1 / 61

Robust, scalable services for small and medium businesses

Robust, scalable services for small and medium businesses. Jari.Salokannel@nortel.com Spring 2006. Agenda. Technology update New redundant and resilient switches for SMB Security is not a product!. Technology Mega Trends. MOORE’S LAW. NOMADIC WIRELESS BANDWIDTH. 1000. 1Gbps. 4G.

kendra
Télécharger la présentation

Robust, scalable services for small and medium businesses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Robust, scalable services for small and medium businesses Jari.Salokannel@nortel.com Spring 2006

  2. Agenda • Technology update • New redundant and resilient switches for SMB • Security is not a product!

  3. Technology Mega Trends MOORE’S LAW NOMADIC WIRELESS BANDWIDTH 1000 1Gbps 4G OutsideCampus Moore’s Law Silicon power doubles every 18 months(500,000 x in 30 years) WMN andWiMax 100 100Mbps 2.5G 3G Processor Power Delivered Ethernet Performance Gigabit Desktop Dramatic increasein bandwidth from1–1000 Mbps in 15 years 10 10Mbps DECT 802.11a/g WithinCampus 802.11b Bluetooth 802.11n Mbps 1 1Mbps 1980 1990 2000 2010 Mobility 0.1 1 10 100 EDHOLM’S LAW OF BANDWIDTH METCALFE’S LAW 2.94 Mb/sEthernet 1 Gb/s Ethernet 100 Mb/sEthernet Billion NetworkedEverything 802 .11g 10 Mb/sEthernet Bits per second WIRELINE 802.11g MIMO Million NOMADIC UMTS Value 9600>b/s modem 110-b/s Hayesmodem Ricochetradio modem WIRELESS 56 Kb/s modem Thousand 56 Kb/s modem Wide-area paging 28.8 Kb/s modem First alphanumeric pager 1976 1984 1992 2000 2008 # of Networked End Points

  4. Operations, Administration, and Maintenance Nortel’s Next-Generation Network Reference Architecture Applications Aggregation/ Distribution 3rd-Party Apps CPE Access Services Edge Voice Media IVR Services Wireless Content Switching Call Center Interactive Multimedia Policy Security Mobility QoS Optical LAN IP VPN SubscriberControl Packet-Optical Security

  5. Nortel delivers end-to-end Convergenced Solutions • Partners ecosystem • Network infrastructure convergence • Application convergence OSS/BSS Service Creation Applications Control Partner ecosystem Transport Access Terminals

  6. New redundant and resilient switches for SMB

  7. What is a Switch Cluster ? • A switch cluster is a logical switch entity built using two or more physical switches

  8. What is a Switch Cluster ? • A switch cluster is a logical switch entity built using two or more physical switches FAST, SIMPLE, RESILIENT

  9. Optimising Resilience n - 1 n + 1 Normal Operation Failure Operation • Distributed Use • Size to Need • Reduce Capacity in Failure • Use Business Rules to allocate resources • Hot Standby • Size to constant capacity • Cost = 1/Avail x Price • Transition Timing

  10. Can’t we already do that with Spanning tree? • Spanning Tree blocks links • 100% extra for 1% of the time Why have a 100% insurance premium ?

  11. Can’t we already do that with Spanning tree? • Spanning Tree blocks links • 100% extra for 1% of the time • Sure, with PVST/MSTP you can get bandwidth back • ‘n’ times the complexity • Manual load distribution Increased Complexity = Increased Opex

  12. What about my telephony ? Can’t we already do that with Spanning tree? • Spanning Tree blocks links • 100% extra for 1% of the time • Sure, with PVST/MSTP you can get bandwidth back • ‘n’ times the complexity • Manual load distribution • You still have to wait for reconvergence

  13. Spanning Tree Up to 50% capacity loss Blocks Links Complex to manage Requires overlay configuration for VLANS Slow recovery 2 - 40sec reconvergence Switch Clustering Optimal performance All links active, All of the time Simple, singular management No overlay as multiple devices function as a single unit Voice-grade Resilience Redistribution only But there’s more to Switch Clustering… Can’t we already do that with Spanning tree?

