Security in High Performance Networks
A Practical View
Tony Cataldo
5/19/04
Page 2
Security is about Knowledge
• Know your Business
  – What failures are acceptable – Scope and Concurrency
• Know your Applications:
  – What they do
  – How they do it
  – Who wrote them – what are they based on
  – How were they tested
  – What were they tested for? – Load, Performance, Locality?
• Know the Network
  – More than the metrics like routers, switches & locations
  – Architecture and Design – How do things route?
  – Where are un-routable packets coming from & going to?
  – Ingress/Egress to the Public Internet and Supplier Networks
  – Is there a difference? Should there be a difference?
Page 3
Know what Business your Company is in…
Cars and Trucks
• Design and Engineer
  – Research
  – Advanced Engineering
  – CAD/CAM and CAE
• Manufacturing
  – Industrial Engineering
  – Materials Scheduling and Logistics
  – Shipping
• Marketing and Sales
  – Dealers – Independently Owned
  – Ad Campaigns and/or Web presence for all Brands
• Financing
• Service
All on a Global Basis
Page 4
What Makes a High Performance Network – Low?
• Bad Protocols – What should/should not run on the Network
• Bad Applications – Security is not an afterthought
• Testing at the wrong time
• Latency
• Complexity
• Knowing the difference between High-Availability, Disaster-Recovery, Business-Continuity, Robustness and Reliability
• Bad Security – “Depth of Security” is important, but so is type:
  – Router Access Control Lists
  – Firewall Diversity and Placement
  – Analyze the logs – Get a baseline, look for perturbations
Page 5
Some Scenarios – Some Tradeoffs
• Public Internet Connectivity:
  – Ford is a Global Company that requires low latency connectivity in its major markets, therefore we have Public Internet connections in Europe, US and Singapore. Tradeoff: Simplicity vs. Latency
  – The connectivity in the US is provided by four different ISPs split between two US Data Centers. Tradeoff: Disaster Recovery and Robustness vs. Easy Routing to the Public Internet
• Monolithic vs. Horizontal or Vertical Scaling
  – Should the entrance to all Public Facing web sites have Firewall, Load-Balancing and Routing in one pair of devices for performance reasons?
  – Should Firewalls (weakest performance link) do deep-packet inspection or just be a “speed-bump” along the way?
  – Know your Firewalls’ limits: Concurrent Connections, Connections/Sec. and I/O limits. Thru-put under operating conditions.
• Applications Oriented Security
  – Most Common is Email Relays in/out with virus checking
  – Reverse Proxy for selected web apps. But it becomes a slippery slope when caching, load-balancing and TCP flow optimization are considered.
  – SSL/VPN for selected apps, but how to scale, up or across?
Page 6
Thank You