Where Networks Need to Go

Scott Harrell
3 min read · Jun 5, 2018


In 2017, a fish tank was the beachhead for a cyber attack on a casino. Hackers breached a PC that was monitoring its basic operation (temperature and other data), and from there, traversed the casino’s network to systems that held much more sensitive information. The hackers exfiltrated about 10GB of data to a device in Finland.

All because an innocuous fish tank was connected to the casino’s network.

Are you working on a network right now that has a fish tank on it, figuratively speaking? Almost certainly. Nearly every enterprise network today is under constant attack from hackers aiming to either steal its data or cripple it, by any avenue possible.

The stakes are immense for network managers, not to mention the businesses, customers, governments, and other groups that rely on them.

It’s not like this type of threat came out of nowhere. For years we’ve been seeing attacks in which hackers compromise an innocuous networked device, and traverse the network from there to reach more valuable targets.

Gotta Keep ’em Separated

A reasonable person might ask: Why would a fish tank have any access at all to a network with business-critical data or systems on it? Shouldn’t it be on a different network from critical business devices?

Unfortunately, for most organizations it would be impractical and inefficient to put different devices or users on physically separate networks. It’d be like giving each team working in a building their own private hallways. We all share the same underlying infrastructure.

For years (seriously, decades) network managers have been using different methods to logically wall off some users and devices from others. Keeping IoT devices, for example, on a different “virtual network” from employee laptops is a good first step to keeping networks secure. A robust network segmentation strategy can prevent a hacked device from accessing, or even seeing, other devices on a network.

On today’s networks, where mission-critical machines co-exist with employee-owned devices (smartphones) and an exploding number of IoT devices like sensors and industrial controls, keeping devices on the right virtual network segment is even more important.

But as networks get larger and more complex, the tools we have been using for managing network segmentation are straining under the load. Most network managers have to individually manage the pieces of their network hardware, and keep track of byzantine rules uploaded into each one, in order to keep networks secure. One slip-up — which might not be obvious — and you end up with your own Fish Tank Problem.

There is a better way

In 2017, Gartner popularized the phrase “Intent-based networking” to illustrate a new philosophy for dealing with modern networks. In brief, the idea of intent-based networking is that a network manager can define what the network is intended to do (for example, “keep industrial control systems separate from financial databases,” or, “make sure the CEO’s videoconference calls always get the best possible bandwidth, no matter which office they’re using”) and have the network software and hardware automatically manage itself to achieve those intents.

There are a lot of technical and organizational challenges to intent-based networking. But it is where we need to go. There are literally too many new devices coming online for us to manage their connections the old way. We must move to a more manageable system for running our networks.
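As an added illustration of the intent idea (this is example code written for this page, not Cisco’s software or anything from the original post), the script below takes a declared intent such as “IoT must not reach finance,” an ordered access list of the kind uploaded to individual devices, and checks whether the rules actually honor the intent. The addressing plan, segment names, and rules are constructed for the example; the “bad” list reproduces the kind of slip-up the article mentions, a broad permit inserted above the deny that was supposed to wall off the IoT segment.

```python
"""Check a segmentation rule set against a declared isolation intent.

Hypothetical example: segments, addresses and rules are constructed here,
not taken from any real network or product.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed sample addressing plan (assumption, not from the article).
SEGMENTS = {
    "iot": ipaddress.ip_network("10.10.0.0/16"),      # sensors, HVAC, fish tanks
    "corp": ipaddress.ip_network("10.20.0.0/16"),     # employee laptops
    "finance": ipaddress.ip_network("10.30.0.0/24"),  # sensitive databases
}


@dataclass(frozen=True)
class Rule:
    """One ordered ACL entry; dport None means any destination port."""
    action: str  # "permit" or "deny"
    src: Net
    dst: Net
    dport: Optional[int] = None


def first_match(rules: List[Rule], src_ip, dst_ip, dport: int) -> str:
    """Evaluate an ordered ACL the way devices usually do:
    first matching entry wins, with an implicit deny at the end."""
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"


def allowed(rules: List[Rule], src: str, dst: str, dport: int) -> bool:
    """Convenience wrapper: is a single flow (given as strings) permitted?"""
    return first_match(rules, ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), dport) == "permit"


def _overlap(a: Net, b: Net) -> Optional[Net]:
    """Intersection of two prefixes: when they overlap, one contains the other,
    so the more specific prefix is the overlap."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def check_isolation(rules: List[Rule], intents: List[Tuple[str, str]],
                    segments=SEGMENTS):
    """intents: (src_segment, dst_segment) pairs that must NOT be reachable.

    For every permit entry that touches both segments, build a concrete witness
    flow and evaluate it against the whole ordered list. Every violation reported
    is real (the witness flow is actually permitted); a permit only partly
    shadowed by an earlier deny can still slip past this sampling approach.
    """
    violations = []
    for src_name, dst_name in intents:
        for idx, r in enumerate(rules):
            if r.action != "permit":
                continue
            s = _overlap(r.src, segments[src_name])
            d = _overlap(r.dst, segments[dst_name])
            if s is None or d is None:
                continue
            # First usable host in each overlap serves as the witness flow.
            src_ip = next(s.hosts(), s.network_address)
            dst_ip = next(d.hosts(), d.network_address)
            port = r.dport if r.dport is not None else 443
            if first_match(rules, src_ip, dst_ip, port) == "permit":
                violations.append((idx, str(src_ip), str(dst_ip), port))
    return violations


ANY = ipaddress.ip_network("10.0.0.0/8")
INTENTS = [("iot", "finance")]  # the declared intent: IoT never reaches finance

# Slip-up: a broad "HTTPS to the finance portal" permit sits above the wall.
RULES_BAD = [
    Rule("permit", ANY, SEGMENTS["finance"], 443),
    Rule("deny", SEGMENTS["iot"], SEGMENTS["finance"]),
    Rule("permit", SEGMENTS["iot"], SEGMENTS["corp"]),
]
# Same entries with the deny placed first, as the intent requires.
RULES_GOOD = [RULES_BAD[1], RULES_BAD[0], RULES_BAD[2]]

if __name__ == "__main__":
    for name, rules in (("bad", RULES_BAD), ("good", RULES_GOOD)):
        print(name, check_isolation(rules, INTENTS))
```

Running it reports a concrete witness flow for the bad list (an IoT host reaching a finance host on port 443 through the misplaced permit) and nothing for the corrected list. The point is the direction of the check: the operator states the outcome they want once, and the tooling verifies the device-level rules against it, rather than the operator re-reading every entry on every box after each change.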

Along the way, intent-based networking gets network managers much better visibility into what their networks are doing, and it lets them track devices as they move around inside the network. It also makes it easier to keep an eye on external attacks.

Cisco has officially been in the intent-based networking game for about a year now (we’ve been working on the technology for much longer), and we have a lot to share and teach about our journey. I’ll be covering those lessons, how they’re affecting the products and services we’re developing, and where I see networking going in the future, in upcoming stories.
