Dave: We're back with a blueprint for trusted infrastructure in partnership with Dell Technologies and theCUBE. And we're here with Mahesh Nagarantnam, who is a consultant in the area of networking product management at Dell Technologies. Mahesh, welcome, good to see you.

Mahesh: Hey, good morning, Dave. Nice to meet you.

Dave: Good to see you as well. Hey, so we've been digging into all the parts of the infrastructure stack, and now we're going to look at the all-important networking components. Mahesh, when we think about networking in today's environment, we think about the core data center, and we're connecting out to various locations, including the cloud and both the near and the far edge. So the question is, from Dell's perspective, what's unique and challenging about securing network infrastructure that we should know about?

Mahesh: Yeah, so a few years ago, IT security in an enterprise was primarily putting a wrapper around the data center, because IT was constrained to an infrastructure owned and operated by the enterprise for the most part. So putting a wrapper around it, like a perimeter or a firewall, was a sufficient response because you could basically control the environment, and it was small enough to control it. Today, with distributed data, intelligent software, different systems, multi-cloud environments and as-a-service delivery, the infrastructure for the modern era changes the way to secure the network infrastructure. In today's data-driven world, IT operates everywhere, and data is created and accessed everywhere, far from the centralized monolithic data centers of the past. The biggest challenge is, how do we build the network infrastructure of the modern era that is intelligent with automation, enabling maximum flexibility and business agility without any compromise on the security? We believe that in this data era, the security transformation must accompany digital transformation.

Dave: Yeah, that's very good.
You talked about a couple of things there. Data by its very nature is distributed. There is no perimeter anymore. So you can't just, as you say, put a wrapper around it, I like the way you phrased that. So when you think about cybersecurity resilience from a networking perspective, how do you define that? In other words, what are the basic principles that you adhere to when thinking about securing network infrastructure for your customers?

Mahesh: So our belief is that cybersecurity and cybersecurity resilience need to be holistic, they need to be integrated, scalable. One that spans the entire enterprise, with consistent objectives and, say, policy implementation. So cybersecurity needs to span across all the devices and run across any application, whether the application resides in the cloud or anywhere else in the infrastructure. From a networking standpoint, what does it mean? It's again the same principles, right? You know, in order to prevent the threat actors from accessing, changing, destroying or stealing sensitive data, this definition holds good for networking as well. So if you look at it from a networking perspective, it's the ability to protect from and withstand attacks on the networking systems. As we continue to evolve, this will also include the ability to adapt and recover from these attacks, which is what the cyber resilience aspect is all about. So cybersecurity best practices, as you know, are a continuously changing landscape, primarily because the cyber threats also continue to evolve.

Dave: Yeah, got it. So I like that. So it's got to be integrated. It's got to be scalable. It's got to be comprehensive and adaptable. You're saying it can't be static.

Mahesh: Right, right. So I think, you know, you had a second part of the question, you know, that says, what are the basic principles, you know, when you think about securing network infrastructure?
When you're looking at securing the network infrastructure, it revolves around the core security capabilities of the devices that form the network. And what are these security capabilities? These are access control, software integrity and vulnerability response. When you look at access control, it's to ensure that only the authenticated users are able to access the platform, and they're able to access only the kind of assets that they're authorized to, based on their user level. Now, accessing a network platform like a switch or a router, for example, is typically used for, say, configuration and management of the networking switch. So user access is based on, say, roles for that matter, you know, role-based access control, whether you're a security admin or a network admin or a storage admin. And it's imperative that logging is enabled, so that any change to the configuration is actually logged and monitored as well. When you're talking about software integrity, it's the ability to ensure that the software that's running on the system has not been compromised. And, you know, this is important because otherwise someone could actually, you know, get hold of the system and, you know, you could get undesired results. In terms of, say, validation of the images, it needs to be run through, say, a digital signature. So it's important that when you're talking about, say, software integrity, A, you're ensuring that the platform is not compromised, and B, that any upgrade, you know, that happens to the platform is happening through, say, a validated signature.

