Identity-Defined Networking. TDDD17, LiU

Transcription

1 Identity-Defined Networking Andrei Gurtov IDA, Linköping University Erik Giesa, Marc Kaplan TemperedNetworks TDDD17, LiU

2 Contents Traditional Networking: Challenging and Complex Identity-Defined Networking (IDN): A New Approach for Unified Secure Networking and Mobility Host Identity Protocol (HIP) Centralized Orchestration Secure Networking Made Simple Value From New Identity Networking Paradigm

3 Traditional Networking is Complex, Costly and Fragile Data Center Users Data Center Network & Security Management Remote Vendor IT Intranet IT Intranet Cellular Network Data Center Remote Worker Remote Site 4 Corporate Network Site 1 Site 3

4 And is Simply Not Sustainable Policies tied to IP addresses VPN access controls for each network Complex firewall and networking rule sets VLANs and access control lists (ACLS) overhead Fragile DNS and routing updates for failover per device

5 Problem: The Singular Root Defect that affects all IP security and networking Corporate Network & Resources IP Addresses are used as Network and Device Identity Hacker reconnaissance & fingerprinting via TCP/IP stack Listening TCP/UDP service ports All networking and security products use IP addresses for policy Large Attack Surface IP, TCP/UDP Attacks: every connected thing is an entry point East / West lateral movement ACLs and VLANs segmentation Lack of Mobility and Instant Failover Policies tied to IP - creates inflexible mobility IP conflicts DNS TTL and Routing Convergence Delays Networking and Security Costs Field Technicians Many distributed, complex VLAN, ACL, VPN, firewall policies Remote Employees Controlling network routing IPsec VPN cert management, connection limitations, failover issues Expense of next-gen firewalls deployed on interior Device 20 Device Device 10 Device 11 Device WAN / LAN Device 30 Device 31 Device Remote Unmanaged Network Remote Site Managed Network

6 The Ideal Solution Integrates networking and identity from the start Can be easily managed from a centralized location Provisions networks and resources rapidly Allows instant segment, revoke, or quarantine

7 Identity-Defined Networking (IDN) Unified Networking & Security Securely connect any resource, anytime, anywhere. Connect & protect resources globally Unparalleled TCO Dramatically reduced business risk Controlled & verifiable access Simple & provable compliance auditing CRYPTOGRAPHIC IDENTITIES SOFTWARE- DEFINED SEGMENTATION AUTOMATED ORCHESTRATION HOST IDENTITY NAMESPACE ENCRYPTED FABRIC DEVICE- BASED TRUST

8 Host Identity Protocol (HIP) Under development at Internet Engineering Task Force (IETF) from 2004 Verizon, Ericsson, Boeing, HIPv2 is approved as IETF standard RFC7401 in 2015 My role: Co-chairing Host Identity Protocol Research Group at IRTF ( ) Co-authoring HIP Experiment Report (RFC6538) White paper s/host-identity-protocol-dr-andrei-gurtov/ Wiley book, 332p, 2008 Open-source code in HIPL, OpenHIP Dozens of papers on various aspects of HIP architecture

9 Identity-Defined Networking (IDN) at a Glance

10 Globally Unique and Locally Unique Identifiers Host Identity Tag (HIT) Compatible with IPv6 address Statistically unique Probability of collisions is negligible Host Identity Host Identity Tag Private Key Public Key 128 Bit One-way Hash Local Scope Identity (LSI) Compatible with IPv4 address Probability of collisions is significant Restricted to local scope Local Scope Identifier 32 Bit Last Digits 10

11 HIP in the Communication Stack... HI TCP / UDP Transport Layer IPsec HIP HIP Payload IP IP IP Control Network Layer... 11

12 How IDN Fabric Overlays Existing Infrastructure Conductor Serves as device identity authority where trust-based policies are distributed to all HIP (Host Identity Protocol) Services HIPserver HIPswich Application Server Device A Device B IDN-Fabric (Trusted) Public / Shared Network (Untrusted)

13 Secure Networking Made Simple Global Orchestration and Network Provisioning Trust-Based Unique Cryptographic Identities (CID) Host Identity Namespace - Global IP Mobility Dynamic Device-Based Traffic Management Instant Failover Automated (API-driven) or Manual Control Prevent IP Address Spoofing and MiTM attacks Assign IDN Endpoints and Networks an Identity Encrypted Fabric Extends all the Way to IDN Endpoints

14 The Cure to IT Complexity Visual Orchestration Simplifies, Reduces Complexity & Errors Reduces OpEx as much as 90% Unified single-pane-of-glass management Rapid point and click trust-based segmentation Centralized governance, compliance, and policy enforcement Build secure segmented networks instantly Eliminate errors caused by complexity Faster and most cost-effective failover Simplified auditing and access control