  14. How do I build a Switch Cluster • Two ERS8600 devices (*) • Soon ERS1600 & ERS5500 Series • Available ports to build the Inter-Switch-Trunk (IST) • Responsible for forwarding/control synchronisation • Must be the same speed: 10M to 10G • Any Device or Host that supports: • “Single MAC trunking” • 802.3ad Tolly-Labs verified as compatible with other vendor equipment

  15. How do I build a Switch Cluster- Design Variants Standard Square Mesh • MAN/WAN implementations > Small-Medium implementations • Large LAN implementations

  16. Integrating Services • Creates a platform for high touch services within the Switch Cluster • Expands the design scope for clusters Fast, Simple, Resilient.. Services

  17. How do I build a Switch Cluster- Design Variants Standard Square Mesh • MAN/WAN implementations > Small-Medium implementations • Large LAN implementations And the Services can be anywhere, or everywhere

  18. Simple Resilient LAN for SMB with Nortel ERS5530 Ethernet Routing Switch 5510/5520/5530 stack Ethernet Switch 425-48T and/or -24T stack 10/100/1000 access 10/100 access ERS 5530 ERS 5530 IST

  19. WLAN 2300 Enterprise Network Management • Configuration/Monitoring • Policy Services • Security Mgmt Resilient Data Center Wireless Mesh SMLT SMLT ERS 55xx ES 470/460 ERS 8300 Core Switching WLAN Security Switch Telephony Mgr Application Gateway Wireless Mesh Gateway Application Switch ERS 8600 Switched Firewall ERS 55xx Wireless Gateways / Switches ERS 8600 MLT SMLT Servers Servers Edge Switching 802.11 Access Converged architecture for enterprises

  20. Internet Secure DMZ Intelligent Traffic Mgmt WLAN 2300 Intrusion Sensor Intrusion Sensor Switched Firewall VPN Gateway Resilient Data Center Wireless Mesh Servers SMLT SMLT ERS 55xx ES 470/460 ERS 8300 Defense Center Real Time Threat Intel WLAN Security Switch Telephony Mgr Application Gateway Wireless Mesh Gateway Application Switch ERS 8600 Switched Firewall ERS 55xx Wireless Gateways / Switches MLT SMLT Servers Servers Edge Switching Threat Protection System 802.11 Access Intrusion Sensor Converged architecture for enterprises Enterprise Network Management • Configuration/Monitoring • Policy Services • Security Mgmt Core Switching ERS 8600

  21. Internet WVoIP Handset MCS Blackberry WLAN 2300 Secure Multimedia Zone Resilient Data Center Wireless Mesh SMLT SMLT ERS 55xx ES 470/460 ERS 8300 Real Time Threat Intel Defense Center WLAN Security Switch Telephony Mgr Application Gateway Wireless Mesh Gateway Application Switch ERS 8600 Switched Firewall CS1000 ERS 55xx Wireless Gateways / Switches MLT CallPilot SMLT Multimedia Communications Server Servers Servers Edge Switching Threat Protection System 802.11 Access Intrusion Sensor Secure Multimedia Controller Adaptive Clients PDA with MVC IP Phone Converged architecture for enterprises Secure DMZ Intelligent Traffic Mgmt Intrusion Sensor Intrusion Sensor Enterprise Network Management Switched Firewall • Configuration/Monitoring • Policy Services • Security Mgmt VPN Gateway Servers Core Switching ERS 8600

  22. What should you consider when buying LAN equipment? • Compare apples to apples • Performance • In real life? • Security • Is the security architecture based on open standards? • Price • Will you get all the features with a given price? • Technical features • E.g. is stacking just a word on a paper or a real functionality? • Warranty • Warranty does cover lost work hours, chose an equipment that has a long lifetime • Upgradebility • IPv6? Full support for standard or just some features. • Software upgrade for a CPU, programmable ASIC or a real feature of the hardware?

  23. Product comparison from brochures These are features published by manufacturers

  24. Tolly report • The Ethernet Routing Switch 5500 delivers superior stacking performance • A stack of 8 x 5500 delivers line rate performance up to 202Gbps, where Cisco and HP can only support 25.7 and 114.7 Gbps respectively • On average 36% to 44% less latency then the Cisco and HP boxes • the 5500 in an SMLT configuration delivers a 10x faster recovery time than Cisco's or HP's Rapid Spanning Tree solution • Nortel offers the lowest cost per Megabit of throughput.

  25. Product comparison in real life enviroment These are features tested in real life enviroment

  26. Security is not a product

  27. Security Reality Castle vs. Airport

  28. WAN 4. Better IDS the servers 5. IDS for the LAN too Security is NOT a product 1. Add a Firewall 3. Add Intrusion Detection 2. Firewalls are good..

