Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Perimeter-less networks: The death of the LAN

Evan Gilman
October 14, 2015
Technology
0
260

Perimeter-less networks: The death of the LAN

The transition to the cloud has not come without its fair share of challenges, network connectivity being one of the most notorious. With less control over the network than ever before, declaring an architecture is oftentimes more trouble than it’s worth, especially if you have more than one cloud provider.

Wrestling control over your network architecture is a daunting task while operating in the cloud. Instead, we can leverage automation to provide software-defined network policies that can be enforced in a distributed way. Taking this approach, long gone are the days of VPN tunnels, perimeter firewalls, and private networks.

In this talk, we’ll go over why network topology doesn’t matter like it used to, and how software-defined policies and automation can come together to provide your systems with a self-configuring decentralized network.

Evan Gilman

October 14, 2015
Tweet

More Decks by Evan Gilman

See All by Evan Gilman
Introducing SPIFFE: An Open Standard for Identity in Cloud Native Environments
evan2645
2
220
Zero Trust Networks: Building Trusted Systems in Untrusted Networks
evan2645
0
150
Zero Trust Networks: Building Systems in Untrusted Networks
evan2645
0
180
Infra as Code: The Organizational Bottleneck and the Shared Service Anti-Pattern
evan2645
0
260
Resilient Infrastructure Automation with Serf
evan2645
3
340
Bridging the Great Divide
evan2645
0
49
Bloated Chefs: A Tale of Gluttony and the Path to Enlightenment
evan2645
0
71
Inside the End-to-End Provider Testing Suite
evan2645
0
40

Other Decks in Technology

See All in Technology
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
1
330
SREとその組織類型
tatsuo48
8
1.5k
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
580
4年前、あるじゃん老害エンジニアLT合戦に登壇、米国西海岸コンピュータ歴史博物館体験記の続編
toshi_atsumi
0
190
日本におけるデータエンジニアリングのこれまでとこれから
foursue
10
2.3k
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
740
マルチアカウント環境への発見的統制の導入
ch1aki
1
1.3k
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM and Prompt Engineering and Building Tutors
ks91
PRO
0
220
社内勉強会運営のコツ
senoo
6
1.1k
「共通基盤」を超えよ! 今、Platform Engineeringに取り組むべき理由
jacopen
25
5.8k
Signals Unleashed: The Full Guide
rainerhahnekamp
0
360
転移学習とドメイン適応の基礎
kmatsui
2
570

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
How to name files
jennybc
64
92k
BBQ
matthewcrist
80
8.7k
Done Done
chrislema
178
15k
4 Signs Your Business is Dying
shpigford
175
21k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Building Adaptive Systems
keathley
30
1.8k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
321
20k
How STYLIGHT went responsive
nonsquared
92
4.8k
Designing for Performance
lara
601
67k
GraphQLとの向き合い方2022年版
quramy
31
12k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
1.3k

Transcript

  1. 10/13/15 @evan2645 Perimeter-less Networks: Death of the LAN EVAN GILMAN

  2. 10/13/15 @evan2645 About Me PERIMETER-LESS NETWORKS: DEATH OF THE LAN

  3. 10/13/15 @evan2645 About This Talk RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  4. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN What is

    a perimeter-less network? Evolution of the Perimeter Network Modern Perimeter Responsibilities Obsoleting the Perimeter Agenda

  5. 10/13/15 @evan2645 What Is It? RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  6. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Just what

    it sounds like! All parts equal Zero Trust What is a Perimeter-less Network?

  7. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN More Scalable

    Less Complex It just makes sense… Why Do I Want One?

  8. 10/13/15 @evan2645 Perimeter Network Evolution RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  9. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN

  10. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN

  11. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN

  12. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Internet

  13. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Internet

  14. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN RFC 1597

    Accelerated Growth

  15. 10/13/15 @evan2645 Accelerated Growth PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Internet

  16. 10/13/15 @evan2645 Accelerated Growth PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Corp. Internet

  17. 10/13/15 @evan2645 Accelerated Growth PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Corp. Internet

  18. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Complete

    isolation if not for the ALG’s • Security controls few and far between • Watch them like dogs! • DMZ is invented Security Concerns

  19. 10/13/15 @evan2645 Security Concerns PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Corp. DMZ Internet Stub Area

