Encrypted Traffic Analytics and SD-Access integrate security into the enterprise network.
Security is a big part of Cisco’s new intent-based networking strategy. The key security pieces are Encrypted Traffic Analytics and Software-Defined Access. The details of hardware support such as the Catalyst 9000 switches aren’t as important as how the new architecture provides a new way for enterprises to approach security by integrating it into the network.
Encrypted Traffic Analytics (ETA) enables detection of malware in encrypted network traffic. This is important since encrypted traffic is becoming popular and enterprises cannot rely on deep-packet inspection for malware detection. A Cisco white paper provides details of ETA. Those who are academically inclined can read a technical paper from the 2016 ACM Workshop on Artificial Intelligence and Security.
This new technology shows promise as a malware identification tool for encrypted traffic, with a low false positive malware detection rate at 0.01%.
ETA isn’t a single product; it’s a combination of visibility from enhanced NetFlow with encrypted traffic analytics capability on devices such as Catalyst 9000 switches and the 4000 series Integrated Services Router (ISR), fed into Stealthwatch security analytics.
Having the switches and routers participate in security analytics fits into my belief that intelligence and security needs to be built into network. It was fashionable to believe that each layer of the infrastructure needs to perform one thing well, and additional tools can be layered on to perform another function. That’s OK in theory, but there are performance implications to installing additional tools and operational costs of integrating many tools to provide security. Embedding some security support into the foundational devices will make the higher level security tools operate efficiently.
In accordance with best security practices, I recommend that technologies such as ETA be part of a layered approach to security. Security is one area where redundancy and layering makes sense. But it’s good that Cisco has found a way to fix this growing blind spot in network analytics.
SD-Access is Cisco’s umbrella term for technologies that automate the segmentation of network traffic based on policy, and automate workflows for network design, provisioning and management. Despite the similarity in names, SD-Access is more than network access control (NAC).
We are all accustomed to using time-tested techniques such as VLAN or ACLs for segmenting traffic. However, intent-based networking uses higher-level policy definition and lets the system choose the low-level configuration such as VXLAN for segmentation and identity-based policy enforcement instead of using IP or MAC addresses to identify end points.
Low-level configuration should not be a concern of network professionals in the future. The system ought to figure out which configuration choices to apply, based on policy and using machine learning to understand context, according to Cisco’s intent-based networking strategy.
It’s important for network pros to not get stuck treading water with manually configuring network segmentation, but focus on why different apps and users need to be on separate networks. To prepare for SD-Access, network administrators can take inventory of how their ACLs and VLANs were derived and understand the business policies that define them.
This may be a good opportunity to sift out what’s obsolete and understand the motivations of line of business owners. I realize it’s a daunting task since there are so many ACLs to wrestle with, not to mention the “if it ain’t broke, don’t fix it” rule. But a mountain of mysterious ACLs is also a broken situation when you consider the maintenance effort.
SD-Access should streamline many parts of a network professional’s job since it works on a wide variety of devices ranging from the Catalyst 4500-E to Aironet 3800 wireless access points. However, it requires DNA Center to orchestrate the network and to create a secure campus fabric. DNA Center uses APIC-EM for automation, Identity Services Engine for policy management, and Network Data Platform software for analytics. These items will be fully available later in 2017.
A valid concern for those contemplating a controller-based network automation system is that the controller itself could be a target of crooks who are intent on taking over your network, since it behaves like a master key that controls many network devices. At Cisco Live, Cisco executives told analysts that the company developed the product with penetration testing and other secure development best practices to address these concerns.
Still, I would like to see Cisco advise customers on best practices for securing the controller, pass security certifications such as Common Criteria and listen to customer concerns on potential attack methods. I am not aware of a major breach attributed to cybercriminals taking over an SDN system, but we can’t let our guard down.
Security capabilities will become integrated into the network infrastructure in the same way that telemetry capabilities have found their way into switching devices. Networking and security are inseparable, and this will be reflected in the equipment we may deploy in the future. Cisco’s development is a good start to this path.