5 must-have features in a modern network security architecture

Form factors and use cases are changing, so network security must be more comprehensive, intelligent, and responsive than ever before.

Modern network security must have these features
FireMon / D3Damon / Getty Images

Early in my high-tech career, Sun Microsystems was thought of as a computing visionary. Sun coined an intriguing company’s tag line early on: "The network is the computer." What did that mean? It meant IT infrastructure was linked together in a loosely-coupled architecture, tied together via networking technologies such as Ethernet cables and the TCP/IP protocol. Thus, it was critical to engineer the network correctly to maximize network availability, performance, and business benefits.

Yes, things have changed since the early 1990s. Some networks live in the cloud, some are virtual, and some rely on application-to-application connections, but networks still connect IT systems together in one way or another.

Modern network security

Amidst this transformation, network security has had to change with the times. In my humble opinion, modern network security must support:

  • End-to-end coverage. Perimeter security inspecting ingress/egress traffic is no longer enough. Modern network security controls must be instrumented into all network segments for inspection of east/west traffic, network communications in the cloud, and network communications from remote workers to software as a service (SaaS) applications where the traffic never touches the corporate network. In other words, all network traffic should be inspected. 
  • Encryption/decryption capabilities throughout. According to ESG research, 50 to 60% of all network traffic is encrypted today, and this will only increase in the future. (Note: I am an ESG employee.) That means a comprehensive network security architecture must include the ability to decrypt and inspect traffic at a multitude of control points. Modern network security technologies should also be able to detect suspicious traffic without the need for decryption in all cases. This capability is already included in offerings such as Cisco Encrypted Traffic Analytics (ETA) and stand-alone solutions from vendors such as Barac.io. 
  • Business-centric segmentation. Reducing the attack surface should be a primary requirement for all modern network security technologies. This equates to two capabilities: 1) Segmenting east/west traffic between application tiers, and 2) Enforcing software-defined perimeter network segmentation rules between users/devices and network-based services. These capabilities are often vaguely referred to as “zero-trust.” 
  • A central control plane and distributed enforcement. This one is a “must-have.” All network security controls (i.e. physical, virtual, cloud-based) must report into a common control plane for management activities (i.e. configuration management, policy management, change management, etc.). The central control plane will likely be cloud-based, so CISOs should prepare risk-averse auditors and business managers for this change. Armed with instructions from central command and control, network security systems must be instrumented to block malicious traffic and enforce policies regardless of their location or form factor. Note that while every network security vendor will pitch its own central management service, third-party software providers such as FireMon, Skybox, and Tufin may play a role here. 
  • Comprehensive monitoring and analytics. As the old security adage goes, “the network doesn’t lie.” Since all cyber attacks use network communications as part of their kill chain, security analysts must have access to end-to-end network traffic analysis (NTA) up and down all layers of the OSI stack. The best NTA tools will supplement basic traffic monitoring with detection rules, heuristics, scripting languages, and machine learning that can help analysts detect unknown threats and map malicious activities into the MITRE ATT&CK framework. CISOs must cast a wide net, as there are lots of strong solutions to choose from pure-play startups (i.e. Bricata, Corelight, DarkTrace, IronNet, Vectra Networks, etc.), networking experts (i.e. Cisco, ExtraHop, NETSCOUT, etc.), and network security vendors (i.e. Fidelis, FireEye, Lastline, HPE, etc.).  Caveat Emptor!

To continue reading this article register now

Microsoft's very bad year for security: A timeline