Should the security system be a network?

Recently, while conducting research interviews for a small but rapidly growing business, I encountered for the first time an organization with a “no network provider” network. That is, instead of using Cisco or Dell, or even a white-box solution for switching and routing, the company deployed only Fortinet equipment for its entire network. In other words, every network component is part of their security infrastructure.

They build their network this way not only to build security into its core (which is a good idea in itself), but also to make the network:

Easy to manage: they have a tool which manages every component

Easy to deploy: They only have two or three versions of each device, all the same except capacity and port count

Easily expandable to new locations: every site looks like any other similarly sized site

They keep a small inventory of spare equipment on the shelves to provide quick recovery for all locations. They can also easily use a security operations center as a service and use professional services to handle almost all other network operations. Essentially, their security solution can also become their complete network solution.

They use Fortinet, but they could also go to Versa Networks or WatchGuard or other companies.

As security vendors move further into cyberspace, should enterprises embrace their vision?

Yes and no.

On the plus side, there are some clear benefits, centered on operational simplicity and ease of management, to having a single vendor and a minimum number of device types make up a converged network/security stack. What’s more, putting security at the core of the network should greatly reduce, if not eliminate, the likelihood of a disconnect between security policy and network practices, which is so common in environments where security and connectivity are separated.

The downside is that any monoculture in IT makes the infrastructure more susceptible to the weaknesses of the chosen platform and vendor issues. If there is a security vulnerability in the operating system of a core device, the entire network and all locations can be attacked simultaneously and in the same way—one attack compromising them all. If security had a separate infrastructure layer, it would be possible to mitigate problems in the security layer by changing the configuration of the network layer, just as the security layer mitigates risks in the network. If a vendor is acquired by another vendor or acquires another vendor, support for the entire connectivity infrastructure will be at risk during the transition period.

The flip side of having a single vendor to hold to account when things go wrong is having less leverage in price negotiations and potentially higher costs. The more you rely on one supplier for something, the harder it is to walk away and switch to a new supplier.

The appeal and real benefits of making security systems part of the entire network are most apparent for small and medium-sized companies. They are more likely to have uniform and relatively simple needs and are sparsely staffed. They are more likely to struggle to afford, attract and retain the talent they need in security and networking. With a single platform, there is only one system to become expert in, to train new employees on, or to outsource the management of, which lets them make the most of existing employees.

For large companies, the benefits are less obvious. These tend to have more complex environments and requirements and are less likely to tolerate the risks of a monoculture because they are better able to staff and support hybrid ecosystems.

So, should a security system be a network? For smaller organizations, it looks doable given the caveats above. For most large organizations, I think the answer right now is no. Instead, they should focus on making their network systems a larger part of their security infrastructure.

Network switches can and should play a central role when implementing a zero-trust architecture (as everyone should), SD-LAN, or a software-defined perimeter (SDP). Switches should be the policy enforcement points for policies that are defined and managed in some kind of security policy engine. They should be able to do this even if they are not from the same vendor, let alone the same security vendor.
