Friday, March 28, 2025

Using Network Security Integrations For Enhanced Security

Network Security Integrations

To protect corporate networks and apply uniform policies across several clouds, many Google Cloud users have invested heavily in third-party ISV security solutions, such as appliances. Integrating these solutions into a cloud application environment nevertheless poses distinct challenges:

Network re-architecture

In order to route application traffic through third-party appliances for traffic inspection, a network redesign is frequently required. This method can be error-prone, add operational overhead, and slow down application deployment time because of the high rate of change in a cloud application environment.

High cost of operation

Overprovisioning and higher costs result from the inability to selectively route traffic to third-party appliances for inspection. Regardless of their applications' security inspection requirements, customers frequently purchase larger, more costly appliances to handle all of their traffic.

Difficulty meeting compliance requirements

It can be difficult to meet security and regulatory standards for an application deployment, and clients frequently need to use proprietary tooling.

To tackle these issues, Google Cloud has announced Network Security Integrations. Without altering your network architecture or routing rules, Network Security Integrations lets you combine third-party network appliance or service deployments with your Google Cloud workloads while preserving uniform policies across hybrid and multicloud environments. It also enables advanced network security, application and network performance monitoring, and thorough visibility into workload traffic. Without changing the original packets, it securely sends traffic to third-party inspection destinations using Generic Network Virtualisation Encapsulation (Geneve) tunnelling.

Network Security Integrations also supports faster application deployments and compliance through a producer/consumer model. Infrastructure operations teams can offer collector infrastructure as a service to application development teams, who consume it dynamically. Support for hierarchical firewall policy management makes it easier to enforce compliance without creating delays.

There are two main ways to integrate network security:

  • Out-of-band integration (GA): Mirrors the desired traffic to a separate destination for offline analysis.
  • In-band integration (Preview): Sends specific traffic to a third-party security stack so that it can be inspected inline.

Network Security Integrations out-of-band

When operating out-of-band, Network Security Integrations transparently mirrors packets going to and from the workload to a destination collection group. Geneve encapsulation helps deliver the mirrored packets securely to the final destination.

Network Security Integration out-of-band
Image credit to Google Cloud
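As an added illustration (not code from Google Cloud or from this article), the sketch below shows how a collector could validate the Geneve header on a mirrored packet and recover the inner packet unchanged before handing it to an inspection engine. The header layout follows RFC 8926; the VNI, option class and inner bytes in the sample are constructed, since the page does not say which values Google Cloud sends.

```python
import struct

GENEVE_UDP_PORT = 6081  # IANA-assigned Geneve port (RFC 8926)

class GeneveError(ValueError):
    """Raised when a UDP payload is not a well-formed Geneve packet."""

def parse_geneve(udp_payload: bytes) -> dict:
    """Validate the Geneve header and return its fields plus the inner packet."""
    if len(udp_payload) < 8:
        raise GeneveError("truncated base header")
    b0, b1, proto = struct.unpack_from("!BBH", udp_payload, 0)
    version, opt_len = b0 >> 6, (b0 & 0x3F) * 4  # Opt Len counts 4-byte words
    if version != 0:
        raise GeneveError(f"unsupported version {version}")
    end = 8 + opt_len
    if len(udp_payload) < end:
        raise GeneveError("option length exceeds packet")
    options, off = [], 8
    while off < end:  # walk the variable-length TLV options
        opt_class, opt_type, rlen = struct.unpack_from("!HBB", udp_payload, off)
        data_len = (rlen & 0x1F) * 4
        if off + 4 + data_len > end:
            raise GeneveError("option overruns header")
        options.append({"class": opt_class, "type": opt_type & 0x7F,
                        "critical": bool(opt_type & 0x80),
                        "data": udp_payload[off + 4:off + 4 + data_len]})
        off += 4 + data_len
    return {
        "vni": int.from_bytes(udp_payload[4:7], "big"),
        "protocol": proto,                 # EtherType of the inner packet
        "control": bool(b1 & 0x80),        # O bit: control packet, no payload to inspect
        "critical": bool(b1 & 0x40),       # C bit: critical options present
        "options": options,
        "inner": udp_payload[end:],        # original packet, byte-for-byte
    }

# Constructed sample: inner IPv4 bytes, VNI 0xABCD, one experimental-class option.
INNER = bytes.fromhex("4500001c000100004011f97cc0a80001c0a80002")
SAMPLE = (struct.pack("!BBH", 2, 0, 0x0800) + (0xABCD).to_bytes(3, "big") + b"\x00"
          + struct.pack("!HBB", 0xFFFF, 0x01, 1) + b"\x00\x00\x00\x2a" + INNER)

if __name__ == "__main__":
    pkt = parse_geneve(SAMPLE)
    print(hex(pkt["vni"]), hex(pkt["protocol"]), pkt["inner"] == INNER)
```

A collector should drop packets that raise `GeneveError` rather than pass partially parsed data downstream.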

Use cases that benefit from Network Security Integrations running out-of-band include the following:

Implementing advanced network security

Use sophisticated offline analysis to find known attacks with preset signature patterns, and anomaly-based detection to find previously unknown attacks. Traffic from vulnerable workloads is mirrored for further examination, with granular filtering capabilities.

Improve application availability and performance

Instead of depending just on application logs, diagnose and examine what’s happening over the wire. Network traffic analysis tools use analytics and machine learning to examine mirrored packet data, establishing the network’s typical behaviour before looking for anomalies that could point to possible performance or availability problems.

Support regulatory and compliance requirements

To satisfy strict standards for audits and forensic investigations, the finance industry and other regulated sectors must record and preserve particular kinds of network traffic for a set amount of time.

Network Security Integrations in-band

Network Security Integration in-band
Image credit to Google Cloud

With in-band integration, traffic entering or leaving a workload can be intercepted and routed to a security stack, where it is examined for security policy compliance and potential risks. With the bump-in-the-wire implementation of in-band interception, you can examine traffic between VPCs or even between application components within the same VPC. This lets you implement genuine Zero Trust security in your environment by reducing your security domain to the size of a workload.

Consider deploying Network Security Integrations in-band in the following situations:

  • Natively connect to third-party firewalls and Cloud Next Generation Firewalls (NGFW): Deploying Google Cloud NGFW and third-party security solutions is made easier with Network Security Integrations. It enables you to use Cloud NGFW’s distributed firewall features for optimal inspection and to deploy third-party security services for traffic that needs extra security controls.
  • Add the network security solution of your choice to brownfield application environments: Without changing your present routing setup, Network Security Integrations in-band is a sophisticated way to include third-party security appliances straight into your current network infrastructure. You can add more security and protection layers to your application traffic by putting it in-band, which will help to provide thorough defence against possible network threats.

An integrated security ecosystem 

Google Cloud is dedicated to providing clients' network traffic and workloads with improved visibility and the highest level of security. With Network Security Integrations you can keep using existing third-party security solutions in your cloud environment, with reduced costs, tighter integration, higher compliance, and no modifications to routing setup.

Thota nithya
Thota Nithya has been writing Cloud Computing articles for govindhtech since April 2023. She is a science graduate and a cloud computing enthusiast.