ohio dgs 2015 presentation - future of networks - ed koehler
Post on 08-Jan-2016
-
Private, Secure Networking for the Public Sector
Ed Koehler, Director, Distinguished Engineer
Ohio Digital Summit 2015
-
2014 Avaya Inc. All rights reserved.
Privacy in a Virtualized World
Network and service virtualization have transformed the IT industry: cloud services and Software Defined Networking.
Security and privacy concerns are being expressed by many risk and security analysts.
Regulatory compliance in a virtualized environment can be a difficult bar to reach. Examples are PCI compliance, HIPAA, process flow and control (SCADA) environments, video surveillance, etc.
-
Security Impact: What Makes This So Difficult?
Traditional networking approaches use IP as a utility protocol to establish service paths.
These paths are prone to IP scanning techniques that are used to discover network topology and identify key attack vectors.
Using traditional approaches for privacy and separation is costly and complex: inadvertent routed black holes, poor resiliency, high capital expenditure (CAPEX) and operational expenditure (OPEX).
Using IP as the utility for establishing paths means that the paths have to be visible. This creates a Catch-22, which in turn creates complexity and cost.
-
IP Address Explosion!
Sensors and actuators require addresses; IPv6 is a huge address space.
We cannot afford to waste IP space on transit routes!!!
Non-IP path establishment technologies: IEEE 802.1aq / IETF RFC 6329 Shortest Path Bridging; Avaya Fabric Connect; IETF draft enhancements for L3 and multicast.
There are also implicit security concerns in using IP as a path protocol: IP scanning, infrastructure attack, confidential data breach.
If we can remove some of the dependency on IP to establish service paths, EVERYTHING becomes much EASIER!
BGP tables are being overrun. IPv6 is exacerbating the issue!
-
SPB is TRULY Stealthy!
Fabric Connect is not dependent upon IP to establish the service path; IP networks become points of service within the Fabric.
Service paths are established by the use of SPB Ethernet Switched Paths (ESPs) within Fabric Connect. As a result, path behaviors are established on a completely different plane: ESPs are invisible to IP. This helps to clear up IP address congestion and convoluted topologies.
-
Data Protection: Segmentation Comes First! (Dark Reading recommendations)
Security includes all people, processes and technology.
Validate where private data exists: trace processes and systems; develop flow diagrams of interacting systems and private data.
Develop documented penetration testing specific to the private environment: hack attack methodologies; ongoing evaluation of threats/vulnerabilities/risk.
The more technologies involved in the private environment, the more engineering and penetration testing required!
Fabric Connect (IEEE 802.1aq) used end to end eliminates most if not all other network technologies, and can significantly reduce ACL requirements and enhance data flow validation!
Firewalls/IDS are collapsed into a virtualized security demarcation perimeter. Servers/storage reside in encrypted virtualized storage hidden by stealth services. Authentication/authorization: Identity Engines. Management applications!
** Important consideration: lock down the management environment. If it manages a system in the private environment, it is part of it!
-
A Fabric Enabled Enterprise: Driving a LOWER TCO through SIMPLIFICATION
[Diagram: Fabric Connect based on an E-LINE provider service]
Consistent architecture from data center to campus/metro to branch.
-
Public Sector Network Evolution: Rationale for Evolution
Business Continuity: 6x9s when it matters; extend @ cloud speed; application/context awareness; in-production service enablement; emergency services; DR capabilities; native fabric extension; high performance DC fabric; VM mobility, lowest latency, highest performance east-west flows (near 20TB); in-service maintenance and operations.
ONE Enterprise Fabric (PROTOCOL TIER): data center converged infrastructure; multi-tenants, multi-services (16M+).
LOWER TCO: reduced time to service (minutes vs weeks); automated provisioning; edge-only provisioning; Green IT (cooling, power); smart buildings; simplified architecture.
Security: 16M+ secure zones; IP hacking prevention; PCI compliant private Stealth networks; secure BYOD & VDI.
Cloud Scale & Agility: unmatched multicast scalability & reliability (IPTV, CCTV, digital signage, CC supervisor, CC desktop display, IP wallboards, etc.); embedded monitoring tools; all cloud deployment models supported & PODs support.
Summary: reduced TCO & utility pricing; enhanced security & cloud scale; business continuity and DR capabilities.
-
[Diagram: "Legacy Model" vs. Fabric Connect, vertical axis: number of control planes]
Legacy model: 802.1, PIM, OTV, etc. Protocols run independently. Data center only with legacy protocols. Complex nodal provisioning. Instability & complexity.
Fabric Connect: 802.1 as ONE protocol, plus OAM. Stability, scalability & simplicity.
ONE PROTOCOL E2E (L2, L3, unicast, multicast): Avaya's Fabric Connect. Simple provisioning for end-to-end services.
A profound impact on how networks will be built!
-
2015 Avaya Inc. Avaya Confidential & Proprietary. Do not duplicate, publish or distribute further without the express written permission of Avaya.
Native Secure Multi-Tenant Architecture: Enables Security Zones Enterprise-Wide
[Diagram: UC Zone, Corporate Zone, Guest Zone, Contractor Zone]
-
Instability Derived from Complexity: SDN can't solve this, we need a change
[Diagram: "The Protocol Stack (a stack of protocols)" sitting between Network and Business: 802.3, RSTP/MSTP/PVST+, VLANs, OSPF, PIM. After a link comes up, successive layers converge 0.8 seconds later, 0.5 seconds later, 1.2 seconds later, 20 seconds later.]
"Protocols are killing us. Protocols are like the never-ending bottle of pills, each one prescribed to remedy the problems introduced by the previous medication. Today's protocol stacks are like a house of cards."
http://packetpushers.net/does-trill-stand-a-chance-at-wide-adoption/#disqus_thread
[Diagram: RSTP, OSPF, BGP, PIM, MPLS, MSTP]
-
What This Means In The Real World: Configuring a Single Layer 2 VPN (VLAN Extension)

Conventional L2 VPN (Cisco):
set routing-instances RI-IPN-L2L01 instance-type l2vpn
set routing-instances RI-IPN-L2L01 interface ge-0/0/8.700
set routing-instances RI-IPN-L2L01 interface xe-0/2/0.700
set routing-instances RI-IPN-L2L01 route-distinguisher 13.13.13.1:1013
set routing-instances RI-IPN-L2L01 vrf-target target:64999:1013
set routing-instances RI-IPN-L2L01 protocols l2vpn encapsulation-type ethernet-vlan
set routing-instances RI-IPN-L2L01 protocols l2vpn site H15-H15-IPN-L2L01 site-identifier 1
set routing-instances RI-IPN-L2L01 protocols l2vpn site H15-H15-IPN-L2L01 interface xe-0/2/0.700 remote-site-id 11
set routing-instances RI-IPN-L2L01 protocols l2vpn site RH15-H15-IPN-L2L01 site-identifier 11
set routing-instances RI-IPN-L2L01 protocols l2vpn site RH15-H15-IPN-L2L01 interface ge-0/0/8.700 remote-site-id 1
set interfaces ge-0/0/8 unit 700 description L2-IPN-L2L01
set interfaces ge-0/0/8 unit 700 encapsulation vlan-ccc
set interfaces ge-0/0/8 unit 700 vlan-id 613
First device done; now, onto the next...
(Now this might take a while)
(Actually, we need to speed things up)

Avaya Fabric Connect:
vlan i-sid 7 700
DONE end-to-end..!
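The property behind both the "stealth" claim (slide 5) and the one-line provisioning above (slide 12) is that the service is identified by a 24-bit I-SID attached only at the edge switches, while transit switches forward along IS-IS-computed shortest paths and hold no per-service or IP configuration. The following constructed model, added here and not Avaya's code or CLI, makes that checkable: a fabric of nodes with adjacencies, an edge-only provision() standing in for "vlan i-sid <vlan> <i-sid>", a breadth-first shortest path standing in for the SPB computation (unit link cost is an assumption), and a report that confirms which nodes carry service state. Node names and the topology in build_demo() are invented.

```python
"""Constructed toy model of edge-only L2 service provisioning over an SPB-style fabric.

Not Avaya code. Assumptions: unit link cost for the shortest-path computation,
a 24-bit I-SID space (IEEE 802.1ah backbone service instance identifier), and
invented node names in build_demo().
"""
from collections import deque
from itertools import combinations

ISID_MAX = (1 << 24) - 1  # 24-bit I-SID: 16,777,215 service instances, the "16M+" on the slides


class Fabric:
    """Nodes joined by IS-IS-style adjacencies; services exist only where provisioned."""

    def __init__(self):
        self.adj = {}       # node -> set of adjacent nodes
        self.services = {}  # node -> {i_sid: vlan} mappings provisioned on that node

    def add_link(self, a, b):
        for n in (a, b):
            self.adj.setdefault(n, set())
            self.services.setdefault(n, {})
        self.adj[a].add(b)
        self.adj[b].add(a)

    def provision(self, node, vlan, i_sid):
        """Models the edge-only 'vlan i-sid <vlan> <i-sid>' step on a single switch."""
        if node not in self.adj:
            raise KeyError(f"unknown node {node}")
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} outside 1..4094")
        if not 1 <= i_sid <= ISID_MAX:
            raise ValueError(f"I-SID {i_sid} outside 24-bit range 1..{ISID_MAX}")
        self.services[node][i_sid] = vlan

    def config_lines(self, node):
        """Per-service configuration a node carries: one mapping line per VLAN/I-SID."""
        return len(self.services[node])

    def shortest_path(self, src, dst):
        """BFS with unit link cost (stand-in for the SPB shortest-path computation).
        Returns the node list from src to dst, or None when dst is unreachable."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            n = queue.popleft()
            if n == dst:
                break
            for nb in sorted(self.adj[n]):
                if nb not in prev:
                    prev[nb] = n
                    queue.append(nb)
        if dst not in prev:
            return None
        path, n = [], dst
        while n is not None:
            path.append(n)
            n = prev[n]
        return path[::-1]

    def service_report(self, i_sid):
        """Edge members of a service, the transit nodes between them, and how much
        service configuration those transit nodes hold (expected: none)."""
        members = sorted(n for n, svc in self.services.items() if i_sid in svc)
        transit, end_to_end = set(), len(members) >= 2
        for a, b in combinations(members, 2):
            path = self.shortest_path(a, b)
            if path is None:
                end_to_end = False
                continue
            transit.update(path[1:-1])
        transit -= set(members)
        return {
            "i_sid": i_sid,
            "members": members,
            "end_to_end": end_to_end,
            "transit": sorted(transit),
            "transit_config_lines": sum(self.config_lines(n) for n in transit),
        }


def build_demo():
    """Constructed topology: two edges across a two-node core, plus a third edge."""
    f = Fabric()
    f.add_link("edge-A", "core-1")
    f.add_link("core-1", "core-2")
    f.add_link("core-2", "edge-B")
    f.add_link("core-1", "edge-D")
    f.provision("edge-A", 7, 700)  # the slide's 'vlan i-sid 7 700' on the first edge
    f.provision("edge-B", 7, 700)  # ... and on the second edge; nothing on the core
    f.provision("edge-D", 20, 701)  # a service provisioned on one edge only
    return f


if __name__ == "__main__":
    fabric = build_demo()
    print(fabric.service_report(700))
    print(fabric.service_report(701))
```

Running it shows I-SID 700 end-to-end between edge-A and edge-B with core-1 and core-2 as transit and zero service lines on them, while I-SID 701 is not end-to-end because it has a single member; the range check rejects an I-SID above the 24-bit limit.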
-
Modularity and Sampling Concept: End to End Stealth
[Diagram: a Fabric Connect Cloud spanning Core/Distribution to Data Center between a Private Application (Client) and a Private Application (Server). Secure L2 Stealth Networks map VLAN to I-SID to VLAN; a Secure L3 Stealth Network (IP VPN) maps Subnet A to VRF, I-SID, VRF, Subnet B. Secure single port at the edge. Layers shown: remote site systems (App/OS, Switch/Network), network distribution systems, Firewall/IDS security demarcation, data center systems (compute systems, storage systems, FW/IDS, IDE).]
-
In Conclusion
While IP Virtual Private Networks are nothing new, IEEE 802.1aq takes the concept to a new level with Fabric Connect. Flexible and nimble service extensions lend themselves to an incredibly mobile, secure networking paradigm: Stealth Networking.
Fast, nimble and invisible Stealth Networks can be used to address traditional privacy concerns such as PCI and HIPAA compliance, and next-generation private network requirements such as mobility for emergency response, military and/or field-based operations.
Fabric Connect can deliver all modes of secure private connectivity: Layer 2 Stealth requirements, Layer 3 Stealth requirements, Mobile Stealth requirements.
-