Secure Networking Simplified
Cal Jeffrey
Diagram: a traditional network path. Access over Wireless, MPLS, Shared Campus or Cellular; on-path devices: Core Switch/Router, Edge Firewall/VPN, Internal Firewall, Edge Router, Managed Switch/Router; then the Internet / WAN.
Products: VPNs, Firewalls, Routers, Switches, NAC, Cell Modems etc.
Configurations: ACLs, Certificates, Firewall Rules, IPSec Tunnels, Port Management etc.
Traditional Networking and Security
Complex, costly, fragile, & porous
Diagram: Device A reaches Device B only by traversing the same chain at both ends (Core Switch/Router, Edge Firewall/VPN, Internal Firewall, Edge Router, Managed Switch/Router) across the Internet / WAN.
Traditional Networking and Security At Scale
Complex, costly, fragile, & porous
Per-site configuration state repeated at every hop: SSH keys, certificates, ACLs, firewall rules, NAT, VPNs, VLANs.
VPN and Firewall Rules (ASA example from the slide):
interface gigabitethernet 0/3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 no shutdown
same-security-traffic permit inter-interface
route outside 0 0 209.165.201.1 1
nat (dept1) 1 10.1.1.0 255.255.255.0
nat (dept2) 1 10.1.2.0 255.255.255.0
router rip
 network 10.0.0.0
 default-information originate
 version 2
ssh 209.165.200.225 255.255.255.255 outside
logging trap 5

VLAN Rules (IOS router example from the slide):
Router>enable
Router#configure terminal
Router(config)#hostname CORP
CORP(config)#interface serial 0/0/0
CORP(config-if)#description link to ISP
CORP(config-if)#ip address 192.31.7.6 255.255.255.252
CORP(config-if)#no shutdown
CORP(config-if)#exit
CORP(config)#interface fastethernet 0/1
CORP(config-if)#description link to 3560 Switch
CORP(config-if)#ip address 172.31.1.5 255.255.255.252
CORP(config-if)#no shutdown
Secure Networking With A Zero Trust Protocol
Open standard delivers native network security and IP mobility
TCP/IP-based networks (UNTRUSTED: networks based on non-verifiable IP)
 Application (L5-L7): IP address : port
 Transport (L4): IP address : port
 Network (L3): IP address
 Link & Data (L1-L2): MAC address

HIP-based networks (TRUSTED: networks based on verifiable device identity)
 Application (L5-L7): Host Identity Tag : port
 Transport (L4): Host Identity Tag : port
 Host Identity (L3.5): Host Identity Protocol
 Network (L3): IP address
 Link & Data (L1-L2): MAC address
Identity Defined Networking (IDN) Platform
Secure and Segmented Peer-to-Peer Connectivity for Any Device, in Any Location
Diagram: Device A and Device B, each behind a HIPswitch 150, talk over the IDN overlay networking fabric with native peer-to-peer encryption; the overlay rides on the existing network and the Internet / WAN.
The IDN Platform
IDN Orchestration: the Conductor. Simple network management with automated policy configuration for all trusted IDN endpoints.
IDN Enforcement Points: HIP Services. Run on or adjacent to any host and act as the IDN enforcement point for network and security policy.
IDN Routing: HIPrelay. Identity-based router delivering peer-to-peer connectivity between private or previously non-routable endpoints.
HIP Services form factors: hardware HIPswitch, Virtual HIPswitch, Cloud HIPswitch, HIPserver, HIPclient.
HIP Services: IDN Enforcement Points
Platform and Transport Ubiquity: a single platform available for all environments
Clients, Servers, Clouds, Hypervisors, Appliances (HIPswitch 75, HIPswitch 150, HIPswitch 250, HIPswitch 500)
Identity Defined Networking (IDN) Platform
Control plane: the Conductor (identity orchestration). Data plane: HIPrelay (identity routing), with Device A and Device B each behind a HIPswitch 150 across the Internet / WAN.
What Our Customers Experience
Objectives
▪ Reduce Costs
▪ Connect and Collect Data Faster
▪ Reduce Risk and Attack Surface
▪ Improve Network Availability and Performance
Business Challenges
▪ High communications costs
▪ Expensive forklift upgrades for legacy systems
▪ Costly and time-consuming audits
▪ Avoid public relations nightmare
▪ Decrease insurance liability
▪ Complicated deployment hinders time-to-value
▪ Getting better business intelligence
▪ Limited supply of experienced net/sec experts
▪ Downtime impacts customers and operations
▪ Meeting Service Level Agreements (SLAs)
▪ Avoiding service provider lock-in
Penn State University Before Zero Trust Segmentation
Environment
• 640+ buildings distributed statewide
• Shared Layer 2 network controlled by IT
• 1000s of open data jacks per building
• Small OT network staff
• 100s of 3rd party contractors / vendors
• Immovable deadline (fall semester)
Technical Challenges
• No isolation / segmentation
• BAS unprotected (discoverable / accessible)
• Exposed to thousands of attack vectors
• Outages caused by frequent IT changes
• Broadcast storms caused by vendors
• Expensive, fragile, and still vulnerable
Diagram (before): the Building Automation Systems (BAS) network (HVAC, lighting, building access, cameras and camera NVR) in the BioMed Research Building and Student Housing shares the flat campus network with students, faculty, guests, employees, 3rd party technicians, research servers and IT servers, the campus data center, a DR data center and the cloud, all reached through open data jacks, managed switches, edge routers, edge firewalls, VPNs, cellular modems and internal firewalls on the way to the Internet / WAN.

Penn State University After Zero Trust Segmentation
Overlay Network Segments for Building Automation Systems (BAS)
Network, Segment, and Protect Building Automation Systems for 640+ Buildings
Diagram (after): each building's BAS devices (HVAC, lighting, building access, cameras, camera NVR) sit behind a HIPswitch 150; HIPservers protect the campus data center, a HIPswitch for Cloud covers the cloud DR site, and employees and remote technicians run HIPclients. The Conductor provides identity orchestration and the HIPrelay identity routing across the Internet / WAN. The traditional IT chain it replaces: products (VPNs, firewalls, switches, NAC, cell modems etc.) and configurations (ACLs, certificates, firewall rules, IPsec tunnels, port management etc.).
Benefits
• Segmented and private overlay network
• BAS systems undiscoverable / inaccessible by unauthorized systems
• Reduced attack vectors by 90%+
• Eliminated downtime and broadcast storms
• Reduced alarms by 50%
• Eliminated / simplified edge firewall rules
• Accelerated deployment by 10x for ¼ of the cost
• Replaced IP complexity chain products
Vendor-Net (Manufacturing Example): Trust Detail
Diagram: Rockwell, Siemens and GE admins enter through a vendor DMZ to their own vendor VLANs (Rockwell VLAN, Siemens VLAN, GE VLAN) on the SCADA net; Remote Area 1, Remote Area 2 through Remote Area N connect over Wi-Fi; the corporate side ("Corporate Everything": users, applications, services, database) sits apart; policy is authored on the Conductor.

Vendor-Net (HIP Enabled Clients)
Diagram: the same sites, with HIPclients on the vendor admin hosts, a HIPrelay for reachability and the Conductor for policy.

Hybrid deployment
Diagram: public and roaming users, remote branches (Wi-Fi, WAN / MPLS, dual cell), data centers (services, storage) and cloud services connected through HIP Relays under Conductor orchestration; vendors, developers, admins and users are the roaming endpoints.
Flow Description
When HIP Services need to communicate, the policy defined on the Conductor is validated by both the HIPrelay and the associated HIP Services, ensuring that the peers are allowed to route through the specified HIP Relay cluster.
After policy is validated, the HIP Relays transparently connect HIP tunnels between the peer HIP Services, so the end-to-end encryption is unaltered.
- The HIP Services connect to peers based on their Crypto-ID. The Relay simply provides a connection bridge to the remote HIP Service, removing the need for inbound-initiated connections and public IPs at the edge.
- The HIP Relay(s) add an extra layer of validation by tracking both SPIs and SAs. When a peer is not allowed to connect, the Relay drops all requests from the unauthorized HIP Service, so HIP peers never receive the invalid requests.
- Both hybrid and traditional network deployment architectures are supported with Relay deployments.
- None of the HIP Services, including the Relay(s), have listening TCP/UDP ports. They respond only to valid Crypto-IDs, and the handshake happens below the Transport Layer.
- The assets/services are not visible or routable outside the encrypted overlays. Nothing can see or connect to these assets without a valid HIP Service Crypto-ID.
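The two ideas the deck leans on, a host identity that is verifiable because it is hashed from a public key (the L3.5 layer shown earlier) and a relay that checks identity, policy and SPI before it bridges anything (the flow just described), as an added example in Python. It is a model written for this page, not Tempered Networks' code and not a HIP implementation: the HIT layout follows RFC 7343/RFC 7401 as recalled here (2001:20::/28 prefix, 4-bit OGA ID, 96 hash bits; the truncation direction is an assumption), the host identities are constructed byte strings standing in for DER-encoded public keys, and the names host_identity_tag, Conductor, HIPRelay and demo are chosen for the example.

```python
"""Model of HIP-style identity addressing and relay-side policy enforcement.

Added example for this page, not Tempered Networks' code and not a HIP
implementation. Standard library only. Constants are quoted from memory of
RFC 7343 (ORCHIDv2) and RFC 7401 (HIPv2); verify before interoperating.
"""
import hashlib
import ipaddress
import secrets

ORCHID_PREFIX_28 = 0x2001002   # 2001:20::/28, the ORCHIDv2 prefix used for HITs
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")  # RFC 7401 3.2
OGA_RSA_SHA256 = 0x1           # OGA ID 1: RSA/DSA host identity hashed with SHA-256


def host_identity_tag(host_identity, oga_id=OGA_RSA_SHA256):
    """Derive the 128-bit HIT for an encoded Host Identity (public key).

    Layout: 28-bit prefix | 4-bit OGA ID | 96 bits of Hash(Context ID | HI).
    Assumption: the leftmost 96 hash bits are kept; RFC 7343 fixes the exact
    truncation rule, so check it against a real stack before relying on it.
    Anyone holding the HI can recompute the tag, which is what makes it
    verifiable where an IP address is not.
    """
    digest = hashlib.sha256(HIP_CONTEXT_ID + host_identity).digest()
    hash96 = int.from_bytes(digest[:12], "big")
    value = (ORCHID_PREFIX_28 << 100) | ((oga_id & 0xF) << 96) | hash96
    return ipaddress.IPv6Address(value)


class Conductor:
    """Orchestrator: the single place where trust (allowed HIT pairs) is authored."""

    def __init__(self):
        self.allowed = set()

    def allow(self, hit_a, hit_b):
        self.allowed.add(frozenset((hit_a, hit_b)))

    def permits(self, hit_a, hit_b):
        return frozenset((hit_a, hit_b)) in self.allowed


class HIPRelay:
    """Bridges tunnels between peers and drops everything policy does not permit.

    The relay never terminates the peers' encryption; it only learns which
    SPI belongs to which authorized pair and passes those packets unchanged.
    """

    def __init__(self, conductor):
        self.conductor = conductor
        self.spi_owner = {}   # spi -> (src_hit, dst_hit) for established SAs
        self.dropped = []     # (reason, src_hit, dst_hit) for anything refused

    def handshake(self, src_hi, claimed_src_hit, dst_hit):
        """Gate on the base exchange. Returns an SPI, or None if dropped."""
        # 1. The claimed HIT must be the hash of the presented Host Identity,
        #    so a spoofed tag fails here without touching the destination.
        if host_identity_tag(src_hi) != claimed_src_hit:
            self.dropped.append(("bad-identity", claimed_src_hit, dst_hit))
            return None
        # 2. Policy from the Conductor decides whether this pair may talk.
        if not self.conductor.permits(claimed_src_hit, dst_hit):
            self.dropped.append(("no-policy", claimed_src_hit, dst_hit))
            return None
        spi = secrets.randbits(32)
        self.spi_owner[spi] = (claimed_src_hit, dst_hit)
        return spi

    def forward(self, spi, src_hit, dst_hit):
        """Data plane: pass a packet only if its SPI is bound to this pair."""
        if self.spi_owner.get(spi) != (src_hit, dst_hit):
            self.dropped.append(("bad-spi", src_hit, dst_hit))
            return False
        return True


def demo():
    """Run the cases the flow description makes: allowed, spoofed, unknown peer, unknown SPI."""
    # Constructed stand-ins for DER-encoded public keys; not real key material.
    hi_a = b"constructed public key of device A"
    hi_b = b"constructed public key of device B"
    hi_x = b"constructed public key of an unauthorized host"
    hit_a, hit_b, hit_x = (host_identity_tag(hi) for hi in (hi_a, hi_b, hi_x))

    conductor = Conductor()
    conductor.allow(hit_a, hit_b)          # the only trust relationship
    relay = HIPRelay(conductor)

    spi = relay.handshake(hi_a, hit_a, hit_b)
    return {
        "hit_in_orchid_prefix": hit_a in ipaddress.IPv6Network("2001:20::/28"),
        "authorized_pair_bridged": spi is not None,
        "spoofed_hit_dropped": relay.handshake(hi_x, hit_a, hit_b) is None,
        "unknown_peer_dropped": relay.handshake(hi_x, hit_x, hit_b) is None,
        "known_spi_forwarded": relay.forward(spi, hit_a, hit_b),
        "unknown_spi_dropped": not relay.forward(spi ^ 1, hit_a, hit_b),
        "drop_reasons": [reason for reason, _, _ in relay.dropped],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from running it is the order of the checks: a request from a host whose tag does not hash from its presented key, or whose pair is not in the Conductor's policy, is dropped at the relay and the destination never sees it, which is the property the slide states as "HIP peers will never receive the invalid requests". Whether the HIT bits match a shipping HIP stack exactly depends on the RFC 7343 truncation rule, which this model assumes rather than verifies.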
Layer 2 / Layer 3 Secure Segmentation
Diagram: Data Center 1 and Data Center 2 (SIEM, services, database), remote Locations 1 to 3 and a NOC over a routed WAN and MPLS, with VLAN 10 (10.10.10.0/24), VLAN 20 (10.10.20.0/24) and VLAN 30 (10.10.30.0/24) carried as overlay segments; the corporate network (users, applications, services, database, Wi-Fi) and roaming laptops reach them through on-demand HIP tunnels under the Conductor.
Peace Health Before Zero Trust Segmentation
Hospital and Clinic Network
Environment
• 10 hospitals and 75 clinics
• Mixed Layer 2/3 network
• Juniper firewalls used for "segmentation"
• ~50,000 wired and Wi-Fi medical devices
• Acquiring clinics; rural with legacy systems
• High staff / medical device mobility
Impact
• No isolation / segmentation
• Medical devices discoverable / accessible
• Recognition that patient safety is at risk
• Exposed to thousands of attack vectors
• Complexity chain provisioning slow / porous
• Expensive, fragile, and still vulnerable
Diagram (before): the Health IT data center (VDI farm, infusion pump master servers, MRI/PACS servers, payment servers, EMR servers), Hospital 1 (entry level through 3rd floor: infusion pumps, Epic printers, MRIs, physicians, nurses' station, patient intake, patient monitors, PACS systems, gate controls, cafeteria payments, HVAC systems, building controls, ticketing systems, gift shop systems, EKGs, smart beds), Clinic 2, remote clinicians and remote physicians all share one network behind managed switches, edge routers, edge firewalls, VPNs, Wi-Fi client APs and internal firewalls on the way to the Internet / WAN.
Peace Health After Zero Trust Segmentation
Overlay Network Segments for Hospital and Clinic Network
Benefits
• Segmented and private overlay networks
• Med devices undiscoverable / inaccessible by unauthorized systems
• Reduced attack vectors by 90%+
• Telecom savings projected to be significant
• Eliminated Juniper firewalls
• Accelerated deployment by 10x for ¼ of the cost
Diagram (after): device groups in Hospital 1 (Epic printers, MRIs, patient monitors, cafeteria payments, ticketing, gift shop, EKG, nurses' station, physicians) and Clinic 2 sit behind HIPswitch 150 and HIPswitch 500 units; the Health IT data center (infusion pump master servers, MRI/PACS servers, payment servers) runs HIPservers; remote clinicians and remote physicians use HIPclients; the Conductor provides identity orchestration and the HIPrelay identity routing across the Internet / WAN.
Cruise Ship Before Zero Trust Segmentation
Shipboard Network
Environment
• Floating city
• Shared Layer 2/3 network
• Cisco firewalls/networking for "segmentation"
• Thousands of IIoT endpoints
• Dry dock equals lost revenue
• Thousands of guests and crew
Impact
• No isolation / segmentation
• Critical systems exposed (nav, ballast, props)
• Complex and costly to maintain
• Exposed to thousands of attack vectors
• Complexity chain provisioning slow / porous
• Expensive, fragile, and still vulnerable
Diagram (before): on Ship 1, bridge controls, navigation and navigation sensors, HMI, propulsion systems, ballast controller, water and wastewater systems, fire sensors and fire controller, HVAC sensors, lighting, cameras and NVR, duty stations, guest and crew access, restaurant, bar, gift shop and payment systems all share one network behind managed switches, edge routers, edge firewalls, VPNs, Wi-Fi client APs and internal firewalls to the corporate data center (crew, vendor technicians) over the Internet / WAN.

Cruise Line After Zero Trust Segmentation
Overlay Network Segments for Shipboard Network
Diagram (after): shipboard control groups (navigation, bridge controls, propulsion, ballast, water, wastewater, fire, HVAC sensors, lighting, duty stations, payment and gift shop systems) each sit behind a HIPswitch 150; crew and vendor technicians use HIPclients and the corporate data center runs HIPservers; the Conductor provides identity orchestration and the HIPrelay identity routing across the Internet / WAN.
Benefits
• Isolation / segmentation of all ship controls
• Eliminate east / west / north / south attack vectors
• Shipboard controls cloaked / invisible
• No dry dock, no lost revenue
• Eliminated IP conflicts
• Segmented vendor access
• Deploy 10x faster at a 30th of the cost
Thank You!
Appendix
Build a Zero Trust IoT/Hybrid Cloud Network in 2 minutes
Install HIP services, add devices to your overlay, create policy