Nuage Networks has recently won the Open Networking User Group (ONUG) “Right Stuff Innovation” award for excellence in showcasing a comprehensive Proof of Concept (PoC) for the Software-Defined Security Services (S-DSS) Working Group Initiative. This award offers further evidence of Nuage Networks' ability to address real-world security issues in a hybrid multi-cloud environment.
Open Networking User Group and Software-Defined Security Services (S-DSS) Working Group Initiative
ONUG and the S-DSS working group initiative view hybrid multi-cloud as a fundamental building block for digital transformation and, consistent with that view, they designed a comprehensive set of PoC hybrid multi-cloud building blocks and test requirements against which each prospective vendor candidate was measured. S-DSS's position statement best articulates what is expected of today's security solution:
“The S-DSS working group’s framework consists of a security architecture that is intent based that wraps policy around workloads, independent upon host model that is bare metal, hypervisor, container and serverless. Policy enforcement is local to the workload and independent upon its physical location be it on or off premises”
Nuage Networks Virtualized Security Services
S-DSS's mission statement is directly in alignment with Nuage Networks' philosophy on addressing security for SDN and SD-WAN networks. The approach to security should leverage the policy-driven, secure, automated, and highly scalable nature of software-defined networking (SDN) to address the multifaceted security requirements of dynamic, heterogeneous enterprise environments. In fact, one of Nuage Networks' product leaders, Hari Krishnan, recently wrote a blog post describing a better approach to security that aligns with the requirements ONUG identified for today's enterprise networks. In his post, Hari concludes that enterprises should employ an SDN-based software-defined security architecture that addresses each of the following key areas of security: prevention, detection and response:
- Prevention – prevent security breaches from happening by creating policies that segment applications and their workloads and enforce security measures for each segment.
- Detection – leverage contextual flow analytics to understand and visualize the network on a per-application basis in terms of traffic, workloads, and service tiers, with the goal of detecting anomalous traffic and potential security threats.
- Response – scale remediation by automating policy-driven security triggers, such as steering specific traffic flows to advanced security services or mirroring select traffic flows to intrusion detection systems (IDS) and security analytics tools for further analysis.
Furthermore, Nuage Networks believes that the right platform needs to be able to seamlessly apply these three security tenets across multiple data centers, private and public clouds, and any branch location that is part of an enterprise network. It is also essential that the solution supports a multi-vendor, heterogeneous (i.e. virtualized and non-virtualized), and multi-hypervisor deployment environment. Finally, the right solution needs to be open and pre-integrated with a host of partners across cloud management vendors, service orchestration vendors, public cloud vendors, and key security service vendors.
ONUG’s Software-Defined Security Services Working Group PoC Requirements
The PoC utilized a test environment as outlined in the following diagram.
With this drawing as context the following capabilities were some of the key security features that were showcased by Nuage Networks:
- Hybrid multi-cloud environment – the PoC included two public clouds and a private data center. It included several service tiers (i.e. layers) spread across the three locations of the test bed, as depicted in the drawing.
- Heterogeneous deployment environment – the PoC setup involved both virtualized (i.e. virtual machines (VMs) and containers) and non-virtualized (i.e. bare metal servers) deployments, and for VM deployments the setup required multiple hypervisors (i.e. ESXi, KVM, and Hyper-V).
- Micro-segmentation – to meet a specific set of communication and access control rules governing the interaction between service tiers and user groups (i.e. users, database admins, and data scientists), intent-based security policies were created and applied to enforce these rules using embedded stateful L4 firewalls.
- Encryption – traffic flows between specified service tiers were encrypted thus further securing these specific flows.
- Visibility and Analytics – application discovery using contextual flow visualization was demonstrated for each service tier along with showcasing an understanding and visualization of the traffic relationship between each of the tiers.
- Traffic Steering and Port Mirroring – the ability to both steer and mirror traffic on per-application and per-service tier level to another VM or service insertion point to drive further analytics and processing was demonstrated.
- Alerts and Automated Response – alerts were shown to be raised when policy-defined threshold crossing alarms (TCAs) were exceeded, along with the triggering of automated policy-defined actions.
- Single Pane of Glass – all PoC results were demonstrated from a single platform acting as a single pane of glass in terms of both visibility and API support.
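As an added illustration of the three tenets described earlier (prevention, detection, response) and of the micro-segmentation and TCA-driven automated response demonstrated in the PoC, the following Python sketch is example code written for this page; it is not Nuage Networks product code and does not use the Nuage API. The tiers, workload names, rules, threshold and flow records are all constructed for the example.

```python
"""Added illustration: intent-based micro-segmentation with stateful L4 enforcement
and threshold crossing alarms (TCAs) that trigger an automated response.

Generic example code written for this article, not Nuage Networks product code.
Tiers, workload names, rules, thresholds and flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    tier: str       # service tier or user group the intent policy refers to
    location: str   # informational only: enforcement never depends on it


@dataclass(frozen=True)
class Rule:
    """Intent: workloads in src_tier may open proto/dport to workloads in dst_tier."""
    src_tier: str
    dst_tier: str
    proto: str
    dport: int


class SegmentationEngine:
    """Default-deny, tier-based policy with a minimal connection table."""

    def __init__(self, workloads, rules, tca_threshold=3):
        self.workloads = {w.name: w for w in workloads}
        self.rules = set(rules)
        self.tca_threshold = tca_threshold   # denied flows per source before a TCA fires
        self.conntrack = set()               # (src, dst, proto, dport) of allowed forward flows
        self.denied_per_src = defaultdict(int)
        self.quarantined = set()             # sources cut off by the automated response
        self.alarms = []
        self.mirror_to_ids = []              # sources whose traffic would be mirrored to an IDS

    def evaluate(self, src, dst, proto, sport, dport):
        """Return 'allow' or 'deny' for the first packet of one flow (prevention)."""
        if src in self.quarantined:
            return "deny"
        # Stateful return traffic: a reply matches the reverse of a tracked forward flow.
        if (dst, src, proto, sport) in self.conntrack:
            return "allow"
        s, d = self.workloads[src], self.workloads[dst]
        if Rule(s.tier, d.tier, proto, dport) in self.rules:
            self.conntrack.add((src, dst, proto, dport))
            return "allow"
        self._record_denial(src)
        return "deny"

    def _record_denial(self, src):
        """Detection: count violations per source. Response: act once the TCA trips."""
        self.denied_per_src[src] += 1
        if self.denied_per_src[src] >= self.tca_threshold:
            self.alarms.append(f"TCA: {src} exceeded {self.tca_threshold} denied flows")
            self.quarantined.add(src)       # automated policy action: isolate the source
            self.mirror_to_ids.append(src)  # and hand its traffic to an IDS for analysis


def run_demo():
    """Constructed three-tier environment spread across two clouds and a data center."""
    workloads = [
        Workload("user1", "user", "branch"),
        Workload("web1", "web", "public-cloud-a"),
        Workload("app1", "app", "public-cloud-b"),
        Workload("db1", "db", "private-dc"),
        Workload("dba1", "dba", "private-dc"),
    ]
    rules = [
        Rule("user", "web", "tcp", 443),
        Rule("web", "app", "tcp", 8080),
        Rule("app", "db", "tcp", 5432),
        Rule("dba", "db", "tcp", 5432),
    ]
    engine = SegmentationEngine(workloads, rules, tca_threshold=3)
    flows = [  # (src, dst, proto, sport, dport), constructed for the example
        ("user1", "web1", "tcp", 51000, 443),   # allowed by intent
        ("web1", "app1", "tcp", 52000, 8080),   # allowed by intent
        ("app1", "db1", "tcp", 53000, 5432),    # allowed by intent
        ("db1", "app1", "tcp", 5432, 53000),    # reply: allowed by connection state
        ("web1", "db1", "tcp", 52001, 5432),    # web may not reach db directly
        ("user1", "db1", "tcp", 51001, 5432),   # denied, 1st violation by user1
        ("user1", "app1", "tcp", 51002, 8080),  # denied, 2nd violation
        ("user1", "db1", "tcp", 51003, 22),     # denied, 3rd violation: TCA fires
        ("user1", "web1", "tcp", 51004, 443),   # matches a rule, but user1 is now quarantined
    ]
    verdicts = [engine.evaluate(*f) for f in flows]
    return {"verdicts": verdicts, "alarms": engine.alarms,
            "quarantined": sorted(engine.quarantined)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Policy is keyed on tier, never on location, which is the S-DSS point that enforcement is local to the workload and independent of where it runs. The reverse-tuple lookup is the stateful half of an L4 firewall: the db tier never needs an explicit rule back to the app tier. The per-source denial counter is the TCA; once a source trips it, the policy action (isolation and mirroring for analysis) fires without an operator in the loop, so a later flow that a rule would otherwise permit is still dropped.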
A panel of independent industry analysts served as judges for this event. The judging criteria were broken into three sections. The first was how closely each vendor's PoC and capabilities aligned with S-DSS's position statement on the desired security framework. The second was how many different security services each solution provided (access control, traffic steering, visualization, etc.). The third and last was how easy the solution was to manage.
Nuage Networks and the Future of Security
Receiving this award is further validation of the philosophy that Nuage Networks builds into its approach to security. Software-defined networks require a software-defined security solution and this approach needs to be deployable to meet the realities of today’s enterprise networks. Specifically, the solution should span across a hybrid of data centers, private clouds, public clouds, and branch locations, support both virtualized and non-virtualized assets, and be open with support for a multi-vendor environment.
With the emergence of the Internet of Things (IoT), Artificial Intelligence (AI), 5G technology, the increased use of Wi-Fi, and greater enterprise employee mobility, the industry is rapidly moving toward more unique devices, more endpoints, more traffic and, unfortunately, many more security concerns. However, with the right technology partner in place these challenges can not only be overcome but can become an opportunity. With significant wins and production deployments, Nuage Networks is committed to maintaining its position of leadership as the preferred partner to tackle the future security challenges within SDN and SD-WAN networks. To learn more about Nuage Networks and its security portfolio please visit http://www.nuagenetworks.net/.