has moved applications out from the internal private datacenter.
The Internet has become the new corporate network backbone; the enterprise Internet.
Nomadic Users Increase Attack Surface
Formerly, end-users worked on corporate-issued mid-tower desktops connected by Ethernet cables that ran back to the switch in the Intermediate Distribution Frame (IDF). Now the workforce is roaming and uses personal mobile devices for work tasks. In-office employees traditionally used the IP-telephony handsets on their desks; remote employees now rely on cloud-based applications like WebEx and virtual collaboration tools like WebEx Teams.
The attack surface has grown to encompass the entire Internet. Enterprises struggle to build security controls that cover users when they are mobile, traveling on business or working from home. There is now a need for filters that granularly restrict which applications and protocols these nomadic users can reach. Security controls that once sat at the corporate Internet perimeter to keep malware off corporate laptops must now keep malware off uncontrolled, employee-owned mobile devices as well.
Moving Security Functions to the Cloud
Enterprises must rapidly re-think the security perimeter. Not only has the large number of allow rules in firewalls turned them into porous sieves, but the perimeter must now be distributed to all devices across a broad geography.
It is not possible to put corporate-controlled stateful packet filtering, IPS, malware defenses, virus filters, web content filters, reputation and threat intelligence, and application filtering onto every end-user’s personally-owned mobile device. These Internet perimeter security functions must now run as distributed services so they can support end-users who use the Internet as their WAN.
Architectural changes require moving security functions to cloud-based security services. These cloud-based security functions can simultaneously support the remaining end-users on the corporate network and those remote workers using their 4G/5G mobile devices.
When a company uses Cisco Umbrella, it gets a DNS-layer security service that stops users from resolving malicious domains or domains that fall outside the security policy. Because the policy is enforced at the resolver, it applies equally to mobile users working beyond the corporate network. Umbrella’s Security Graph brings advanced threat intelligence to all workers regardless of their geography, and security teams can survey and perform forensics across the entire environment, not just what is connected to the internal network.
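The DNS-layer enforcement described above comes down to a policy decision made for every query name before the resolver answers. The following Python example is added here to illustrate that decision; it is not code from the article or from Cisco Umbrella. The block list, the allow list, the query names and the sinkhole address (192.0.2.1, from the RFC 5737 documentation range) are all constructed for illustration. It also shows the one matching detail that is easy to get wrong: a block on evil.example must catch www.evil.example but must not catch notevil.example, so matching has to be done label by label rather than as a string suffix.

```python
"""DNS-layer policy: resolve, sinkhole or explicitly allow a query name.

Added example, not code from the original article or from Cisco Umbrella.
Block list, allow list and sinkhole address are constructed for illustration.
"""

# RFC 5737 documentation address standing in for a sinkhole/block page host.
SINKHOLE_V4 = "192.0.2.1"


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot (FQDN form)."""
    return name.rstrip(".").lower()


class DnsPolicy:
    def __init__(self, blocked, allowed=()):
        self.blocked = {normalize(d) for d in blocked}
        self.allowed = {normalize(d) for d in allowed}

    @staticmethod
    def _match(qname, domains):
        """Return the policy entry that covers qname, or None.

        The name itself and each parent domain are tested, label by label, so
        "www.evil.example" matches an entry for "evil.example" while
        "notevil.example" does not (a plain endswith() check would match it).
        """
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                return candidate
        return None

    def decide(self, qname):
        """Return (action, reason, answer) for a query name.

        action is "allow", "sinkhole" or "resolve". Allow-list entries override
        the block list so a known false positive can be exempted without
        editing the threat feed. answer is the A record to synthesize for a
        sinkholed name, otherwise None (the resolver answers normally).
        """
        hit = self._match(qname, self.allowed)
        if hit:
            return "allow", f"allow-listed via {hit}", None
        hit = self._match(qname, self.blocked)
        if hit:
            return "sinkhole", f"blocked via {hit}", SINKHOLE_V4
        return "resolve", "no policy match", None


# Constructed sample policy and queries (not real indicators).
POLICY = DnsPolicy(
    blocked=["evil.example", "malware.test"],
    allowed=["safe.evil.example"],
)
SAMPLE_QUERIES = [
    "www.evil.example.",        # subdomain of a blocked domain -> sinkhole
    "EVIL.EXAMPLE",             # case must not matter -> sinkhole
    "notevil.example",          # shares a suffix only -> resolve
    "cdn.safe.evil.example",    # allow-list override -> allow
    "updates.vendor.example",   # unrelated -> resolve
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q:28} {POLICY.decide(q)}")
```

Because the decision depends only on the query name, the same policy can be applied to a roaming device’s queries and to queries from the office network, which is the property the article is describing.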
Another example of moving security functions to the cloud is evident in the Cisco Cloudlock Cloud Access Security Broker (CASB). Cloudlock helps protect users when they are accessing cloud-based applications and surveils the data sent back and forth across those connections. Cloudlock allows the enterprise to have a consistent granular policy across numerous cloud services that works for remote and in-office employees.
Firewalls Move Closer to Servers and Applications
What was once a simple architecture with a single security perimeter, where application filtering was performed, has become radically distributed. The transformation affects where in the enterprise network architecture stateful packet filtering is performed. Firewalls are still deployed at the Internet perimeter, but application security is being added closer to the server hosting the application. Adding virtualized security functions into the server virtualization environment is an application of Network Functions Virtualization (NFV). In this illustration a virtual firewall function protects each virtual host running on a data center hypervisor, or secures server instances running in a cloud environment.
Many organizations now run virtual editions of traditional on-premises firewall software. The Cisco Firepower Next-Generation Firewall Virtual (NGFWv) can run in VMware, KVM, AWS, and Azure. The Cisco Adaptive Security Virtual Appliance (ASAv) is available as a virtualized version of the venerable ASA stateful firewall that is familiar to security administrators. Cisco UCS Director is the platform that supports secure management of a wide variety of hypervisors, compute, network, storage and hyperconverged infrastructure.
Virtual routers like the Cisco Cloud Services Router 1000v (CSR 1000v) can run in a virtual environment and provide the security protections that were typically applied within a corporate WAN. The CSR 1000v can perform filtering and terminate VPN tunnels, preserving confidentiality between trusted environments.
Stateful filtering is often performed close to the cloud instance (e.g. AWS Security Groups, Azure Network Security Groups (NSG), Google Compute Engine firewall rules). The data center network can also apply filters through contracts in a Cisco Application Centric Infrastructure (ACI) implementation, and stateful filtering can be implemented next to the hypervisor’s Virtual Machines (VMs) in the on-premises data center (VMware Distributed Firewall, Hyper-V Virtual Switch policies, Xen domain filters, and the KVM libvirt nwfilter network filter driver). When organizations operate server instances in public cloud infrastructure, they need visibility into abnormal traffic and threat activity as if it were their own network; Cisco Stealthwatch Cloud provides this.
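Moving the stateful filter next to the instance only helps if the per-instance rules are actually tight, and the most common defect is an ingress rule open to 0.0.0.0/0 on an administrative or database port. The following Python script is an added example (not code from the article or from any Cisco or AWS tool) that audits security groups in the JSON shape returned by the AWS CLI command aws ec2 describe-security-groups and emits suggested revoke/authorize commands that re-scope each world-open rule to a trusted range. The group IDs, rules and the trusted CIDR 203.0.113.0/24 are constructed for illustration; the choice to accept only TCP 80 and 443 from anywhere is an assumption of the example.

```python
"""Audit AWS-style security groups for ingress open to the whole Internet.

Added example, not code from the original article or from any Cisco or
AWS tool. The input mimics the JSON shape returned by
"aws ec2 describe-security-groups"; the groups, IDs and CIDRs below are
constructed for illustration.
"""
import ipaddress

# Assumption for this example: only HTTP/HTTPS may be reachable from anywhere.
PUBLIC_OK_PORTS = {80, 443}
# Administrative and database ports: world-open exposure of these is critical.
CRITICAL_PORTS = {22, 23, 3389, 1433, 3306, 5432, 6379, 27017, 9200}


def _port_range(perm):
    """FromPort/ToPort of a permission; protocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _world_open_sources(perm):
    """CIDR sources covering the entire address space (prefix length 0).
    Security-group-to-security-group references are never world-open."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_security_groups(groups):
    """One finding per (rule, world-open source) exposing a port outside
    PUBLIC_OK_PORTS; critical findings are sorted first."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto in ("icmp", "icmpv6"):
                continue  # ICMP carries type/code, not ports; out of scope here
            lo, hi = _port_range(perm)
            exposed = set(range(lo, hi + 1))
            # tcp 80/443 from anywhere is accepted; anything else is a finding.
            risky = exposed - PUBLIC_OK_PORTS if proto == "tcp" else exposed
            if not risky:
                continue
            severity = "critical" if risky & CRITICAL_PORTS else "high"
            for src in _world_open_sources(perm):
                findings.append({
                    "group_id": group["GroupId"],
                    "group_name": group.get("GroupName", ""),
                    "protocol": proto,
                    "port_range": (lo, hi),
                    "source": src,
                    "severity": severity,
                })
    findings.sort(key=lambda f: f["severity"] != "critical")
    return findings


def remediation_commands(finding, trusted_cidr):
    """Suggested AWS CLI commands: revoke the world-open rule, then re-add it
    scoped to trusted_cidr. Review before running. Only IPv4 tcp/udp rules get
    the simple --protocol/--port/--cidr form; "-1" and IPv6 rules need the
    --ip-permissions JSON form and are left for manual remediation."""
    lo, hi = finding["port_range"]
    if finding["protocol"] not in ("tcp", "udp"):
        return []
    if ipaddress.ip_network(finding["source"], strict=False).version != 4:
        return []
    port = str(lo) if lo == hi else f"{lo}-{hi}"

    def cmd(action, cidr):
        return (f"aws ec2 {action} --group-id {finding['group_id']} "
                f"--protocol {finding['protocol']} --port {port} --cidr {cidr}")

    return [cmd("revoke-security-group-ingress", finding["source"]),
            cmd("authorize-security-group-ingress", trusted_cidr)]


# Constructed sample, shaped like describe-security-groups output (not real).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},          # acceptable
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # SSH to the world
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},  # SG reference
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # private only
     ]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f["severity"].upper(), f["group_name"], f["protocol"], f["port_range"], f["source"])
        for c in remediation_commands(f, "203.0.113.0/24"):
            print("   ", c)
```

On the sample data only the web-tier SSH rule is reported; the database rule that references another security group and the all-ports rule scoped to 10.0.0.0/8 are exactly the kind of instance-adjacent filtering the paragraph describes and are left alone.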
This practice extends to container workloads. As monolithic applications are disaggregated and decoupled, the individual application functions need protection from network-based threats. Filtering can be applied to Docker networking within a virtualized server, providing an added layer of protection for the applications running in containers. As microservices move toward service mesh architectures, these security functions must cover those deployment models as well. The Cisco Container Platform (CCP) and Istio can be used to add security to Kubernetes microservice applications.
Securing Remote Enterprise Locations
As more applications moved to cloud environments and dedicated WAN bandwidth pricing remained high, enterprises looked for ways to improve performance and save costs. They began to consider a combination of broadband Internet and corporate WAN connectivity for their branch sites, with the goal of high-bandwidth, low-latency, redundant connectivity for remote offices. These changes created the impetus behind Software-Defined WAN (SD-WAN) solutions.
When organizations establish direct Internet connectivity at branches, they still must give users the same security functionality that exists at the enterprise perimeter choke-point. Cisco’s SD-WAN offerings provide a stateful firewall, network segmentation, a secure web gateway, and DNS-layer security for remote sites. Encrypting traffic between sites and to the cloud provides confidentiality, while a built-in Intrusion Prevention System (IPS), application security controls, malware protection with Cisco Advanced Malware Protection (AMP) and Threat Grid, and URL filtering protect those remote sites.
The Semi-Trusted Enterprise
The nomadic workforce, and the difficulty of keeping malware off end-user devices, has led corporate security teams to throw in the towel and declare all end-user devices untrusted. Previously, everything inside the enterprise was implicitly trusted because of where it was connected. The new security model draws distinctions between the various levels of trust within a corporate network.
Zero-Trust (ZT) does not mean that end-users are denied everything; it means that no access is granted on the basis of network location alone. Identity, device posture and the sensitivity of the requested application determine what is allowed, and that decision is made for each connection rather than once at the network edge. End-users are therefore “less-than-completely-trusted”: certainly more trusted than the Internet, but less trusted than the most sensitive private data center applications. The corporate WAN is treated at arm’s length, and each application’s risk factor and security profile dictate the level of access. Cisco Tetration can provide workload and flow visibility to facilitate the micro-segmentation a ZT design relies on.
Before end-users can be trusted with access to internal or cloud-based corporate applications they must first prove their identity. Enterprises recognize the weaknesses of traditional username-and-password systems and need to move to multi-factor authentication (MFA) for a greater degree of assurance. Cisco Duo MFA makes it easy for users to authenticate strongly, so that their role, rather than their network location, determines which applications they can reach.
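One second factor most readers can inspect end to end is the RFC 6238 time-based one-time password (TOTP). The following Python example is added here to show how it works on both sides; it is not code from the article and not Duo’s implementation. Beyond generating codes, it shows the three server-side details that decide whether MFA actually adds assurance: a tolerance window for clock skew, a constant-time comparison, and rejection of a code that has already been accepted. The key is the RFC 6238 test-vector key (the ASCII string 12345678901234567890), not a real secret, and the timestamps are the RFC’s published vectors.

```python
"""RFC 6238 TOTP: generate codes and verify them safely on the server side.

Added example, not code from the original article and not Duo's
implementation. The secret is the RFC 6238 test-vector key, not a real one.
"""
import hashlib
import hmac
import struct
import time

STEP = 30     # time-step in seconds (RFC 6238 default)
DIGITS = 6    # most authenticator apps; the RFC test vectors use 8


def hotp(secret, counter, digits=DIGITS, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=STEP, digits=DIGITS):
    """TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side verification.

    - Accepts codes from `skew_steps` neighbouring time steps on either side,
      so a device whose clock is slightly off can still authenticate.
    - Compares in constant time so response timing does not leak how many
      leading digits were right.
    - Remembers the highest counter accepted and refuses anything at or below
      it, so a code captured in transit cannot be replayed within its window.
    """

    def __init__(self, secret, skew_steps=1, step=STEP, digits=DIGITS):
        self.secret = secret
        self.skew = skew_steps
        self.step = step
        self.digits = digits
        self.last_counter = -1

    def verify(self, code, now=None):
        if not (isinstance(code, str) and code.isdigit() and len(code) == self.digits):
            return False
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already consumed (or older): treat as replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


# RFC 6238 Appendix B test-vector key; never use a fixed key like this for real.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, t, digits=8))  # RFC vectors: 94287082, 07081804, 89005924
    v = TotpVerifier(RFC_SECRET, digits=8)
    code = totp(RFC_SECRET, 1111111109, digits=8)
    print("first use:", v.verify(code, now=1111111109))   # True
    print("replay:   ", v.verify(code, now=1111111109))   # False
```

The replay check is the part most often left out of home-grown implementations: without it, a one-time password is valid for the whole skew window, which for a 30-second step and one step of tolerance is up to 90 seconds.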
Adjacent to zero-trust is the Software-Defined Perimeter (SDP), a concept first defined by the Cloud Security Alliance (CSA). SDP solutions resemble a Network Access Control (NAC) system in that users must authenticate before they are granted anything, but what they are granted is access to specific applications rather than to a network segment: the user and device authenticate to a controller before any gateway will accept a connection to the protected application, hosts that have not authenticated cannot reach the service at all, and authorized sessions are carried over TLS. Cisco Duo’s Identity and Access Management (IAM) capabilities can be tied into applications to provide this SDP functionality.
Organizations have traditionally used remote-access IPsec VPNs with split tunneling disabled, so that all network traffic is directed back to the corporate intranet. Although Cisco AnyConnect SSL VPN runs on a broad array of end-user mobile devices, it may not be the best fit for securing traffic in all circumstances. VPNs are being complemented with SDP solutions that integrate application filtering and strong multi-factor authentication before end-users reach applications.
Cisco has extended this concept to the corporate networks with Software-Defined Access (SDA). SDA provides enhanced security compliance for users and their mobile devices by separating their application connections with end-to-end segmentation with full visibility.
Continually Changing Enterprise Security Topology
The last decade has transformed enterprise network topology making the Internet the new corporate network. This has caused a shift in distributing security functionality to cover the broadest area of far-flung users and applications.
This transformation of the enterprise security architecture has been changing slowly over the last decade. Cisco anticipated these changes and developed security solutions to adapt to this evolution in security protection measures.
In the coming years enterprises will continue to see their networks transformed by new requirements and market trends. More Internet of Things (IoT) devices will make their way into corporate networks, requiring micro-segmentation, network slicing and the sequestering of IoT systems into secure enclaves. 5G services will give end-users the high-bandwidth connectivity they typically have in the office or at home, and personal mobile devices will increasingly be used by employees to access enterprise applications. Containerized applications will run on a service mesh with security functionality built into the application frameworks. Corporations will further exploit the Hybrid-IT architecture, continually moving applications and data to and from multi-cloud environments.
We can expect the next decade to continue the transformation. If enterprises are having difficulty keeping up with the pace of change, the pace is only going to quicken in the coming years. “Objects in mirror are closer than they appear” and if enterprises don’t maintain situational awareness, new trends may sneak up in their blind-spot and create an emerging security weakness. Cisco will continually survey the changing threat landscape and evolve solutions that are adaptive, flexible, scalable, and mitigate the new threats as the corporate network topologies evolve.
Following are references for the Cisco security protection technologies mentioned in this paper. Please visit these web pages to learn more about how Cisco security solutions can help enterprises protect their new enterprise Internet topology.