Time for Networking 3.0 PowerPoint Presentation
Presentation Transcript

  1. Time for Networking 3.0
     Identity-Defined Networking: Secure Networking Made Simple
     Rob Goss, Regional Sales Director

  2. COMPLEXITY

  3. Networking & Security: Complex, Costly, Fragile, & Porous
     (Slide graphic: boxes labelled L3, ROUTER, FW, RULES, VLANs, NAT, ACLs and VPNs, each with a configuration excerpt.)

     Firewall rules:
       interface gigabitethernet 0/3
         nameif dmz
         security-level 50
         ip address 192.168.2.1 255.255.255.0
         no shutdown
       same-security-traffic permit inter-interface
       route outside 0 0 209.165.201.1 1
       nat (dept1) 1 10.1.1.0 255.255.255.0
       nat (dept2) 1 10.1.2.0 255.255.255.0
       router rip
         network 10.0.0.0
         default-information originate
         version 2
       ssh 209.165.200.225 255.255.255.255 outside
       logging trap 5

     Router configuration:
       Router>enable
       Router#configure terminal
       Router(config)#hostname CORP
       CORP(config)#interface serial 0/0/0
       CORP(config-if)#description link to ISP
       CORP(config-if)#ip address 192.31.7.6 255.255.255.252
       CORP(config-if)#no shutdown
       CORP(config)#interface fastethernet 0/1
       CORP(config-if)#description link to 3560 Switch
       CORP(config-if)#ip address 172.31.1.5 255.255.255.252
       CORP(config-if)#no shutdown

     Access control list:
       device(config)# ip access-list standard Net1
       device(config-std-nacl-Net1)# deny host 10.157.22.26
       device(config-std-nacl-Net1)# deny 10.157.29.12
       device(config-std-nacl-Net1)# deny host IPHost1
       device(config-std-nacl-Net1)# permit any
       device(config-std-nacl-Net1)# exit
       device(config)# int eth 1/1
       device(config-if-e10000-1/1)# ip access-group Net1 in

  4. The Root Cause: IP Addresses Used as Identity
     Continuous change, per networked "thing":
     • Complex firewall & networking rule sets
     • DNS & routing updates for failover
     • VPN access controls for each network
     • Routing policies, VLANs & ACLs overhead
     (clients x resources) x (net & sec policy x updates) = complexity*
     *Inspired by "An Attack Surface Metric," Dr. Pratyusa K. Manadhata, Member, IEEE, and Dr. Jeannette M. Wing, Fellow, IEEE, IEEE Transactions on Software Engineering, 2010

  5. Oil and Gas – A Global Enterprise
     Secure connectivity and global IP mobility for previously non-routable resources
     (Diagram: Dev Ops / Support • Internet / WAN)
     Connect the un-connectable.

  6. Facility Automation Services
     Environment
     • 200 sites local
     • 300 additional throughout the commonwealth
     • Legacy flat Layer 2 network
     • New routed Layer 3 network
     • 600+ switches/routers
     Team
     • 2 Network Admins and 2 System Admins
     • 4 Technical Services – Installers
     Responsibilities
     • Design, deploy, and manage all Facility Services
     • Ensure the high availability, integrity, and confidentiality of all systems
     • 99.999% uptime is critical
     • Resolve issues in minutes rather than hours

  7. HIP

  8. Host Identity Protocol (HIP) – RFC 4423, 5201, 7401
     Solving a fundamental flaw of TCP/IP networking
     • Proposed in 1999 by Bob Moskowitz at the IETF
     • Addresses the fundamental flaw in IP communications
     • Enables provable identity for every networked thing
     • Funded and developed by military, aerospace, and telecommunications
     • In production beginning in 2006
     • Ratified by the IETF in April 2015
     HIP will revolutionize networking and security as we know it
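     The slide names HIP but does not show what "provable identity" looks like on the wire. The Python below is an added illustration, not code from the presentation or from Tempered Networks: a host's identifier is derived from its own public key instead of being assigned by the network, and, before a Responder spends state on a new peer, the HIP base exchange (RFC 7401, section 4.1.2) makes the Initiator solve a puzzle bound to both identities, finding J such that the K lowest-order bits of RHASH(I | HIT-I | HIT-R | J) are zero. RHASH is SHA-256 here, as for HIT Suite 1. Two simplifications are assumptions of this example: the HIT is 128 bits of SHA-256 over the raw public-key bytes rather than the ORCHIDv2 encoding of RFC 7343, and the keys are constructed byte strings rather than real RSA/ECDSA public keys.

```python
import hashlib
import secrets
from typing import Tuple

# Added example for the HIP slide (not the presentation's or vendor's code).
# Demonstrates the identity-from-public-key idea and the RFC 7401 puzzle:
# Initiator finds J with Ltrunc(RHASH(I | HIT-I | HIT-R | J), K) == 0.

RHASH = hashlib.sha256
RHASH_LEN_BYTES = 32          # I and J are RHASH_len/8 bytes each
PUZZLE_K = 12                 # difficulty: about 2^12 hash attempts expected


def make_hit(public_key: bytes) -> bytes:
    """Simplified Host Identity Tag: 128 bits of SHA-256 over the public key.
    ASSUMPTION: keeps only the idea (identity = hash of public key); it does
    not reproduce the ORCHIDv2 prefix and encoding from RFC 7343."""
    return RHASH(public_key).digest()[:16]


def puzzle_value(I: bytes, hit_i: bytes, hit_r: bytes, J: bytes) -> int:
    """RHASH(I | HIT-I | HIT-R | J) as an integer so its low bits can be masked."""
    return int.from_bytes(RHASH(I + hit_i + hit_r + J).digest(), "big")


def solution_ok(I: bytes, hit_i: bytes, hit_r: bytes, J: bytes, K: int) -> bool:
    """True when the K lowest-order bits of the puzzle hash are all zero."""
    return puzzle_value(I, hit_i, hit_r, J) & ((1 << K) - 1) == 0


def solve_puzzle(I: bytes, hit_i: bytes, hit_r: bytes, K: int,
                 max_tries: int = 1 << 24) -> bytes:
    """Initiator side: brute-force J. The ~2^K hashes are paid by the
    Initiator, while the Responder's check is a single hash."""
    for _ in range(max_tries):
        J = secrets.token_bytes(RHASH_LEN_BYTES)
        if solution_ok(I, hit_i, hit_r, J, K):
            return J
    raise RuntimeError("no solution within max_tries")


class Responder:
    """Responder side: hands out (I, K) in R1 and checks J in I2. Only I
    values it actually issued are accepted, so a solution computed against
    some other I, or precomputed before R1 was sent, is rejected."""

    def __init__(self, public_key: bytes, K: int = PUZZLE_K):
        self.hit = make_hit(public_key)
        self.K = K
        self._issued = set()

    def new_puzzle(self) -> Tuple[bytes, int]:
        I = secrets.token_bytes(RHASH_LEN_BYTES)
        self._issued.add(I)
        return I, self.K

    def verify(self, I: bytes, hit_i: bytes, J: bytes) -> bool:
        if I not in self._issued:
            return False                      # not a puzzle we issued
        if not solution_ok(I, hit_i, self.hit, J, self.K):
            return False                      # wrong J, or wrong identities
        self._issued.discard(I)               # one accepted solution per puzzle
        return True


def run_exchange(initiator_key: bytes, responder_key: bytes, K: int = PUZZLE_K) -> bool:
    """Walk the puzzle part of the base exchange: R1 carries (I, K), the
    Initiator works, I2 carries J, and the Responder verifies before going on."""
    responder = Responder(responder_key, K)
    hit_i = make_hit(initiator_key)
    I, K = responder.new_puzzle()                        # R1
    J = solve_puzzle(I, hit_i, responder.hit, K)         # Initiator's work
    return responder.verify(I, hit_i, J)                 # I2 check


if __name__ == "__main__":
    # Constructed stand-in keys; a real Host Identity is an RSA/ECDSA public key.
    init_key = b"constructed-initiator-public-key"
    resp_key = b"constructed-responder-public-key"
    print("exchange accepted:", run_exchange(init_key, resp_key))
```

     Because HIT-I and HIT-R are inputs to the puzzle hash, a solution is bound to one pair of identities and cannot be replayed for another peer, and because the Responder raises K under load, the cost of opening many half-finished exchanges falls on the party initiating them rather than on the Responder.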

  9. The End of IP Address-Defined Networking
     Moving towards a trusted Identity-Defined Networking architecture

  10. Security is Now Native to Networking
     Verifiable device identity creates a simpler, more mobile, and effective perimeter

  11. Secure Networking Made Simple
     Identity-Defined Networking: Orchestration and Enforcement

  12. A Unified, Resilient Network without Constraints
     Instantly connect, protect, and revoke anything, anywhere, anytime

  13. Oil and Gas – A Global Enterprise
     Secure connectivity and global IP mobility for previously non-routable resources
     (Diagram: Dev Ops / Support • Internet / WAN • HIPrelay)
     Connect the un-connectable.

  14. Facility Automation Services (slide 6 repeated)

  15. Designing, Deploying, & Managing in Chaos
     Problems
     • Centralize and secure plant services across 640+ buildings, statewide
     • Support old (20+ years) systems
     • Every building is unique
     • Maintaining the old network while building out new infrastructure
     • Telecomm rooms with physical security – card & key access with limited oversight
     • 1–9 telecomm rooms per bldg.
     • 700–3500 CU data jacks per bldg.
     BACnet Traffic Utilization & Storms – Performance & Outage Impacts
     • Unconfigured tools or flawed procedures
     • Blank "Who-Is" BACnet broadcast to 3,000+ GW routers
     • Improperly configured software
     • Default .001 change in value (CoV) for a temperature point

  16. Objective: network, segment, and protect Building Automation Systems for 500 sites across a flat L2 network
                          Traditional IP-based solutions*
     HEADCOUNT            ~8 additional Sec/Net Admins
                          (assuming on average 1 net new Sec/Net Admin per 35–60 firewalls deployed)
     EQUIPMENT COST       ~$2 Million+
                          (deploying one traditional address-based product per building)
     TIME                 2500 FTE days
                          (estimated time to deploy: 5 days per building for one full-time employee; 5 x 500 buildings)
     *Traditional address-based solutions include firewalls / VPNs / switching, routing, wireless, and cellular modems

  17. Solution – Connecting and Protecting BAS / BACnet with IDN
     (Diagram labels: Corporate Network, The Conductor, Control Servers, BACnet/IP Router, Building 1, Building 2, Building 3; building systems: HVAC, Fire Suppression, Lighting, Building Access System.)

  18. BYON for a Large University
     Customer: Facilities & Operations
     Objective: network, segment, and protect Building Automation Systems for 500 sites across a flat L2 network
                          Traditional IP-based solutions*       Tempered Networks
     HEADCOUNT            ~8 additional Sec/Net Admins          No additional admins
                          (assuming on average 1 net new Sec/Net Admin per 35–60 firewalls deployed)
     EQUIPMENT COST       ~$2 Million+                          $500,000
                          (deploying one traditional address-based product per building)
     TIME                 2500 FTE days                         75 FTE days
                          (estimated time to deploy: 5 days per building for one full-time employee; 5 x 500 buildings)
     *Traditional address-based solutions include firewalls / VPNs / switching, routing, wireless, and cellular modems

  19. IDN Capabilities A unified, resilient, and secure network without constraints

  20. Learn More About HIP
     Come by Tempered Networks' booth to see Identity-Defined Networking in action
     Books
     • Host Identity Protocol (HIP): Towards the Secure Mobile Internet. Andrei Gurtov, Wiley & Sons, 2008
     • Beyond HIP: The End to Hacking as We Know It. Richard Paine, Amazon, 2009
     Papers
     • Secure Communication Channel Architecture for Software Defined Mobile Networks. Liyanage et al., Elsevier, 2017
     • The Answer to Next-Generation Security Threats. Tempered Networks, IDG, 2016
     • Identity-Defined Networking: Next-Generation Architecture. Erik Giesa, Tempered Networks, 2016
     RFCs
     • RFC 4423, Host Identity Protocol Architecture. Nikander and Moskowitz, IETF, 2006
     • RFC 5201, Host Identity Protocol. Moskowitz et al., IETF, 2008
     • RFC 7401, Host Identity Protocol Version 2. Moskowitz et al. (Ericsson Research, University of Washington), IETF, 2015
     • Other related RFCs: 6092, 7042, 8002, 8003, 8004, 8005

  21. Thank You!