
Time for Networking 3.0


Presentation Transcript


  1. Time for Networking 3.0
     Identity Defined Networking: Secure Networking Made Simple
     Rob Goss, Regional Sales Director

  2. COMPLEXITY

  3. Networking & Security: Complex, Costly, Fragile, & Porous
     (Slide collage of configuration fragments labelled L3, ROUTER, FIREWALL RULES, VLANs, NAT, ACLs and VPNs.)

     Firewall rules:
       interface gigabitethernet 0/3
         nameif dmz
         security-level 50
         ip address 192.168.2.1 255.255.255.0
         no shutdown
       same-security-traffic permit inter-interface
       route outside 0 0 209.165.201.1 1
       nat (dept1) 1 10.1.1.0 255.255.255.0
       nat (dept2) 1 10.1.2.0 255.255.255.0
       router rip
         network 10.0.0.0
         default-information originate
         version 2
       ssh 209.165.200.225 255.255.255.255 outside
       logging trap 5

     L3 router:
       Router>enable
       Router#configure terminal
       Router(config)#hostname CORP
       CORP(config)#interface serial 0/0/0
       CORP(config-if)#description link to ISP
       CORP(config-if)#ip address 192.31.7.6 255.255.255.252
       CORP(config-if)#no shutdown
       CORP(config-if)#exit
       CORP(config)#interface fastethernet 0/1
       CORP(config-if)#description link to 3560 Switch
       CORP(config-if)#ip address 172.31.1.5 255.255.255.252
       CORP(config-if)#no shutdown

     ACLs:
       device(config)# ip access-list standard Net1
       device(config-std-nacl-Net1)# deny host 10.157.22.26
       device(config-std-nacl-Net1)# deny 10.157.29.12
       device(config-std-nacl-Net1)# deny host IPHost1
       device(config-std-nacl-Net1)# permit any
       device(config-std-nacl-Net1)# exit
       device(config)# int eth 1/1
       device(config-if-e10000-1/1)# ip access-group Net1 in

  4. The Root Cause: IP Addresses Used as Identity
     • Complex firewall & networking rule sets
     • DNS & routing updates for failover
     • Continuous change … per networked “thing”
     • VPN access controls for each network
     • Routing policies, VLANs & ACLs overhead

     (clients x resources) x (net & sec policy x updates) = complexity*

     *Inspired by “An Attack Surface Metric,” Dr. Pratyusa K. Manadhata, Member, IEEE, and Dr. Jeannette M. Wing, Fellow, IEEE, IEEE Transactions on Software Engineering, 2010

  5. Oil and Gas – A Global Enterprise
     Secure connectivity and global IP mobility for previously non-routable resources.
     (Diagram labels: Dev Ops / Support • Internet / WAN.)
     Connect the un-connectable.

  6. Facility Automation Services
     Environment
     • 200 sites local
     • 300 additional throughout commonwealth
     • Legacy flat Layer 2 network
     • New routed Layer 3 network
     • 600+ switches/routers
     Team
     • 2 Network Admins and 2 System Admins
     • 4 Technical Services – Installers
     Responsibilities
     • Design, deploy, and manage all Facility Services
     • Ensure the high availability, integrity, and confidentiality of all systems
     • 99.999% uptime is critical
     • Resolve issues in minutes rather than hours

  7. HIP

  8. Host Identity Protocol (HIP) – RFC 4423, 5201, 7401
     Solving a fundamental flaw of TCP/IP networking
     • Proposed in 1999 by Bob Moskowitz at the IETF
     • Addresses the fundamental flaw in IP communications
     • Enables provable identity for every networked thing
     • Funded and developed by military, aerospace, and telecommunications
     • In production beginning in 2006
     • Ratified by the IETF in April 2015
     HIP will revolutionize networking and security as we know it

  9. The End of IP Address-Defined Networking Moving towards a trusted Identity-Defined Networking Architecture

  10. Security is Now Native to Networking Verifiable Device Identity Creates a Simpler, More Mobile, and Effective Perimeter

  11. Secure Networking Made Simple – Identity-Defined Networking: Orchestration and Enforcement

  12. A Unified, Resilient Network without Constraints Instantly connect, protect, and revoke anything, anywhere, anytime

  13. Oil and Gas – A Global Enterprise
     Secure connectivity and global IP mobility for previously non-routable resources.
     (Diagram labels: Dev Ops / Support • Internet / WAN • HIPrelay.)
     Connect the un-connectable.

