F3 Technology Partners | Transform your IT Infrastructure
Unveiling Cloud Innovations, NaaS, and Security Strategies for the Future of Enterprise Networking
ONUG Fall 2023
This year’s ONUG highlighted a focus on expanded networks due to the marked increase in remote office workers. This included areas such as the need for increased security, and the wider expansion of network-based automation. There were several companies making use of automated “Policy as Code” and “Infrastructure as Code” tools, such as Terraform and Ansible.
ONUG Topics
Enterprise Networking
Dynamic Edge Segmentation: Insights into GSK’s Hyperconnected Smart Manufacturing
GSK coined the term “Dynamic Edge Segmentation” to describe their technique of using the network itself to enforce security, via segmentation. It is a process that uses a “back door” control for edge devices. It can quickly reduce the attack surface. The system allows engineers to see what devices are on the network, and what they are accessing. Newly attached devices automatically get a security policy, without human intervention, based on their segment. They discussed that IoT is currently the most risky area, and how Dynamic Edge Segmentation applies there, as well. For example, a rogue WiFi access point coming online will immediately be detected as an “unknown” device, and denied any access. It detects every device at a low level, and the security is applied by the so-called “switchboard”. Policies are defined at the enterprise level. By using this system, the complexity is handled by the NaaS provider, shielded from the engineer user, but the engineer user is still in control of the system.
“Network to Code” Proof of Concept: From Data to Decisions: Mastering Device Lifecycle with Nautobot
Nautobot watches for official vulnerability notifications, “End of Life” schedules, devices needing a service contract, etc., for many brands of devices. Nautobot centralizes all this information. PoC demonstration: He ran a job to grab CVEs from NIST by criteria (OS version, etc). The GUI showed all his currently running software that was affected by any vulnerabilities, etc. He showed how it lists all affected devices. Also, the system has an API, so you can automate and customize it to your liking.
An Insider’s Look at Automation Trends and Best Practices in Enterprise Networking – Gluware
Case studies in automation trends. One of the main themes network engineers are finding is that “automation is hard.” Gluware provides immediate value out-of-the-box, and therefore is more cost effective than products requiring a large initial setup in order to have them function. Gluware aims to provide “80%” of necessary configuration out-of-box (vs. the 100% provided by products requiring fully manual configuration). WWT is agile; they will come in and evaluate your needs, and can set up demonstration, in lab environment, of their recommended solution, for your evaluation.
Learn How To Expand Visibility Beyond the Network Edge and Triage Faster – Broadcom
Since 2020 there has been an exponential increase in the number of people “working from home,” or in similar remote locations. This has led to an increase in the complexity of network paths that network engineers are required to configure and support. There is an increase in traffic going over unmanaged networks. Engineers need end-to-end network visibility. Broadcom is helping to alleviate problems by using higher quality performance detection tools “at home.” They concentrate on monitoring and testing the network at these remote locations. They talked about some of their success stories: Wells Fargo (having numerous branch offices): they correlate WiFi across LAN and WAN, to quickly locate the source of problems.
Cloud
NaaS: The Evolution from Private Routed WANs to “The Network Is The Cloud”
Current (legacy) SD-WAN solutions are limited, due to the security requirements being too complex at scale. They lack flexibility and programmability. One of the main problems is that service providers are the ones who manage the security policies, rather than the network engineer. “Network as a service” (NaaS) simplifies this system. It operates at the “underlay” level (layers 1-3, the IP routing layers). Internally it watches traffic and “re-writes” all network access.
Improve Cloud Cybersecurity Resiliency and Lower Cloud Networking Costs – Aviatrix
Aviatrix is improving cloud cybersecurity resiliency. They demonstrated how orchestration and an overlay-network work within a hybrid cloud environment (e.g., AWS and Azure). They showed how they use Terraform to set it up (i.e., automated in code, as opposed to manually in a GUI).
CloudQuery Proof of Concept: Infrastructure Asset Inventory and Automated Multi-Cloud Compliance with CloudQuery
Inventory and compliance settings are different across clouds. CloudQuery does ETL from them all, to allow a single query language for all. PoC demonstration: auto-sync (read from all resources) and populate database (supports many databases, including the graph database Neo4J). Provides out-of-the-box as well as custom dashboards.