Dave: Okay, and now you've, so there's access control, software integrity, and I think you've got a third element which is, I think, response, but please continue.

Mahesh: Yeah, so, you know, the third one is about, say, vulnerability. So we follow the same process that's been followed by the rest of the products in the Dell product family.
That's to report or identify, you know, any kind of vulnerability that's being handled by the Dell Product Security Incident Response Team. So the networking portfolio is no different. You know, it follows the same process for identification, for triage, and for resolution of these vulnerabilities. And these are addressed either through patches or through new releases of the networking software.

Dave: Yeah, got it. Okay, so I mean, you didn't say zero trust, but when you were talking about access control, you're really talking about access to only those assets that people are authorized to access. I know zero trust sometimes is a buzzword, but you, I think, gave it some clarity there. Software integrity, it's about assurance, validation, the digital signature you mentioned, and that there's been no compromise, and then how you respond to incidents in a standard way that can fit into a security framework. So outstanding description, thank you for that. But then the next question is, how does Dell networking fit into the construct of what we've been talking about, Dell trusted infrastructure?

Mahesh: It is a key element in the Dell trusted infrastructure. It provides the interconnect between the server and the storage world, and it's part of any data center configuration. For a trusted infrastructure, the network needs to have access control in place, where only the authorized persons are able to make changes to the network configuration, and logging of any of those changes is also done through the logging capabilities. Additionally, we should also ensure that the configuration provides network isolation between, say, the management network and the data traffic network, because they need to be separate and distinct from each other. And furthermore, even if you look at the data traffic network, you have things like, say, segmentation, isolated segments via VRFs or micro-segmentation via partners. This allows various levels of security for each of those segments.
So it's important that the network infrastructure has the ability to provide all these services. From a Dell networking security perspective, there are multiple layers of defense, both at the edge and in the network, in the hardware and in the software, and it's essentially a set of rules and configuration that's designed to sort of protect the integrity, confidentiality and accessibility of the network assets. So each network security layer implements policies and controls, as I said, including some network segmentation. We do have capabilities also for centralized management, automation and scalability, for that matter. Now, you add all of these things with the open networking standards or software-defined principles, and you essentially reach the point where you're looking at zero trust network access, which is essentially sort of a building block for increased cloud adoption. If you look at, say, the different pillars of a zero trust architecture, if you look at the device aspect, we do have support for secure boot, for example, we do have trusted platform modules, TPMs, on certain of our products, and the physical security, the plain, simple, old unused-port disable. From a user trust perspective, it's all done via role-based access control, and the capability to provide remote authentication or things like, say, sticky MAC or MAC learning limits and so on. If you look at, say, a transport and a session trust layer, these are essentially how do you access this switch? Is it by plain old telnet? Or is it like secure SSH? And when a host communicates to the switch, we do have things like self-signed or certificate-authority-based certificates.
And one of the important aspects is, in terms of the routing protocol, say, for example, BGP, we do have the capability to support MD5 authentication between the BGP peers, so that there is no malicious attack on the network where the routing table is compromised. And the other aspect is about, say, control-plane ACLs. It's typical that if you don't have a control-plane ACL, it could be flooded and the switch could be compromised by denial-of-service attacks. From an application trust perspective, as I mentioned, we do have the application-specific security rules, where you could actually define the specific security rules based on the specific applications that are running within the system. And I did talk about, say, the digital signature and the cryptographic checks that we do for authentication, or rather for the authenticity and the validation of the image and the binaries and so on and so forth. Finally, the data trust, we are looking at the network separation. The network separation could happen over VRFs, plain old VLANs, which can bring about, say, multi-tenancy aspects. We do talk about, say, micro-segmentation as it applies to NSX, for example. The other aspect is we do have, with our own SmartFabric Services that's enabled in a fabric, a concept of, say, cluster security. So all of this, the different pillars, they sort of make up the zero trust infrastructure for the networking assets of an infrastructure.

