Network modernization strategies for federal technologists
Presented by Presidio Federal and Cisco Meraki
Cisco Meraki gears up to help federal agencies establish secure internet connections.
Software-defined networking (SDN) is changing how technologists configure switches and routers. Compared to legacy approaches to configuring, managing and upgrading network hardware, SDN provides a centralized platform allowing for a more uniform and streamlined approach to network deployments, software updates, and configuration changes.
As the technology evolves, however, Jeff Colburn, Cisco Certified Internetwork Expert (CCIE) and enterprise networking solutions architect for Presidio Federal, sees automation and artificial intelligence (AI) as playing a pivotal role in helping federal agencies meet emerging network needs.
“You have to get automation behind your SDNs. People aren’t satisfied clicking around their graphical user interface to configure their devices — that still takes too much time,” he explained.
As agencies' digital footprints expand, the demand for secure, trusted internet connections is more critical than ever. The widespread adoption of remote work and software-as-a-service solutions has prompted newer engineers to automate existing processes using tools like Ansible and Terraform. While these technologies significantly boost productivity, they also pose potential security risks, as automated systems can inadvertently introduce vulnerabilities.
As data becomes increasingly diffuse, federal attack surfaces will grow, and advanced persistent threats (APTs) will look to exploit that larger surface.
Traditionally, federal leaders relied on perimeter security and macro-segmentation strategies to protect against north-south attacks. However, with the increasing risk of lateral (east-west) attacks, Colburn emphasizes that federal agencies must prioritize the implementation of a zero trust framework.
By focusing on robust zero trust policies, federal agencies lay the groundwork for progress toward key goals and objectives outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA) Trusted Internet Connections (TIC) initiative.
While secure, trusted internet connections out of federal buildings and data centers were the primary focus of TIC 2.0, TIC 3.0 homes in on the need for trusted connections into federal workspaces. Remote workers, applications and sensors should be able to access data without backhauling to a centralized location. For example, if a user tries to access their agency’s version of Microsoft Office 365, there should be no reason to send them through a data center in Chicago when they reside in Washington, D.C.
With security protocols set in one spot, agencies can screen inbound and outbound connections, but even in this environment, monitoring every aspect of an agency’s network is challenging. Secure Access Service Edge (SASE) devices work to balance the need for speed and security by providing federal agencies with a single checkpoint for a diffuse model of data, devices and people.
“Backhauling to a data center and then going out to a trusted internet connection is inefficient,” Colburn said. “To achieve TIC 3.0 compliance, federal agencies must establish local internet connections and decentralize their security with either on-prem or SASE services.”
Cisco Meraki’s role in supporting TIC 3.0 compliance
At Cisco Meraki, subject matter experts are working to build solutions that meet emerging mission needs, starting with a focus on SASE integration for on-premises and cloud-based edge devices.
Compliance with TIC 3.0 standards requires secure internal and external connections. However, while backhauling data to a centralized location across MPLS circuits may have been secure, it introduces unnecessary latency and potential performance issues when accessing cloud-hosted applications.
Cisco Meraki addresses this problem by allowing users to quickly connect their device to Cisco Umbrella. With Cisco Meraki, federal leaders can route connections wherever they need, be it Amazon or Microsoft, without the need for MPLS circuits. Instead, Cisco Meraki relies on secure internet tunnels over IPv4 and IPv6 across software-defined wide area networks (SD-WAN), bypassing the need to turn on individual firewall services and navigate a complex GUI.
“Meraki supports both IPv4 and IPv6. If I need a co-existence — which you will need, as you can’t just flip a switch and be IPv6 overnight — Meraki can support that,” Colburn said. “Meraki is in a good position to help federal agencies meet emerging challenges and establish TIC compliance.”
For instance, Cisco Meraki integrates with Cisco’s Identity Services Engine (ISE). In ISE, federal technologists can build out profiles and security group tags in line with existing zero trust policies to implement a micro-segmentation strategy that restricts lateral movement across the network. Segmentation, security and network management all happen on one unified dashboard designed to help federal agencies streamline operations.
Compared to other enterprise network solutions, Cisco Meraki focuses on reducing the “swivel” many federal technologists encounter in day-to-day operations. Instead of jumping from one platform to the next, federal technologists can use the ThousandEyes integration to map data paths across their environment and third-party vendors. With real-time, end-to-end visibility, leaders can quickly pinpoint performance chokepoints and optimize network performance regardless of where the user may be.
“Today's networks have to be like electricity. Always available and not complicated to utilize. That is where we're trying to get with Meraki. As a design engineer, we have to ask how can we make this easier and less costly,” Colburn said.
Discover the power of network simplicity with Cisco Meraki and Presidio Federal.
This content was made possible by our sponsors Presidio Federal and Cisco Meraki; it was not written by nor does it necessarily reflect the views of NextGov's editorial staff.