Could Network Security Be Key to Ideal UX?

Typically, network security stays unnoticed and under the surface unless it’s directly impacting a user (e.g., host firewall or VPN issues impairing video conferences). To achieve this type of unnoticed security, industry professionals focus on building networks with security and user experience in mind from the start. Consider for a moment that network security employs several powerful capabilities, such as session visibility, application behavioral awareness, connectivity telemetry and user insights, to perform its role. The combination of these capabilities allows networks to make line-rate, deterministic choices on whether traffic is good or bad. This raises the question: is there a technology better suited to augment and improve the network experience than security?

Think about it: network security technology often utilizes deep packet inspection (DPI) to do its job and deterministically offers a verdict of “good,” “bad” or “unknown.” With the acceptable tolerance for false positives set very low, much of the threat detection process is spent investigating the details of each flow at various layers of the Open Systems Interconnection (OSI) stack (Layer 2 to Layer 7). So, why don’t more security vendors leverage the user experience “gems” within the flows they’re already evaluating?

Why Today’s Approach Doesn’t Work

Unfortunately, the various standards and approaches available today don’t universally work. There are many bits in packet and frame headers that assist in the endeavor to provide an excellent user experience, such as the 802.1p priority bits carried in the 802.1Q tag. Additionally, there are various vendor-specific approaches, all of which work well within an organization’s own network to deliver varying quality of experience (QoE) levels. These are often chosen simply based on traffic class, cost and quality goals.

The problem begins at the edge of an organization’s network, the WAN on-ramp, because few providers honor these bits. Without an SLA or some service construct in place to ensure performance through the provider network, there is no guarantee of experience from edge to edge even within a single provider. This issue is compounded further because many users in an organization traverse several providers to reach the application destination. It’s a testament to how the queues, load balancing and application accelerators – and the varying components in between – impact service experiences. Now, introduce secure sockets layer (SSL) encryption and the application diversity supported by a single socket or port, and the issue becomes even more challenging.
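As an added illustration, not part of the original article, the following Python parses the 802.1Q tag that carries the 802.1p priority bits and checks whether a copy of the same frame observed on the far side of a provider still carries the priority it was sent with (the frames are constructed, and `priority_honored` is a hypothetical check, not a standard API):

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100  # TPID that announces an 802.1Q tag


@dataclass
class VlanTag:
    pcp: int  # 802.1p priority code point (3 bits, 0-7)
    dei: int  # drop eligible indicator (1 bit)
    vid: int  # VLAN identifier (12 bits)


def parse_vlan_tag(frame: bytes) -> Optional[VlanTag]:
    """Return the 802.1Q tag of an Ethernet frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("tagged frame is missing its TCI field")
    tci = struct.unpack_from("!H", frame, 14)[0]
    return VlanTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)


def build_frame(dst: bytes, src: bytes, payload: bytes, pcp: Optional[int] = None,
                vid: int = 1, dei: int = 0, ethertype: int = 0x0800) -> bytes:
    """Build an Ethernet frame; an 802.1Q tag is inserted only when pcp is given."""
    header = dst + src
    if pcp is not None:
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def priority_honored(ingress: bytes, egress: bytes) -> bool:
    """True only if the egress copy still carries the ingress 802.1p priority.
    A stripped tag and a re-marked PCP both count as the marking not being honored."""
    before, after = parse_vlan_tag(ingress), parse_vlan_tag(egress)
    return before is not None and after is not None and before.pcp == after.pcp


# Constructed sample frames (not captured traffic): one voice-class frame as sent
# into the WAN (PCP 5), as returned with the tag stripped, and as re-marked to 0.
DST, SRC, PAYLOAD = bytes.fromhex("01005e000001"), bytes.fromhex("020000000001"), b"\x00" * 46
SENT = build_frame(DST, SRC, PAYLOAD, pcp=5, vid=100)
STRIPPED = build_frame(DST, SRC, PAYLOAD)
REMARKED = build_frame(DST, SRC, PAYLOAD, pcp=0, vid=100)
```

Comparing `SENT` against `STRIPPED` or `REMARKED` with `priority_honored` shows the two ways a provider edge commonly discards the marking: removing the tag entirely, or rewriting the priority to best effort.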

Security Could Be Key

Imagine that network security is already in line and session-, application- or user-aware, at least in the context of passing through the “deterministic verdict engine” described earlier. In this process, the security solution has either decrypted the flow or applied policy in accordance with the risk tolerance of the organization. This includes a line rate lookup of the header metadata markers coupled with reading into the payload for application, sub-application and increasingly specific user context (zero-trust network access). In turn, the security solution provides a logic check against behavior, often where data loss prevention (DLP) checks and some other advanced threat techniques reside. With this process, there are few degrees of separation between a network security solution and a holistic experience enforcement mechanism, presuming the state of the security verification is preserved and the flow is secure from one end to the other.

Don’t Own the WAN Transport

There are only a couple of secure options for organizations – a private network connection from user to service (VPN, ZTNA) or the increasingly popular secure and performant access edge, such as Microsoft Azure ExpressRoute. What is needed is a secure method to honor service experience requests at the session level without heavy overhead. Standards-based efforts take a long time, and several bodies continue to work on them. In the meantime, many promising approaches are being considered and adopted that take a more direct route to controlling each session or connection. Whether the process is to set priority at the start of the flow and ensure that it’s honored end-to-end, or to employ security technologies to identify the priority request based on various criteria (e.g., application, user, business intent, etc.), the desired outcome is the same.

Every organization wants to deliver a service experience that is exceptional for both users and customers, while effectively managing risks and mitigating threats. As an industry, we have only begun to scratch the surface of the potential benefits of tightly integrated networking and security. However, we know building products with security and user experience in mind from the start will achieve far more than trying to bolt on a solution after the fact.


Mike Spanbauer

Mike Spanbauer is a Senior Director and Technology Evangelist for Juniper Networks. Mike’s work and expertise in network and security advisory, consulting, and product strategy over the last 25 years provide a breadth of perspective across network and security execution, as well as approaches to solving the operational and governance needs that organizations face. He most recently served as Vice President of Research Strategy for NSS Labs, driving the enterprise research and consulting practice for NSS’ global clients. Prior to that, Mike held leadership roles at Current Analysis and HP in research, strategy, and competitive intelligence.
