CTO PoV: Enterprise Networks (Part 2)
Security for IoT & Cloud

Khalid Raza, CTO & Co-Founder, Viptela, khalid@viptela.com
Danny Johnson, Director, Product Marketing, Verizon, daniel.johnson@verizonwireless.com
SD-WAN Architecture

(Diagram: three planes. Management plane: vOrchestrator, analytics engine, monitoring, provisioning and troubleshooting GUI, hosted in a private cloud. Control plane: vSmart controller and the secure overlay. Data plane: hospital (medical device, printer, smart phones), data center and branch office (wireless laptop, end-user) connected over MPLS, Internet and LTE transports.)
Secure Control Plane Scale: Security at Routing Scale

Viptela:
- Centralized control plane
- Extensible overlay management protocol for security parameter exchange
- O(N) complexity

Traditional:
- De-centralized control plane
- IKE and Diffie-Hellman for key exchange and security association establishment
- O(N^2) complexity
Viptela - Enabling the Next Generation Enterprise Architecture

(Diagram: the vFabric connects any user/device at the datacenter, campus, branch and home office, over any delivery transport (Internet, MPLS, 4G), to DC, IaaS, SaaS and 3rd-party apps. Layers shown: management and orchestration, control, SD-WAN, I-IoT, analytics, cloud and 3rd-party connectivity.)
Case Study: 1200-site Bank

Customer challenges:
- Deploy a new high-bandwidth video application (new revenue)
- Security requirements across lines of business (Wi-Fi, geofencing)
- Avoid application outages during network failures

How Verizon & Viptela helped:
- Managed SD-WAN solution with MPLS + broadband + LTE at every location
- Cloud-managed overlay fabric with end-to-end security
- Isolated segments for each line of business
- Application policies with intelligent real-time steering
- Rapid deployment

Outcomes addressed: time to revenue; security / isolation of assets; app outages

(Diagram: headquarters, regional offices, data centers and 1200+ retail branches (ATMs and kiosks, digital signage, video conferencing, consumer mobile devices) connected over Verizon Private IP, Verizon Secure Cloud Interconnect and the public Internet.)

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Zero-Trust Security Principles

Control elements:
- X.509 certificate
- DTLS/TLS control tunnel
Dramatic Scale: Key Management

(Diagram: vSmart controller(s) carry the control plane; data traffic between Site 1, Site 2 ... Site 100, Site 101 flows over IPsec across 4G, MPLS and Internet transports.)
Infrastructure DDoS Mitigation

Router connections to the controllers (vSmart, vBond, vManage):
- Default deny: all
- Allow: specific IP/port (provided by vBond)

IPsec to remote routers:
- Default deny: all
- Allow: specific peers (provided by vSmart)

Everything else reaching the router (packet forwarding / CPU):
- Default deny: all
- Default allow: ICMP, DNS, DHCP
- Manual allow: SSH, NTP
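The scaling claim on the control-plane slide (O(N) controller-distributed keys versus O(N^2) pairwise IKE/DH) and the "allow: specific peers (provided by vSmart)" rule above can be put together in one small model. This is an added example, not Viptela's code or its overlay management protocol: a constructed controller receives each site's data-plane key once and pushes back only the keys of peers that a topology policy permits, so a site holds no security association for a peer it is not allowed to reach; site names, the hub-and-spoke policy and the message counting are assumptions of the example.

```python
"""Constructed model of controller-distributed data-plane keys versus pairwise IKE."""
import os
from itertools import combinations


def pairwise_ike_exchanges(n_sites):
    """Traditional design: every pair of sites runs its own IKE/Diffie-Hellman exchange."""
    return n_sites * (n_sites - 1) // 2


class Controller:
    """Hypothetical central controller: one key upload per site, one policy-filtered push per site."""

    def __init__(self, allowed_pairs):
        self.allowed = {frozenset(p) for p in allowed_pairs}  # topology white-list
        self.keys = {}
        self.messages = 0  # control-plane messages, grows linearly with the site count

    def publish(self, site, key):
        self.messages += 1  # site -> controller: its locally generated key
        self.keys[site] = key

    def peer_keys_for(self, site):
        self.messages += 1  # controller -> site: only the peers the policy allows
        return {peer: k for peer, k in self.keys.items()
                if peer != site and frozenset((site, peer)) in self.allowed}


def build_fabric(sites, allowed_pairs):
    """Each site generates its own key; the controller re-distributes under policy."""
    ctl = Controller(allowed_pairs)
    local_keys = {s: os.urandom(16) for s in sites}  # constructed per-site keys
    for s in sites:
        ctl.publish(s, local_keys[s])
    sas = {s: ctl.peer_keys_for(s) for s in sites}  # per-site security associations
    return ctl, sas


def can_send(sas, src, dst):
    """Default deny on the data plane: no SA for the destination means drop."""
    return dst in sas[src]


def hub_and_spoke(sites, hub):
    """Policy that permits only hub<->spoke pairs (a white-list topology)."""
    return [(hub, s) for s in sites if s != hub]


def full_mesh(sites):
    return list(combinations(sites, 2))
```

With 101 sites the controller exchanges 202 messages whichever topology is chosen, while pairwise IKE needs 5050 exchanges for a full mesh; under the hub-and-spoke policy a spoke simply has no SA for another spoke.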
Application Firewall: Deep Packet Inspection

- App fingerprinting: 3,000 individual applications and protocols, grouped into application families
- Policy: match application, action drop/allow; vSmart controllers push ACL updates to the user site and the data center

(Diagram: user site and data center server joined by an IPsec tunnel over the transports; vSmart controllers in the control plane push the ACL updates.)
Stateful Network Services: Network Service Insertion and Chaining

- Strong security posture: regionalized stateful network service
- Multiple network services: service chaining

(Diagram: vSmart controllers push updates to the user site, the network service nodes in the regional DC/colo and the data center server; data traffic traverses an IPsec tunnel over the transports through the regional DC/colo.)
White-list Topologies