John Burke

Author Archives: John Burke

Don’t let automation break change management

The drive to automate more and more network operations is a good thing, but it exposes a need for network teams to ensure their change-management processes are in order.Networks are doing more, becoming integral to zero-trust security architectures, for example, and to end-to-end enterprise optimization endeavors. Networks are also connecting more things than ever: Mobile devices and IoT nodes continue to proliferate outside data centers and IaaS environments, while inside the enterprise, VMs and containers and separate environments segregating groups of them from each other for security purposes continue to proliferate.To read this article in full, please click here

How to manage scripts that manage network automation

Most major network outages happen as a result of human error, not equipment failures—mistakes in the settings themselves, missed steps in a sequence, steps taken out of order, etc. Automation through scripting is meant not only to speed up network operations activities but, as importantly, to reduce the chance of such mistakes by ensuring consistency. A script executes the same steps, in the same order, every time.Ad-hoc, scripting, or programmatic automation doesn’t eliminate the possibility of error, of course. It does limit the scope of the mistakes to the programs themselves, and robust testing should uncover most of them before they have a chance to be put into production. And, should a mistake get through and result in a bunch of misconfigured switches, there is one place to fix it—the script—that also provides the means of correcting the problem at machine speeds.To read this article in full, please click here

The case for declarative network automation

Nemertes recently looked at how organizations with larger networks—specifically Cisco-heavy networks—implemented network automation. The results were a bit surprising in that less than 20% use Cisco’s flagship DNA Center network controller and management dashboard that can automate provisioning and change management.On the other hand more than 40% roll their own automation solution using various forms of imperative scripting or programming (mostly Python), and about 50% engage a different model instead of or in addition: declarative automation.To read this article in full, please click here

Zero trust requires network visibility

In a zero-trust environment, trust is not static. Behavior has to be visible for trust to persist.One of the most important differences between old thinking on networking and the zero-trust mindset is the inversion of thinking on trust. Pre-ZT, the assumption was this: Once you get on the network, you are assumed to be allowed to use it any way you want until something extraordinary happens that forces IT to shut you down and remove your access. You are assumed broadly trustworthy, and confirming that status positively is very rare. It is also very rare to have that status revoked.To read this article in full, please click here

Zero trust requires network visibility

In a zero-trust environment, trust is not static. Behavior has to be visible for trust to persist.One of the most important differences between old thinking on networking and the zero-trust mindset is the inversion of thinking on trust. Pre-ZT, the assumption was this: Once you get on the network, you are assumed to be allowed to use it any way you want until something extraordinary happens that forces IT to shut you down and remove your access. You are assumed broadly trustworthy, and confirming that status positively is very rare. It is also very rare to have that status revoked.To read this article in full, please click here

Use zero trust to fight network technical debt

Zero trust (ZT) is a mindset and a method, not a technology. The current push to adopt ZT is driven by an urgent and growing need to make a major leap forward in risk management and attack containment in enterprise networks, a need driven home by every successive wave of ransomware. IT can use the urgency of moving to ZT to root out some of the technical debt in the environment. Specifically, it can be a catalyst to find areas exempted from network and network security standards and bring them up to date under the new paradigm of zero trust.No more exempting network components from access-control roles In a ZT environment, the network not only doesn’t trust a node new to it, but it also doesn’t trust nodes that are already communicating across it. When a node is first seen by a ZT network, the network will require that the node go through some form of authentication and authorization check. Does it have a valid certificate to prove its identity? Is it allowed to be connected where it is based on that identity? Is it running valid software versions, defensive tools, etc.? It must clear that hurdle before being Continue reading

Use zero trust to fight network technical debt

Zero trust (ZT) is a mindset and a method, not a technology. The current push to adopt ZT is driven by an urgent and growing need to make a major leap forward in risk management and attack containment in enterprise networks, a need driven home by every successive wave of ransomware. IT can use the urgency of moving to ZT to root out some of the technical debt in the environment. Specifically, it can be a catalyst to find areas exempted from network and network security standards and bring them up to date under the new paradigm of zero trust.No more exempting network components from access-control roles In a ZT environment, the network not only doesn’t trust a node new to it, but it also doesn’t trust nodes that are already communicating across it. When a node is first seen by a ZT network, the network will require that the node go through some form of authentication and authorization check. Does it have a valid certificate to prove its identity? Is it allowed to be connected where it is based on that identity? Is it running valid software versions, defensive tools, etc.? It must clear that hurdle before being Continue reading

Zero trust requires clear architecture plans before changing core systems

Zero trust touches everything: identity, applications, networks, data, and devices. The best approach is not to change everything all at once. Instead, start with the big picture.In our research, we’ve found the most successful organizations dedicated the first phase of their zero-trust initiatives to working out an architecture. They didn’t rush into deploying solutions as though starting with a greenfield.Everyone else dove in fast, mixing the foundational work on zero trust with one or more of the knock-on efforts: rearchitecting networks, security, and data management; buying tools; forming implementation teams and setting them to work. All those things need to happen, of course, but with zero trust, it pays to do a lot more thinking about how all the pieces will fit together before undertaking the changes needed, either at the architectural level or in the tool set.To read this article in full, please click here

