Security in High Performance Networks

A Practical View

Tony Cataldo5/19/04

Page 2

Security is about Knowledge

Know your Business What failures are acceptable – Scope and Concurrency Know your Applications:

What they do How they do it Who wrote them – what are they based on How were they tested What were they tested for? –Load, Performance, Locality?

Know the Network More than the metrics like routers, switches & locations Architecture and Design – How do things route?

Where are un-routable packets coming from & going to? Ingress/Egress to the Public Internet and Supplier Networks

Is there a difference? Should there be a difference?

Page 3

Know what Business your Company is in…

Cars and Trucks

Design and Engineer Research Advanced Engineering CAD/CAM and CAE

Manufacturing Industrial Engineering Materials Scheduling and Logistics Shipping

Marketing and Sales Dealers Independently Owned Ad Campaigns and/or Web presence for all Brands

• Financing

• Service

All on a Global Basis

Page 4

What Makes a High Performance Network – Low?

Bad Protocols – What should/should not run on the Network

Bad Applications – Security is not an afterthought

Testing at the wrong time

Latency

Complexity

Knowing the difference between High-Availability, Disaster-Recovery, Business-Continuity, Robustness and Reliability

Bad Security – “Depth of Security” is important, but so is type: Router Access Control Lists’ Firewall Diversity and Placement Analyze the logs – Get a baseline, look for perturbations

Page 5

Some Scenarios – Some Tradeoffs

Public Internet Connectivity: Ford is a Global Company that requires low latency connectivity in its

major markets therefore we have Public Internet connections in Europe, US and Singapore. Tradeoff: Simplicity vs. Latency

The connectivity in the US is provided by four different ISP’s split between two US Data Centers. Tradeoff: Disaster Recovery and Robustness vs. Easy Routing to the Public Internet

Monolithic vs. Horizontal or Vertical Scaling Should the entrance to all Public Facing web sites have Firewall, Load-

Balancing and Routing in one pair of devices for performance reasons? Should Firewalls (weakest performance link) do deep-packet inspection

or just a “speed-bump” along the way? Know your Firewalls’ limits: Concurrent Connections, Connections/Sec.

and I/O limits. Thru-put under operating conditions.

Applications Oriented Security Most Common is Email Relays in/out with virus checking Reverse Proxy for selected web apps. But it becomes a slippery slope

when caching, load-balancing and TCP flow optimization is considered. SSL/VPN for selected apps but how to scale, up or across?

Page 6

Thank You