Identity-Defined Networking
Andrei Gurtov, IDA, Linköping University
Erik Giesa, Marc Kaplan, Tempered Networks
TDDD17, LiU
Contents
• Traditional Networking: Challenging and Complex
• Identity-Defined Networking (IDN): A New Approach for Unified Secure Networking and Mobility
• Host Identity Protocol (HIP)
• Centralized Orchestration
• Secure Networking Made Simple
• Value From New Identity Networking Paradigm
Traditional Networking is Complex, Costly and Fragile
(Diagram: a corporate network with data center, IT intranet, remote sites 1, 3 and 4, a remote worker, a cellular remote user and a network vendor, each reached through its own network, security and management controls.)
And is Simply Not Sustainable
• Policies tied to IP addresses
• VPN access controls for each network
• Complex firewall and networking rule sets
• VLANs and access control lists (ACLs) overhead
• Fragile DNS and routing updates for failover
• … per device
Problem: The Singular Root Defect that affects all IP security and networking
IP Addresses are used as Network and Device Identity
• Hacker reconnaissance & fingerprinting via the TCP/IP stack
• Listening TCP/UDP service ports
• All networking and security products use IP addresses for policy
Large Attack Surface
• IP, TCP/UDP attacks: every connected thing is an entry point
• East / West lateral movement
• ACLs and VLANs ≠ segmentation
Lack of Mobility and Instant Failover
• Policies tied to IP create inflexible mobility
• IP conflicts
• DNS TTL and routing convergence delays
Networking and Security Costs
• Many distributed, complex VLAN, ACL, VPN and firewall policies
• Controlling network routing
• IPsec VPN certificate management, connection limitations, failover issues
• Expense of "next-gen" firewalls deployed on the interior
(Diagram: corporate network and resources with Devices 10, 11, 12 at 192.168.10.10–.12 behind gateway 192.168.10.1; a remote unmanaged network (field technicians) with Devices 30, 31, 32 at 192.168.30.30–.32 behind 192.168.30.1; a remote site managed network (remote employees) with Devices 20, 21 at 192.168.20.20–.21 behind 192.168.20.1; all joined over the WAN / LAN.)
The Ideal Solution
• Integrates networking and identity from the start
• Can be easily managed from a centralized location
• Provisions networks and resources rapidly
• Allows instant segmentation, revocation, or quarantine
Identity-Defined Networking (IDN) – Unified Networking & Security
Securely connect any resource, anytime, anywhere.
• Software-Defined Segmentation
• Host Identity Namespace
• Device-Based Trust
• Cryptographic Identities
• Automated Orchestration
• Encrypted Fabric
Connect & protect resources globally: unparalleled TCO, dramatically reduced business risk, controlled & verifiable access, simple & provable compliance auditing.
Host Identity Protocol (HIP)
• Under development at the Internet Engineering Task Force (IETF) since 2004
• Contributors include Verizon, Ericsson, Boeing, …
• HIPv2 approved as IETF standard RFC 7401 in 2015
• My role:
  • Co-chairing the Host Identity Protocol Research Group at the IRTF (2006-2010)
  • Co-authoring the HIP Experiment Report (RFC 6538)
  • White paper, 2016: http://www.temperednetworks.com/resources/host-identity-protocol-dr-andrei-gurtov/
  • Wiley book, 332 pages, 2008
  • Open-source code in HIPL, OpenHIP
  • Dozens of papers on various aspects of the HIP architecture
Identity-Defined Networking (IDN) at a Glance
Globally Unique and Locally Unique Identifiers
• Host Identity (HI): a public key; the matching private key stays on the host
• Host Identity Tag (HIT): a one-way hash of the Host Identity, 128 bits
  • Compatible with an IPv6 address
  • Statistically unique; the probability of collisions is negligible
• Local Scope Identifier (LSI): 32 bits, taken from the last digits of the HIT
  • Compatible with an IPv4 address
  • Probability of collisions is significant
  • Restricted to local scope
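The slide states the HIT/LSI properties; the following added example (not part of the slides, nor code from Tempered Networks, HIPL or OpenHIP) shows where they come from. It builds a HIT with the ORCHIDv2 layout that HIPv2 uses (28-bit prefix 2001:20::/28, 4-bit OGA ID, 96 bits of truncated SHA-256 over the HIP context ID and the Host Identity), derives an LSI from the low-order bits, verifies that a presented HI really hashes to a claimed HIT, and puts numbers on the two collision claims. Assumptions: the Host Identities are constructed byte strings rather than real RSA/ECDSA keys, so the resulting HITs are illustrative and not interoperable values; the 1.0.0.0/8 LSI range is the HIPL convention, since RFC 7401 leaves the LSI format to the implementation; for the exact wire encoding of the HI and the truncation rule, check RFC 7401 Appendix E and RFC 7343 before relying on the output.

```python
"""Added example (not from the slides): deriving a Host Identity Tag (HIT) and a
Local Scope Identifier (LSI) from a Host Identity, and putting numbers on the
slide's collision claims. Uses only the standard library."""
import hashlib
import ipaddress
import math

# HIPv2 HITs are ORCHIDv2 identifiers (RFC 7343): 28-bit prefix 2001:20::/28,
# 4-bit ORCHID Generation Algorithm (OGA) ID, then 96 bits of truncated hash.
ORCHID_PREFIX = 0x2001002                      # high-order 28 bits of 2001:20::/28
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
OGA_SHA256 = 1                                 # HIT Suite "RSA,DSA/SHA-256" (RFC 7401)
LSI_PREFIX = 1                                 # HIPL convention: LSIs live in 1.0.0.0/8


def hit_from_host_identity(hi: bytes, oga_id: int = OGA_SHA256) -> str:
    """HIT = Prefix | OGA ID | Encode_96(SHA-256(Context ID | HI)).
    Encode_96 here takes the middle 96 bits of the 256-bit digest (skip 80, keep 96)."""
    digest = hashlib.sha256(HIP_CONTEXT_ID + hi).digest()
    middle96 = int.from_bytes(digest[10:22], "big")
    hit_int = (ORCHID_PREFIX << 100) | ((oga_id & 0xF) << 96) | middle96
    return str(ipaddress.IPv6Address(hit_int))


def verify_hit(hi: bytes, claimed_hit: str) -> bool:
    """A HIT is self-certifying: the receiver recomputes it from the HI the peer
    presents, so nobody can claim a HIT without the key that hashes to it."""
    hit = ipaddress.IPv6Address(claimed_hit)
    oga_id = (int(hit) >> 96) & 0xF
    if oga_id != OGA_SHA256:                   # only the SHA-256 suite is modelled here
        return False
    return ipaddress.IPv6Address(hit_from_host_identity(hi, oga_id)) == hit


def lsi_from_hit(hit: str) -> str:
    """32-bit LSI: the low-order 24 bits of the HIT under the 1.0.0.0/8 prefix.
    Only 24 bits of identity survive, hence 'restricted to local scope'."""
    low24 = int(ipaddress.IPv6Address(hit)) & 0xFFFFFF
    return str(ipaddress.IPv4Address((LSI_PREFIX << 24) | low24))


def collision_probability(n_hosts: int, id_bits: int) -> float:
    """Birthday bound: P(some two of n random id_bits-bit identifiers collide)
    ~ 1 - exp(-n(n-1) / 2^(id_bits+1)). expm1 keeps tiny values from rounding to 0."""
    pairs = n_hosts * (n_hosts - 1) / 2
    return -math.expm1(-pairs / 2.0 ** id_bits)


# Constructed stand-ins for two hosts' public keys. Real HIs are RSA/ECDSA keys
# wire-encoded as in the HOST_ID parameter (RFC 7401, section 5.2.9).
HI_A = b"constructed-host-identity-A:" + bytes(range(64))
HI_B = b"constructed-host-identity-B:" + bytes(range(64))

if __name__ == "__main__":
    hit_a = hit_from_host_identity(HI_A)
    print("HIT A :", hit_a, "in 2001:20::/28:",
          ipaddress.IPv6Address(hit_a) in ipaddress.ip_network("2001:20::/28"))
    print("LSI A :", lsi_from_hit(hit_a))
    print("HI_B claims HIT A?", verify_hit(HI_B, hit_a))
    for bits in (24, 96):
        print(f"P(collision among 1000 hosts, {bits}-bit id) = "
              f"{collision_probability(1000, bits):.3g}")
```

With 1000 hosts the 24 bits of identity an LSI carries already give a roughly 3% chance that two of them collide, which is why an LSI is only meaningful on the local host; the 96 hash bits of a HIT put the same figure far below 10^-20.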
HIP in the Communication Stack
(Diagram: the transport layer (TCP / UDP) binds to the Host Identity (HI) instead of an IP address; the HIP layer beneath it carries HIP control messages and the HIP payload protected with IPsec; the network layer (IP) underneath carries the IP control and data packets, so IP addresses serve only as locators.)
How the IDN Fabric Overlays Existing Infrastructure
• Conductor: serves as the device identity authority from which trust-based policies are distributed to all HIP (Host Identity Protocol) services
• HIP services: HIPserver (in front of the application server) and HIPswitch (in front of Device A and Device B)
• IDN fabric (trusted) built on top of the public / shared network (untrusted)
Secure Networking Made Simple
• Global orchestration and network provisioning
• Trust-based unique cryptographic identities (CID)
• Host Identity namespace: global IP mobility
  • Prevents IP address spoofing and MiTM attacks
• Dynamic device-based traffic management
  • Assigns IDN endpoints and networks an identity
• Instant failover
• Encrypted fabric extends all the way to the IDN endpoints
• Automated (API-driven) or manual control
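The mobility and anti-spoofing points above rest on one mechanism: a HIP association is keyed by the peers' HITs, the IP address is only a locator, and a new locator is accepted only after the peer proves both that it holds the association's keys and that it is reachable at that address. The following added example (not from the slides and not Tempered Networks' or any HIP implementation's code) models that with two hosts, a failover, a forged UPDATE and a redirect to an address nobody answers at. Assumptions: messages are Python dicts rather than the RFC 7401 / RFC 8046 wire format; an HMAC over each message stands in for the HMAC and HIP_SIGNATURE parameters of a real UPDATE; the base exchange and public keys are not modelled, so establish() simply hands both sides an association and a shared key; the HITs and addresses are constructed.

```python
"""Added example (not from the slides or Tempered Networks): a simplified model
of HIP's identity/locator split and mobility. Sessions are keyed by HIT; the IP
address is only a locator, so a host can move or fail over without the session
changing. A newly announced locator is activated only after an HMAC check and a
return-routability check (ECHO_REQUEST/ECHO_RESPONSE). Messages are dicts, not
the RFC 7401/8046 wire format; base exchange and public keys are not modelled."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Association:
    peer_hit: str
    peer_locator: str                            # address currently verified for the peer
    key: bytes                                   # integrity key from the base exchange
    pending: dict = field(default_factory=dict)  # candidate address -> echo nonce


def mac(key: bytes, msg: dict) -> str:
    """Keyed MAC over every field except the MAC itself (stand-in for HIP's HMAC parameter)."""
    body = "|".join(f"{k}={msg[k]}" for k in sorted(msg) if k != "hmac")
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class HipHost:
    def __init__(self, hit: str, locator: str):
        self.hit, self.locator, self.assocs = hit, locator, {}

    def establish(self, peer: "HipHost", key: bytes) -> None:
        """Stand-in for the signed I1/R1/I2/R2 base exchange: both ends get an
        association keyed by the peer's HIT plus a shared integrity key."""
        self.assocs[peer.hit] = Association(peer.hit, peer.locator, key)
        peer.assocs[self.hit] = Association(self.hit, self.locator, key)

    def send(self, msg: dict, key: bytes) -> dict:
        msg.update(src_hit=self.hit, src_ip=self.locator)
        msg["hmac"] = mac(key, msg)
        return msg

    def move_to(self, new_locator: str) -> list:
        """Locator changes, identity does not: announce UPDATE(LOCATOR_SET) to every peer."""
        self.locator = new_locator
        return [self.send({"type": "UPDATE", "dst_hit": a.peer_hit, "dst_ip": a.peer_locator,
                           "locator_set": new_locator}, a.key) for a in self.assocs.values()]

    def handle(self, msg: dict) -> list:
        """Process one control message; return the messages to send in reply."""
        a = self.assocs.get(msg.get("src_hit"))
        if a is None or msg.get("dst_hit") != self.hit:
            return []                            # no association with this identity: no connectivity
        if not hmac.compare_digest(msg.get("hmac", ""), mac(a.key, msg)):
            return []                            # forged or tampered: dropped, locator untouched
        if msg["type"] == "UPDATE":              # new locator claimed: challenge it, don't trust it yet
            nonce = secrets.token_hex(16)
            a.pending[msg["locator_set"]] = nonce
            return [self.send({"type": "ECHO_REQUEST", "dst_hit": a.peer_hit,
                               "dst_ip": msg["locator_set"], "nonce": nonce}, a.key)]
        if msg["type"] == "ECHO_REQUEST":        # prove we are reachable at the new address
            return [self.send({"type": "ECHO_RESPONSE", "dst_hit": a.peer_hit,
                               "dst_ip": msg["src_ip"], "nonce": msg["nonce"]}, a.key)]
        if msg["type"] == "ECHO_RESPONSE" and a.pending.pop(msg["src_ip"], None) == msg["nonce"]:
            a.peer_locator = msg["src_ip"]       # verified: traffic follows the identity to its new address
        return []


def run(hosts: list, msgs: list) -> None:
    """Toy network: each message is delivered to whichever host currently holds dst_ip."""
    while msgs:
        m = msgs.pop(0)
        for h in hosts:
            if h.locator == m["dst_ip"]:
                msgs.extend(h.handle(m))


def demo() -> dict:
    """Three scenarios; returns the locator Bob has on record for Alice after each."""
    alice = HipHost("2001:21:aaaa::1", "192.0.2.10")        # constructed HITs and addresses
    bob = HipHost("2001:21:bbbb::1", "192.0.2.20")
    alice.establish(bob, secrets.token_bytes(32))
    hosts, out = [alice, bob], {}
    # 1. Alice fails over to a new address; after the echo check Bob follows her there.
    run(hosts, alice.move_to("203.0.113.7"))
    out["after_move"] = bob.assocs[alice.hit].peer_locator
    # 2. Mallory, lacking the association key, forges an UPDATE for Alice's HIT.
    mallory = HipHost(alice.hit, "198.51.100.66")
    forged = mallory.send({"type": "UPDATE", "dst_hit": bob.hit, "dst_ip": bob.locator,
                           "locator_set": "198.51.100.66"}, b"not-the-association-key")
    run(hosts + [mallory], [forged])
    out["after_forgery"] = bob.assocs[alice.hit].peer_locator
    # 3. A genuine UPDATE names an address nobody answers at (e.g. a flooding target): never activated.
    stale = alice.send({"type": "UPDATE", "dst_hit": bob.hit, "dst_ip": bob.locator,
                        "locator_set": "203.0.113.99"}, alice.assocs[bob.hit].key)
    run(hosts, [stale])
    out["after_redirect"] = bob.assocs[alice.hit].peer_locator
    return out


if __name__ == "__main__":
    print(demo())
```

The two checks guard against different things: the MAC (a signature in real HIP) stops a third party from speaking for someone else's HIT at all, while the echo exchange stops a legitimate peer from steering a session's traffic at an address that is not actually theirs. Only when both pass does the locator change, and the association itself, identified by the HITs, never changes.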
The Cure to IT Complexity
Visual orchestration simplifies, reduces complexity & errors, and reduces OpEx by as much as 90%
• Unified single-pane-of-glass management
• Build secure segmented networks instantly
• Rapid point-and-click trust-based segmentation
• Eliminate errors caused by complexity
• Centralized governance, compliance, and policy enforcement
• Faster and more cost-effective failover
• Simplified auditing and access control
A New Identity Networking Paradigm: Cloaked, Segmented & Mobile Made Simple
Unique Host Identity Approach
• Host Identity Protocol (HIP): IETF ratified April 2015 (RFC 7401)
• True SDN overlay: little to no changes to network, security, or applications
• Unshackles IP from serving as identity, which frees IT from complexity
• In production since 2006
Rapid Provisioning, Revocation, IP Mobility and Failover
• Effortless segmentation & cloaking
• One-click orchestration to connect, disconnect, move or fail over any "thing"
• Less than 1 second failover between any IDN endpoints
• Build identity overlays (IDOs) on demand based on the situation
Significantly Reduced Attack Surface
• No trust? No connectivity. No communication. No data.
• VLAN "segmentation" traversal is now impossible
• Based on explicit device trust: all systems are invisible
• 2048-bit identity-based connectivity, AES-256 encryption by default
Lower Costs, Simpler Environment
• CapEx and OpEx decrease
• Eliminate or reduce interior "next-gen" firewalls, VPNs, complex policies, ACLs, VLAN complexity and certificate management
(Diagram: corporate network and resources with Devices 10, 11, 12 at 192.168.10.10–.12, a HIPswitch at 192.168.10.100 and gateway 192.168.10.1; the Conductor on the WAN / LAN side (address 10.0.9.2 shown); remote site with Devices 20, 21 at 192.168.20.20–.21 behind 192.168.20.1 and a HIPclient for remote employees; field technicians' Devices 30, 31, 32 at 192.168.30.30–.32 behind a HIPswitch at 192.168.30.100 and gateway 192.168.30.1. Protected resources are labelled "protected, segmented, encrypted & mobile"; the rest "cloaked, segmented & mobile".)
The New Identity Networking Paradigm Creates Tremendous Value
• Reduce networking and resource provisioning time by up to 97%
• Increase network and security team productivity by up to 25%
• Decrease IT CapEx and OpEx costs by up to 25%
• Make 100% of your connected IP resources invisible
The New Identity Networking Paradigm Creates Tremendous Value (continued)
• Improve time to mitigation, revocation, and quarantine by up to 25%
• Decrease failover and disaster recovery times to as little as 25%
• Reduce attack surface by up to 90%
Reduce Deployment Time
Before Tempered:
• Week 1: Ticket submitted to Network IT for addition of new resources to the corporate network
• Week 2: Design for routing, firewall, VPN, and switching policies
• Week 3: Design submitted to InfoSec for review and approval
• Week 4: Approval of design by InfoSec
• Week 5: Implementation of design by Network Ops
• Week 6: Implementation review and sign-off by InfoSec
• Week 7: Go live!
After Tempered:
• Day 1: Ticket submitted to Network IT for new resource; resource added with explicit trust relationships, segmentation and encryption; verified by InfoSec
Deployment time reduced by 97%
Increase Productivity
25% increase in network and security team productivity
• Focus on new network designs and policies that improve quality of service, monitoring and uptime
• Spend time on what really matters instead of crawling through access logs, ACLs, and checking firewall rules
• Nearly instantly provision and revoke new services, and verify/test disaster recovery and failover
Decrease IT Expenditures
• Before Tempered: VPN, switch, firewall, server
• After Tempered: HIPswitch
25% decrease in IT CapEx and OpEx costs
Make 100% of Connected IP Resources Invisible
• Tempered Networks is the only technology based on the new identity networking paradigm enabled by the Host Identity Protocol (HIP).
• No other solution on the market can cloak as effectively.
• No other vendor can be deployed as easily across physical, virtual, and cloud networks.
(Diagram, "before Tempered": the corporate network from the opening slide, with data center, IT intranet, remote sites 1, 3 and 4, a remote worker, a cellular remote user and a network vendor, all reachable over IP.)
Reduce Attack Surface
Before Tempered vs. after Tempered: attack surface reduced by up to 90%