  14. Facility Automation Services
     Environment
     • 200 sites local
     • 300 additional throughout commonwealth
     • Legacy flat Layer 2 network
     • New routed Layer 3 network
     • 600+ switches/routers
     Team
     • 2 Network Admins and 2 System Admins
     • 4 Technical Services – Installers
     Responsibilities
     • Design, deploy, and manage all Facility Services
     • Ensure the high availability, integrity, and confidentiality of all systems
     • 99.999% uptime is critical
     • Resolve issues in minutes rather than hours

  15. Designing, Deploying, & Managing in Chaos
     Problems
     • Centralize and secure plant services across 640+ buildings, statewide
     • Support old (20+ years) systems
     • Every building is unique
     • Maintaining the old network while building out new infrastructure
     • Telecomm rooms w/ physical security – card & key access with limited oversight
     • 1 – 9 telecomm rooms per bldg.
     • 700 – 3500 CU data jacks per bldg.
     BACnet Traffic Utilization & Storms – Performance & Outage Impacts
     • Unconfigured tools or flawed procedures
     • Blank “Who-Is” BACnet broadcast to 3,000+ GW routers
     • Improperly configured software
     • Default .001 change in value (CoV) for a temperature point

  16. Objective: network, segment, and protect Building Automation Systems for 500 sites across a flat L2 network

     Traditional IP-based solutions*
       HEADCOUNT       ~8 additional Sec/Net Admins   (assuming on average 1 net new Sec/Net Admin per 35-60 firewalls deployed)
       EQUIPMENT COST  ~$2 Million+                   (deploying one traditional address-based product per building)
       TIME            2500 FTE days                  (estimated 5 days per building for one full-time employee: 5 x 500 buildings)

     *Traditional address-based solutions include firewalls / VPNs / switching, routing, wireless, and cellular modems

  17. Solution – Connecting and Protecting BAS / BACnet with IDN
     (Diagram: Corporate Network with Control Servers and The Conductor; Building 1, Building 2 and Building 3 each behind a BACnet/IP Router, hosting HVAC, Fire Suppression, Lighting and Building Access System devices.)

  18. BYON for a Large University
     Customer: Facilities & Operations
     Objective: network, segment, and protect Building Automation Systems for 500 sites across a flat L2 network

                       Traditional IP-based solutions*   Tempered Networks
       HEADCOUNT       ~8 additional Sec/Net Admins      No additional admins
       EQUIPMENT COST  ~$2 Million+                      $500,000
       TIME            2500 FTE days                     75 FTE days

     Headcount assumes on average 1 net new Sec/Net Admin per 35-60 firewalls deployed; equipment cost assumes deploying one traditional address-based product per building; time is estimated at 5 days per building for one full-time employee (5 x 500 buildings).

     *Traditional address-based solutions include firewalls / VPNs / switching, routing, wireless, and cellular modems

  19. IDN Capabilities A unified, resilient, and secure network without constraints

  20. Learn More About HIP
     Come by Tempered Networks’ booth to see Identity-Defined Networking in action
     Books
     • Host Identity Protocol (HIP): Towards the Secure Mobile Internet. Andrei Gurtov, Wiley & Sons, 2008
     • Beyond HIP: The End to Hacking as We Know It. Richard Paine, Amazon, 2009
     Papers
     • Secure Communication Channel Architecture for Software Defined Mobile Networks. Liyanage et al., Elsevier, 2017
     • The Answer to Next-Generation Security Threats. Tempered Networks, IDG, 2016
     • Identity-Defined Networking: Next-Generation Architecture. Erik Giesa, Tempered Networks, 2016
     RFCs
     • RFC 4423, Host Identity Protocol Architecture. Nikander and Moskowitz, IETF, 2006
     • RFC 5201, Host Identity Protocol. Moskowitz et al., IETF, 2008
     • RFC 7401, Host Identity Protocol version 2. Moskowitz et al. (Ericsson Research, University of Washington), IETF, 2015
     • Other related RFCs: 6092, 7042, 8002, 8003, 8004, 8005

  21. Thank You!