  20. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT NAT

  21. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Provided

    general connectivity for private networks • Firewall is a natural place for NAT • Modern notion of ‘perimeter firewall’ is born NAT

  22. 10/13/15 @evan2645 Perimeter Network Design PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Corp. DMZ Internet + NAT

  23. 10/13/15 @evan2645 Perimeter Network Design PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Corp. DMZ Internet Perimeter Network + NAT

  24. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Perimeter Device

    Challenges

  25. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN State Maintenance

    Perimeter Device Challenges

  26. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN State Maintenance

    Throughput Perimeter Device Challenges

  27. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN State Maintenance

    Throughput Redundancy Perimeter Device Challenges

  28. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Multi-tenancy

    • DC’s running on untrusted hardware • Network is not really yours anymore… Enter the Present the CLOUD

  29. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Emulate

    perimeter architecture • Familiar, proven, comfortable, ‘de facto’ • Does it really still make sense though? Enter the Present the CLOUD

  30. 10/13/15 @evan2645 Perimeter Responsibilities RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  31. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Perimeter Responsibilities

  32. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Collection

    of network security devices • Network Translation/Mapping • Policy Definition • Policy Enforcement • Authentication, Authorization, and Access (AAA) Perimeter Responsibilities

  33. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Translation/Mapping

  34. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? Translation/Mapping

  35. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? • Airport arrival/departure displays Translation/Mapping

  36. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? • Airport arrival/departure displays • Cash registers, ATMs Translation/Mapping

  37. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? • Airport arrival/departure displays • Cash registers, ATMs • Environmental control Translation/Mapping

  38. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ Translation/Mapping

  39. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT Translation/Mapping

  40. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT • IPv4 is already exhausted Translation/Mapping

  41. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT • IPv4 is already exhausted • Use what you have Translation/Mapping

  42. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT • IPv4 is already exhausted • Use what you have • IPv6 is the nail in the coffin Translation/Mapping

  43. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT: It’s

    for the birds Translation/Mapping

  44. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT: It’s

    for the birds Translation/Mapping

  45. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT: It’s

    for the birds Translation/Mapping

  46. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • If

    it’s not centralized, it’s decentralized • Distributing enforcement means more touch points • Need automation to scale • Key objective: Policy Config Generation Policy Definition and Enforcement

  47. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Configuration

    Management (CM) has changed the landscape • End-state declaration • Often brings infra/topology metadata • Declare security policy state given CM metadata Policy Definition

  48. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Policy Definition

  49. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! Policy Definition

  50. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies Policy Definition

  51. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies • Metadata store is up-to-date Policy Definition

  52. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies • Metadata store is up-to-date • No more Human intervention Policy Definition

  53. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies • Metadata store is up-to-date • No more Human intervention • Version Control!!!1 Policy Definition

  54. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Almost

    all hosts have local enforcement facilities • Most network equipment does too (ACLs, etc) • Can calculate host-level policies • CM can load calculated policy into enforcement facilities • Instrumentation here provides rich insight Policy Enforcement

  55. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Almost

    all hosts have local enforcement facilities • Most network equipment does too (ACLs, etc) • Can calculate host-level policies • CM can load calculated policy into enforcement facilities • Instrumentation here provides rich insight Policy Enforcement

  56. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • All

    hosts reachable, self-aware AAA

  57. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • All

    hosts reachable, self-aware • Endpoint AAA - no more VPN AAA

  58. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • All

    hosts reachable, self-aware • Endpoint AAA - no more VPN • Self-aware hosts can do authorization and access AAA

  59. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) AAA

  60. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) • Device vs User authentication AAA

  61. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) • Device vs User authentication • Device example: IPsec + IKE w/ PKI AAA

  62. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) • Device vs User authentication • Device example: IPsec + IKE w/ PKI • User example: username/password login w/ TOTP AAA

  63. 10/13/15 @evan2645 Obsoleting The Perimeter RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  64. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Strategies for

    policy generation and management Strategies for distributed policy enforcement Strategies for AAA Perimeter-free

  65. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Mr. Gorbachev…

    Perimeter-free

  66. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN All hosts

    independently instrumented and configured Zero dependency on underlying network architecture No more VPN, all hosts communicate P2P-style Less complexity, higher availability, more secure ‘A collection of Internet hosts’ Perimeter-free

  67. 10/13/15 @evan2645 Thank you! Q&A RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF