Welcome!

SDN Journal Authors: Liz McMillan, Carl J. Levine, Elizabeth White, Patrick MeLampy, Rene Buest

Related Topics: SDN Journal, Java IoT, Linux Containers, Containers Expo Blog, @CloudExpo, Cloud Security

SDN Journal: Blog Feed Post

Hardening Security through Programmability in the Network

We are blessed with being able to witness the dawn of the age of network programmability.

Despite claims that there exists (or will, look out!) a mythical "god box" for the enterprise data center, capable of performing every data center function imaginable, it remains, well, mythical. Efforts to effectively secure the data center and the applications it delivers therefore requires a collaborative approach between best-of-breed technologies.

But if collaboration across functional IT groups - development, operations, network and security - remains as elusive as nirvana, then collaboration across products has traditionally been seen as likely as sighting the Loch Ness Monster. The arrival of cloud and more recently SDN has changed that, not only encouraging but requiring changes in collaboration capabilities in order to remain considered best-of-breed.

And thus we are blessed with being able to witness the dawn of the age of network programmability.

Promises abound, but real benefits - and implementations - are often hard to find. And if you go looking for examples in the realm of security, you're going to scrounge even harder to find real examples of just how programmability is going to change the game.

Look no further, my friend, for an excellent example can be found here, today, in this post.

Hardened Security and Performance Can Coexist with F5 and Sourcefire

For those of you not familiar with Sourcefire, the recently-acquired-by-Cisco security provider offers two industry leading products: Sourcefire Next Generation IPS (NGIPS) and the FirePOWER Platform. The former provides advanced threat protection, integrating real-time context, intelligent security policy automation and unprecedented performance. Sourcefire NGIPS takes advantage of the best hardware technology in the industry, providing IPS inspected throughput options ranging from 50Mbps to 40+Gbps, providing market- leading performance with greater energy efficiency.

Together, F5 and Sourcefire have validated a deployment architecture that help customers secure critical networks, applications and end-points while achieving optimal performance. This architecture results in a remediation capability that allows critical security events such as malware (FireAMP) and IPS/IDS events to initiate rule configuration for F5 security services, leveraging both the data and control plane programmability interfaces of F5 Synthesis Software Defined Application Services (SDAS). .

F5 Security Services for NGIPS Design
The integration between Sourcefire NGIPS and F5 Synthesis High Performance Services Fabric (HPSF) is enabled through F5's open API, iControl, and its data path programmatic interface, iRules. Because of its topological location in most application architectures, F5 HPSF maintains a strategic point of control. This means all application requests are fielded by F5 Software Defined Application Services (SDAS) such as availability, security and identity and access control.

sourcefire-big-ip-blog

As requests are received, they are first pre-screened for DDoS attacks by F5 SDAS. Then, depending on the policy, the requests are load balanced to a pool of Sourcefire sensors. If the requests are determined to be clean and safe, they are routed back through F5 SDAS and on to the appropriate application.

Sourcefire leverages a correlation rules engine that allows a variety of actions in response to security events. Rules can be very simple or be more powerful by including multiple conditions and qualifiers. Actions include the ability automatically configure rules for F5 security services, such as blocking a device that is originating an attack, or exhibiting some other form of suspicious or unwanted behavior.

Event types supported by the remediation engine include:

  • IPS Events
  • FireAMP (malware) Events
  • Compliance Events
  • Connection Events

Thus, if the Sourcefire sensors detect a problem, they can initiate action using F5's control plane API, iControl, to inject an iRule into the data path that will block the IP address of the client sending the requests.

This kind of integration enables a best-of-breed architectural approach to protecting both the network and the applications it is tasked with delivering. It enables the intelligence of a next-generation IPS to detect anomalies and attacks to be leveraged strategically to defend against and prevent the impact of the advanced threats that have become more and more pervasive.

By enabling immediate remediation actions by programmatically updating F5 security services upon detection of a problem, the entire data center ecosystem is better protected, without compromising on performance.

