
Mahesh Nagarathnam, Dell Technologies


 

(upbeat music)

>> We're back with a Blueprint for Trusted Infrastructure in partnership with Dell Technologies and theCUBE. And we're here with Mahesh Nagarathnam, who is a consultant in the area of networking product management at Dell Technologies. Mahesh, welcome, good to see you.

>> Hey, good morning, Dave. It's nice to meet you as well.

>> Hey, so we've been digging into all the parts of the infrastructure stack, and now we're going to look at the all-important networking components. Mahesh, when we think about networking in today's environment, we think about the core data center and we're connecting out to various locations including the cloud and both the near and the far edge. So the question is, from Dell's perspective, what's unique and challenging about securing network infrastructure that we should know about?

>> Yeah, so a few years ago, IT security in an enterprise was primarily putting a wrapper around the data center because IT was constrained to an infrastructure owned and operated by the enterprise for the most part. So putting a wrapper around it like a perimeter or a firewall was a sufficient response because you could basically control the enormous data into small enough control. Today, with the distributed data, intelligent software-defined systems, multi-cloud environment and as-a-service delivery, the infrastructure for the modern era changes the way to secure the network infrastructure. In today's data-driven world, IT operates everywhere and data is created and accessed everywhere. So far from the centralized mono data centers of the past. The biggest challenge is how do we build the network infrastructure of the modern era that are intelligent, with automation, enabling maximum flexibility and business agility without any compromise on the security. We believe that in this data era, the security transformation must accompany digital transformation.

>> Yeah, that's very good. You talked about a couple of things there.
Data by its very nature is distributed, there is no perimeter anymore. So you can't just, as you say, put a wrapper around it, I like the way you phrase that. So when you think about cyber security resilience from a networking perspective, how do you define that? In other words, what are the basic principles that you adhere to when thinking about securing network infrastructure for your customers?

>> So our belief is that cybersecurity and cybersecurity resilience, they need to be holistic. They need to be integrated, scalable, one that spans the enterprise and with a consistent and objective and policy implementation. So cybersecurity needs to span across all the devices and running across any application whether the application resides on the cloud or anywhere else in the infrastructure. From a networking standpoint, what does it mean? It's again, the same principles. In order to prevent the threat actors from accessing, changing, destroying or stealing sensitive data, this definition holds good for networking as well. So if you look at it from a networking perspective it's the ability to protect from and withstand attacks on the networking systems. As we continue to evolve, this will also include the ability to adapt and recover from these attacks which is what cyber resilience aspect is all about. So cybersecurity, best practices as you know is continuously changing the landscape primarily because the cyber threats also continue to evolve.

>> Yeah, got it. I like that. So, it's got to be integrated. It's got to be scalable. It's got to be comprehensive and adaptable. You're saying it can't be static.

>> Right. So I think, you had a second part of the question that says, what are the basic principles when you're thinking about securing network infrastructure. When you are looking at securing the network infrastructure it revolves around core security capability of the devices that form the network. And what are these security capabilities?
These are access control, software integrity and vulnerability response. When you look at access control it's to ensure that only the authenticated users are able to access the platform and they're able to access only the kind of the assets that they're authorized to, based on their user level. Now accessing a network platform like a switch or a router, for example, is typically used for configuration and management of the networking switch. So user access is based on roles for that matter, role-based access control, whether you are security admin or a network admin or a storage admin. And it's imperative that logging is enabled because any of the change to the configuration is actually logged and monitored as well. When we're talking about software's integrity, it's the ability to ensure that the software that's running on the system has not been compromised. And this is important because it could actually get hold of the system and you could get undesired results. In terms of validation of the images, it needs to be done through digital signature. So it's important that when you're talking about software integrity, A, you are ensuring that the platform is not compromised and B, that any upgrades that happens to the platform is happening through validated signature.

>> Okay. And now you've, so there's access control, software integrity and I think you got a third element, which is, I think response, but please continue.

>> Yeah. So, the third one about vulnerability. So we follow the same process that's been followed by the rest of the products within the Dell Product family that's to report or identify any kind of vulnerability that's being addressed by the Dell Product Security Incident Response Team. So the networking portfolio is no different. It follows the same process for identification for triage and for resolution of these vulnerabilities. And this address either through patches or through new resource via networking software.

>> Yeah, got it.
I mean, you didn't say zero trust but when you were talking about access control you're really talking about access to only those assets that people are authorized to access. I know zero trust sometimes is a buzzword, but you, I think gave it some clarity there. Software integrity, it's about assurance, validation, your digital signature, you mentioned, and that there's been no compromise. And then how you respond to incidents in a standard way that can fit into a security framework. So outstanding description. Thank you for that. But then the next question is how does Dell Networking fit into the construct of what we've been talking about, Dell Trusted Infrastructure?

>> So networking is the key element in the Dell Trusted Infrastructure. It provides the interconnect between the server and the storage world and it's part of any data center configuration. For a trusted infrastructure, the network needs to have access control in place where only the authorized personnel are able to make changes to the network configuration and logging of any of those changes is also done through the logging capabilities. Additionally, we should also ensure that the configuration should provide network isolation between the management network and the data traffic network because they need to be separate and distinct from each other. And furthermore, even if you look at the data traffic network, you have things like segmentation, isolated segments and via VRFs or micro-segmentation via partners. This allows various levels of security for each of those segments. So it's important that the network infrastructure has the ability to provide all these services. From a Dell networking security perspective, there are multiple layers of defense, both at the edge and in the network, in the hardware and in the software. And essentially, a set of rules and a configuration that's designed to sort of protect the integrity, confidentiality and accessibility of the network assets.
So each network security layer, it implements policies and controls, as I said, including network segmentation, we do have capabilities, resources, centralized management, automation, and capability and scalability for that matter. Now you add all of these things with the open networking standards or software-defined principles, and you essentially reach to the point where you're looking at zero trust network access which is essentially sort of a building block for increased cloud adoption.

