Intent-based networking offers a completely new take on network deployment, maintenance and security. The concept also provides a new way for people, applications and connected things to use the network. “New users and devices are constantly appearing on the network”, says Frank De Reymaeker, Head of Enterprise Networking at Cisco Systems. “Just think of the Internet of Things. This evolution increases the complexity of network access management. At the same time, the pressure on the application side is increasing as well. More and more companies go for a hybrid approach, linking the company network to Microsoft Azure or Amazon Web Services, for example.”
It is clear that this evolution is not sustainable within the traditional network. As an alternative to manually configuring network access for each device, Cisco prefers intent-based networking. The concept is based on a central controller that automatically deploys the right configuration based on the intent of the user, device or application, automatically applying access rights, security and Quality of Service. “That central controller – Cisco DNA Center (Digital Network Architecture) – is the network’s brain”, De Reymaeker explained. “It automatically deploys every configuration. It ensures that you can adapt the network very quickly and in a standardized way. That saves time and avoids human error.”
User experience and application behavior
In the context of Cisco ISE, assurance is an important point, as the idea of intent-based networking isn’t limited to automated configuration and access management. “We apply the same concept to security,” says Pieter Paul Bonne, Cybersecurity Solution Specialist at Cisco Systems. “First of all, ISE provides automated authentication and authorization. But after the rules for access management are implemented, we continue to monitor the behavior of users, devices and applications.” The network feeds information about that behavior back to ISE. “Unexpected or abnormal data traffic, for example, can trigger an immediate change in the policy for that specific user, device or application. This way, ISE offers a way to quickly detect and contain possible threats.”
What’s more, an intent-based network has a major impact on the operational tasks of the network team. The initial purchase of a network accounts for only thirty percent of the total network costs. Seventy percent of the budget goes to operational costs. “As Cisco ISE relies heavily on automation, the solution allows us to reduce these operating costs - such as deployment, configuration and maintenance - by 50%”, says De Reymaeker. In doing so, Cisco kills two birds with one stone. Not only does the solution provide significant savings, it also relieves some of the pressure on the IT network team. These days, a lot of companies have a hard time finding IT staff who have the necessary network and security expertise. Most important, however, is that Cisco offers companies a whole new approach to network and security management through intent-based networking. “It’s all about the vision”, De Reymaeker concluded. “With an intent-based network, built on Cisco DNA Center and Cisco ISE, a company can put that new vision into practice, step by step, building a high-performance and secure network at its own pace.”
Keeping an eye on security
Cisco’s very own security policy relies on the expertise of the Talos Intelligence Group, one of the world’s largest commercial threat intelligence teams. The team investigates, among other things, the feedback data from Cisco solutions. Talos protects Cisco’s customers from a variety of cyber threats, detects vulnerabilities in common software and interdicts threats in the wild before they can further harm the internet at large. “In network security management, visibility is essential”, Bonne explained. “You have to be able to see what’s happening on the network.” Talos goes so far as to assess encrypted data traffic correctly. Pieter Paul Bonne: “With 99% certainty, Talos can see whether an encrypted data packet originates from a legitimate application or from malware.” This creates a new situation, where it is no longer encryption that ensures security, but the network itself, as it acts as a sensor for malware detection.