Today, consumers are more connected than ever before, especially through mobile devices and social platforms, leaving digital footprints wherever we go. Yahoo!, Snapchat, LinkedIn, Dropbox, Sony and Target are just a few of the companies that have recently had their networks compromised, and the scope and scale of these breaches continues to grow. It is no longer just a few accounts being compromised; these breaches now affect millions, and sometimes hundreds of millions, of people.

The question now for enterprises, given that this digital interconnectedness forms the very foundation of the economy, of business and increasingly of how we manage our lives each day, is what steps must be taken to protect customer data and brand loyalty. IT organizations need to go beyond today's status quo of network security, with its many proven failures, and search for a better, more comprehensive and prudent approach to protecting corporate networks.

A multi-layer security and visibility architecture, in which all traffic is inspected regardless of whether it leaves the data center, is no longer optional; it is now mandatory. This architectural approach is the only way security tools can effectively screen all suspicious traffic and recognize the uncommon patterns that indicate a breach may have occurred.

In a standard corporate network, the demilitarized zone (DMZ) is where outside, untrusted traffic meets the organization's network. High-performance security appliances are placed inline (to intercept) with the production traffic there, and they need to capture every packet entering and leaving the data center to achieve "pervasive visibility." A few examples of the security tools at this layer are intrusion prevention systems (IPS), cloud access security brokers (CASB) and web-based firewalls.

In traditional corporate networks, the DMZ is designed so that all packet traffic is sent to each security appliance in turn, each delivering its own security service on the flow, in a sequential "service chain." As network traffic increases, the organization has to procure additional security appliances to handle the volume, which drives up costs. With the traditional approach to service chaining, scaling by adding physical appliances can be extremely costly. Newer architectural approaches, including software-based service chaining via an SDN controller, allow the organization to send only the relevant traffic flows to the exact service that needs them, reducing overall volume and allowing simple, cost-effective scaling of the security chain. This can dramatically reduce the success of attacks on the "edge" of the corporate network.

In modern corporate networks, 80% or more of production traffic never leaves the data center; this is East-West traffic, as opposed to North-South traffic between the production network and the DMZ. Attackers have had more success recently by penetrating the production network through a variety of strategies, including spear-phishing and other tricks that get employees to inadvertently open a path into the production network by introducing malware or other exploits. In most corporate networks at scale, an out-of-band security tool farm is deployed to monitor this traffic. To provide 100% visibility within the out-of-band monitoring network, the security tools need access to all traffic, typically delivered via a network packet broker (NPB). Unfortunately, traditional NPBs are extremely costly, and many organizations can only afford to feed a small percentage of critical traffic to the tool farm. This lack of pervasive visibility is a risk that many organizations run because of the cost of traditional NPBs. Next-generation network monitoring solutions now enable organizations to cost-effectively tap every rack and provide pervasive visibility.
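To make the steering idea in the two paragraphs above concrete, here is an added example (not code from the original post or from any product it mentions) of the decision an SDN controller makes per flow: classify the flow as North-South or East-West, then build an inline service chain containing only the DMZ appliances that apply, and mirror East-West flows to the out-of-band tool farm instead. The address ranges, service names and sample flows are all constructed for the illustration, and the policy rules are assumptions about a typical deployment, not a standard.

```python
"""Selective service chaining versus the traditional "every packet through
every appliance" model. All addresses, ports and service names are
constructed for illustration; the steering rules are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

# Constructed: the data center's internal prefix. A flow whose endpoints are
# both inside is East-West; anything else crosses the DMZ (North-South).
DC_PREFIX = ip_network("10.0.0.0/8")

# Inline appliances available in the DMZ service chain (constructed names).
INLINE_SERVICES = ("ips", "waf", "casb")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


def direction(flow: Flow) -> str:
    """North-South if either endpoint is outside the data center, else East-West."""
    inside_src = ip_address(flow.src) in DC_PREFIX
    inside_dst = ip_address(flow.dst) in DC_PREFIX
    return "east-west" if inside_src and inside_dst else "north-south"


def traditional_chain(flow: Flow) -> List[str]:
    """Traditional DMZ: every packet traverses every appliance in sequence."""
    return list(INLINE_SERVICES)


def service_chain(flow: Flow) -> List[str]:
    """SDN-style steering: only the services relevant to this flow.

    East-West flows never enter the DMZ chain; they are mirrored to the
    out-of-band tool farm instead (see mirror_to_tap).
    """
    if direction(flow) == "east-west":
        return []
    chain = ["ips"]                      # assumed: IPS inspects all perimeter traffic
    if flow.proto == "tcp" and flow.dport in (80, 443):
        chain.append("waf")              # assumed: web traffic also gets the WAF
    outbound = ip_address(flow.src) in DC_PREFIX and ip_address(flow.dst) not in DC_PREFIX
    if outbound and flow.proto == "tcp" and flow.dport == 443:
        chain.append("casb")             # assumed: outbound HTTPS to cloud services hits CASB
    return chain


def mirror_to_tap(flow: Flow) -> bool:
    """East-West flows are copied to the out-of-band monitoring farm via the tap/NPB."""
    return direction(flow) == "east-west"


def appliance_load(flows: List[Flow], chain_fn: Callable[[Flow], List[str]]) -> Dict[str, int]:
    """Count how many flows each appliance has to process under a given chaining model."""
    load: Dict[str, int] = {}
    for flow in flows:
        for svc in chain_fn(flow):
            load[svc] = load.get(svc, 0) + 1
    return load


# Constructed sample flows (documentation address ranges for the outside world).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "10.1.1.5", "tcp", 443),    # inbound HTTPS to a DC web server
    Flow("10.1.1.20", "198.51.100.7", "tcp", 443),   # outbound HTTPS to a cloud service
    Flow("10.1.1.20", "10.1.2.30", "tcp", 3306),     # East-West app-to-database
    Flow("203.0.113.11", "10.1.1.5", "udp", 53),     # inbound DNS query
    Flow("10.1.1.21", "10.1.3.9", "tcp", 443),       # East-West internal HTTPS
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src}->{f.dst}:{f.dport}/{f.proto}  {direction(f):11s} "
              f"chain={service_chain(f)} mirrored={mirror_to_tap(f)}")
    print("traditional load:", appliance_load(SAMPLE_FLOWS, traditional_chain))
    print("selective load:  ", appliance_load(SAMPLE_FLOWS, service_chain))
```

On the five constructed flows, the traditional model puts all five through all three appliances, while selective steering sends three flows to the IPS, two to the WAF and one to the CASB, and hands the two East-West flows to the out-of-band tap. The per-appliance load is what decides how many physical boxes you have to buy, which is the cost argument made above.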

At the network layer, isolated routing domains (commonly known as VRFs) are recommended as an effective security layer, while micro-segmentation is recommended at the application layer to prevent unauthorized access between workloads.

This is not the standard for network security today, as enterprises fear the cost and complexity associated with a "secure everything" architecture. Leveraging software-defined networking (SDN) combined with industry-standard hardware, however, makes it simpler to implement this multi-layered security while meeting business objectives, reducing costs and, most importantly, ensuring total network security.

Enterprises need to be more vigilant than ever and must build a multi-layer security defense to protect against the ever-growing threat of user data breaches in our increasingly connected world. A next-generation SDN architecture is an innovative way for organizations to stay ahead of those trying to do harm to their brand.


Salman Zahid

Technical Solutions Architect


Note: This blog was originally published on SDx Central: