Time for Networking 3.0
Identity Defined Networking: Secure Networking Made Simple
Rob Goss, Regional Sales Director
Networking & Security: Complex, Costly, Fragile, & Porous

Overlapping layers of firewall rules, VLANs, NAT, ACLs and VPNs, each carried in a separate per-device configuration:

L3 ROUTER / FIREWALL RULES
  interface gigabitethernet 0/3
  nameif dmz
  security-level 50
  ip address 192.168.2.1 255.255.255.0
  no shutdown
  same-security-traffic permit inter-interface
  route outside 0 0 209.165.201.1 1
  nat (dept1) 1 10.1.1.0 255.255.255.0
  nat (dept2) 1 10.1.2.0 255.255.255.0
  router rip
  network 10.0.0.0
  default-information originate
  version 2
  ssh 209.165.200.225 255.255.255.255 outside
  logging trap 5

L3 VLAN RULES / NAT
  Router>enable
  Router#configure terminal
  Router(config)#hostname CORP
  CORP(config)#interface serial 0/0/0
  CORP(config-if)#description link to ISP
  CORP(config-if)#ip address 192.31.7.6 255.255.255.252
  CORP(config-if)#no shutdown
  CORP(config)#interface fastethernet 0/1
  CORP(config-if)#description link to 3560 Switch
  CORP(config-if)#ip address 172.31.1.5 255.255.255.252
  CORP(config-if)#no shutdown

L3 ACL RULES
  device(config)# ip access-list standard Net1
  device(config-std-nacl-Net1)# deny host 10.157.22.26
  device(config-std-nacl-Net1)# deny 10.157.29.12
  device(config-std-nacl-Net1)# deny host IPHost1
  device(config-std-nacl-Net1)# permit any
  device(config-std-nacl-Net1)# exit
  device(config)# int eth 1/1
  device(config-if-e10000-1/1)# ip access-group Net1 in
The Root Cause: IP Addresses Used as Identity
• Complex firewall & networking rule sets
• DNS & routing updates for failover
• VPN access controls for each network
• Routing policies, VLANs & ACLs overhead

Continuous change … per networked "thing":
  (clients × resources) × (net & sec policy × updates) = complexity*

*Inspired by "An Attack Surface Metric," Dr. Pratyusa K. Manadhata, Member, IEEE, and Dr. Jeannette M. Wing, Fellow, IEEE | IEEE Transactions on Software Engineering, 2010
Oil and Gas: A Global Enterprise
Secure connectivity and global IP mobility for previously non-routable resources
• Dev Ops / Support
• Internet / WAN
Connect the un-connectable.
Facility Automation Services
Environment
• 200 sites local
• 300 additional throughout commonwealth
• Legacy flat Layer 2 network
• New routed Layer 3 network
• 600+ switches/routers
Team
• 2 Network Admins and 2 System Admins
• 4 Technical Services – Installers
Responsibilities
• Design, deploy, and manage all Facility Services
• Ensure the high availability, integrity, and confidentiality of all systems
• 99.999% uptime is critical
• Resolve issues in minutes rather than hours
Host Identity Protocol (HIP): RFC 4423, 5201, 7401
Solving a fundamental flaw of TCP/IP networking
• Proposed in 1999 by Bob Moskowitz at the IETF
• Addresses the fundamental flaw in IP communications: the IP address serves as both locator and identity
• Enables provable identity for every networked thing
• Funded and developed by military, aerospace, and telecommunications organizations
• In production beginning in 2006
• Ratified by the IETF in April 2015
HIP will revolutionize networking and security as we know it
The End of IP Address-Defined Networking Moving towards a trusted Identity-Defined Networking Architecture
Security is Now Native to Networking Verifiable Device Identity Creates a Simpler, More Mobile, and Effective Perimeter
Secure Networking Made Simple Identity-Defined Networking: Orchestration and Enforcement
A Unified, Resilient Network without Constraints Instantly connect, protect, and revoke anything, anywhere, anytime
Oil and Gas: A Global Enterprise
Secure connectivity and global IP mobility for previously non-routable resources
• Dev Ops / Support
• Internet / WAN
• HIPrelay
Connect the un-connectable.
Designing, Deploying, & Managing in Chaos
Problems
• Centralize and secure plant services across 640+ buildings, statewide
• Support old (20+ years) systems
• Every building is unique
• Maintaining the old network while building out new infrastructure
• Telecomm rooms w/ physical security: card & key access with limited oversight
• 1 – 9 telecomm rooms per bldg.
• 700 – 3500 CU data jacks per bldg.
BACnet Traffic Utilization & Storms: Performance & Outage Impacts
• Unconfigured tools or flawed procedures: a blank "Who-Is" BACnet broadcast sent to 3,000+ gateway routers
• Improperly configured software: default .001 change-of-value (CoV) threshold for a temperature point
Objective: network, segment, and protect Building Automation Systems for 500 sites across a flat L2 network

                                                        Traditional IP-based Solutions*
HEADCOUNT (assuming on average 1 net new Sec/Net        ~8 additional Sec/Net Admins
  Admin per 35-60 firewalls deployed)
EQUIPMENT COST (deploying one traditional               ~$2 Million+
  address-based product per building)
TIME (estimated 5 days per building for one             2500 FTE Days
  full-time employee, 5 x 500 buildings)

*Traditional address-based solutions include Firewalls / VPNs / Switching, Routing, Wireless, and Cellular Modems
Solution – Connecting and Protecting BAS / BACnet with IDN
Diagram: Corporate Network (Control Servers, The Conductor) connected through a BACnet/IP Router to Building 1, Building 2 and Building 3, each hosting HVAC, Fire Suppression, Lighting and Building Access System devices.
BYON for a Large University
Customer: Facilities & Operations
Objective: network, segment, and protect Building Automation Systems for 500 sites across a flat L2 network

                                                        Traditional IP-based Solutions*   Tempered Networks
HEADCOUNT (assuming on average 1 net new Sec/Net        ~8 additional Sec/Net Admins      No additional admins
  Admin per 35-60 firewalls deployed)
EQUIPMENT COST (deploying one traditional               ~$2 Million+                      $500,000
  address-based product per building)
TIME (estimated 5 days per building for one             2500 FTE Days                     75 FTE Days
  full-time employee, 5 x 500 buildings)

*Traditional address-based solutions include Firewalls / VPNs / Switching, Routing, Wireless, and Cellular Modems
IDN Capabilities A unified, resilient, and secure network without constraints
Learn More About HIP
Come by Tempered Networks' booth to see Identity-Defined Networking in action
Books
• Host Identity Protocol (HIP): Towards the Secure Mobile Internet. Andrei Gurtov, Wiley & Sons, 2008
• Beyond HIP: The End to Hacking as We Know It. Richard Paine, Amazon, 2009
Papers
• Secure Communication Channel Architecture for Software Defined Mobile Networks. Liyanage et al., Elsevier, 2017
• The Answer to Next-Generation Security Threats. Tempered Networks, IDG, 2016
• Identity-Defined Networking: Next-Generation Architecture. Erik Giesa, Tempered Networks, 2016
RFCs
• RFC 4423 Host Identity Protocol Architecture. Nikander and Moskowitz, IETF, 2006
• RFC 5201 Host Identity Protocol. Moskowitz et al., IETF, 2008
• RFC 7401 Host Identity Protocol version 2. Moskowitz et al. (Ericsson Research, University of Washington), IETF, 2015
• Other related RFCs: 6092, 7042, 8002, 8003, 8004, 8005