December 21, 2023

Rethinking network security via Cisco Software-Defined Access

Chris Day
Principal Consultant - Infrastructure Solutions at Data#3

The transformation of modern networks is an exciting but challenging frontier in tech. It presents new opportunities to simplify, secure, and enhance network infrastructures to support the business transformation initiatives that are reshaping the way businesses deliver value to customers. However, it is also challenging because modern networks are complex, with multiple layers, protocols, and management tools.

An important benefit of this network transformation is the opportunity to rethink network security from the ground up, rather than as a series of retrofitted overlay solutions that also add unnecessary complexity.

As businesses grapple with the challenges of growing networks and security threats, the shift to software-defined networks continues to gain traction, and Cisco’s Software-Defined Access (SD-Access) is leading the way.

Embracing Catalyst Center

At the heart of Cisco’s solution is the recently renamed Catalyst Center (formerly known as DNA Center), their pivotal network management and command centre.

Cisco Catalyst Center fundamentally transforms network operations by strategically leveraging Artificial Intelligence (AI). The platform facilitates secure and efficient connections, thereby promoting seamless interaction between users, applications, and systems. This robust management system ensures consistency in user experience across both wired and wireless infrastructures while also simplifying the management of Cisco Catalyst network infrastructure.

The key benefits of Catalyst Center range from operational simplification and cost reduction, achieved through AI and automation, to deep insights into client health and business-critical applications. Security policies are both intuitive and AI-enabled, promoting streamlined compliance checks. Equally noteworthy is the enhancement of digital enterprise agility via process automation, which harnesses the full potential of both Cisco and third-party ecosystems.

Catalyst Center also improves the network’s security posture by reducing the attack surface, rectifying vulnerabilities, and adhering to zero-trust principles for network access. Catalyst Center is available as a virtual appliance and can be deployed on both AWS and VMware. The platform’s combination of operational efficiency, security, and sustainability marks Catalyst Center’s evolution into a modern, versatile system that can smoothly replace the now-obsolete Cisco Prime.

Software-defined access defines a new era

Organisations deploying Catalyst Center can take advantage of Cisco SD-Access – a game-changer in terms of network topology. Its architecture pivots around a single physical network that hosts many virtual networks. Multiple tenants or end-users can co-exist on this shared infrastructure without disrupting each other’s operations, amplifying efficiency and minimising redundancy.

Converting traditional hierarchical network architectures to a flat, Layer 3 domain does pose challenges around robust protocol management and troubleshooting. Cisco SD-Access streamlines this process by blending multiple network layers into one, thereby cutting down the redundant running costs associated with managing numerous protocols.

However, it’s the impact of Cisco SD-Access on security that’s of real interest.

Reconstructing the pillars of network security

Network security forms the bedrock for network management, and Cisco SD-Access alters the landscape on this front by decoupling IP addresses from location and opting for tags instead. This innovation simplifies security policy management for both wired and wireless users while redefining traditional security mechanisms.

Cisco SD-Access is also steadfastly committed to the zero-trust model, ensuring enhanced security with its mantra of “never trust, always verify”. Even without enforced security policies, macro-segmentation becomes a natural by-product of Cisco SD-Access, eliminating the need for rigorous manual rule deployments. Within each virtual network, network and security policies are then managed via micro-segmentation, made possible by the tags.

The underpinning technologies of the Cisco SD-Access zero-trust model

Network fabric and segmentation

Network fabric allows for the creation of several virtual networks, providing different operational environments within a single physical network infrastructure.

The standout attribute is network segmentation, making granular security enforcement possible while isolating different parts of the network. This segmentation:

By adhering to the principles above, Cisco SD-Access reinforces the zero-trust model’s essence, affirming that every aspect of hardening a network contributes to overall security.

Cisco Identity Services Engine (ISE)

The Cisco Identity Services Engine (ISE) serves as a robust tool for managing user and device identities.

ISE continuously profiles endpoints that connect to the network, promoting visibility and control over users and devices. Additionally, ISE enhances the network’s security posture by:

Cisco TrustSec

Cisco TrustSec simplifies the provisioning and management of network access control by classifying, or “tagging”, network traffic into different Security Group Tags (SGTs) based on the role of the source.

These SGTs enable an administrator to orchestrate granular access controls across the network. This approach supersedes traditional IP address-based access control lists (ACLs), which can become unwieldy in complex network environments.

The efficient implementation of SGTs promotes enhanced control over network access, ensuring that every user or device has precisely calibrated network permissions. It also offers flexibility and security in an intricate ecosystem.
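To make the contrast between IP-based ACLs and tag-based policy concrete, here is an added Python simulation (not code from this article, Data#3, or Cisco) of a role-based SGT policy matrix beside an equivalent IP ACL; the endpoints, subnets, and tag numbers are constructed sample values, and real enforcement happens on the switches with tags assigned by ISE.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Endpoint:
    name: str
    ip: str
    sgt: int  # Security Group Tag derived from the endpoint's role, not its address


# Constructed sample roles and tag values (hypothetical, not Cisco defaults)
EMPLOYEE, IOT_CAMERA, BADGE_SERVER = 10, 20, 30

# Traditional IP ACL: (source subnet, destination subnet, permit?) evaluated top-down.
# The policy intent ("cameras may not reach the badge server") is encoded as subnets.
IP_ACL = [
    (ip_network("10.1.0.0/24"), ip_network("10.9.0.0/24"), True),   # employee LAN -> badge server
    (ip_network("10.2.0.0/24"), ip_network("10.9.0.0/24"), False),  # camera VLAN  -> badge server
]

# SGT policy matrix: (source SGT, destination SGT) -> permit?  Address-independent.
SGT_MATRIX = {
    (EMPLOYEE, BADGE_SERVER): True,
    (IOT_CAMERA, BADGE_SERVER): False,
}


def ip_acl_permits(src: Endpoint, dst: Endpoint, default: bool = False) -> bool:
    """First matching ACL line wins; implicit deny when nothing matches."""
    for src_net, dst_net, permit in IP_ACL:
        if ip_address(src.ip) in src_net and ip_address(dst.ip) in dst_net:
            return permit
    return default


def sgt_permits(src: Endpoint, dst: Endpoint, default: bool = False) -> bool:
    """Policy is looked up by role pair, so it follows the endpoint wherever it attaches."""
    return SGT_MATRIX.get((src.sgt, dst.sgt), default)


def compare(src: Endpoint, dst: Endpoint) -> dict:
    return {"ip_acl": ip_acl_permits(src, dst), "sgt": sgt_permits(src, dst)}


# Constructed scenario: the same camera before and after it is re-addressed
# (e.g. plugged into an office port and given an employee-subnet lease).
badge = Endpoint("badge-server", "10.9.0.5", BADGE_SERVER)
camera_home = Endpoint("camera", "10.2.0.7", IOT_CAMERA)
camera_moved = Endpoint("camera", "10.1.0.42", IOT_CAMERA)

if __name__ == "__main__":
    print("camera in camera VLAN:", compare(camera_home, badge))
    print("camera re-addressed:  ", compare(camera_moved, badge))
```

The second case is the point of the section: once the camera lands in the employee subnet, the IP ACL silently permits it while the tag-based policy still denies it, because the tag travels with the device's role rather than its address.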

Cisco Catalyst 9000 Infrastructure

Cisco Catalyst switches and access points are foundational elements of the Cisco Catalyst Center Architecture and enable you to optimise the access security across the network.

This powerful high-speed infrastructure is designed to handle a hybrid world where the workplace is anywhere, endpoints could be anything, and applications are hosted all over the place.

Enhancing mobility and IoT security

Innovation extends further to Seamless Layer 2 Mobility and IoT security as Cisco SD-Access eliminates the bottleneck of wireless controllers in wireless mobility. This upgrade enables the edge switches to act as a distributed data plane for wireless mobility, significantly heightening the network’s scale and performance.

With IoT devices proliferating across networks, Cisco SD-Access simplifies IoT and IT integration through secure authentication and mobility. It offers secure placement for connected devices while isolating them from the rest of the network. Thus, IoT devices enhance the functionality of the network and do so without threatening security or performance.

Conclusion

Cisco SD-Access is at the forefront of evolving network design principles. It simplifies complex network management while enhancing security and operational efficiency. No matter where you are in your journey, we can help you accelerate your digital network transformation. If you would like to explore Cisco SD-Access, please request a consultation with one of our team.