NetBox Labs Proof of Concept: Network Automation Success Relies on a Network Source of Truth
NetBox is open source, with a large community of followers and contributors. There is also a hosted cloud-based SaaS version available. You can use it to store and manage sites, locations, and devices. PoC demonstration: They showed examples of graphical diagrams of rack elevations, and switches. The GUI allowed them to drill down to the lowest level: ports and connections. He showed an example pipeline he had set up: NetBox -> Jenkins -> Ansible -> sending configuration changes to the devices. It has both a web GUI and a command line interface. He demonstrated adding a new VLAN, which triggered the pipeline via a webhook. Open-source code is available https://github.com/netboxlabs/netbox-devops.
IP Fabric Proof of Concept: Manage Your Network, Not Your Network Devices
PoC demonstration: An ETL system that gathers and parses network data. It also provides dynamic network diagram creation.
AutoCloud Proof of Concept: Automating Your Automation
PoC demonstration: He created a new blueprint with fields such as name, description, and a list of the Terraform modules to run. He chose which variables from the Terraform modules should be shown on the form. Then he demonstrated the end user’s view: he filled in and submitted the form. This automatically pushed the Terraform job to GitHub, which caused Terraform to run it.
Cybersecurity / Cyber Risk
Securing Any Application on Any Cloud – Fortinet
Even just a single web page nowadays needs a huge set of resources to support it. Apps now live everywhere: from the cloud to the edge. Multi-cloud use is widespread, and still growing. The problem is knowing how to ensure all of that is secure. The networks, applications, serverless processes, APIs, etc., and at all stages (development, deployment, runtime). Fortinet has FortiGuard and FortiManager that work with multi-clouds natively, and with firewalls (even FaaS and containerized firewall). It can be automated with Terraform and Ansible. It’s dynamically aware of its environment. And their licensing scheme is highly flexible.
Bias Towards Building with Deployable Vulnerability Layers: An Approach to Container Security
Tooling won’t solve everything. Scaling can cause even more problems, but the department can’t hire, for example, 500 incident response engineers to handle all of them. The problem needs automation to provide a solution. PoC demonstration: “dynamic vulnerability layers” implemented by Javascript functions that create Kubernetes YAML manifests. He also showed an example of injecting an “infected” container to a Kubernetes environment, in order to allow hands-on training on incident response. They noted that you can also use metrics captured both before and after configuration changes, in order to prove to your clients that it’s actually working.
Addressing Industry Challenges around Vulnerability Management
Vulnerabilities are not just CVEs, but anything that can cause “exposure” (e.g., misconfiguration). Exploits are not just from script-kiddies anymore; instead, they can come from sophisticated criminal organizations, or state-sponsored actions. Software now has a large dependency on small open-source libraries. Software bills of material (SBOMs) help, but they are not a cure-all, due to deeply nested levels of dependencies. We get huge lists of (thousands of) automatically detected vulnerabilities from scanning tools, but an inability to address them all. And they may not actually be exploitable. Furthermore, allowing vulnerability scanners access to your entire network can itself open up exposures.
Tenable Proof of Concept: Cyber Exposure Management: 5 Critical Pillars to Quantify and Reign in Cyber Risk
Provides a contextualized view of vulnerabilities. Context, for example: Is it publicly open and does it have secret information? Just knowing the level of severity of the vulnerability itself is not enough. Five “pillars” of solution: 1. asset visibility (i.e., “You can’t protect what you can’t see.”); 2. full view of risks: software vulnerabilities are only part of the story; (mis-)configuration is also a problem ; 3. map relationships between components (e.g., a missing load-balancer will never show up in any vulnerability report, and yet could be a huge risk); 4. understand the business context (i.e., “Is this important to the company?”) Having tags on assets can help in handling this; 5. continuous monitoring, look at trends in reduction of exposures as you address them over time.
Zscaler Proof of Concept: From Complex Routable WANs to Seamless Zero Trust Connectivity
How to connect all workloads? How to secure unauthenticated devices (e.g., POS systems)? Z-scaler is designed to connect workloads to each other, not to the “network” in general. 30% of attacks start from employees at remote locations, and then move laterally to internal systems. WANs are part of the cause. “Z-Connector” runs locally to build tunnels (not a routable WAN). He demonstrated an example of how two branch offices could connection to each other using Z-scaler devices. He showed the web GUI portal to manage branches and policies of how to connect devices. Policies are specific forwarding rules, or general catch-all rules handled automatically by the Z-scaler. He demonstrated proxy access via a browser, showing the Z-scaler SSL certificate. It showed the connection from branch to branch, and it had a GUI to show all access logs.