15 A New Identity Networking Paradigm Made Simple Unique Host Identity Approach Host Identity Protocol (HIP): IETF ratified April 2015 True SDN overlay little to no changes to network, security, or applications Unshackles IP from serving as identity - frees IT from complexity In production since 2006 Rapid Provisioning, Revocation, IP Mobility and Failover Effortless segmentation & cloaking One-click orchestration to connect, disconnect, move or failover any thing Less than 1 second failover between any IDN endpoint Build ID overlays (IDOs) on-demand based on situation Significantly Reduced Attack Surface No trust? No connectivity. No communication. No data. VLAN segmentation traversal is now impossible. Based on explicit device trust- all systems are invisible 2048 bit Identity-Based connectivity, AES 256 encryption by default Lower Costs, Simpler Environment CapEx and OpEx decrease Eliminate or reduce interior next-gen firewalls, VPNs, complex policies, ACLs, VLAN complexity, cert mngt Field Technicians Remote Employees HIPclient Conductor Device 20 Device PROTECTED, SEGMENTED, ENCRYPTED, & MOBILE CLOAKED, SEGMENTED & MOBILE Corporate Network & Resources Device 10 Device 11 Device WAN / LAN Device 30 Device 31 Device Remote Site Networks & Resources CLOAKED, SEGMENTED, & MOBILE HIPswitch

16 The New Identity Networking Paradigm Creates Tremendous Value Reduce networking and resource provisioning time up to: Increase in network and security team productivity Decrease IT CapEx and OpEx costs up to: Make 100% of your connected IP resources invisible 97% 25% 25% 100%

17 The New Identity Networking Paradigm Creates Tremendous Value Reduce attack surface up to: 90% Improve time to mitigation, revocation, and quarantine up to: 25% Decrease failover and disaster recovery times to as little as: 25%

18 Reduce Deployment Time BEFORE TEMPERED AFTER TEMPERED Week 7 Week 6 Week 5 Go Live! Implementation Review and Sign-Off by InfoSec Implementation of Design by Network Ops Deployment time reduced by Week 4 Approval of Design by InfoSec Week 3 Design Submitted to InfoSec for review and approval 97% Week 2 Design for Routing, Firewall, VPN, and Switching Policies Week 1 Ticket submitted to Network IT for new resources addition to corporate network. Ticket submitted to Network IT for new resource. Resource added with explicit trust relationships, segmentation and encryption. Verified by InfoSec. Day 1

19 Increase Productivity Focus on new network designs and policies that improve quality of service, monitoring and uptime. 25% Spend time on what really matters instead of crawling through access logs, ACLs, and checking FW rules. Increase in network and security team productivity Nearly instantly provision and revoke new services, and verify/test disaster recovery and failover.

20 Decrease IT Expenditures BEFORE TEMPERED AFTER TEMPERED VPN 25% Switch Firewall Decreased IT CapEx and OpEx costs Server HIPswitch

21 Make 100% of Connected IP Resources Invisible BEFORE TEMPERED Users Data Center Network & Security Management Tempered Networks is the only technology based on the new identity networking paradigm enabled by the Host Identity Protocol (HIP). IT Intranet Cellular Network Remote Vendor No other solution on the market can cloak as effectively. Remote Worker Remote Site 4 Corporate Network No other vendor can be deployed as easily across physical, virtual, and cloud networks. Site 1 Site 3

22 Reduce Attack Surface BEFORE TEMPERED AFTER TEMPERED Up to: 90%

23 Improve Time to Mitigation, Revocation, and Quarantine By: 50% Revocation of any resource within the IDN fabric is one click, or an automated API call, and happens instantly The alternative is to check all VPNs, Firewalls rules, ACLs, and other policies to ensure that system is in fact quarantined or revoked Time to mitigation, revocation, and quarantine is improved

24 Decrease Failover and Disaster Recovery Time To as little as: 1ms Every IDN endpoint or HIP Service is based on unique host identities, therefor failover can be applied from an entire datacenter (represented as a unique host identity), or to a server (represented as a unique host identity). If one goes down in the IDN fabric, a simple API automated or manual update to the mesh telling all things that are communicating to it, to failover instantly to it s backup in another pre-defined IDO Failover and Disaster Recovery times reduced to as little as one millisecond.

25 USE CASE SECTION

26 Use Cases SEGMENTED (QUARANTINED) VENDOR NET EFFORTLESS SEGMENTATION, ENCRYPTION, AND IP MOBILITY NETWORK VIRTUALIZATION & ORCHESTRATION - RAPID PROVISIONING SECURE MACHINE TO MACHINE COMMUNICATION NETWORK AND IP RESOURCE CLOAKING CLOAK AND PROTECT LEGACY SYSTEMS INSTANT DISASTER RECOVERY, REVOCATION & QUARANTINE