security manufacturers have deployed virtualized network
functions. Users can have Cisco or Juniper routing, firewalls by Fortinet, Barracuda or Cisco, and WAN acceleration from Riverbed or SonicWall—entities users know and
trust—all running at line speed on the same commodity
Coupled with NFV, network orchestration enables agility
and elasticity and drastically shortens the timeline required
to react to threats or changing missions. When done correctly, orchestration provides a policy-driven operational
management framework for security, performance and resiliency. It reduces capital expenditures through a self-monitored automation approach, providing dynamic bandwidth
to meet changing demand and ensuring network failures
are detected and resolved—all without human intervention.
Orchestration facilitates operational efficiency through the
real-time automation of service, network and cloud delivery.
In an orchestrated network, predetermined policies are
applied when certain conditions are met. For instance, if
suspicious traffic is detected, a new firewall rule can be put
in place to block the offending traffic. Also, routing and
security profiles can be modified automatically as a new
service spins up a virtual machine in the data center. These
policies are not device-specific configuration files painstakingly crafted by network engineers. Instead, the orchestration engine works to find those configuration files and, if
necessary, any new virtual appliances required to implement
the policies and deploys them as needed.
SDN, NFV and orchestration clearly can be applied to the
technical hurdles of C2D2E. Once a commander’s operational needs have been translated into information technology policies, they can be loaded into an orchestration engine
with appropriate triggers and tripwires. When a specific
situation arises, a complete set of configuration changes can
be deployed across a network, on command, either automatically or by an administrator. These include firewall and
routing rule changes, Quality of Service adjustments and
reprioritization and, because orchestration is not limited to
network devices, application server reconfiguration. Today,
providing C2D2E sits at the less complicated end of an SDN
capability. Even network upgrades only require downloading a new virtual appliance version and pushing it to the
appropriate spot on the network.
There is no reason to stop there. What if a cyber attack
overwhelms the perimeter firewall and sends more packets—and triggers more rules—than the processor can handle? A software-defined and orchestrated network simply
can apply more compute resources to the firewall appliance
or, by evaluating the attack, reconfigure the firewall to process the attack earlier in the rule set and discard the packets
without overloading the system.
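
The rule-reordering idea above, as an added example that is not part of the original article: in a first-match rule set, flood packets that only hit the default deny are checked against every rule, so a hypothetical orchestration policy (`promote_drop`) places a drop rule first, but only if no sampled verdict changes. All rule names, addresses and the threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # source CIDR (IPv4)
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "drop"

    def matches(self, pkt):
        src, dport = pkt
        in_net = ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
        return in_net and self.dport in (None, dport)

def evaluate(rules, pkt):
    """First-match evaluation: return (action, number of rules checked)."""
    for checked, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, checked
    return "drop", len(rules)  # implicit default deny

def cost(rules, packets):
    """Total rule checks needed to classify every packet."""
    return sum(evaluate(rules, p)[1] for p in packets)

def promote_drop(rules, packets, threshold):
    """Put a drop rule first for the /24 sending the most dropped packets.
    Returns the rule set unchanged if no prefix reaches the threshold or
    if the new rule would change the verdict for any sampled packet."""
    dropped = Counter(str(ipaddress.ip_network(f"{p[0]}/24", strict=False))
                      for p in packets if evaluate(rules, p)[0] == "drop")
    prefix, hits = (dropped.most_common(1) or [(None, 0)])[0]
    if prefix is None or hits < threshold:
        return rules
    candidate = [Rule(f"auto-drop-{prefix}", prefix, None, "drop")] + rules
    same = all(evaluate(rules, p)[0] == evaluate(candidate, p)[0] for p in packets)
    return candidate if same else rules

# Constructed sample: five-rule policy, a 1000-packet flood, normal traffic.
RULES = [Rule("allow-web", "0.0.0.0/0", 443, "allow"),
         Rule("allow-dns", "0.0.0.0/0", 53, "allow"),
         Rule("allow-mgmt-ssh", "198.51.100.0/24", 22, "allow"),
         Rule("allow-mail", "0.0.0.0/0", 25, "allow"),
         Rule("default-drop", "0.0.0.0/0", None, "drop")]
FLOOD = [(f"203.0.113.{i % 250 + 1}", 23) for i in range(1000)]
LEGIT = [("192.0.2.10", 443)] * 100 + [("192.0.2.11", 53)] * 20 + [("198.51.100.5", 22)] * 5
```

On this sample, `cost(RULES, FLOOD + LEGIT)` falls from 5155 rule checks to 1280 once the promoted rule is in place, and the promotion is refused if the same prefix also sends traffic that the existing rules allow.
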
When SDN is deployed throughout a network, it makes
more sense to talk about numerous firewalls, deployed
exactly where needed to maximize effect. Security boundaries
can be applied flexibly wherever there is an SDN appliance.
Tailored response options can be crafted and applied
close to the affected systems. If a new threat is detected that
moves between database servers and domain controllers,
then routing can be modified to place a security device
between the two without making any changes to the perimeter,
rolling out new hardware or affecting user functionality
and infrastructure.
SDN, NFV and orchestration provide the tools necessary to solve what are now incredibly complex problems.
Whether the Navy’s goals are C2D2E, rapid response to
changing cyber conditions or enhanced network security
and resiliency for users, the capability is available, and
industry knows how to supply it.
Cmdr. Jamie Gateau, USN (Ret.), is the director of strategy
and solutions for AT&T Global Business, Public Sector Solutions. He retired after 20 years of service in the U.S. Navy,
first as an aviator and then as an information professional
officer. The views expressed here are his own.
contact: Jamie Gateau, firstname.lastname@example.org