Identity-Defined Networking

Andrei Gurtov IDA, Linköping University

Erik Giesa, Marc Kaplan TemperedNetworks

TDDD17, LiU

Contents

Traditional Networking: Challenging and Complex

Identity-Defined Networking (IDN):A New Approach for Unified Secure Networking and Mobility

Host Identity Protocol (HIP)

Centralized Orchestration

Secure Networking Made Simple

Value From New Identity Networking Paradigm

Traditional Networking isComplex, Costly and Fragile

IT Intranet

Corporate Network

Cellular Network

Users

RemoteWorker

Site 1 Site 3

RemoteSite 4

Network & Security

Management

Data Center

RemoteVendor

IT Intranet

Data Center

Data Center

And is Simply Not Sustainable

VPN access controls for

each network

Fragile DNS and routing updates

for failover

Policies tied to IP addresses

Complex firewall and networking

rule sets

VLANs and access control lists

(ACLS) overhead

… per device

WAN / LAN

Remote Unmanaged Network Remote Site Managed Network

Corporate Network & Resources

Device 10 Device 11 Device 12192.168.10.10 192.168.10.11 192.168.10.12

Device 20 Device 21192.168.20.20 192.168.20.21

Device 30 Device 31 Device 32192.168.30.30 192.168.30.31 192.168.30.32

Problem: The Singular Root Defect that affects all IP security and networking

192.168.10.1

192.168.20.1 192.168.30.1

IP Addresses are used as Network and Device Identity• Hacker reconnaissance & fingerprinting via TCP/IP stack• Listening TCP/UDP service ports• All networking and security products use IP addresses for policy

Large Attack Surface • IP, TCP/UDP Attacks: every connected thing is an entry point• East / West lateral movement• ACLs and VLANs ≆ segmentation

Lack of Mobility and Instant Failover• Policies tied to IP - creates inflexible mobility• IP conflicts• DNS TTL and Routing Convergence Delays

Networking and Security Costs• Many distributed, complex VLAN, ACL, VPN, firewall policies• Controlling network routing• IPsec VPN cert management, connection limitations, failover issues• Expense of “next-gen” firewalls deployed on interior

• Field Technicians• Remote Employees

The Ideal Solution

Integrates networking and identity from the start

Provisions networks and resources rapidly

Allows instant segment, revoke, or quarantine

Can be easily managed from a centralized location

Identity-Defined Networking (IDN) –Unified Networking & SecuritySecurely connect any resource, anytime, anywhere.

C R Y P T O G R A P H I CI D E N T I T I E S

A U T O MA T E DO R C H E S T R AT I O N

S O F T W A R E - D E F I N E DS E G ME N T A T I O N

H O S T I D E N T I T YN A ME S P A C E

E N C R Y P T E D F A B R I C

D E V I C E - B A S E DT R U S T

Connect & protect resources globally

Unparalleled TCO

Dramatically reduced business risk

Controlled & verifiable access

Simple & provable compliance auditing

Host Identity Protocol (HIP)• Under development at Internet Engineering

Task Force (IETF) from 2004• Verizon, Ericsson, Boeing, …• HIPv2 is approved as IETF standard RFC7401 in

2015• My role:

• Co-chairing Host Identity Protocol Research Group at IRTF (2006-2010)

• Co-authoring HIP Experiment Report (RFC6538)

• White paper 2016 http://www.temperednetworks.com/resources/host-identity-protocol-dr-andrei-gurtov/

• Wiley book, 332p, 2008• Open-source code in HIPL, OpenHIP• Dozens of papers on various aspects of HIP

architecture

Identity-Defined Networking (IDN) at a Glance

Globally Unique and Locally Unique Identifiers

• Host Identity Tag (HIT)• Compatible with IPv6 address• Statistically unique• Probability of collisions is

negligible

• Local Scope Identity (LSI)• Compatible with IPv4 address• Probability of collisions is

significant• Restricted to local scope

10

Private Key

Public Key

128 Bit

32 Bit

One-wayHash

Last Digits

Host Identity

Host Identity Tag

Local Scope Identifier

IP

HIPIPsec

IP

HIP in the Communication Stack

11

TCP / UDP

HIP

HI

IPPayl

oad

Con

trol

Transport Layer

Network Layer

...

...

