Application Defined Network

From Wikipedia, the free encyclopedia

Application Defined Network (ADN) is an enterprise data network architecture that uses virtual networks and security components to give each application its own dedicated logical network. Security and network policy can then be defined per application rather than for the site as a whole. ADN technology allows a simpler physical architecture with fewer devices and less device configuration and integration work. ADN solutions are intended to let a business deploy multiple applications securely across its enterprise footprint and partner networks, regardless of where each application is hosted, with policy-based, application-specific delivery to corporate data centers, cloud services and third-party networks. Some ADN solutions integrate 3G/4G wireless backup so that a second Internet connection is brought up automatically when the primary access connection is lost. The ADN design provides an application-to-application (A2A) model that moves enterprise networks beyond the site-to-site (S2S) private network model.

ADN fundamentals

ADN solutions address the need to run several different applications, such as a guest Wi-Fi hotspot, on the same network as regulated applications such as payment processing, while keeping the regulated ones secured. In a traditional site-to-site network, placing multiple applications on one network creates security policy conflicts. Guest Wi-Fi, mobile payment and cloud services open the traditionally private network to outside threats and add complexity to security policy and network administration. ADNs can be customized with security features that address a specific application's needs, and can be enhanced with performance and reliability features such as traffic management for application prioritization and fail-over to a backup connection.

Complexity breeds vulnerability. Application Defined Networks reduce complexity and the resulting costs of buying and managing multiple devices, configuring and integrating them, and isolating and resolving problems. ADNs are typically enabled on a secure appliance at each distributed enterprise location; these appliances connect to a cloud network that carries each application to corporate data centers, cloud services, payment gateways and partner networks. ADNs are designed to remove three failure modes of shared networks: route conflicts, security cascades across applications, and problem cascades in which one misbehaving application affects the other applications on the same network.[1]

  • Route Conflicts – traditional site-to-site networks carry multiple applications over a single connection (e.g. VPNs, MPLS VPNs or Ethernet) and rely on complex security rules to partition the applications from one another. A simple device misconfiguration can open routing paths that violate the isolation required by compliance regimes such as PCI DSS[2] and HIPAA[3]. Segmenting each such application into its own discrete ADN removes the need to manage multiple security partitions across many locations.
  • Security Cascade – traditional site-to-site networks are subject to security bleed when a segment that is exposed to the Internet is breached. Advanced Persistent Threats (APTs) are becoming more frequent, effective and damaging; the damage is done once the attacker has a foothold in the breached segment and quietly probes for entry points into other segments. Several security breaches have resulted from this cascade, in which weak separation between network segments is exploited. ADNs prevent a breach from cascading between segments and applications by compartmentalizing each application into its own isolated network.[4]
  • Problem Cascade – on a traditional site-to-site network, a fault in one application's configuration that produces abnormal behaviour ends up affecting every other application on the network: one application misbehaving disrupts them all. Isolating the root cause is slow and difficult while the network is in chaos or completely down. On an Application Defined Network the problem is confined to that application's own network, which simplifies fault isolation and resolution.

ADNs are logically defined virtual networks that extend from the application enabler to the application gateway. ADN solutions pair each ADN with a defined LAN segment at the site, so that the ADN extends through the LAN to a specific interface on the application enabler (a POS system, a server, etc.). An assigned zone locks a specific LAN port to a specific use: for example, port 1 is assigned to the payment ADN/LAN segment only, no other device can use that port, and an unauthorized device plugged into zone 1 will not work. This gives both physical and logical protection against unauthorized use of a port.

The ADN then carries traffic from that LAN port over the public broadband connection without depending on the site's public IP addressing. The ADN is authenticated in the cloud network and transported to the destination application gateway. The result is an end-to-end network from application enabler to application gateway that is independently defined, both physically and logically. The application gateway can reside in a corporate office or data center, at a cloud service provider, on a partner network or virtually anywhere.

A2A

Application-to-application (A2A) networks remove site-to-site (S2S) limitations by defining the network architecture at the application level. An A2A network lets the enterprise connect securely to any application, wherever it resides, and frees the enterprise network from restrictive hub-and-spoke traffic patterns by allowing any-to-any traffic patterns based on the needs of each application. Companies can consume applications as cloud services instead of licensing them and building them in their own data centers, avoiding the associated capital, network and IT resource costs. A2A networking helps companies deploy multiple applications efficiently using cloud services that address needs such as customer value, operational efficiency and product differentiation.[citation needed]

Security

ADNs simplify security by establishing discrete, independent networks that do not require complex security rules to partition traffic types. They reduce the risk of human error in maintaining complex Access Control Lists (ACLs) across many sites, where a single mistaken rule can create a security vulnerability. For example, if a guest ADN with public Internet access is breached by an outside party, the breach has no network path by which to bleed into another ADN such as the payment ADN. The appliance that terminates every ADN at a site is itself a shared component, so its configuration and software remain a common dependency of all the applications it carries.
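The route-conflict case described under ADN fundamentals (a mistaken rule in a shared network's ACL opening a path between segments) and the per-application isolation described in this section can both be checked mechanically. The following Python example is added here and is not code from the article or from any ADN vendor; its segment addresses, ACL rules, gateway prefixes and application names are all constructed for illustration. It lints an ordered first-match ACL for permit rules that let a guest segment reach a payment segment, shows the usual fix (moving the deny ahead of the over-broad permit), and then checks the one-network-per-application model, where isolation reduces to verifying that no application's gateway list points into another application's LAN.

```python
"""Segmentation check for the two layouts the article contrasts.

Added example, not from the article or from any ADN product. Addresses,
rule sets and application names are constructed for illustration.

Layout A: one shared site network partitioned by an ordered, first-match
ACL, where a single over-broad or mis-ordered rule opens a path.
Layout B: one virtual network per application (the ADN model), where each
application can reach only the gateways enumerated for it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"; the first matching rule wins
    src: IPv4Network
    dst: IPv4Network


# Constructed segments for one retail site (hypothetical private addressing).
SEGMENTS: Dict[str, IPv4Network] = {
    "guest_wifi": ip_network("10.10.0.0/24"),
    "payment": ip_network("10.20.0.0/24"),
    "corporate": ip_network("10.30.0.0/24"),
}

# Layout A: the operator intended to block guest -> payment, but a broad
# "management access" permit for 10.0.0.0/8 was placed ahead of the deny.
SITE_ACL: List[Rule] = [
    Rule("permit", ip_network("10.0.0.0/8"), SEGMENTS["payment"]),     # over-broad
    Rule("deny", SEGMENTS["guest_wifi"], SEGMENTS["payment"]),         # shadowed, never reached
    Rule("permit", SEGMENTS["guest_wifi"], ip_network("0.0.0.0/0")),   # guest Internet access
    Rule("permit", SEGMENTS["corporate"], SEGMENTS["payment"]),        # intended
]

# The same rules with the deny moved to the top: the usual remediation.
FIXED_ACL: List[Rule] = [SITE_ACL[1], SITE_ACL[0], SITE_ACL[2], SITE_ACL[3]]


def intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """CIDR blocks are either disjoint or nested, so the overlap is the smaller block."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def open_paths(rules: List[Rule], src_seg: IPv4Network, dst_seg: IPv4Network) -> List[Rule]:
    """Permit rules that admit some traffic from src_seg into dst_seg.

    A permit is discounted only when a single earlier deny covers the whole
    overlapping region, so the check errs toward reporting a path rather
    than missing one (a union of several narrower denies is not credited).
    """
    paths: List[Rule] = []
    for i, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        s, d = intersect(rule.src, src_seg), intersect(rule.dst, dst_seg)
        if s is None or d is None:
            continue
        shadowed = any(
            e.action == "deny" and e.src.supernet_of(s) and e.dst.supernet_of(d)
            for e in rules[:i]
        )
        if not shadowed:
            paths.append(rule)
    return paths


def leaks_into(rules: List[Rule], segments: Dict[str, IPv4Network], protected: str) -> Dict[str, List[Rule]]:
    """Map each other segment name to the rules that let it reach `protected`."""
    report: Dict[str, List[Rule]] = {}
    for name, seg in segments.items():
        if name == protected:
            continue
        hits = open_paths(rules, seg, segments[protected])
        if hits:
            report[name] = hits
    return report


@dataclass(frozen=True)
class AppNetwork:
    name: str
    lan: IPv4Network                    # site-side LAN segment bound to this application
    gateways: Tuple[IPv4Network, ...]   # the only destinations this virtual network can reach


# Layout B: the same three applications, each on its own network with an
# explicit gateway list (documentation prefixes stand in for real ones).
ADNS: List[AppNetwork] = [
    AppNetwork("guest_wifi", SEGMENTS["guest_wifi"], (ip_network("192.0.2.0/24"),)),    # provider Internet egress
    AppNetwork("payment", SEGMENTS["payment"], (ip_network("203.0.113.0/24"),)),        # payment processor gateway
    AppNetwork("corporate", SEGMENTS["corporate"], (ip_network("198.51.100.0/24"),)),   # corporate data center
]


def adn_cross_paths(adns: List[AppNetwork]) -> List[Tuple[str, str]]:
    """Pairs (a, b) where a's gateway list reaches into b's LAN.

    With one network per application this is the only way cross-application
    traffic can arise, so an empty result means the applications are isolated
    no matter how many sites or rules are involved.
    """
    return [
        (a.name, b.name)
        for a in adns
        for b in adns
        if a is not b and any(g.overlaps(b.lan) for g in a.gateways)
    ]


if __name__ == "__main__":
    for label, acl in (("shared network, as deployed", SITE_ACL), ("shared network, deny moved first", FIXED_ACL)):
        print(f"{label}: segments that can reach payment -> {sorted(leaks_into(acl, SEGMENTS, 'payment'))}")
    print(f"one network per application: cross-application paths -> {adn_cross_paths(ADNS)}")
```

Run as a script it reports that both the guest and corporate segments can reach the payment segment under the deployed ACL, only corporate once the deny is moved first, and no cross-application paths in the per-application layout. The shadow test is deliberately conservative: it will not credit several narrow denies that together cover a permit, so a reported path is worth inspecting even if it turns out to be blocked.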

ADN standard security features include firewall, intrusion detection, logging, wireless scanning, content filtering, access control lists, multi-factor authentication, Advanced Encryption Standard (AES) encryption and compartmentalization. Additional custom security features can also be deployed, such as HTTPS filtering, Security Information and Event Management (SIEM), or any best-of-breed security application hosted on virtual servers within the cloud.

References

  1. ^ "PCI-DSS : You gotta Keep Em Separated!". 11 February 2011.
  2. ^ "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards".
  3. ^ "Health Information Privacy". 26 August 2015. Archived from the original on 6 December 2015. Retrieved 8 September 2017.
  4. ^ Cascading failure