Zero trust requires clear architecture plans before changing core systems

Zero trust touches everything: identity, applications, networks, data, and devices. The best approach is not to change everything all at once. Instead, start with the big picture.In our research, we’ve found the most successful organizations dedicated the first phase of their zero-trust initiatives to working out an architecture. They didn’t rush into deploying solutions as though starting with a greenfield.Everyone else dove in fast, mixing the foundational work on zero trust with one or more of the knock-on efforts: rearchitecting networks, security, and data management; buying tools; forming implementation teams and setting them to work. All those things need to happen, of course, but with zero trust, it pays to do a lot more thinking about how all the pieces will fit together before undertaking the changes needed, either at the architectural level or in the tool set.To read this article in full, please click here

5G wireless WAN will have benefits beyond 4G WWAN

With all the discussion about the positive impacts 5G can have on internet access for individuals and businesses, it’s vital that network engineers keep in mind that 5G’s not the only cellular option for enterprise WANs—4G already delivers many of those benefits.Nemertes did research with organizations that have made significant commitments to 4G-based wireless in their WANs and identified four common use cases across the organizations. Each of those uses will be improved in several ways with the coming broad availability of 5G. Let’s take a look.To read this article in full, please click here

How wireless WAN can make SD-WAN more agile and resilient

Wireless WAN has begun to rise in availability and utility, and to improve in affordability. It brings wide-area connectivity to just about any physical space and can hit speeds far in excess of older single or multiple T1 links and DSL.It has its challenges to be sure, and the biggest ones are centered on the business model. It is hard to get a WWAN connection priced the same way a wired connection is: paying for a given speed, with no arbitrary limit on how many bits can be transferred in a billing period.SD-WAN buyers guide: Key questions to ask vendors So IT teams using WWAN are typically faced with two unpleasant options: a) either pay a flat rate but, when a threshold number of bytes is hit, face a sharp decrease in speed; or b) pay a per-gigabyte overage fee for usage past the threshold. Sometimes carriers want to push both options—decreased speed and pay-by-the-drink overage costs.To read this article in full, please click here

Rethinking the WAN: Zero Trust network access can play a bigger role

The WAN as initially conceived was about one simple job: the WAN was the network that “connects my sites to each other.” That is, the network connecting users in corporate sites to corporate IT resources in other corporate sites or perhaps colocation facilities. It was all inside-to-inside traffic.Over the past decade so much has changed that, just before COVID-19 work-from-home mandates took hold, only about 37% of a typical WAN’s traffic was still inside-to-inside, according to Nemertes’ “Next Generation Networks Research Study 2020-2021”. The rest touched the outside world, either originating there as with remote work against data-center systems or terminating there as with SaaS use from a company site or both as with VPNing into the network only to head back out to a SaaS app.To read this article in full, please click here

Rethinking the WAN: Zero Trust network access can play a bigger role

The WAN as initially conceived was about one simple job: the WAN was the network that “connects my sites to each other.” That is, the network connecting users in corporate sites to corporate IT resources in other corporate sites or perhaps colocation facilities. It was all inside-to-inside traffic.Over the past decade so much has changed that, just before COVID-19 work-from-home mandates took hold, only about 37% of a typical WAN’s traffic was still inside-to-inside, according to Nemertes’ “Next Generation Networks Research Study 2020-2021”. The rest touched the outside world, either originating there as with remote work against data-center systems or terminating there as with SaaS use from a company site or both as with VPNing into the network only to head back out to a SaaS app.To read this article in full, please click here

Software-defined perimeter is a good place to start a rollout of Zero Trust network access

Zero Trust relies on continuously re-authorizing users, applications, and devices to establish myriad “perimeters of one” in the environment, but the name isn’t quite accurate.Zero Trust doesn’t literally mean zero trust; it means zero implicit trust. You—whether that means a person, or a software or hardware system—are not to be trusted simply by virtue of where you are on the network; there is no network perimeter within which you are automatically trusted to connect to services. And you are not to be trusted now just because you were trusted when you first gained access to the network; gaining admission once is not the same thing as ongoing trust. And you are not to be trusted to make the new service connection you are trying to make now just because you were trusted to make the previous one.To read this article in full, please click here

Software-defined perimeter is a good place to start a rollout of Zero Trust network access

Zero Trust relies on continuously re-authorizing users, applications, and devices to establish myriad “perimeters of one” in the environment, but the name isn’t quite accurate.Zero Trust doesn’t literally mean zero trust; it means zero implicit trust. You—whether that means a person, or a software or hardware system—are not to be trusted simply by virtue of where you are on the network; there is no network perimeter within which you are automatically trusted to connect to services. And you are not to be trusted now just because you were trusted when you first gained access to the network; gaining admission once is not the same thing as ongoing trust. And you are not to be trusted to make the new service connection you are trying to make now just because you were trusted to make the previous one.To read this article in full, please click here