How IDN Fabric Overlays Existing Infrastructure

HIPserver

Application Server

Device B

HIPswich

ConductorServes as device identity authority where trust-based policies are

distributed to all HIP (Host Identity Protocol) Services

Device A

Public / Shared Network (Untrusted)

IDN-Fabric (Trusted)

Secure Networking Made Simple

Host Identity Namespace - Global IP Mobility

Dynamic Device-Based Traffic Management

Instant Failover

Automated (API-driven) or Manual Control

Prevent IP Address Spoofing and MiTM attacks

Assign IDN Endpoints and Networks an Identity

Encrypted Fabric Extends all the Way to IDN Endpoints

Global Orchestration and Network Provisioning

Trust-Based Unique Cryptographic Identities (CID)

The Cure to IT Complexity

Unified single-pane-of-glass management

Rapid point and click trust-based segmentation

Centralized governance, compliance, and policy enforcement

Build secure segmented networks instantly

Eliminate errors caused by complexity

Faster and most cost-effective failover

Simplified auditing and access control

Visual Orchestration Simplifies, Reduces Complexity & Errors Reduces OpEx as much as

90%

WAN / LAN

Device 10 Device 11 Device 12

192.168.10.10 192.168.10.11 192.168.10.12

Device 20 Device 21192.168.20.20 192.168.20.21

Device 30 Device 31 Device 32192.168.30.30 192.168.30.31 192.168.30.32

192.168.10.1

192.168.20.1

192.168.30.1

CLOAKED, SEGMENTED & MOBILE

PROTECTED, SEGMENTED, ENCRYPTED, & MOBILE CLOAKED, SEGMENTED, & MOBILE

HIPswitch192.168.10.100

192.168.30.100• Field Technicians• Remote Employees

HIPclientLower Costs, Simpler Environment• CapEx and OpEx decrease• Eliminate or reduce interior “next-gen” firewalls, VPNs,

complex policies, ACLs, VLAN complexity, cert mngt

10.0.9.2

Conductor

A New Identity Networking Paradigm Made Simple

Remote Site Networks & Resources

Corporate Network & Resources

Unique Host Identity Approach • Host Identity Protocol (HIP): IETF ratified April 2015• True SDN overlay –little to no changes to network, security, or applications• Unshackles IP from serving as identity - frees IT from complexity• In production since 2006

Rapid Provisioning, Revocation, IP Mobility and Failover• Effortless segmentation & cloaking• One-click orchestration to connect, disconnect, move or failover any “thing”• Less than 1 second failover between any IDN endpoint• Build ID overlays (IDOs) on-demand based on situation

Significantly Reduced Attack Surface• No trust? No connectivity. No communication. No data.

• VLAN ”segmentation” traversal is now impossible.

• Based on explicit device trust- all systems are invisible

• 2048 bit Identity-Based connectivity, AES 256 encryption by default

The New Identity Networking ParadigmCreates Tremendous Value

25%

Increase in network and security team

productivity

97%

Reduce networking and resource

provisioning timeup to:

25%

Decrease IT CapEx and OpEx

costs up to:

100%

Make 100% of your connected IP resources invisible

The New Identity Networking ParadigmCreates Tremendous Value

25%

Improve time to mitigation,

revocation, and quarantine up to:

90%

Reduce attacksurface up to:

25%

Decrease failover and disaster

recovery times to as little as:

Reduce Deployment TimeBEFORE TEMPERED

Ticket submitted to Network IT for new resources addition to corporate network.

Design for Routing, Firewall, VPN, and Switching Policies

Design Submitted to InfoSec for review and approval

Approval of Designby InfoSec

Implementation of Design byNetwork Ops

Implementation Review and Sign-Off by InfoSec

Go Live!

Week 1

Week 2

Week 3

Week 4

Week 5

Week 6

Week 7

AFTER TEMPERED

Ticket submitted to Network IT for new resource.

Day 1

Resource added with explicit trust relationships, segmentation and encryption. Verified by InfoSec.

Deployment time

reduced by

97%

Increase Productivity

Increase in network and security team productivity

25% Focus on new network designs and policies that

improve quality of service, monitoring and uptime.

Spend time on what really matters instead of crawling through access logs, ACLs, and checking FW rules.

Nearly instantly provision and revoke new services, and verify/test disaster recovery and failover.

Decrease IT Expenditures

Decreased IT CapExand OpEx costs

25%Server

Firewall

Switch

VPN

HIPswitch

BEFORE TEMPERED AFTER TEMPERED

BEFORE TEMPERED

IT Intranet

Corporate Network

Cellular Network

Users

RemoteWorker

Site 1 Site 3

RemoteSite 4

Network & Security ManagementData Center

RemoteVendor

Make 100% of Connected IP Resources Invisible

Tempered Networks is the only technology based on the new identity networking paradigm enabled by the Host Identity Protocol (HIP).

No other solution on the market can cloak as effectively.

No other vendor can be deployed as easily across physical, virtual, and cloud networks.

Reduce Attack Surface

Up to:

90%

BEFORE TEMPERED AFTER TEMPERED

Improve Time to Mitigation, Revocation, and Quarantine

Time to mitigation, revocation, and quarantine is improved

By:

50% