Ohio DGS 2015 Presentation - Future of Networks - Ed Koehler

Upload: erepublic

Post on 08-Jan-2016


DESCRIPTION

Ohio DGS 2015 Presentation - Future of Networks, by Ed Koehler

TRANSCRIPT

  • Private, Secure Networking for the Public Sector
    Ed Koehler, Director, Distinguished Engineer

    Ohio Digital Summit 2015

  • 2014 Avaya Inc. All rights reserved. (Slide 2)

    Privacy in a Virtualized World

    Network and service virtualization have transformed the IT industry: cloud services, software-defined networking
    Security and privacy concerns are being expressed by many risk and security analysts
    Regulatory compliance in a virtualized environment can be a difficult bar to reach
      Examples: PCI compliance, HIPAA, process flow and control (SCADA) environments, video surveillance, etc.

  • Slide 3

    Security Impact: What Makes this So Difficult?

    Traditional networking approaches use IP as a utility protocol to establish service paths
    These paths are prone to IP scanning techniques that are used to discover network topology and identify key attack vectors
    Using traditional approaches for privacy and separation is costly and complex: inadvertent routed black holes, poor resiliency, high capital expenditure (CAPEX) and operational expenditure (OPEX)
    Using IP as the utility for establishing paths means that the paths have to be visible. This creates a Catch-22, which in turn creates complexity and cost

  • Slide 4

    IP Address Explosion!

    Sensors and actuators require addresses; IPv6 is a huge address space
    We cannot afford to waste IP space on transit routes!
    Non-IP path establishment technologies: IEEE 802.1aq / IETF RFC 6329 Shortest Path Bridging; Avaya Fabric Connect; IETF draft enhancements for L3 and multicast
    There are also implicit security concerns in using IP as a path protocol: IP scanning, infrastructure attack, confidential data breach
    If we can remove some of the dependency on IP to establish service paths, EVERYTHING becomes much EASIER!
    BGP tables are being overrun. IPv6 is exacerbating the issue!

  • Slide 5

    SPB is TRULY Stealthy!

    Fabric Connect is not dependent upon IP to establish the service path; IP networks become points of service within the Fabric
    Service paths are established by SPB Ethernet Switched Paths (ESPs) within Fabric Connect
    As a result, path behaviours are established on a completely different plane: ESPs are invisible to IP
    Helps to clear up IP address congestion and convoluted topologies
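    As an added example (not code from the presentation or from Avaya), the following Python builds and decodes the IEEE 802.1ah MAC-in-MAC frame that SPBM carries across the fabric, to show concretely what "ESPs are invisible to IP" means: a core bridge forwards on the backbone MACs and B-VID, and the customer IP header sits behind the I-TAG where only the edge bridge decapsulates it. All MAC addresses, the B-VID, the I-SID and the inner IPv4 packet are constructed sample values.

```python
"""Build and parse an IEEE 802.1ah (MAC-in-MAC) frame, the encapsulation that
SPBM / Fabric Connect uses to carry a customer frame across the fabric.

Added example, not code from the presentation.  All addresses, the B-VID,
the I-SID and the inner IPv4 packet are constructed sample values."""
import socket
import struct

TPID_BTAG = 0x88A8       # B-TAG carries the 802.1ad S-TAG TPID
TPID_ITAG = 0x88E7       # 802.1ah I-TAG TPID
ETHERTYPE_IPV4 = 0x0800
ISID_MAX = 0xFFFFFF      # 24-bit I-SID: the "16M+" service instances


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, payload=b""):
    """Minimal IPv4 header (protocol 17, no options) with a correct checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def customer_frame(c_da, c_sa, ip_packet):
    """The untagged customer Ethernet frame that enters the fabric at the edge."""
    return mac(c_da) + mac(c_sa) + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def encapsulate(b_da, b_sa, b_vid, i_sid, inner):
    """Backbone edge bridge (BEB) ingress: prepend B-DA, B-SA, B-TAG and I-TAG."""
    if not 1 <= b_vid <= 4094:
        raise ValueError("B-VID out of range")
    if not 0 <= i_sid <= ISID_MAX:
        raise ValueError("I-SID must fit in 24 bits")
    b_tag = struct.pack("!HH", TPID_BTAG, b_vid)   # PCP=0, DEI=0
    i_tag = struct.pack("!HI", TPID_ITAG, i_sid)   # PCP/DEI/UCA/Res bits = 0
    return mac(b_da) + mac(b_sa) + b_tag + i_tag + inner


def parse(frame):
    """Decode a MAC-in-MAC frame into its backbone and customer parts."""
    b_da, b_sa = frame[0:6], frame[6:12]
    off = 12
    tpid, = struct.unpack_from("!H", frame, off)
    b_vid = None
    if tpid == TPID_BTAG:                          # the B-TAG is optional
        tci, = struct.unpack_from("!H", frame, off + 2)
        b_vid = tci & 0x0FFF
        off += 4
        tpid, = struct.unpack_from("!H", frame, off)
    if tpid != TPID_ITAG:
        raise ValueError("not an 802.1ah frame: no I-TAG at offset %d" % off)
    i_tci, = struct.unpack_from("!I", frame, off + 2)
    off += 6
    c_da, c_sa = frame[off:off + 6], frame[off + 6:off + 12]
    c_type, = struct.unpack_from("!H", frame, off + 12)
    return {
        "b_da": b_da.hex(":"), "b_sa": b_sa.hex(":"), "b_vid": b_vid,
        "i_sid": i_tci & ISID_MAX,
        "c_da": c_da.hex(":"), "c_sa": c_sa.hex(":"),
        "c_ethertype": c_type, "payload": frame[off + 14:],
    }


def transit_view(frame):
    """Fields a backbone core bridge forwards on: B-MACs and B-VID.  No IP header
    sits in front of the I-TAG, so an IP scan of the core finds no transit hops."""
    p = parse(frame)
    return {k: p[k] for k in ("b_da", "b_sa", "b_vid")}


def inner_ip_addresses(frame):
    """Source/destination of the customer IPv4 packet, visible only after the
    egress BEB strips the backbone header."""
    p = parse(frame)
    if p["c_ethertype"] != ETHERTYPE_IPV4:
        return None
    ip = p["payload"]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])


def sample_frame():
    """Constructed sample: VLAN 7 mapped to I-SID 700 (as in 'vlan i-sid 7 700')."""
    inner = customer_frame("00:11:22:33:44:01", "00:11:22:33:44:02",
                           ipv4_packet("10.0.7.10", "10.0.7.20", b"hello"))
    return encapsulate("02:aa:00:00:00:01", "02:aa:00:00:00:02", 4051, 700, inner)


if __name__ == "__main__":
    frame = sample_frame()
    print("transit sees:", transit_view(frame))
    print("I-SID:", parse(frame)["i_sid"], "inner IP:", inner_ip_addresses(frame))
```

    Note what this does and does not hide: the backbone header still carries B-MACs and a B-VID learned through the fabric's own control plane, so the core is opaque to IP-layer scanning from an attached service, not to someone with access to a backbone link or the IS-IS control plane, and two hosts inside the same I-SID can still scan each other.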

  • Slide 6

    Data Protection: Segmentation comes first! (Dark Reading recommendations)

    Security includes all people, processes and technology
    Validate where private data exists
    Trace processes and systems; develop flow diagrams of interacting systems and private data
    Develop documented penetration testing specific to the private environment: hack/attack methodologies; ongoing evaluation of threats, vulnerabilities and risk
    The more technologies involved in the private environment, the more engineering and penetration testing required!
    Fabric Connect (IEEE 802.1aq) used end to end eliminates most if not all other network technologies, and can significantly reduce ACL requirements and enhance data-flow validation
      Firewalls/IDS are collapsed into a virtualized security demarcation perimeter
      Servers/storage reside in encrypted virtualized storage hidden by stealth services
      Authentication/authorization: Identity Engines
      Management applications: an important consideration is to lock down the management environment. If it manages a system in the private environment, it is part of it!

  • Slide 7

    A Fabric Enabled Enterprise: Driving a LOWER TCO through SIMPLIFICATION

    Figure: based on E-LINE provider service
    Consistent architecture from data center to campus / metro to branch

  • Slide 8

    Public Sector Network Evolution: Rationale for Evolution

    ONE Enterprise Fabric, protocol tier: data center converged infrastructure; multi-tenant, multi-service (16M+)
    Business continuity: 6x9s when it matters; extend at cloud speed; application/context awareness; in-production service enablement; emergency services; DR capabilities; native fabric extension; high-performance DC fabric (VM mobility, lowest latency, highest-performance east-west flows, near 20TB); in-service maintenance and operations
    Lower TCO: reduced time to service (minutes vs weeks); automated provisioning; edge-only provisioning; green IT (cooling, power); smart buildings; simplified architecture
    Security: 16M+ secure zones; IP hacking prevention; PCI-compliant private stealth networks; secure BYOD and VDI
    Cloud scale and agility: unmatched multicast scalability and reliability (IPTV, CCTV, digital signage, CC supervisor, CC desktop display, IP wallboards, etc.); embedded monitoring tools; all cloud deployment models supported, PODs supported
    Summary: reduced TCO and utility pricing; enhanced security and cloud scale; business continuity and DR capabilities

  • Slide 9

    Figure: number of control planes against stability, legacy model vs Fabric Connect

    Legacy model: protocols run independently (802.1, PIM, OTV, ...); data center only with legacy protocols; complex nodal provisioning; many control planes; instability and complexity
    Fabric Connect: ONE protocol (802.1aq Fabric Connect with OAM); one control plane; stability, scalability and simplicity
    ONE PROTOCOL end-to-end (L2, L3, unicast, multicast): Avaya's Fabric Connect
    Simple provisioning for end-to-end services
    A profound impact on how networks will be built!

  • Slide 10

    Native Secure Multi-Tenant Architecture: Enables Security Zones Enterprise-Wide

    Figure: UC Zone, Corporate Zone, Guest Zone and Contractor Zone carried as separate zones across the fabric

  • Slide 11

    Instability derived from complexity: SDN can't solve this, we need a change

    Figure: the protocol stack (a stack of protocols) between Network and Business, read bottom-up, with the convergence delay each layer adds once the link comes up:
      802.3: link comes up
      RSTP/MSTP/PVST+: 0.8 seconds later
      VLANs: 0.5 seconds later
      OSPF: 1.2 seconds later
      PIM: 20 seconds later
    Today's protocol stacks are like a house of cards: RSTP, OSPF, BGP, PIM, MPLS, MSTP

    "Protocols are killing us. Protocols are like the never-ending bottle of pills, each one prescribed to remedy the problems introduced by the previous medication."
    http://packetpushers.net/does-trill-stand-a-chance-at-wide-adoption/#disqus_thread

  • Slide 12

    What This Means In The Real World? Configuring a single Layer 2 VPN (VLAN extension)

    Conventional MPLS L2 VPN (the slide labels this "Cisco"; the syntax shown is Junos):

    set routing-instances RI-IPN-L2L01 instance-type l2vpn
    set routing-instances RI-IPN-L2L01 interface ge-0/0/8.700
    set routing-instances RI-IPN-L2L01 interface xe-0/2/0.700
    set routing-instances RI-IPN-L2L01 route-distinguisher 13.13.13.1:1013
    set routing-instances RI-IPN-L2L01 vrf-target target:64999:1013
    set routing-instances RI-IPN-L2L01 protocols l2vpn encapsulation-type ethernet-vlan
    set routing-instances RI-IPN-L2L01 protocols l2vpn site H15-H15-IPN-L2L01 site-identifier 1
    set routing-instances RI-IPN-L2L01 protocols l2vpn site H15-H15-IPN-L2L01 interface xe-0/2/0.700 remote-site-id 11
    set routing-instances RI-IPN-L2L01 protocols l2vpn site RH15-H15-IPN-L2L01 site-identifier 11
    set routing-instances RI-IPN-L2L01 protocols l2vpn site RH15-H15-IPN-L2L01 interface ge-0/0/8.700 remote-site-id 1
    set interfaces ge-0/0/8 unit 700 description L2-IPN-L2L01
    set interfaces ge-0/0/8 unit 700 encapsulation vlan-ccc
    set interfaces ge-0/0/8 unit 700 vlan-id 613

    First device done... now, onto the next... (Now this might take a while.) (Actually, we need to speed things up.)

    Avaya Fabric Connect (map VLAN 7 to I-SID 700 at the edge):

    vlan i-sid 7 700

    DONE end-to-end!

  • Slide 13

    Figure: Secure L3 Stealth Network (IP VPN): Subnet A - VRF - Fabric Connect Cloud - VRF - Subnet B
    Figure: Secure L2 Stealth Networks: VLAN - I-SID - VLAN across the Fabric Connect Cloud; Secure Single Port

    Modularity and sampling concept: End-to-end Stealth

    Figure (Core / Distribution / Data Center): Private Application (Client) to Private Application (Server), with the sampling points along the path:
      Remote site systems: App/OS; Switch/Network
      Network Distribution Systems
      Firewall/IDS Security Demarcation
      Data Center Systems: Compute Systems; Storage Systems; FW/IDS; IDE (Identity Engines)
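    The following Python is an added example (not from the presentation or from an Avaya tool) of the data-flow validation that slide 6 calls for, applied to the zone model of slide 10 and the demarcation layout of slide 13: it reads per-switch edge mappings in the `vlan i-sid <vid> <i-sid>` form shown on slide 12, builds the VLAN-to-I-SID membership, and checks constructed flow records against it, flagging flows that cross zones without passing the firewall/IDS demarcation service and flows from VLANs that are not mapped to any I-SID at all. The switch names, configurations, zone table, I-SID numbers and flow records are all constructed assumptions.

```python
"""Data-flow validation over an I-SID-segmented fabric.

Added example, not code from the presentation.  The edge configurations,
zone table and flow records below are constructed sample data; the only
things taken from the slides are the 'vlan i-sid <vid> <i-sid>' edge-mapping
form and the zone names (UC, Corporate, Guest, Contractor)."""
import re
from collections import defaultdict, namedtuple

# Constructed edge configurations: each switch maps local VLANs to I-SIDs.
SWITCH_CONFIGS = {
    "edge-a": "vlan i-sid 7 700\nvlan i-sid 20 1020\nvlan i-sid 30 1030\n",
    "edge-b": "vlan i-sid 7 700\nvlan i-sid 40 1040\nvlan i-sid 99 9000\n",
    "dc-core": "vlan i-sid 7 700\nvlan i-sid 99 9000\n",
}

# Assumed zone table: which I-SID is which security zone.  9000 is the
# firewall/IDS demarcation service that cross-zone traffic must traverse.
ZONES = {700: "Corporate", 1020: "UC", 1030: "Guest", 1040: "Contractor",
         9000: "FW-Demarcation"}
DEMARCATION_ISID = 9000

VLAN_ISID_RE = re.compile(r"^\s*vlan\s+i-sid\s+(\d+)\s+(\d+)\s*$", re.M)


def parse_isid_map(configs):
    """{switch: {vlan: i_sid}} built from the 'vlan i-sid' lines of each config."""
    return {sw: {int(v): int(i) for v, i in VLAN_ISID_RE.findall(cfg)}
            for sw, cfg in configs.items()}


Flow = namedtuple("Flow", "src_switch src_vlan src_ip dst_switch dst_vlan dst_ip")

# Constructed flow records, as an edge switch or collector might export them.
FLOWS = [
    Flow("edge-a", 7, "10.0.7.10", "edge-b", 7, "10.0.7.20"),        # same I-SID
    Flow("edge-a", 30, "192.168.30.5", "dc-core", 99, "10.99.0.1"),  # guest -> firewall
    Flow("edge-a", 30, "192.168.30.5", "edge-b", 40, "10.0.40.7"),   # guest -> contractor
    Flow("edge-b", 55, "10.0.55.9", "edge-a", 7, "10.0.7.10"),       # VLAN 55 unmapped
]


def classify(flow, isid_map):
    """intra-zone / via-demarcation / cross-zone-bypass / unmapped-vlan."""
    src = isid_map.get(flow.src_switch, {}).get(flow.src_vlan)
    dst = isid_map.get(flow.dst_switch, {}).get(flow.dst_vlan)
    if src is None or dst is None:
        return "unmapped-vlan"          # a VLAN in no service: outside every stealth network
    if src == dst:
        return "intra-zone"             # stays inside one I-SID
    if DEMARCATION_ISID in (src, dst):
        return "via-demarcation"        # crosses zones through the firewall service
    return "cross-zone-bypass"          # two zones talking without the demarcation


def validate_flows(flows, isid_map):
    """Findings (verdict, src_ip, dst_ip, src_zone, dst_zone) for flows that
    violate the segmentation model."""
    findings = []
    for f in flows:
        verdict = classify(f, isid_map)
        if verdict in ("cross-zone-bypass", "unmapped-vlan"):
            src = isid_map.get(f.src_switch, {}).get(f.src_vlan)
            dst = isid_map.get(f.dst_switch, {}).get(f.dst_vlan)
            findings.append((verdict, f.src_ip, f.dst_ip,
                             ZONES.get(src, "unmapped"), ZONES.get(dst, "unmapped")))
    return findings


def single_endpoint_services(isid_map):
    """I-SIDs mapped on exactly one switch: a service with a single edge is
    either half-provisioned or has nobody to talk to, so it deserves a look."""
    switches_per_isid = defaultdict(set)
    for sw, vlans in isid_map.items():
        for isid in vlans.values():
            switches_per_isid[isid].add(sw)
    return {isid for isid, sws in switches_per_isid.items() if len(sws) == 1}


def unknown_services(isid_map):
    """I-SIDs provisioned at an edge but absent from the zone table."""
    return {isid for vlans in isid_map.values() for isid in vlans.values()
            if isid not in ZONES}


if __name__ == "__main__":
    isid_map = parse_isid_map(SWITCH_CONFIGS)
    for finding in validate_flows(FLOWS, isid_map):
        print("VIOLATION", finding)
    print("single-endpoint services:", sorted(single_endpoint_services(isid_map)))
    print("unknown services:", sorted(unknown_services(isid_map)))
```

    The point of the two provisioning checks is the slide 6 remark that anything which manages or maps into the private environment is part of it: an I-SID that appears at only one edge, or one that no zone owner has claimed, is exactly the kind of drift that a flow diagram drawn once and never re-checked will miss.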

  • Slide 14

    In Conclusion

    While IP Virtual Private Networks are nothing new, IEEE 802.1aq takes the concept to a new level with Fabric Connect
    Flexible and nimble service extensions lend themselves to an incredibly mobile, secure networking paradigm: Stealth Networking, fast, nimble and invisible
    Stealth Networks can be used to address traditional privacy concerns such as PCI and HIPAA compliance
    Next-generation private network requirements, such as mobility for emergency response, military and/or field-based operations
    Fabric Connect can deliver all modes of secure private connectivity: Layer 2 Stealth requirements, Layer 3 Stealth requirements, Mobile Stealth requirements

  • Slide outline
    1. Private, Secure Networking for the Public Sector
    2. Privacy in a Virtualized World
    3. Security Impact: What Makes this So Difficult?
    4. IP Address Explosion!
    5. SPB is TRULY Stealthy!
    6. Data Protection: Segmentation comes first! (Dark Reading recommendations)
    7. A Fabric Enabled Enterprise: Driving a LOWER TCO through SIMPLIFICATION
    8. Rationale for Evolution
    9. Slide Number 9
    10. Native Secure Multi-Tenant Architecture
    11. Instability derived from complexity: SDN can't solve this, we need a change
    12. What This Means In The Real World?
    13. Modularity and sampling concept: End-to-end Stealth
    14. In Conclusion
    15. Slide Number 15