Identity-Defined NetworkingTDDD17/Lectures/Slides/Idn_tdd17.pdfHost Identity Protocol (HIP) ... •...
Transcript of Identity-Defined NetworkingTDDD17/Lectures/Slides/Idn_tdd17.pdfHost Identity Protocol (HIP) ... •...
Identity-Defined Networking
Andrei Gurtov IDA, Linköping University
Erik Giesa, Marc Kaplan TemperedNetworks
TDDD17, LiU
Contents
Traditional Networking: Challenging and Complex
Identity-Defined Networking (IDN):A New Approach for Unified Secure Networking and Mobility
Host Identity Protocol (HIP)
Centralized Orchestration
Secure Networking Made Simple
Value From New Identity Networking Paradigm
Traditional Networking isComplex, Costly and Fragile
IT Intranet
Corporate Network
Cellular Network
Users
RemoteWorker
Site 1 Site 3
RemoteSite 4
Network & Security
Management
Data Center
RemoteVendor
IT Intranet
Data Center
Data Center
And is Simply Not Sustainable
VPN access controls for
each network
Fragile DNS and routing updates
for failover
Policies tied to IP addresses
Complex firewall and networking
rule sets
VLANs and access control lists
(ACLS) overhead
… per device
WAN / LAN
Remote Unmanaged Network Remote Site Managed Network
Corporate Network & Resources
Device 10 Device 11 Device 12192.168.10.10 192.168.10.11 192.168.10.12
Device 20 Device 21192.168.20.20 192.168.20.21
Device 30 Device 31 Device 32192.168.30.30 192.168.30.31 192.168.30.32
Problem: The Singular Root Defect that affects all IP security and networking
192.168.10.1
192.168.20.1 192.168.30.1
IP Addresses are used as Network and Device Identity• Hacker reconnaissance & fingerprinting via TCP/IP stack• Listening TCP/UDP service ports• All networking and security products use IP addresses for policy
Large Attack Surface • IP, TCP/UDP Attacks: every connected thing is an entry point• East / West lateral movement• ACLs and VLANs ≆ segmentation
Lack of Mobility and Instant Failover• Policies tied to IP - creates inflexible mobility• IP conflicts• DNS TTL and Routing Convergence Delays
Networking and Security Costs• Many distributed, complex VLAN, ACL, VPN, firewall policies• Controlling network routing• IPsec VPN cert management, connection limitations, failover issues• Expense of “next-gen” firewalls deployed on interior
• Field Technicians• Remote Employees
The Ideal Solution
Integrates networking and identity from the start
Provisions networks and resources rapidly
Allows instant segment, revoke, or quarantine
Can be easily managed from a centralized location
Identity-Defined Networking (IDN) –Unified Networking & SecuritySecurely connect any resource, anytime, anywhere.
C R Y P T O G R A P H I CI D E N T I T I E S
A U T O MA T E DO R C H E S T R AT I O N
S O F T W A R E - D E F I N E DS E G ME N T A T I O N
H O S T I D E N T I T YN A ME S P A C E
E N C R Y P T E D F A B R I C
D E V I C E - B A S E DT R U S T
Connect & protect resources globally
Unparalleled TCO
Dramatically reduced business risk
Controlled & verifiable access
Simple & provable compliance auditing
Host Identity Protocol (HIP)• Under development at Internet Engineering
Task Force (IETF) from 2004• Verizon, Ericsson, Boeing, …• HIPv2 is approved as IETF standard RFC7401 in
2015• My role:
• Co-chairing Host Identity Protocol Research Group at IRTF (2006-2010)
• Co-authoring HIP Experiment Report (RFC6538)
• White paper 2016 http://www.temperednetworks.com/resources/host-identity-protocol-dr-andrei-gurtov/
• Wiley book, 332p, 2008• Open-source code in HIPL, OpenHIP• Dozens of papers on various aspects of HIP
architecture
Identity-Defined Networking (IDN) at a Glance
Globally Unique and Locally Unique Identifiers
• Host Identity Tag (HIT)• Compatible with IPv6 address• Statistically unique• Probability of collisions is
negligible
• Local Scope Identity (LSI)• Compatible with IPv4 address• Probability of collisions is
significant• Restricted to local scope
10
Private Key
Public Key
128 Bit
32 Bit
One-wayHash
Last Digits
Host Identity
Host Identity Tag
Local Scope Identifier
IP
HIPIPsec
IP
HIP in the Communication Stack
11
TCP / UDP
HIP
HI
IPPayl
oad
Con
trol
Transport Layer
Network Layer
...
...
