Security in High Performance Networks – A Practical View
Tony Cataldo, 5/19/04
Security is about Knowledge
• Know your Business
  • What failures are acceptable – Scope and Concurrency
• Know your Applications:
  • What they do
  • How they do it
  • Who wrote them – what are they based on
  • How were they tested
  • What were they tested for? – Load, Performance, Locality?
• Know the Network
  • More than the metrics like routers, switches & locations
  • Architecture and Design – How do things route?
  • Where are un-routable packets coming from & going to?
  • Ingress/Egress to the Public Internet and Supplier Networks
    • Is there a difference?
    • Should there be a difference?
Know what Business your Company is in… Cars and Trucks
• Design and Engineer
  • Research
  • Advanced Engineering
  • CAD/CAM and CAE
• Manufacturing
  • Industrial Engineering
  • Materials Scheduling and Logistics
  • Shipping
• Marketing and Sales
  • Dealers Independently Owned
  • Ad Campaigns and/or Web presence for all Brands
• Financing
• Service
• All on a Global Basis
What Makes a High Performance Network – Low?
• Bad Protocols – What should/should not run on the Network
• Bad Applications – Security is not an afterthought
  • Testing at the wrong time
• Latency
• Complexity
• Knowing the difference between High-Availability, Disaster-Recovery, Business-Continuity, Robustness and Reliability
• Bad Security – “Depth of Security” is important, but so is type:
  • Router Access Control Lists
  • Firewall Diversity and Placement
  • Analyze the logs – Get a baseline, look for perturbations
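The last bullet (baseline the logs, then look for perturbations) is the one slide point that is directly mechanisable. The block below is an added example, not code from the slides or from Ford: it parses a constructed, syslog-like ACL deny line format (not any real vendor's format), builds an hourly deny-count baseline from the first six hours, and flags any later hour whose count exceeds mean plus three standard deviations, then reports the top offending sources for that hour so an analyst knows where to look. All log lines and thresholds are constructed for the example.

```python
"""Baseline-and-perturbation check over firewall/ACL deny logs.

Added example, not from the original slides. The line format below is a
constructed, syslog-like format, not a specific product's log syntax.
"""
import re
import statistics
from collections import Counter, defaultdict

# One constructed line looks like:
#   2004-05-19T06:03:30 deny src=10.1.1.42 dst=192.0.2.10 dport=445
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}) "
    r"(?P<action>deny|permit) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(lines):
    """Return a list of dicts for the lines that match; skip noise silently."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # real feeds carry malformed lines; they must not abort the run
            events.append(m.groupdict())
    return events


def deny_counts_per_hour(events):
    """Count deny events per two-digit hour bucket."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "deny":
            counts[e["hour"]] += 1
    return dict(counts)


def find_perturbations(counts, baseline_hours, k=3.0):
    """Flag non-baseline hours whose deny count exceeds mean + k*stddev.

    The stddev is floored at 1.0 so that a perfectly flat baseline still
    leaves some headroom instead of alerting on a single extra deny.
    """
    base = [counts.get(h, 0) for h in baseline_hours]
    mean = statistics.mean(base)
    sd = statistics.pstdev(base)
    threshold = mean + k * max(sd, 1.0)
    flagged = {h: c for h, c in counts.items()
               if h not in baseline_hours and c > threshold}
    return threshold, flagged


def top_sources(events, hour, n=3):
    """Most frequent deny sources inside one hour bucket."""
    c = Counter(e["src"] for e in events
                if e["action"] == "deny" and e["hour"] == hour)
    return c.most_common(n)


def build_sample_log():
    """Constructed sample: quiet hours 00-05, then a burst from one host in hour 06."""
    lines = []
    for hour, n in zip(range(6), [2, 3, 2, 3, 2, 3]):
        for i in range(n):
            lines.append(f"2004-05-19T{hour:02d}:{i * 7:02d}:00 deny "
                         f"src=10.1.1.{5 + i} dst=192.0.2.10 dport=445")
    for i in range(14):
        lines.append(f"2004-05-19T06:{i:02d}:30 deny "
                     f"src=10.1.1.42 dst=192.0.2.10 dport=445")
    lines.append("2004-05-19T06:20:00 permit src=10.1.1.8 dst=192.0.2.10 dport=80")
    lines.append("garbage line that should be ignored")
    return lines


def analyze(lines=None, k=3.0):
    """Run the whole pipeline; hours 00-05 are treated as the baseline window."""
    lines = build_sample_log() if lines is None else lines
    events = parse(lines)
    counts = deny_counts_per_hour(events)
    baseline_hours = [f"{h:02d}" for h in range(6)]
    threshold, flagged = find_perturbations(counts, baseline_hours, k)
    return {
        "counts": counts,
        "threshold": threshold,
        "flagged": flagged,
        "top": {h: top_sources(events, h) for h in flagged},
    }


if __name__ == "__main__":
    result = analyze()
    print(f"threshold={result['threshold']:.1f}")
    for hour, count in result["flagged"].items():
        print(f"hour {hour}: {count} denies, top sources {result['top'][hour]}")
```

On the constructed sample the baseline is 2.5 denies per hour, the threshold comes out at 5.5, and hour 06 is flagged with 14 denies all from one source. The point of fixing the baseline window explicitly is that the burst must not be allowed to contaminate the statistics it is being compared against; in production the window would be a rolling one, excluding hours already flagged.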
Some Scenarios – Some Tradeoffs
• Public Internet Connectivity:
  • Ford is a Global Company that requires low-latency connectivity in its major markets, therefore we have Public Internet connections in Europe, the US and Singapore. Tradeoff: Simplicity vs. Latency
  • The connectivity in the US is provided by four different ISPs split between two US Data Centers. Tradeoff: Disaster Recovery and Robustness vs. Easy Routing to the Public Internet
• Monolithic vs. Horizontal or Vertical Scaling
  • Should the entrance to all Public Facing web sites have Firewall, Load-Balancing and Routing in one pair of devices for performance reasons?
  • Should Firewalls (the weakest performance link) do deep-packet inspection, or just be a “speed-bump” along the way?
  • Know your Firewalls’ limits: Concurrent Connections, Connections/Sec. and I/O limits. Throughput under operating conditions.
• Applications Oriented Security
  • Most common is Email Relays in/out with virus checking
  • Reverse Proxy for selected web apps. But it becomes a slippery slope when caching, load-balancing and TCP flow optimization are considered.
  • SSL/VPN for selected apps, but how to scale, up or across?
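The firewall-limits bullet and the two-data-center ISP split combine into one check worth doing on paper before a failover happens for real: if one data center is lost, the surviving firewalls must absorb the other site's connection rate as well. The block below is an added example, not from the slides; it applies Little's law (concurrent connections equal connection rate times average connection lifetime) to turn a connections-per-second figure into an expected concurrent-connection load, and evaluates that load against the firewall's limits both in normal operation and in the failover case. All rates, lifetimes and device limits are constructed numbers, not Ford's or any product's.

```python
"""Firewall capacity headroom under normal and failover load.

Added example, not from the original slides. Uses Little's law
(L = lambda * W) with constructed figures; the limit values are placeholders,
not any vendor's datasheet.
"""


def expected_concurrent(conn_per_sec, avg_duration_s):
    """Little's law: mean concurrent connections = arrival rate * mean lifetime."""
    return conn_per_sec * avg_duration_s


def firewall_headroom(site_cps, avg_duration_s, limits, sites=2, sites_lost=1):
    """Evaluate one site's firewall pair in normal and failover operation.

    site_cps       - new connections per second this site normally sees
    avg_duration_s - mean connection lifetime in seconds (measured, not guessed)
    limits         - dict with 'cps' and 'concurrent' ceilings for the firewall
    sites          - number of data centers sharing the public-facing load
    sites_lost     - how many of them are assumed down in the failover scenario
    """
    if sites_lost >= sites:
        raise ValueError("at least one site must survive")
    scenarios = {
        "normal": site_cps,
        # Surviving sites split the whole load evenly (assumption).
        "failover": site_cps * sites / (sites - sites_lost),
    }
    report = {}
    for name, cps in scenarios.items():
        concurrent = expected_concurrent(cps, avg_duration_s)
        report[name] = {
            "cps": cps,
            "concurrent": concurrent,
            "cps_util": cps / limits["cps"],
            "concurrent_util": concurrent / limits["concurrent"],
            "ok": cps <= limits["cps"] and concurrent <= limits["concurrent"],
        }
    return report


# Constructed figures: 800 new connections/s per site, 30 s mean lifetime,
# a firewall rated (placeholder) for 2000 conn/s and 50,000 concurrent.
SAMPLE_LIMITS = {"cps": 2000, "concurrent": 50_000}

if __name__ == "__main__":
    for duration in (30, 40):
        report = firewall_headroom(800, duration, SAMPLE_LIMITS)
        for name, r in report.items():
            print(f"lifetime {duration}s {name:8s}: {r['concurrent']:.0f} concurrent "
                  f"({r['concurrent_util']:.0%}), {'OK' if r['ok'] else 'OVER LIMIT'}")
```

With a 30-second mean lifetime the surviving site runs at 96% of its concurrent-connection ceiling in failover; lengthen the lifetime to 40 seconds (slow clients, or a deep-inspection policy that holds state longer) and the same firewall is over its limit. That is the practical content of the slide's tradeoff: a "speed-bump" firewall and a deep-inspection one are not sized the same way, and the failover case, not the normal case, sets the number.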