Jun 6, 2019

Improving your security posture with “Software-First” Intent-Based Networking (Part 1)


You may have read in the news about horrific security gaps that have the potential of bringing down whole infrastructures, leaking critical business and personal data, and exposing organizations to massive liability.

There is no question that improving organizations’ security posture is a critical requirement for infrastructure and security teams.

While there are thousands of security point solutions addressing specific security threats, it is important that infrastructure teams are also diligent and implement approaches that, at the foundational level, enforce the level of discipline and hygiene required to maintain a good security posture. With that in mind, “Software-First” Intent-Based Networking can offer organizations significant improvements to their security posture. This blog explains why.

Single Source of Truth, Continuous Real-Time Validation

Without a single source of truth

Most organizations today do not have a single source of truth to capture the intent of their infrastructure. Intent is captured across various systems, in some cases spreadsheets and documents. The lack of a single source of truth for intent means there is often a deviation between what the architect originally intended, and what is actually implemented in the network. Changes are made to these networks over time and often documented by individuals who may no longer be at the company. We see so many operators worry about “touching anything” because they don’t know what’s there. For example, network engineers fear removing or changing access lists because they don’t know why they are there in the first place.

Needless to say, this situation creates an environment which can introduce dangerous security vulnerabilities that are easily exploited.

Different domains

Data center infrastructures are becoming more distributed, more heterogeneous, and increasingly span multiple domains (various locations, private and public clouds, campus and edge).

Different domains are operated by multiple organizations using different systems within the same company. In some cases, the systems in place are completely manually operated. In other cases, there may be a software defined layer that controls some aspect of the security policy, while connectivity is managed by some other systems.

As a result, there is no consistent method by which an operator can enforce one uniform set of security policies across more than one domain, let alone across all their domains. In fact, blatant gaps exist in today’s environments. For example, you may be able to enforce security policies over your virtualized environment, but it can’t extend to bare metal servers or storage arrays. Operators are forced to program these policies manually, which is error prone. These gaps create dangerous security vulnerabilities.

Even if you had control of those domains, and think you pushed the correct configurations, there may be bugs in hardware or the device operating system that prevent the configuration from taking effect. Unless you have an ability to test your configuration actually worked, and that your security policy has been applied, you are still at risk.

Multidomain unified group-based policy and automation

“Software-First” Intent-Based Networking provides an ability to define global intent and security policy using a single source of truth. It also offers the capability to enforce these security policies across multiple heterogeneous domains. Changes in intent are updated automatically in the single source of truth, and then in turn, automatically enforced by the infrastructure. Last but not least, an intent-based system continuously validates in real-time the infrastructure is delivering on intent; therefore, operators can be confident the policies they’ve defined are indeed being enforced.

In summary, “software-first” Intent-Based Networking addresses these policy gaps and, as a result, significantly improves an organization’s security posture. The term software-first indicates that the entire multi-domain infrastructure is defined, programmed and operated through a single software-based system.  This remains true regardless of the systems, products or vendors the engineers have chosen to implement the infrastructure. Software-first consolidates policy definition and enforces that policy end-to-end.

Ability to swap or upgrade devices quickly

Today, organizations are at the mercy of their hardware vendors’ bugs and quality problems (both hardware and device operating systems). Security vulnerabilities are common and are routinely discovered on infrastructure devices. When a hardware vendor discovers a security vulnerability in a customer’s hardware and device OS, the customer must wait for the hardware vendor to provide a patch, which may take monthsWhen the patch is finally delivered, the customer will need to go through their own qualification process for the new security patch, which may take many more months.

Skipping the qualification process is akin to rolling the dice on new potential unknown bugs (a very common occurrence with new device OS versions). This may potentially cause bigger problems, such as new security vulnerabilities or even outages. Gartner analyst Andrew Lerner wrote a great blog about the pain involved in network upgrades, where he compares the process to going to the dentist!

By taking a software-first approach, Intent-Based Networking enables companies to qualify new hardware or software very rapidly, and upgrade to those versions very quickly:

  • If you learn that a version of a Switch Operating System that you have deployed has a security vulnerability, then you can quickly upgrade to another version. This is a process that can otherwise take months (8 months on average for businesses we’ve talked to).
  • If you learn that a specific hardware that you have installed has a security vulnerability then you can swap for another device (this could even be a device from another vendor!) very quickly.  Again, this is a process that can otherwise take months. Your software-first deployment ensures that even with a change of devices or vendors, there is no change to the way these products are operated and validated.  There is no need to learn anything new.

To learn why “Software-First” Intent Based Networking gives you that ability, you can read my blog on “software-first” Intent-Based Networking, specifically the section titled “Five Million Tests a Day”, which describes how Apstra has built and operates the most powerful automated testbed in the industry.

View our webinar on Intent-Based Data Center Automation 3.0icon-arrow-right-double-24.png

Read our white paper on The Apstra Zero Lock-in Guarantee icon-arrow-right-double-24.png


Mansour Karam

President, Founder