Elisity Proof of Concept: Redefining Microsegmentation: Elisity’s Identity based Approach to Cybersecurity
Elisity provides context-aware policies for network segmentation. Rather than having agents or special hardware, Elisity is software-based. It provides a highly granular level of device identification and classification. It allows for easy deployment, without disruption to the environment. It classifies devices into groups, and applies and enforces policies. All operation is dynamic, with no configuration required. It leverages several popular asset discovery/identity, and augments them with its own, creating a single source of truth. The PoC demonstration: zoned OT devices at the edge. They defined zones based on tags and “trust attributes”. They showed the GUI, having device attributes, and a policy matrix (source X destination). They demonstrated the system’s ability to show a “what if” scenario.
Demystifying Kubernetes Bill of Materials (KBOM): A Crucial Asset for Enterprise Cybersecurity
A BoM gives users all information about what software they are using, and how it affects them. Kubernets is designed for constant updating, causing difficulties for creating an accurate BoM. There are commercial efforts to create “zero defect” images, digitally signed with BoM. Regulation and oversight is on the upswing (e.g., DoD, President Biden). Currently SBOMs are often of a low quality. SBOM tools are not mature yet. As SBOM creation matures, ROI increases. Some common goals for the future include: streamlining the developer experience, automatic compliance, and accelerated CVE management.
Securing Your Multi-cloud Future with Cisco
Networks are constantly evolving and becoming more complex. Multi-cloud networks are becoming the norm. Spinning up OSs on VMs in the cloud, and deploying apps automatically, often daily, presents more and more problems trying to keep everything secure. This is in opposition to on-premises environments, which can be more fully controlled and monitored. Providing multi-cloud security is accomplished through introducing a layer above the various cloud interfaces to handle security. Above this layer is a SaaS layer, upon which security policies are written. Segmentation of the network is critical, to allow policies for “both source and destination”, and “both ingress and egress”. Using Terraform to automate the setup is becoming more common, providing a single point of management. They also mentioned using PagerDuty, Splunk, and Slack, to help with alerting and incident response. In trying to foresee the future, they are looking into a multi-cloud network security controller. “Better security means easier Ops means lower cost.”
Policy as Code Working Group Update: Exploring Policy-as-Code Use Cases
PaC WG purpose: defining architecture, increasing awareness, focusing on enterprise use cases, but not creating standards or new languages, and not recommending specific technologies. PaC is a “business-enabler,” not a product or a discrete technology. It is a broad topic. PaC WG is developing a common vocabulary. The group had a round-table discussion on various topics: understanding device lifecycle (e.g., end-of-life); maintaining FedRAMP compliance; streamlined with PaC (using Terraform). The ability to re-run (i.e., idempotent) helps with auditing (evaluating), because it can actually demonstrate “as-built” compliance; the WG is looking ahead to formalize this. They discussed how PaC was used for AWS devices to streamline orchestration. Agile development can lead to more requirements for network configuration, compliance, etc. They mentioned putting PaC right into the SDLC pipeline. PaC also aids in configuring for visibility (via Prometheus, DataDog, etc.).
Artificial Intelligence (AI)
NetOne Systems Proof of Concept: Governing the New Technologies like ChatGPT from a Financial/Security Perspective Using PaC in a Hybrid-cloud Environment
NetOne Systems PoC: Governing the New Technologies like ChatGPT. PaC (policy as code). In a hybrid-cloud environment (which are becoming more and more popular nowadays) AI costs increase. PoC demonstration: prototype model to help create governance policies. He used natural language to generate an Ansible playbook, via AI. He then used DataDog to detect the quantity of ChatGPT usage tokens. He showed how the human administrator can intervene to deny access.
Grokstream Proof of Concept: Grok AIOps
Grok AIOps allows you to find problems early in the lifecycle. There are no rules to configure; it’s purely AI. It clusters vulnerabilities, predicts, and classifies. PoC: they showed the UI, with a prioritized queue of alarms, which reduced number of incidents that needed to be addressed. Historical events were shown in a simple list. Next they showed how Grok helps engineers automate fixes. It displayed “closed” notes on how problem was resolved over time.
Navigating the twists and turns of your Enterprise Networking adventure? F3 Technology Partners is here to be your friendly guide, ready to answer your queries and assist you on the exciting next leg of your journey. Let’s chat and embark on the path to success together!
