Application Defined Network

An Application Defined Network (ADN) is a style of enterprise data network that uses virtual networks and security components to provide a separate logical network for each application. This allows customized security and network policies to be created to meet the requirements of that specific application. ADN technology allows for simple physical architectures with fewer devices and less configuration and integration. ADNs let an enterprise connect to corporate data centers, cloud services, and third-party networks securely and cost-effectively. Some ADN solutions integrate 3G or 4G wireless backup services to provide a second Internet connection when connectivity is lost on the primary access connection. The ADN design provides an application-to-application (A2A) model instead of a site-to-site (S2S) model.

ADN fundamentals

ADN solutions address the need to run multiple different applications, such as guest Wi-Fi, on the same network as regulated applications such as payment, while keeping the regulated applications secure. Traditionally, in S2S networks, having multiple applications on one network introduces security policy conflicts. Technologies such as guest Wi-Fi, mobile payment and cloud services open the traditional private network to outside security threats and create complexity in security policies and network administration. ADNs can be customized with security features that address specific application needs. They can also be enhanced with performance and reliability features such as traffic management for application prioritization and fail-over to backup connection services.

The design premise of ADNs is that complexity breeds vulnerability. They reduce complexity and the cost of investing in, managing, configuring and integrating multiple devices, and of isolating and resolving problems across them. ADNs are typically enabled on a secure appliance at each distributed enterprise location. These appliances integrate with a cloud network to connect applications to corporate data centers, cloud services, payment gateways, and partner networks. ADNs eliminate the potential for route conflicts, security cascades across applications, and problem cascades, in which one misbehaving application affects the other applications on the same network.[1]

  • Route Conflicts – traditional S2S networks carry multiple applications over single connections (e.g. VPNs, MPLS VPNs, and Ethernet) and require complex security rules to partition applications from one another. Simple errors in device configuration can create routing problems that breach the isolation required by strict security and compliance regimes such as PCI-DSS[2] and HIPAA[3]. Completely segmenting each application into its own discrete ADN removes the complexity of managing multiple security partitions across many locations.
  • Security Cascade – traditional S2S networks are subject to security bleed when a network segment that is open to the Internet gets breached. Advanced persistent threats (APTs) are becoming more frequent, effective, and damaging. The damage occurs when the threat establishes itself inside the breached segment and stealthily probes for entry points into other network segments. Several security breaches have been the result of this security cascade, in which weak separation between network segments is exploited. ADNs remove the ability of a security breach to cascade between network segments and applications by compartmentalizing applications into secure and isolated networks.[4]
  • Problem Cascade – on a traditional S2S network, when a problem in an individual application's configuration results in abnormal behavior, the problem ends up affecting all other applications on the network. Essentially, one application misbehaving results in all applications being affected and the entire network being degraded. Isolating the root of the problem becomes extremely difficult and time-consuming when a network is in chaos, or completely down. On an ADN, problems are confined to the specific application's network, allowing simpler fault isolation and resolution.

ADNs are logically defined virtual networks that extend from application enablers to application gateways. ADN solutions combine the ability to define specific LAN segments with an actual ADN. This makes it possible to extend the ADN through the LAN to a specific interface on the application enabler (POS system, server, etc.). An assigned zone locks a specific LAN port to a specific use. For example, LAN port 1 could be assigned to the payment ADN/LAN segment only. Consequently, no other device can use that port, and if an unauthorized device is plugged into this zone, it will not work. This provides both physical and logical protection against unauthorized use of ports.

The ADN then carries traffic from that LAN port over the public broadband connection, independently of any public IP addressing. The ADN is authenticated inside the cloud and transported to the destination application gateway. The result is an end-to-end network, from application enabler to application gateway, that is independently defined both physically and logically. The application gateway can reside in a corporate office or data center, at a cloud service provider, on a partner network, or virtually anywhere.

Application-to-application (A2A) networks remove S2S limitations by defining the network architecture at the application level. A2A networks enable the enterprise network to connect securely to any application, wherever it resides. They free the enterprise network from burdensome controls and restricted hub-and-spoke traffic patterns by allowing any-to-any traffic patterns based on the needs of the application itself. Companies no longer have to purchase application licenses and build the application within their own data centers, and so avoid the associated capital, network and IT resource costs. A2A networking helps companies deploy multiple applications efficiently using cloud services that address needs such as improved customer value, operational efficiencies, and product differentiation.[5]

Security

ADNs simplify security by establishing discrete, independent networks that do not require complex security rules to partition traffic types. They reduce the risk of human error in maintaining complex access control lists (ACLs) across many sites, which can create security vulnerabilities. For example, if an ADN with public Internet access is breached by an outside party, the breach cannot bleed into other ADNs, such as a payment ADN, because the compartmentalized networks share no path.
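The contrast drawn here, and under Route Conflicts, Security Cascade and the port-to-zone binding in the fundamentals section, can be made concrete with a small policy model: a shared S2S network whose only partition is an ordered ACL, beside ADN zones in which each LAN port is bound to one application network with its own routes. The Python below is an added illustration, not code from the original page or from any ADN product; the zone names, LAN port names, MAC addresses, IP ranges and ACL rules are all constructed for the example, and the guest Internet egress dropping RFC 1918 destinations is a modeling assumption.

```python
"""Toy policy model: a shared S2S network partitioned by an ordered ACL versus
ADN zones in which each LAN port is bound to exactly one application network.
Added illustration, not code from the page or from any ADN product. All
addresses, ports, zone names, MACs and rules below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ingress_port: str   # physical LAN port the frame arrived on
    src_mac: str        # hardware address of the sending device
    src: str            # IPv4 source address
    dst: str            # IPv4 destination address
    dst_port: int       # TCP destination port


def _dst_matches(dst_net: str, dst_port: Optional[int], flow: Flow) -> bool:
    """True when the flow's destination falls in dst_net (and port, if given)."""
    in_net = ip_address(flow.dst) in ip_network(dst_net)
    return in_net and (dst_port is None or dst_port == flow.dst_port)


# ---- Model 1: shared S2S network, isolation enforced only by one ordered ACL ----
# Entry: (action, src_net, dst_net, dst_port or None). First match wins.
CORRECT_ACL = [
    ("deny",  "10.20.0.0/16", "10.10.0.0/16",    None),  # guest Wi-Fi -> POS LAN
    ("allow", "10.10.0.0/16", "198.51.100.0/24", 443),   # POS LAN -> payment gateway
    ("allow", "10.20.0.0/16", "0.0.0.0/0",       None),  # guest Wi-Fi -> anywhere
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",       None),  # explicit final deny
]

# The same ACL after a one-character slip (/16 typed as /24) in the partition rule:
# guest hosts can now reach every POS address outside 10.10.0.0/24.
MISTYPED_ACL = [("deny", "10.20.0.0/16", "10.10.0.0/24", None)] + CORRECT_ACL[1:]


def s2s_decision(acl: List[tuple], flow: Flow) -> str:
    """Ordered first-match evaluation; a gap in an early rule falls through."""
    src = ip_address(flow.src)
    for action, src_net, dst_net, dst_port in acl:
        if src in ip_network(src_net) and _dst_matches(dst_net, dst_port, flow):
            return action
    return "deny"


# ---- Model 2: ADN zones, each LAN port bound to exactly one application network ----
# Routes that exist *inside* each ADN: (dst_net, dst_port or None, next hop).
ZONE_ROUTES = {
    "payment": [("198.51.100.0/24", 443, "payment-gateway-tunnel")],
    "guest":   [("0.0.0.0/0", None, "guest-internet-egress")],
}
# LAN port -> (zone, enrolled device MAC or None). A locked port serves one device.
PORT_BINDINGS = {
    "lan1": ("payment", "02:00:00:00:00:01"),  # the POS terminal, and nothing else
    "lan2": ("guest", None),                   # guest access-point uplink, unlocked
}
# Assumption: the guest ADN's only exit is the public Internet, which does not
# carry RFC 1918 space, so other zones' private LANs are simply unreachable.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def adn_decision(flow: Flow) -> Tuple[bool, str]:
    """Decide a flow by port binding and the zone's own routes; no ACL ordering."""
    binding = PORT_BINDINGS.get(flow.ingress_port)
    if binding is None:
        return False, "port not assigned to any zone"
    zone, enrolled_mac = binding
    if enrolled_mac is not None and flow.src_mac != enrolled_mac:
        return False, "unauthorized device on locked port"
    dst = ip_address(flow.dst)
    for dst_net, dst_port, next_hop in ZONE_ROUTES[zone]:
        if not _dst_matches(dst_net, dst_port, flow):
            continue
        if next_hop == "guest-internet-egress" and any(dst in n for n in RFC1918):
            break  # default route leads to the Internet, which drops private space
        return True, "allow via " + next_hop
    return False, "no route in zone " + zone


if __name__ == "__main__":
    guest_to_pos = Flow("lan2", "02:00:00:00:00:99", "10.20.0.9", "10.10.5.7", 22)
    rogue_on_pos_port = Flow("lan1", "02:00:00:00:00:99", "10.10.5.7", "198.51.100.5", 443)
    print("S2S correct ACL  :", s2s_decision(CORRECT_ACL, guest_to_pos))   # deny
    print("S2S mistyped ACL :", s2s_decision(MISTYPED_ACL, guest_to_pos))  # allow
    print("ADN guest->POS   :", adn_decision(guest_to_pos))                # no route
    print("ADN rogue device :", adn_decision(rogue_on_pos_port))           # locked port
```

The point of the two models is where the isolation lives. In the S2S model it lives in the ordering and exact prefixes of one rule list, so a single mistyped mask silently opens the payment segment to guest hosts. In the zone model the guest network has no route to the payment segment at all and the payment port accepts only its enrolled device, so there is no rule whose misconfiguration could join them; the same structure also confines a payment-zone fault to that zone, since nothing else shares its routes.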

ADN standard security features include firewalls, intrusion detection, logging, wireless scanning, content filtering, access control lists, multi-factor authentication, Advanced Encryption Standard (AES) encryption and compartmentalization. Additional custom security features can also be deployed, such as HTTPS filtering, security information and event management (SIEM), or any best-of-breed security application hosted on virtual servers within the cloud.

References

  1. ^ "PCI-DSS: You gotta Keep Em Separated!". 11 February 2011.
  2. ^ "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards".
  3. ^ "Health Information Privacy". 26 August 2015. Archived from the original on 6 December 2015. Retrieved 8 September 2017.
  4. ^ Cascading failure
  5. ^ McKinsey & Company (2020). Cloud-based innovation: Improving customer experience; Gartner (2022). Operational Efficiency in Cloud Computing; Forrester Research (2020). Cloud Computing: A Key Driver of Product Differentiation.