  29. WAN Greater complexity = Reduced Effectiveness “Security-by-product” is not the answer Hard to keep current Hard to analyse Hard to manage

  30. RIGHT HERE Leverage the +95% coverage available from the base network Security is more like a “HORIZON” • Ask the questions: • What is the network meant to do ? • What are you trying to stop ? STOP • Where can I start ? STOP

  31. If its not part of the business, take it off the network Gold Service Classes Silver Other Security on the business agenda • QoS is the enforcing of business importance on your network • Critical traffic gets right of way • Important traffic gets a lesser allocation STOP • Other, authorised traffic gets a limited, best-effort • Anything else can be dropped … STOP

  32. Gold Service Classes Silver Other Countering the unknown • “What about a new virus or “day zero attack” • Critical traffic gets right of way • Important traffic gets a lesser allocation • Other, authorised traffic gets a limited, best-effort The worst case is containment

  33. Unleashing the power • QoS functionality comes from three key features • Classification: L2, L3, L4 ACL ACL ACL • Policing: n x Mbps ACL ACL ACL ACL ACL ACL ACL ACL ACL ACL ACL • Queuing: 8 Hardware queues ACL ACL ACL ACL ACL ACL ACL • Inherent in Nortel Ethernet products Convenient? Yes Simple? NO

  34. Realistic control through policy • Policy simplifies QoS • Configure Policy • Push to network Policy means Manageable control

  35. The uses of VLANs • Enable device collaboration • Provide CONTROLLED Isolation between device groups Tel iNet Corp Intelligent Automation = Controlled Isolation

  36. LAN Access Control • Allowing authorised hosts to access the network • Banning un-authorised hosts GO GO GO GO GO GO GO STOP

  37. The MAC address folly • “We’ll keep a table of allowed MAC addresses” • Stored on the switch • Stored on a server • Black-hat copies known MAC addresses GO GO GO GO GO GO GO GO Easily defeated, Horrendous to manage MAC

  38. Username: Password: EAPoL: Realistic access control • Also known as 802.1x • Requires a RADIUS server • Requires support on device • Additional Nortel features help simplify this GO GO STOP Secure by user + device

  39. EAPoL: Realistic access control • Also known as 802.1x • Requires a RADIUS server • Requires support on device • Additional Nortel features help simplify this Tel Corp GO • Can assign to a VLAN GO Intelligent VLAN management is essential

  40. Falling in the NAT trap • Remember, Security is a horizon • 802.1x / EAPoL is a step • What about the Black-Hat with a NAT box ? GO NAT We need to interrogate the client

  41. Taking it further • NSNA: Nortel Secure Network Access • Web based, clientless operation NSNA Server • Ability to interrogate client device

  42. Taking it further • NSNA: Nortel Secure Network Access • Web based, clientless operation • Ability to interrogate client device • Additional user controls • Apply policy to the user NSNA Server ACL ACL GO ACL Real access control for diverse environments

  43. Defense Guiding Principles • Least Privilege – min privilege to perform the job • Defense in Depth – don’t depend on just one mechanism • Choke point –force attacker to use a narrow channel • Weakest Link – attacker finds weak spot to attack • Fail-safe Stance – should deny access when system fails • Universal Participation – attacker can bypass security • Diversity of Defense – avoid break one, break all • Simplicity – keep thing simple and easy to understand

  44. Security Design Principles (cont) • Understand Your Network – profiling/baseline, traffic patterns • Design for Survivability – resiliency, reliability and availability • Separation of critical from non-critical – security zones • Securing End Hosts - segregating services within hosts • Compartmentalizing the network – logical partitions • Reducing outside visibility – use Filtering, proxy, NAT

  45. Wrap Up • Security is a horizon • What can we do sensibly? • Use Policy to give the network business priority • Make life difficult for ‘unwanted traffic’ • Access control is built in • MAC address lists aren’t real access control • NSNA a simple path to simple, flexible security

  46. Time for Questions?

  47. Backup information

  48. Internet/External Threats • Intrusions • Data compromise • Confidentiality, Integrity • Website defacement • Availability, Reputation (negative publicity) • Zombie recruitment • DoS, Liability • Information Stealing/Sniffing • Industrial espionage • Threat to national security With so many hacking tools available, how many people still think … we stand a chance to defend our networks?

  49. A Typical Network Home office VPN Gateway/Router Engineering Internet Switched Firewall Ethernet Switches Service Edge Router HR Threat Protection System Intranet VLANs VLANs What are we trying to protect against? Specifically, what are our “crown jewels”? What problems are we trying to solve? L4-7 Application Switch Wireless Security Device Communication Server Security Management

More Related