Additional Resources:

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@CloudExpo Stories
Zerto exhibited at SYS-CON's 18th International Cloud Expo®, which took place at the Javits Center in New York City, NY, in June 2016. Zerto is committed to keeping enterprise and cloud IT running 24/7 by providing innovative, simple, reliable and scalable business continuity software solutions. Through the Zerto Cloud Continuity Platform™, organizations can seamlessly move and protect virtualized workloads between public, private and hybrid clouds. The company’s flagship product, Zerto Virtual...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
Cognitive Computing is becoming the foundation for a new generation of solutions that have the potential to transform business. Unlike traditional approaches to building solutions, a cognitive computing approach allows the data to help determine the way applications are designed. This contrasts with conventional software development that begins with defining logic based on the current way a business operates. In her session at 18th Cloud Expo, Judith S. Hurwitz, President and CEO of Hurwitz & ...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
910Telecom exhibited at the 19th International Cloud Expo, which took place at the Santa Clara Convention Center in Santa Clara, CA, in November 2016. Housed in the classic Denver Gas & Electric Building, 910 15th St., 910Telecom is a carrier-neutral telecom hotel located in the heart of Denver. Adjacent to CenturyLink, AT&T, and Denver Main, 910Telecom offers connectivity to all major carriers, Internet service providers, Internet backbones and exchanges.
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
The IoT industry is now at a crossroads, between the fast-paced innovation of technologies and the pending mass adoption by global enterprises. The complexity of combining rapidly evolving technologies and the need to establish practices for market acceleration pose a strong challenge to global enterprises as well as IoT vendors. In his session at @ThingsExpo, Clark Smith, senior product manager for Numerex, discussed how Numerex, as an experienced, established IoT provider, has embraced a new m...
Niagara Networks exhibited at the 19th International Cloud Expo, which took place at the Santa Clara Convention Center in Santa Clara, CA, in November 2016. Niagara Networks offers the highest port-density systems, and the most complete Next-Generation Network Visibility systems including Network Packet Brokers, Bypass Switches, and Network TAPs.
A look across the tech landscape at the disruptive technologies that are increasing in prominence and speculate as to which will be most impactful for communications – namely, AI and Cloud Computing. In his session at 20th Cloud Expo, Curtis Peterson, VP of Operations at RingCentral, will highlight the current challenges of these transformative technologies and share strategies for preparing your organization for these changes. This “view from the top” will outline the latest trends and developm...
Due of the rise of Hadoop, many enterprises are now deploying their first small clusters of 10 to 20 servers. At this small scale, the complexity of operating the cluster looks and feels like general data center servers. It is not until the clusters scale, as they inevitably do, when the pain caused by the exponential complexity becomes apparent. We've seen this problem occur time and time again. In his session at Big Data Expo, Greg Bruno, Vice President of Engineering and co-founder of StackIQ...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
"We're bringing out a new application monitoring system to the DevOps space. It manages large enterprise applications that are distributed throughout a node in many enterprises and we manage them as one collective," explained Kevin Barnes, President of eCube Systems, in this SYS-CON.tv interview at DevOps at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Without a clear strategy for cost control and an architecture designed with cloud services in mind, costs and operational performance can quickly get out of control. To avoid multiple architectural redesigns requires extensive thought and planning. Boundary (now part of BMC) launched a new public-facing multi-tenant high resolution monitoring service on Amazon AWS two years ago, facing challenges and learning best practices in the early days of the new service. In his session at 19th Cloud Exp...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, New York, and 21st International Cloud Expo, which will take place in November in Silicon Valley, California.
In his session at DevOps Summit, Tapabrata Pal, Director of Enterprise Architecture at Capital One, will tell a story about how Capital One has embraced Agile and DevOps Security practices across the Enterprise – driven by Enterprise Architecture; bringing in Development, Operations and Information Security organizations together. Capital Ones DevOpsSec practice is based upon three "pillars" – Shift-Left, Automate Everything, Dashboard Everything. Within about three years, from 100% waterfall, C...
As organizations realize the scope of the Internet of Things, gaining key insights from Big Data, through the use of advanced analytics, becomes crucial. However, IoT also creates the need for petabyte scale storage of data from millions of devices. A new type of Storage is required which seamlessly integrates robust data analytics with massive scale. These storage systems will act as “smart systems” provide in-place analytics that speed discovery and enable businesses to quickly derive meaningf...
With billions of sensors deployed worldwide, the amount of machine-generated data will soon exceed what our networks can handle. But consumers and businesses will expect seamless experiences and real-time responsiveness. What does this mean for IoT devices and the infrastructure that supports them? More of the data will need to be handled at - or closer to - the devices themselves.
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @CloudExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.