Slide 1

Perimeter-less Networks: Death of the LAN
EVAN GILMAN
10/13/15 @evan2645

Slide 2

About Me

Slide 3

About This Talk
RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

Slide 4

Agenda
• What is a perimeter-less network?
• Evolution of the Perimeter Network
• Modern Perimeter Responsibilities
• Obsoleting the Perimeter

Slide 5

What Is It?

Slide 6

What is a Perimeter-less Network?
• Just what it sounds like!
• All parts equal
• Zero Trust

Slide 7

Why Do I Want One?
• More Scalable
• Less Complex
• It just makes sense…

Slide 8

Perimeter Network Evolution

Slides 9-13

Near The Beginning
[diagram labels: Internet]

Slide 14

Accelerated Growth
• RFC 1597

Slides 15-17

Accelerated Growth
[diagram labels: Corp., Internet]

Slide 18

Security Concerns
• Complete isolation if not for the ALGs
• Security controls few and far between
• Watch them like dogs!
• DMZ is invented

Slide 19

Security Concerns
[diagram labels: Corp., DMZ, Internet, Stub Area]

Slides 20-21

NAT
• Provided general connectivity for private networks
• Firewall is a natural place for NAT
• Modern notion of ‘perimeter firewall’ is born

Slides 22-23

Perimeter Network Design
[diagram labels: Corp., DMZ, Internet, Perimeter Network, + NAT]

Slides 24-27

Perimeter Device Challenges
• State Maintenance
• Throughput
• Redundancy

Slide 28

Enter the Present: the CLOUD
• Multi-tenancy
• DCs running on untrusted hardware
• Network is not really yours anymore…

Slide 29

Enter the Present: the CLOUD
• Emulate perimeter architecture
• Familiar, proven, comfortable, ‘de facto’
• Does it really still make sense though?

Slide 30

Perimeter Responsibilities

Slides 31-32

Perimeter Responsibilities
• Collection of network security devices
• Network Translation/Mapping
• Policy Definition
• Policy Enforcement
• Authentication, Authorization, and Access (AAA)

Slides 33-37

Translation/Mapping
• Why waste public addresses on stuff that will never need it?
  • Airport arrival/departure displays
  • Cash registers, ATMs
  • Environmental control

Slides 38-42

Translation/Mapping
• ‘Address Allocation for Private Internets’
• No mention of NAT
• IPv4 is already exhausted
• Use what you have
• IPv6 is the nail in the coffin

Slides 43-45

Translation/Mapping
NAT: It’s for the birds

Slide 46

Policy Definition and Enforcement
• If it’s not centralized, it’s decentralized
• Distributing enforcement means more touch points
• Need automation to scale
• Key objective: Policy Config Generation

Slide 47

Policy Definition
• Configuration Management (CM) has changed the landscape
• End-state declaration
• Often brings infra/topology metadata
• Declare security policy state given CM metadata

Slides 48-53

Policy Definition
• Policy as code!
• Role/Type-based policies
• Metadata store is up-to-date
• No more Human intervention
• Version Control!!!1

Slides 54-55

Policy Enforcement
• Almost all hosts have local enforcement facilities
• Most network equipment does too (ACLs, etc)
• Can calculate host-level policies
• CM can load calculated policy into enforcement facilities
• Instrumentation here provides rich insight
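How the Policy Definition slides (policy as code, role-based policies, CM metadata) and the Policy Enforcement slides (calculate host-level policies, load them into local enforcement facilities) fit together, as an added example that is not from the talk: a role-based policy and a CM-style inventory, both constructed here, are compiled into per-host iptables INPUT rules with default deny. Host names, roles and addresses are assumptions.

```python
# Added example (not from the talk): compile role-based "policy as code"
# into per-host enforcement rules using CM inventory metadata.
# Hosts, roles and addresses below are constructed sample data.
INVENTORY = {
    "lb-1":  {"role": "lb",  "ip": "10.0.0.5"},
    "web-1": {"role": "web", "ip": "10.0.1.10"},
    "web-2": {"role": "web", "ip": "10.0.1.11"},
    "app-1": {"role": "app", "ip": "10.0.2.10"},
    "db-1":  {"role": "db",  "ip": "10.0.3.10"},
}

# Policy as code: (source role, destination role, protocol, destination port).
# Anything not listed is dropped by the default policy rendered below.
POLICY = [
    ("lb",  "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db",  "tcp", 5432),
]


def unknown_roles(policy=POLICY, inventory=INVENTORY):
    """Roles referenced by policy but absent from the metadata store (a typo check)."""
    known = {m["role"] for m in inventory.values()}
    return sorted({r for src, dst, _, _ in policy for r in (src, dst)} - known)


def compile_host_policy(host, policy=POLICY, inventory=INVENTORY):
    """Sorted (source_ip, proto, port) tuples allowed *into* one host."""
    role = inventory[host]["role"]
    allowed = set()
    for src_role, dst_role, proto, port in policy:
        if dst_role != role:
            continue
        for meta in inventory.values():
            if meta["role"] == src_role:
                allowed.add((meta["ip"], proto, port))
    return sorted(allowed)


def render_iptables(host, policy=POLICY, inventory=INVENTORY):
    """Host policy as iptables INPUT rules: default deny, loopback and
    conntrack replies allowed, then one ACCEPT per permitted peer/port."""
    rules = [
        "-P INPUT DROP",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src_ip, proto, port in compile_host_policy(host, policy, inventory):
        rules.append(f"-A INPUT -s {src_ip}/32 -p {proto} --dport {port} -j ACCEPT")
    return rules
```

In a CM run, unknown_roles() failing the build before anything is loaded is what keeps a policy typo from silently producing an empty (all-deny) or missing rule set on a host; render_iptables(host) is what CM would hand to the host's local enforcement facility.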

Slides 56-58

AAA
• All hosts reachable, self-aware
• Endpoint AAA - no more VPN
• Self-aware hosts can do authorization and access

Slides 59-62

AAA
• Authentication backend same as before (LDAP, RADIUS, etc)
• Device vs User authentication
• Device example: IPsec + IKE w/ PKI
• User example: username/password login w/ TOTP

Slide 63

Obsoleting The Perimeter

Slide 64

Perimeter-free
• Strategies for policy generation and management
• Strategies for distributed policy enforcement
• Strategies for AAA

Slide 65

Perimeter-free
Mr. Gorbachev…

Slide 66

Perimeter-free
• All hosts independently instrumented and configured
• Zero dependency on underlying network architecture
• No more VPN, all hosts communicate P2P-style
• Less complexity, higher availability, more secure
‘A collection of Internet hosts’

Slide 67

Thank you! Q&A