Making the network the best line of defense from the inside out
- By David Mihelcic
- Nov 06, 2017
“If it’s connected, it can be infected.” It’s a mantra that government IT professionals have learned to live by over the past few years, as bring-your-own-device, the internet of things and other factors have exposed federal networks to increasingly sophisticated threats.
In this world, the old rules of protecting the network perimeter at all costs are insufficient. Threats exist everywhere -- both inside and outside the organization -- and every connected device offers an entry point for hackers or malicious insiders. It’s no longer about keeping the enemy out, but about being able to quickly identify, respond to and contain threats, wherever they may be.
Given this precarious situation, agencies must find better ways of protecting their networks and data while effectively managing the myriad security tools in their arsenal. Ironically, doing this should start and end right at the place agencies are fighting to protect: the network itself.
The network as the first line of defense
By building a software-defined secure network, agency IT professionals can turn every component of the network, whether physical, virtual or cloud-hosted, into a security enforcement point. During a security incident those components can alert IT teams to the danger and detect and block threats on either side of the network perimeter.
With software-defined secure networking, network components become sensors that deliver context-aware threat alerts and active participants in security policy enforcement. Firewalls, both virtual and physical, are sized to their place in the network so that they provide consistent, automated defense in any environment. Although the infrastructure consists of many devices, it is managed as a single enforcement domain, and policy can be pushed dynamically to any device to block a threat where it occurs.
Building the foundation for this approach requires a step-by-step process. Let’s take a look at each of these steps, all of which are critical to building a complete and truly secure network from the inside out.
Step 1: Reduce the complexity of security management
Increasingly complex security landscapes with dozens (if not hundreds) of devices feature multiple points of policy control and potentially hundreds of thousands of enforcement points that do not necessarily share information with one another. These environments are frustrating and difficult to manage, and they demand enormous effort from federal IT professionals.
The first step in implementing a software-defined secure network is simplifying these onerous infrastructures. Agencies should consider centralizing policy, management and visibility so that relatively small teams of skilled professionals can more easily handle security. Teams should be able to manage many devices and threats from a single viewpoint, which can help them better administer highly dispersed and heterogeneous environments.
Step 2: Automate security as much as possible
Automation takes threat response off the shoulders of security teams by enabling the network itself to respond to and remediate potential threats in real time. Systems can stream data for real-time analysis and share it across system boundaries. Correlating events from multiple sources yields far better detection than any single source can, and it helps teams uncover threats that would otherwise go unnoticed.
Meanwhile, the information and intelligence gleaned from a single incident can be used to prevent future attacks. By combining automation with machine learning, agency teams can build strong, real-time security postures that can evolve along with threats, helping them keep a step ahead.
Step 3: Contain threats using all means necessary
The core piece of the software-defined secure networking strategy -- the ability to use all network components to combat threats -- is actually the last step in the process. It can only be done if the groundwork for centralized control and automation has already been laid.
Upon completion of this last, key step, federal IT professionals will have an extraordinarily powerful security program at their disposal. Consider, for example, what might happen if an internal user accidentally downloaded ransomware or other malware and the agency relied only on traditional perimeter security. That incident might fly well under the agency's radar. With a unified, automated and software-defined secure network, however, the threat could be contained immediately and the offending endpoint quarantined and tracked.
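As an added illustration (not code from this article or from Juniper), here is a toy controller that ties the three steps together: it ingests alerts from several hypothetical sensors, correlates them per endpoint so that one noisy sensor cannot trigger containment on its own, and renders a single quarantine intent as a rule for every enforcement point that can see the host. The sensor log format, the device inventory, the thresholds and the rule strings are all constructed for the example and are not any product's syntax.

```python
"""Toy controller for a single enforcement domain (hypothetical example).

Correlates alerts from several sensors about one endpoint, then emits a
quarantine policy for each enforcement point that can reach that endpoint.
Sensor log formats, device names, subnets and rule strings are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value alert lines as hypothetical sensors might send them.
SAMPLE_ALERTS = [
    "2017-11-06T14:02:11Z sensor=fw-edge-1 kind=malware-download src=10.20.5.17 dst=203.0.113.45",
    "2017-11-06T14:02:40Z sensor=dns-sink-1 kind=c2-lookup src=10.20.5.17 qname=update.example",
    "2017-11-06T14:03:05Z sensor=fw-edge-1 kind=c2-beacon src=10.20.5.17 dst=198.51.100.9",
    "2017-11-06T14:05:00Z sensor=ids-core-1 kind=port-scan src=10.20.7.3 dst=10.20.5.0/24",
    "2017-11-06T15:40:00Z sensor=fw-edge-1 kind=malware-download src=10.20.7.3 dst=203.0.113.45",
]

# Constructed inventory: each enforcement point and the subnet it can see.
ENFORCEMENT_POINTS = [
    {"name": "sw-access-5", "type": "switch",   "covers": "10.20.5.0/24"},
    {"name": "sw-access-7", "type": "switch",   "covers": "10.20.7.0/24"},
    {"name": "fw-edge-1",   "type": "firewall", "covers": "10.20.0.0/16"},
    {"name": "wlc-1",       "type": "wireless", "covers": "10.20.5.0/24"},
]

WINDOW = timedelta(minutes=5)   # corroborating alerts must fall inside this window
MIN_DISTINCT_SENSORS = 2        # one sensor alone never triggers quarantine

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_alert(line):
    """Turn one key=value alert line into a dict; return None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return fields


def correlate(lines):
    """Return hosts reported by >= MIN_DISTINCT_SENSORS sensors within WINDOW,
    with the evidence that triggered the verdict."""
    by_host = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a and "src" in a and "sensor" in a:
            by_host[a["src"]].append(a)
    verdicts = {}
    for host, alerts in by_host.items():
        alerts.sort(key=lambda a: a["ts"])
        for i, first in enumerate(alerts):
            inside = [a for a in alerts[i:] if a["ts"] - first["ts"] <= WINDOW]
            sensors = {a["sensor"] for a in inside}
            if len(sensors) >= MIN_DISTINCT_SENSORS:
                verdicts[host] = {"sensors": sorted(sensors),
                                  "kinds": sorted({a.get("kind", "?") for a in inside}),
                                  "first_seen": first["ts"]}
                break
    return verdicts


def quarantine_policy(host):
    """Render the one intent 'isolate host' for every device that can see it.
    The rule strings are placeholders, not any vendor's configuration syntax."""
    addr = ipaddress.ip_address(host)
    actions = []
    for ep in ENFORCEMENT_POINTS:
        if addr not in ipaddress.ip_network(ep["covers"]):
            continue
        if ep["type"] == "switch":
            rule = f"access-port acl: deny any traffic from {host}"
        elif ep["type"] == "firewall":
            rule = f"policy: drop flows with source {host}"
        else:
            rule = f"wireless: move client {host} to quarantine VLAN"
        actions.append({"device": ep["name"], "rule": rule})
    return actions


def contain(lines):
    """Full pipeline: correlate, then open a tracked case per host to isolate."""
    return [{"host": host, "evidence": ev, "actions": quarantine_policy(host)}
            for host, ev in correlate(lines).items()]


if __name__ == "__main__":
    for case in contain(SAMPLE_ALERTS):
        print(case["host"], "quarantined on evidence", case["evidence"]["kinds"])
        for act in case["actions"]:
            print("  ", act["device"], "->", act["rule"])
```

Run against the constructed alerts, only 10.20.5.17 is isolated: two different sensors saw it within a minute, and the quarantine lands on the access switch, the edge firewall and the wireless controller that cover its subnet. Host 10.20.7.3 is reported by two sensors too, but 95 minutes apart, so it is left alone; that threshold is the check that keeps automated containment from turning one false positive into a self-inflicted outage.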
Combating radically evolving threat vectors requires agency IT professionals to stop thinking about security from the perimeter and start using every means at their disposal to fight both internal and external threats. That starts -- and ends -- with their networks.
David Mihelcic is the Head of Federal Strategy and Technology supporting the Juniper Networks Federal sales, engineering, and operations teams. In this role, David is responsible for supporting the design and implementation of automated, scalable and secure networking solutions that meet government customer expectations, satisfy technical and certification requirements, and support global government missions.
David joined Juniper Networks in February 2017 following 18 years with the Defense Information Systems Agency (DISA), where he retired as Chief Technology Officer, a position he held for more than 12 years. He served as the DISA senior authority on scientific, technical, and engineering matters and developed the DoD’s enterprise-wide systems engineering (EWSE) process and plan. He also established DISA’s board for facilitating and governing cross-program integration and synchronization.
Prior to his appointment as CTO, David held positions of increasing responsibility, including Deputy Program Director and Chief Executive Engineer for the Global Information Grid Bandwidth Expansion (GIG-BE) Program. In this role he was the technical authority for the $800+ million expansion of DoD terrestrial communications and was responsible for defining the GIG-BE architecture and leading the technical aspects of the program. Previously he was Chief Executive Engineer for the Defense Information System Network (DISN), Commander of the Center for Horizontal Integration, and DISA Deputy Chief Executive Engineer for Information Processing.
David was appointed to the Federal Senior Executive Service at DISA in 1999 and in 2007 he was selected to receive the Presidential Rank Award in recognition of a sustained record of exceptional professional and technical performance. Before joining DISA, David led the Network Security Section of the Naval Research Laboratory and was a Senior Consultant with SRI Consulting.
David is a graduate of the University of Illinois at Urbana-Champaign, where he earned a Bachelor of Science degree in Electrical Engineering.