Dave: So thank you for that, there's a lot to unpack there.
You know, the premise really of this segment that we're setting up in this series is that everything you just mentioned, or a lot of the things you just mentioned, used to be the responsibility of the security team, and the premise that we're putting forth is that because security teams are so stretched thin, you've got to shift to the vendor community. Dell specifically is shifting a lot of those tasks to their own R&D and taking care of a lot of that, because the SecOps team's got a lot of other stuff to worry about. So my question relates to things like automation, which can help in scalability. What about those topics as it relates to networking infrastructure?

Mahesh: Okay, it enables state-of-the-art automation software that enables simplifying of the design. So for example, we do have Fabric Design Center, a tool that automates the design of the entire fabric, and for the deployment and the management of the network infrastructure there is simplicity using, like, Ansible playbooks for SONiC, for example, or, for a better Citadel and Dell story, we do have SmartFabric Services that can automate the entire fabric for a storage solution or for one of the workloads, for example. Now, we do help reduce the complexity by closely integrating the management of the physical and the virtual networking infrastructure. And again, we have those capabilities using SONiC or SmartFabric Services. If you look at SONiC, for example, it delivers an automated, intent-based, secure, containerized network, and it has the ability to provide some network visibility and awareness, and all of these things are actually valid for a modern networking infrastructure. So now, if you look at SONiC, the usage of those tools that are available within the SONiC NOS is not restricted just to the data center infrastructure. It's a unified NOS that's well applicable beyond the data center, right up to the edge.
Now, if you look at our NOS from a SmartFabric OS10 perspective, as I mentioned, we do have SmartFabric Services, which essentially simplifies the deployment, day zero, I mean, rather day one, day two deployment, expansion plans and the lifecycle management of our converged infrastructure and hyperconverged infrastructure solutions. And finally, in order to enable, say, zero-touch deployment, we do have our VEP solution with our SD-WAN capability. So these are ways by which we bring down the complexity, by enhancing the automation capability using a singular NOS that can expand from the data center now right to the edge.

Dave: Great, thank you for that. Last question, real quick, pitch me. Can you summarize, from your point of view, what's the strength of the Dell networking portfolio?

Mahesh: Okay, so from a Dell networking portfolio, we support capabilities at multiple layers. As I mentioned, we've talked about the physical security, for example, it's the disabling of the unused interfaces, sticky MAC and trusted platform modules, among other things. And when we're talking about, say, secure boot, for example, it delivers the authenticity and the integrity of the OS10 images at startup. And secure boot also protects the startup configuration, so that the startup configuration file is not compromised. And secure boot also enables the boot loader protection, for example. Yet another aspect is software image integrity validation, wherein the image is validated for the digital signature prior to any upgrade process. And if you're looking at secure access control, we do have things like role-based access control, SSH to the switches, control-plane access control that pre-empts DoS attacks, and, say, access control through multi-factor authentication. We do have RADIUS and TACACS for access control to the network, and things like CAC and PIV support from a federal perspective.
We do have logging, wherein any event, any auditing capability is possible by, say, looking at the syslog servers, and the logs are pretty much now transmitted from the devices over TLS, for example. And last, we talked about, say, network separation, and this separation ensures that there is a contained segment for a specific purpose or for a specific zone. And this can be implemented by micro-segmentation, or just plain old vanilla VLANs, or using virtual routing and forwarding (VRFs).

Dave: A lot there. I mean, I think frankly, my takeaway is you guys do the heavy lifting in a very complicated topic. So thank you so much for coming on theCUBE and explaining that in quite some depth. Really appreciate it.

Mahesh: Thank you, Dave.

Dave: You're very welcome. Okay, in a moment I'll be back to dig into the hyper-converged infrastructure part of the portfolio and look at how, when you enter the world of software-defined, where you're controlling servers and storage and networks via a software-led system, you can be sure that your infrastructure is trusted and secure. You're watching a blueprint for trusted infrastructure, made possible by Dell Technologies in collaboration with theCUBE, your leader in enterprise and emerging tech coverage.