Bringing Modern Software Methodologies to Security Policy Development

Bringing Modern Software Methodologies to Security Policy Development
20 Jan '15 Posted by Ana Bombarelli

(Published in Cisco Communities on January 19, 2015. Author: Sergio Pozo)

At the earliest days of Intelliment, we did a lot of customer interviews showing different pieces of technology to potential customers. During that interviews, one question that was always in our heads was why security policies are still today managed as has been done in the last thirty years.

Think about it, in the traditional software development problem space, as computer software became complex, new software development methodologies and languages to support them were needed in order to get things done in an easier and more agile way, raising people productivity, improving code understandability and maintainability, and reducing software errors. These are the drivers that leverage the adoption of new methodologies and programming languages.

 So why for security policies a low level, vendor-specific, complex and error prone language is still the “best” way to develop security policies in (physical or virtual) network devices? With all these languages you can express nearly the same set of concepts. But these languages (and graphical user interfaces that substitute them in most modern devices) are highly tiered to how an specific vendor, or even a product line of a vendor, thinks things should be implemented. Take for example Cisco ASA, IOS and NX-OS product lines.

When asking customers why they are still using an ancient methodology, unfortunately we have never got answers like:

  • Because it is easier
  • Because I am more productive
  • Because what I am doing is understandable and maintainable by myself and by others in my team
  • Because it is less error prone
  • Because it is more secure

 Think again about it: no sole developer today will go back to assembler if there isn’t a really good reason to do. Programming languages have evolved to instruction set neutral entities. Computing is evolving to a hardware-neutral commodity. And even networks are starting to follow this vision with SDN and NFV.

The question is: Is it really impossible to bring all the modern software development methodologies and languages benefits to security policy development? Do you really believe that having been forced to use third party products to audit your policies, improve device performance and to cope with compliance issues really pays off in the long term? Doesn’t this add a new layer of complexity, cost and underperformance of people involved in the management life-cycle?

 Intelliment offers a piece of software (Controller) that has a model of both the network and of the security policies. The user interacts with the model through a Firewall Management product that is built as an app of the Controller. The security policy model is expressed in a topology-neutral easy to understand formal graphical language. Models allow the Intelliment product to run formal methods to diagnose correctness (contractions and compliance problems) and correct them automatically. Once the model is correct, it can be automatically transformed into vendor-specific language configurations and deployed into individual devices in an orchestrated process. Intelliment can be integrated with virtually any device (physical or virtual) that is able to enforce a security policy through an ACL. The main benefits achieved are

  • Improved human resources performance and cost
  • Improved change management agility
  • Reduced to zero misconfigurations
  • Automated change documentation and traceability

SoftwareIS

During first contacts with Cisco, the Intelliment team learned about the different abstractions Cisco is promoting to program their different network devices product lines, and we quickly realized that the integration of Intelliment with the SDN product line was of particular interest: an SDN controller offers built-in network abstractions, a deployment system, events… and this prevent Intelliment to build on itself integrations with the huge product line of Cisco devices. During next Cisco Live in Milan Intelliment will be showing to the world how to implement security policies in an SDN network using flows through an OpenDaylight Controller integration.