How IDN Fabric Overlays Existing Infrastructure
HIPserver
Application Server
Device B
HIPswich
ConductorServes as device identity authority where trust-based policies are
distributed to all HIP (Host Identity Protocol) Services
Device A
Public / Shared Network (Untrusted)
IDN-Fabric (Trusted)
Secure Networking Made Simple
Host Identity Namespace - Global IP Mobility
Dynamic Device-Based Traffic Management
Instant Failover
Automated (API-driven) or Manual Control
Prevent IP Address Spoofing and MiTM attacks
Assign IDN Endpoints and Networks an Identity
Encrypted Fabric Extends all the Way to IDN Endpoints
Global Orchestration and Network Provisioning
Trust-Based Unique Cryptographic Identities (CID)
The Cure to IT Complexity
Unified single-pane-of-glass management
Rapid point and click trust-based segmentation
Centralized governance, compliance, and policy enforcement
Build secure segmented networks instantly
Eliminate errors caused by complexity
Faster and most cost-effective failover
Simplified auditing and access control
Visual Orchestration Simplifies, Reduces Complexity & Errors Reduces OpEx as much as
90%
WAN / LAN
Device 10 Device 11 Device 12
192.168.10.10 192.168.10.11 192.168.10.12
Device 20 Device 21192.168.20.20 192.168.20.21
Device 30 Device 31 Device 32192.168.30.30 192.168.30.31 192.168.30.32
192.168.10.1
192.168.20.1
192.168.30.1
CLOAKED, SEGMENTED & MOBILE
PROTECTED, SEGMENTED, ENCRYPTED, & MOBILE CLOAKED, SEGMENTED, & MOBILE
HIPswitch192.168.10.100
192.168.30.100• Field Technicians• Remote Employees
HIPclientLower Costs, Simpler Environment• CapEx and OpEx decrease• Eliminate or reduce interior “next-gen” firewalls, VPNs,
complex policies, ACLs, VLAN complexity, cert mngt
10.0.9.2
Conductor
A New Identity Networking Paradigm Made Simple
Remote Site Networks & Resources
Corporate Network & Resources
Unique Host Identity Approach • Host Identity Protocol (HIP): IETF ratified April 2015• True SDN overlay –little to no changes to network, security, or applications• Unshackles IP from serving as identity - frees IT from complexity• In production since 2006
Rapid Provisioning, Revocation, IP Mobility and Failover• Effortless segmentation & cloaking• One-click orchestration to connect, disconnect, move or failover any “thing”• Less than 1 second failover between any IDN endpoint• Build ID overlays (IDOs) on-demand based on situation
Significantly Reduced Attack Surface• No trust? No connectivity. No communication. No data.
• VLAN ”segmentation” traversal is now impossible.
• Based on explicit device trust- all systems are invisible
• 2048 bit Identity-Based connectivity, AES 256 encryption by default
The New Identity Networking ParadigmCreates Tremendous Value
25%
Increase in network and security team
productivity
97%
Reduce networking and resource
provisioning timeup to:
25%
Decrease IT CapEx and OpEx
costs up to:
100%
Make 100% of your connected IP resources invisible
The New Identity Networking ParadigmCreates Tremendous Value
25%
Improve time to mitigation,
revocation, and quarantine up to:
90%
Reduce attacksurface up to:
25%
Decrease failover and disaster
recovery times to as little as:
Reduce Deployment TimeBEFORE TEMPERED
Ticket submitted to Network IT for new resources addition to corporate network.
Design for Routing, Firewall, VPN, and Switching Policies
Design Submitted to InfoSec for review and approval
Approval of Designby InfoSec
Implementation of Design byNetwork Ops
Implementation Review and Sign-Off by InfoSec
Go Live!
Week 1
Week 2
Week 3
Week 4
Week 5
Week 6
Week 7
AFTER TEMPERED
Ticket submitted to Network IT for new resource.
Day 1
Resource added with explicit trust relationships, segmentation and encryption. Verified by InfoSec.
Deployment time
reduced by
97%
Increase Productivity
Increase in network and security team productivity
25% Focus on new network designs and policies that
improve quality of service, monitoring and uptime.
Spend time on what really matters instead of crawling through access logs, ACLs, and checking FW rules.
Nearly instantly provision and revoke new services, and verify/test disaster recovery and failover.
Decrease IT Expenditures
Decreased IT CapExand OpEx costs
25%Server
Firewall
Switch
VPN
HIPswitch
BEFORE TEMPERED AFTER TEMPERED
BEFORE TEMPERED
IT Intranet
Corporate Network
Cellular Network
Users
RemoteWorker
Site 1 Site 3
RemoteSite 4
Network & Security ManagementData Center
RemoteVendor
Make 100% of Connected IP Resources Invisible
Tempered Networks is the only technology based on the new identity networking paradigm enabled by the Host Identity Protocol (HIP).
No other solution on the market can cloak as effectively.
No other vendor can be deployed as easily across physical, virtual, and cloud networks.
Reduce Attack Surface
Up to:
90%
BEFORE TEMPERED AFTER TEMPERED
Improve Time to Mitigation, Revocation, and Quarantine
Time to mitigation, revocation, and quarantine is improved
By:
50% Revocation of any resource within the IDN
fabric is one click, or an automated API call, and happens instantly
The alternative is to check all VPNs, Firewalls rules, ACLs, and other policies to ensure that system is in fact quarantined or revoked
Decrease Failover and Disaster Recovery Time
Failover and Disaster Recovery times reduced to as little as
one millisecond.
To as little as:
1ms
Every IDN endpoint or HIP Service is based on unique host identities, therefor failover can be applied from an entire datacenter (represented as a unique host identity), or to a server (represented as a unique host identity).
If one goes down in the IDN fabric, a simple API automated or manual update to the mesh telling all things that are communicating to it, to failover instantly to it’s backup in another pre-defined IDO
USE CASE SECTION
“SEGMENTED (QUARANTINED) VENDOR NET”
“INSTANT DISASTER RECOVERY, REVOCATION & QUARANTINE”
“EFFORTLESS SEGMENTATION , ENCRYPTION, AND IP MOBILITY”
“NETWORK AND IP RESOURCE CLOAKING”
“NETWORK VIRTUALIZATION & ORCHESTRATION -
RAPID PROVISIONING”
Use Cases
“SECURE MACHINE TO MACHINE COMMUNICATION” “CLOAK AND PROTECT
LEGACY SYSTEMS”