Software-defined protection

Software-defined Protection (SDP) is a computer networking security architecture and methodology that combines network security devices and defensive protections that leverage both internal and external intelligence sources.[1] An SDP[2] infrastructure is designed to be modular, scalable and secure. The SDP architecture partitions the security infrastructure into three interconnected layers. The Enforcement Layer inspects traffic and enforces protection within well-defined network segments. The Control Layer generates security policies and deploys those protections to enforcement points. The Management Layer orchestrates the infrastructure and integrates security with business processes. The SDP architecture supports traditional network security and access control policy requirements, as well as the threat prevention required for enterprises implementing technologies such as mobile computing and Software-defined Networking (SDN).

Enforcement Layer

The Enforcement Layer of SDP enables organizations to design segmented networks, implement physical and virtual security enforcement points based upon that segmentation, and execute the protection logic for the prescribed network segments.

SDP incorporates the principle of segmentation into the Enforcement Layer. Segmentation divides a network into compartments that have different security characteristics. Based upon segment requirements, security controls are established for threat containment and recovery. Enforcement points, or platforms for executing protections, must then be implemented at the boundaries of the segments to enforce the defined protection logic. Enforcement points may be implemented as network security gateways, host-based software, mobile device applications, or virtual machines in the cloud.

Control Layer

The Control Layer is the core of the SDP architecture. Its role is to generate protections and deploy them for execution at the appropriate enforcement points within the Enforcement Layer. To develop the appropriate protections, the Control Layer relies upon repositories of data that include knowledge of the organization and its information systems (Access Control), knowledge of data assets and their classifications (Data Protection) and knowledge of threats (Threat Prevention). Security solutions commonly implemented within the Control Layer include Firewall, Anti-Virus, Application Control, Threat Emulation, Anti-Bot, Anti-Spam and email security, Data Loss Prevention (DLP), and Intrusion Prevention Systems (IPS). Through systematic mapping of these protective controls to the associated risk for each segment and its assets within the Enforcement Layer, organizations can deliver multi-layer protection against attacks.

Management Layer

The Management Layer serves as the interface between network administrators and the other two layers of the SDP infrastructure. This layer supports the enterprise segmentation and enables the definition of access and data control policies and the activation of threat prevention separately. The Management Layer also provides the ability to delegate management of these policies to specific administrators, who can work on them simultaneously. The Management Layer provides visibility into what is happening in the network, supports proactive incident response, and provides the intelligence required to tailor security controls for the organization.
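As an added illustration of how the three layers fit together (this is example code written for this page, not part of the original article or of any vendor's SDP implementation), the Python model below builds segments and enforcement points (Enforcement Layer), derives a per-segment policy from Access Control, Data Protection and Threat Prevention repositories (Control Layer), and has an orchestrator deploy those policies and evaluate boundary crossings (Management Layer). The segment names, access rules, classifications, IP addresses and the single threat-intelligence entry are all constructed sample data.

```python
"""Toy model of the Software-defined Protection three-layer architecture.

Constructed example: segments, access rules, classifications, addresses and
threat intelligence are made up for illustration and are not a real product API.
"""
from dataclasses import dataclass, field


# ---- Enforcement Layer: segments and the flows that cross their boundaries ----

@dataclass(frozen=True)
class Segment:
    name: str
    trust: int                    # constructed ordering: higher means more trusted


@dataclass(frozen=True)
class Flow:
    src_segment: str
    dst_segment: str
    src_ip: str
    dst_port: int
    data_label: str = "public"    # payload classification as tagged by DLP inspection


# ---- Control Layer repositories (constructed sample data) ----

ACCESS_RULES = {                  # (src segment, dst segment, port) the organization permits
    ("internet", "dmz", 443),
    ("dmz", "internal", 5432),
    ("internal", "internet", 443),
}
SEGMENT_CLASSIFICATION = {        # highest data classification each segment is rated to hold
    "internet": "public",
    "dmz": "internal",
    "internal": "confidential",
}
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2}
THREAT_INTEL = {"203.0.113.7"}    # TEST-NET address standing in for a known-bad source


@dataclass
class Policy:
    segment: str
    allow: set = field(default_factory=set)        # permitted (src, dst, port) tuples
    protections: set = field(default_factory=set)  # protections active at this boundary


class ControlLayer:
    """Generates one policy per segment from the three repositories."""

    def generate(self, segments):
        policies = {}
        for seg in segments.values():
            pol = Policy(seg.name)
            # Access Control repository: only rules that touch this segment's boundary
            pol.allow = {r for r in ACCESS_RULES if seg.name in r[:2]}
            # Every enforcement point runs the firewall and the threat-intelligence check
            pol.protections |= {"firewall", "threat_prevention"}
            # Data Protection repository: DLP is deployed where confidential data lives
            if CLASS_RANK[SEGMENT_CLASSIFICATION[seg.name]] >= CLASS_RANK["confidential"]:
                pol.protections.add("dlp")
            policies[seg.name] = pol
        return policies


class EnforcementPoint:
    """Executes the protection logic of one segment boundary."""

    def __init__(self, policy):
        self.policy = policy

    def inspect(self, flow):
        key = (flow.src_segment, flow.dst_segment, flow.dst_port)
        if key not in self.policy.allow:                      # firewall: default deny
            return "deny: no access rule"
        if "threat_prevention" in self.policy.protections and flow.src_ip in THREAT_INTEL:
            return "deny: source on threat intelligence list"
        if "dlp" in self.policy.protections:
            # Data may not leave for a segment rated below its classification
            if CLASS_RANK[flow.data_label] > CLASS_RANK[SEGMENT_CLASSIFICATION[flow.dst_segment]]:
                return "deny: data loss prevention"
        return "allow"


class ManagementLayer:
    """Orchestrates policy generation, deployment and evaluation of crossings."""

    def __init__(self, segments):
        self.segments = segments
        self.enforcement_points = {}

    def deploy(self):
        policies = ControlLayer().generate(self.segments)
        self.enforcement_points = {n: EnforcementPoint(p) for n, p in policies.items()}
        return policies

    def evaluate(self, flow):
        # A boundary crossing is inspected by the enforcement points on both sides
        for seg in (flow.src_segment, flow.dst_segment):
            verdict = self.enforcement_points[seg].inspect(flow)
            if verdict != "allow":
                return verdict
        return "allow"


SEGMENTS = {name: Segment(name, trust) for name, trust in
            (("internet", 0), ("dmz", 1), ("internal", 2))}

SAMPLE_FLOWS = [                  # constructed traffic crossing segment boundaries
    Flow("internet", "dmz", "198.51.100.10", 443),
    Flow("internet", "dmz", "203.0.113.7", 443),
    Flow("internet", "internal", "198.51.100.10", 5432),
    Flow("internal", "internet", "10.0.0.5", 443, data_label="confidential"),
    Flow("internal", "internet", "10.0.0.5", 443, data_label="public"),
]


def run_demo():
    mgmt = ManagementLayer(SEGMENTS)
    mgmt.deploy()
    return [mgmt.evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_demo()):
        print(f"{flow.src_segment}->{flow.dst_segment}:{flow.dst_port} "
              f"from {flow.src_ip} [{flow.data_label}] => {verdict}")
```

The point of the model is the separation of concerns the article describes: the Control Layer decides which protections belong at which boundary by consulting the repositories, the enforcement points only execute the policy they were handed, and the Management Layer is the only component that touches both. Adding a new segment or a new threat-intelligence entry changes a repository, not the enforcement code.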