If you look at the different pillars of a zero trust architecture, if you look at the device aspect, we do have support for secure boot, for example, we do have trusted platform, trusted platform modules, TPMs on certain of our products. And the physical security, plain simple old WLAN port enable disable.

From a user trust perspective, we know it's all done via access control base via role-based access control and capability in order to provide remote authentication or things like sticky MAC or MAC learning limit and so on.

If you look at a transport and a session trust layer, these are essentially, how do you access this switch. Is it by plain old Telnet, or is it like secure SSH? And when a host communicates to the switch, we do have things like self-signed or a certificate authority based certification. And one of the important aspects is, in terms of the routing protocol, the routing protocol, for example, BGP, for example, we do have the capability to support MD5 authentication between the BGP peers so that there is no malicious attack to the network where the routing table is compromised. And the other aspect is about control plane ACL. It's typical that if you don't have a control plane ACL, it could be flooded and the switch could be compromised by denial of service attacks.
From an application trust perspective, as I mentioned, we do have the application specific security rules where you could actually define the specific security rules based on the specific applications that are running within the system. And I did talk about the digital signature and the cryptographic checks and that we do for authentication and, I mean rather for the authenticity and the validation of the image and the boundary and so on and so forth.

Finally the data trust, we are looking at the network separation. The network separation could happen over VRF, plain old VLANs which can bring about multitenancy aspects. We talk about micro-segmentation as it applies to NSX, for example. The other aspect is we do have with our own smart fabric services, that's enabled in a fabric, we have a concept of cluster security. So all of this, the different pillars, they sort of make up for the zero trust infrastructure for the networking assets of an infrastructure.

>> Yeah, so thank you for that. There's a lot to unpack there. One of the premise, the premise really this segment that we're setting up in this series, is really that everything you just mentioned, or a lot of things you just mentioned used to be the responsibility of the security team and the premise that we're putting forth is that because security teams are so stretched thin, you got to shift a vendor community, Dell specifically is shifting a lot of those tasks to their own R&D and taking care of a lot of that. 'Cause SecOps teams got a lot of other stuff to worry about. So my question relates to things like automation which can help and scalability. What about those topics as it relates to networking infrastructure?

>> Our portfolio, it enables state of the automation software that enables simplifying of the design.
So for example, we do have the fabric design center, a tool that automates the design of the entire fabric and from a deployment and the management of the network infrastructure, there are simplicities using like Ansible playbooks for SONiC, for example. Or for a better storage, we do have smart fabric services that can automate the entire fabric for a storage solution or for one of the workloads, for example. Now we do help reduce the complexity by closely integrating the management of the physical and the virtual networking infrastructure. And again, we have those capabilities using SONiC or smart fabric services. If you look at SONiC for example, it delivers automated intent based secure containerized network. And it has the ability to provide network visibility and awareness and of these things are actually valid for a modern networking infrastructure. So now if you look at SONiC, the usage of those tools that are available within the SONiC NOS is not restricted just to the data center infrastructure, it's a unified NOS that's well applicable beyond the data center, right up to the edge. Now, if you look at our NOS from a smart fabric OS10 perspective, as I mentioned, we do have smart fabric services, which essentially simplifies the deployment, day one day two deployment expansion plans and the life cycle management of our converged infrastructure and hyperconverged infrastructure solutions. And finally, in order to enable zero touch deployment, we do have a VEP solution with our SD-WAN capability. So these are in a ways by which we bring down the complexity by enhancing the automation capability using a singular NOS that can expand from a data center now, right to the edge.

>> Great, thank you for that. Last question real quick. Pitch me, can you summarize from your point of view what's the strength of the Dell networking portfolio?

>> So from a Dell networking portfolio we support the capabilities at multiple layers, as I mentioned.
We're talking about the physical security, for example, let's say disabling of the unused interface, sticky MAC and trusted platform modules are the things that to go after. And when you're talking about secure boot, for example, it delivers the authenticity and the integrity of the OS10 images at the startup. And secure boot also protects the startup configuration so that the startup configuration file is not compromised. And secure boot also enables the bootloader protection, for example. That is at another aspect of software image, integrity validation, wherein the image is validated for the digital signature prior to any upgrade process. And if you are looking at secure access control we do have things like role-based access control, SSH to the switches, control plane, access control, that pre-onset attacks and access control through multifactor authentication. We do have RADIUS, TACACS for entry control to the network and things like CSE and PRV support from a federal perspective. We do have logging wherein any event, any auditing capabilities can be possible by looking at the syslog servers which are pretty much in our transmitter from the devices ORTS, for example. And last we talked about network separation. And this separation ensures that that is a contained segment for a specific purpose or for the specific zone. And this can be implemented by a micro-segmentation, just a plain old VLAN or using virtual routing and forwarding, VRF, for example.

>> A lot there. I mean, I think frankly, my takeaway is you guys do the heavy lifting in a very complicated topic. So thank you so much for coming on theCUBE and explaining that in quite some depth. Really appreciate it.

>> Thank you, Dave.

>> Oh, you're very welcome.
Okay, in a moment, I'll be back to dig into the hyperconverged infrastructure part of the portfolio, and look at how, when you enter the world of software defined where you're controlling servers and storage and networks via software led system, you could be sure that your infrastructure is trusted and secure. You're watching a Blueprint for Trusted Infrastructure made possible by Dell Technologies in collaboration with theCUBE, your leader in enterprise and emerging tech coverage.

(soft upbeat music)

Published Date : Sep 15 2022
