
Perimeter-less networks: The death of the LAN

Evan Gilman
October 14, 2015


The transition to the cloud has not come without its fair share of challenges, network connectivity being one of the most notorious. With less control over the network than ever before, declaring an architecture is oftentimes more trouble than it’s worth, especially if you have more than one cloud provider.

Wresting control of your network architecture back is a daunting task when operating in the cloud. Instead, we can leverage automation to provide software-defined network policies that are enforced in a distributed way. Taking this approach, long gone are the days of VPN tunnels, perimeter firewalls, and private networks.

In this talk, we’ll go over why network topology doesn’t matter like it used to, and how software-defined policies and automation can come together to provide your systems with a self-configuring decentralized network.


Transcript

  1. Perimeter-less Networks: Death of the LAN
     Evan Gilman, 10/13/15, @evan2645

  2. About Me

  3. About This Talk (section slide; footer reads RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF)

  4. Agenda
     • What is a perimeter-less network?
     • Evolution of the Perimeter Network
     • Modern Perimeter Responsibilities
     • Obsoleting the Perimeter

  5. What Is It? (section slide)

  6. What is a Perimeter-less Network?
     • Just what it sounds like!
     • All parts equal
     • Zero Trust

  7. Why Do I Want One?
     • More Scalable
     • Less Complex
     • It just makes sense…

  8. Perimeter Network Evolution (section slide)

  9–11. Near The Beginning (diagram only)

  12–13. Near The Beginning (diagram; label: Internet)

  14. Accelerated Growth
     • RFC 1597

  15. Accelerated Growth (diagram; label: Internet)

  16–17. Accelerated Growth (diagram; labels: Corp., Internet)

  18. Security Concerns
     • Complete isolation if not for the ALG’s
     • Security controls few and far between
     • Watch them like dogs!
     • DMZ is invented

  19. Security Concerns (diagram; labels: Corp., DMZ, Internet, Stub Area)

  20. NAT (section slide)

  21. NAT
     • Provided general connectivity for private networks
     • Firewall is a natural place for NAT
     • Modern notion of ‘perimeter firewall’ is born

  22. Perimeter Network Design (diagram; labels: Corp., DMZ, Internet, + NAT)

  23. Perimeter Network Design (diagram; labels: Corp., DMZ, Internet, Perimeter Network, + NAT)

  24–27. Perimeter Device Challenges
     • State Maintenance
     • Throughput
     • Redundancy

  28. Enter the Present: the CLOUD
     • Multi-tenancy
     • DC’s running on untrusted hardware
     • Network is not really yours anymore…

  29. Enter the Present: the CLOUD
     • Emulate perimeter architecture
     • Familiar, proven, comfortable, ‘de facto’
     • Does it really still make sense though?

  30–31. Perimeter Responsibilities (section slides)

  32. Perimeter Responsibilities
     • Collection of network security devices
     • Network Translation/Mapping
     • Policy Definition
     • Policy Enforcement
     • Authentication, Authorization, and Access (AAA)

  33. Translation/Mapping (section slide)

  34–37. Translation/Mapping
     • Why waste public addresses on stuff that will never need it?
     • Airport arrival/departure displays
     • Cash registers, ATMs
     • Environmental control

  38–42. Translation/Mapping
     • ‘Address Allocation for Private Internets’
     • No mention of NAT
     • IPv4 is already exhausted
     • Use what you have
     • IPv6 is the nail in the coffin

  43–45. Translation/Mapping
     • NAT: It’s for the birds

  46. Policy Definition and Enforcement
     • If it’s not centralized, it’s decentralized
     • Distributing enforcement means more touch points
     • Need automation to scale
     • Key objective: Policy Config Generation

  47. Policy Definition
     • Configuration Management (CM) has changed the landscape
     • End-state declaration
     • Often brings infra/topology metadata
     • Declare security policy state given CM metadata

  48. Policy Definition (section slide)

  49–53. Policy Definition
     • Policy as code!
     • Role/Type-based policies
     • Metadata store is up-to-date
     • No more Human intervention
     • Version Control!!!1

  54–55. Policy Enforcement
     • Almost all hosts have local enforcement facilities
     • Most network equipment does too (ACLs, etc)
     • Can calculate host-level policies
     • CM can load calculated policy into enforcement facilities
     • Instrumentation here provides rich insight
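The policy-definition and policy-enforcement slides above describe one pipeline: a role-based policy kept as code, a CM metadata store that knows each host's role and address, host-level policies calculated from the two, and CM loading the result into each host's local enforcement facility. The Python script below is an added example of that pipeline; it is not code from the talk or from any CM tool the speaker mentions. The inventory (host names, roles, addresses) and the policy rules are constructed samples, and iptables-restore syntax is used as one possible target for "local enforcement facilities".

```python
import ipaddress

# Constructed sample metadata store: what a configuration-management (CM) system's
# inventory exposes about each host. Host names, roles and addresses are made up.
INVENTORY = {
    "web-01": {"role": "web", "ip": "10.0.1.10"},
    "web-02": {"role": "web", "ip": "10.0.1.11"},
    "app-01": {"role": "app", "ip": "10.0.2.10"},
    "db-01": {"role": "db", "ip": "10.0.3.10"},
    "mon-01": {"role": "monitoring", "ip": "10.0.9.10"},
}

# Policy as code: role-based rules kept under version control. Each rule says which
# source role may reach which destination role on which ports; "any" means the Internet.
POLICY = [
    {"from": "any", "to": "web", "proto": "tcp", "ports": [443]},
    {"from": "web", "to": "app", "proto": "tcp", "ports": [8080]},
    {"from": "app", "to": "db", "proto": "tcp", "ports": [5432]},
    {"from": "monitoring", "to": "web", "proto": "tcp", "ports": [9100]},
    {"from": "monitoring", "to": "app", "proto": "tcp", "ports": [9100]},
    {"from": "monitoring", "to": "db", "proto": "tcp", "ports": [9100]},
]


def validate_policy(policy=POLICY, inventory=INVENTORY):
    """Return the rules that name a role with no host in the metadata store.

    An empty list means every rule can be expanded; anything else points at a stale
    inventory or a typo in the policy and should fail the CM run before enforcement.
    """
    known_roles = {meta["role"] for meta in inventory.values()} | {"any"}
    return [r for r in policy if r["from"] not in known_roles or r["to"] not in known_roles]


def hosts_with_role(role, inventory=INVENTORY):
    """Hosts carrying a role, sorted so generated rules are deterministic."""
    return sorted(h for h, meta in inventory.items() if meta["role"] == role)


def compute_host_policy(hostname, policy=POLICY, inventory=INVENTORY):
    """Expand the role-based policy into this host's inbound allow-list.

    Returns (source_cidr, proto, port) tuples; anything not listed is denied.
    """
    role = inventory[hostname]["role"]
    allows = []
    for rule in policy:
        if rule["to"] != role:
            continue
        if rule["from"] == "any":
            sources = ["0.0.0.0/0"]
        else:
            # ipaddress turns a bare host address into its /32 network.
            sources = [str(ipaddress.ip_network(inventory[h]["ip"]))
                       for h in hosts_with_role(rule["from"], inventory)]
        for src in sources:
            for port in rule["ports"]:
                allows.append((src, rule["proto"], port))
    return allows


def render_iptables(hostname, policy=POLICY, inventory=INVENTORY):
    """Render the host's allow-list as an iptables-restore fragment with a default-deny INPUT chain.

    This is the artifact CM would ship to the host's local enforcement facility.
    """
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, proto, port in compute_host_policy(hostname, policy, inventory):
        lines.append(f"-A INPUT -s {src} -p {proto} --dport {port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines)


if __name__ == "__main__":
    bad = validate_policy()
    if bad:
        raise SystemExit(f"policy references unknown roles: {bad}")
    for host in INVENTORY:
        print(f"# {host}\n{render_iptables(host)}\n")
```

validate_policy runs before anything is rendered, so a rule that names a role nobody carries fails the CM run instead of silently producing a default-deny host with no allow rules. Because hosts are expanded in sorted order, the same commit of policy plus inventory always yields the same rule set, which is what makes version control of the policy meaningful for review and rollback.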
  56–58. AAA
     • All hosts reachable, self-aware
     • Endpoint AAA - no more VPN
     • Self-aware hosts can do authorization and access

  59–62. AAA
     • Authentication backend same as before (LDAP, RADIUS, etc)
     • Device vs User authentication
     • Device example: IPsec + IKE w/ PKI
     • User example: username/password login w/ TOTP
  63. Obsoleting The Perimeter (section slide)

  64. Perimeter-free
     • Strategies for policy generation and management
     • Strategies for distributed policy enforcement
     • Strategies for AAA

  65. Perimeter-free
     • Mr. Gorbachev…

  66. Perimeter-free
     • All hosts independently instrumented and configured
     • Zero dependency on underlying network architecture
     • No more VPN, all hosts communicate P2P-style
     • Less complexity, higher availability, more secure
     • ‘A collection of Internet hosts’

  67. Thank you! Q&A