Implementing SDN Programmable Infrastructure for Zero Trust (Activity 5.2.2)
In the previous activity (Activity 5.2.1), we did the planning work: defining the APIs and programmatic interfaces needed to make our Software-Defined Networking (SDN) or alternative network architecture controllable and automatable for Zero Trust purposes. In Zero Trust Activity 5.2.2: Implement SDN Programmable Infrastructure, we move from definition to deployment and integration.
This activity is the hands-on phase where DoD Components implement Software-Defined Networking (SDN) or alternative networking approach infrastructure based on the API standards and requirements defined in Activity 5.2.1. This activity is about operationalizing the programmable network, ensuring that the defined APIs are utilized to connect and automate the enforcement of Zero Trust policies directly within the network fabric.
The ultimate end state is a fully functional and automated programmable network supporting Zero Trust: the SDN or alternative networking approach infrastructure is fully implemented across Components, with segmentation gateways and authentication decision points integrated and operational. Comprehensive logging and monitoring are established through SIEM and log analytics, ensuring continuous oversight and rapid response capabilities. The automation of these processes enhances network security, efficiency, and compliance with ZT principles.
Solutions for Achieving Implement SDN Programmable Infrastructure
Implementing Activity 5.2.2 requires deploying the core programmable network infrastructure and then technically integrating the specified security and network control components using the APIs defined in Activity 5.2.1.
- Implement application delivery control (ADC) proxy – An application delivery control proxy is a “traffic manager” that sits in front of one or more application servers. Its traditional job is to ensure applications are available, performant, and secure by directing user requests to the right server (load balancing), optimizing traffic, and sometimes providing basic security such as SSL offload or a Web Application Firewall (WAF). In the context of Zero Trust Activity 5.2.2: Implement SDN Programmable Infrastructure, where you are building a programmable network and integrating security controls using the APIs defined in 5.2.1, “implementing application delivery control proxy” means:
  - Integrating the ADC/Proxy into the Programmable Network Infrastructure: ensuring that the ADC/proxy is connected to and controllable by your SDN controller or programmable network environment using the APIs defined in Activity 5.2.1.
  - Enabling Automation for Zero Trust Outcomes: by integrating the ADC/proxy into the programmable network via APIs, you enable automation of its behavior for Zero Trust purposes. For example:
    - Dynamic Traffic Steering: based on a user’s identity, device posture, or risk score (determined by other Zero Trust components), the programmable network can use APIs to instruct the ADC/proxy to direct that user’s traffic to a specific instance of an application, perhaps a hardened version or one with additional monitoring.
    - Policy Enforcement: the programmable network can dynamically apply or modify security policies on the ADC/proxy via APIs, such as blocking access to certain application URLs or applying specific security checks based on real-time threat intelligence.
    - Access Control at the Application Front Door: the ADC/proxy acts as an enforcement point, ensuring that only authorized and trusted connections (as determined by policies orchestrated by the programmable network) reach the application servers.
- Integrate authentication decision points – An Authentication Decision Point (think of it as closely related to, or part of, a Policy Decision Point, PDP) is the component or system responsible for evaluating whether an entity (a user, a device, or a non-person entity, NPE) needs to be authenticated, or whether an attempted authentication is valid, based on defined policies and available context (identity attributes, device posture, location, etc.). It is the “brain” that decides “Does this entity need to prove who it is right now?” or “Is the proof of identity provided sufficient given the circumstances?” This decision point often interacts closely with the Identity Provider (IdP), which performs the actual authentication process. Within Zero Trust Activity 5.2.2: Implement SDN Programmable Infrastructure, integrating authentication decision points means:
  - Connecting the Programmable Network to the Decision Maker: you are establishing communication channels and technical links between your SDN and the system(s) that perform the authentication decision-making.
  - Utilizing Defined APIs for Interaction: this integration happens using the APIs defined in Activity 5.2.1. These APIs allow the network infrastructure to programmatically interact with the authentication decision point.
  - Enabling Dynamic Authentication Enforcement by the Network: by integrating the authentication decision point into the programmable network via APIs, you enable the network to dynamically enforce authentication requirements based on real-time conditions and policies.
- Implement segmentation gateways – Network segmentation is the practice of dividing a network into smaller, isolated segments. A segmentation gateway is the device or software component that enforces the boundaries between these network segments. It controls which traffic is allowed to pass from one segment to another based on defined policies. Within Zero Trust Activity 5.2.2: Implement SDN Programmable Infrastructure, “implement segmentation gateways” means:
  - Deploying or Configuring the Enforcement Points: you are deploying or configuring the necessary firewalls, routers, security appliances, or software agents that will act as the gateways enforcing the boundaries between your network segments.
  - Integrating Them into the Programmable Network Infrastructure: this is the critical Zero Trust aspect linked to programmability. You are ensuring that these segmentation gateways are connected to and controllable by your SDN controller using the APIs defined in Activity 5.2.1.
  - Enabling Automation of Segmentation Policies: by integrating the segmentation gateways into the programmable network via APIs, you enable automation of their segmentation policies and traffic control based on real-time security events and policy decisions.
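As an added illustration (not code from this page or from the DoD Zero Trust documents), the following minimal Python orchestrator turns one access request into the three enforcement actions described above: an authentication requirement for the decision point, an allow/deny rule for the segmentation gateway, and a steering decision for the ADC/proxy, plus a JSON record for the SIEM. The controller API paths and request bodies, the `RecordingController` stand-in, and the 0-100 risk-score scale are assumptions; the real interfaces are whatever Activity 5.2.1 defined for your environment.

```python
# Added illustration, not from the page or the DoD Zero Trust documents: a
# minimal orchestrator turning user/device context into the three enforcement
# actions described. Controller paths/bodies are hypothetical stand-ins.
from dataclasses import dataclass
import json

@dataclass
class AccessRequest:
    user: str
    device_compliant: bool   # device posture from an endpoint agent (assumed)
    risk_score: int          # 0 = lowest .. 100 = highest (assumed scale)
    src_segment: str
    dst_segment: str
    app: str

@dataclass
class FabricActions:
    auth: str       # authentication decision point requirement: none | mfa
    gateway: str    # segmentation gateway rule for src -> dst: allow | deny
    adc_pool: str   # application pool the ADC/proxy steers the user to

def decide(req: AccessRequest, risk_threshold: int = 70) -> FabricActions:
    """Non-compliant devices are denied at the segmentation gateway; elevated
    risk forces MFA and steers to a hardened, monitored app instance;
    otherwise normal access to the default pool."""
    if not req.device_compliant:
        return FabricActions("mfa", "deny", "quarantine")
    if req.risk_score >= risk_threshold:
        return FabricActions("mfa", "allow", f"{req.app}-hardened")
    return FabricActions("none", "allow", f"{req.app}-default")

class RecordingController:
    """Stand-in for the SDN controller; records the API calls it would apply."""
    def __init__(self):
        self.calls = []

    def post(self, path: str, body: dict) -> None:
        self.calls.append((path, body))

def enforce(req: AccessRequest, ctl: RecordingController) -> str:
    """Push the decision through the controller APIs and return the JSON line
    that would be forwarded to the SIEM for this decision."""
    act = decide(req)
    ctl.post("/auth/requirements", {"user": req.user, "level": act.auth})
    ctl.post("/gateway/rules", {"src": req.src_segment, "dst": req.dst_segment,
                                "action": act.gateway})
    ctl.post("/adc/steering", {"user": req.user, "pool": act.adc_pool})
    return json.dumps({"user": req.user, "app": req.app, "risk": req.risk_score,
                       "auth": act.auth, "gateway": act.gateway, "pool": act.adc_pool})
```

Every decision produces a SIEM record whether it was an allow or a deny, which is the visibility the activity's end state calls for.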
Relevant Technologies and Tools:
Successfully implementing Activity 5.2.2 relies on connecting several technologies; it is predominantly a complex integration and implementation task involving the following key technologies:
- Software-Defined Networking (SDN) Controllers/Platforms: the control plane of your programmable network, which exposes the APIs you are consuming. These interact with the networking hardware/software to programmatically control their configurations.
- Segmentation Gateways: The enforcement points that control the flow of network traffic between network segments.
- Authentication Decision Points and the Enterprise Identity Provider: integration with the Identity Provider system to trigger authentication processes based on policy. The authentication decision point (ADP) may decide that authentication is needed, and the IdP performs the authentication.
- Application Delivery Controllers (ADCs) / Proxies: software or devices that manage traffic flow to applications (e.g., load balancers, firewalls) and that can be integrated into the programmable network for dynamic control of application traffic based on policies.
- SIEM Tools: the destination for logs from the programmable network, used for continuous monitoring, alerting, and providing data for analysis.
For the Technical Buyer:
Activity 5.2.2 is where the strategic vision of a programmable network for Zero Trust begins to materialize through concrete implementation. Building on the API definitions from Activity 5.2.1, this phase is about deploying your SDN or alternative programmable networking infrastructure and, critically, integrating key security control points – segmentation gateways, authentication decision points, and application delivery control proxies – into this programmable fabric using those defined APIs. For technical buyers, this is the stage of making the network dynamically responsive to Zero Trust policies. Success hinges on the technical feasibility and robustness of integrating these disparate components via APIs, ensuring seamless data exchange and programmatic control.
Implementing comprehensive logging from all these integrated elements into your SIEM is equally vital for continuous monitoring and demonstrating the security posture of your programmable network. This activity is key for achieving the end state of a fully implemented and integrated programmable network that not only enhances security through automated segmentation and dynamic access control but also provides the necessary visibility for rapid response, operationalizing your Zero Trust network strategy.

Pillar: Network and Environment
Capability: 5.2 Software Defined Networking
Activity: 5.2.2 Implement SDN Programmable Infrastructure
Phase: Target Level
Predecessor(s):
- 5.2.1 Define SDN APIs
- 6.6.2 Standardized API Calls & Schemas Part 1
Successor(s): None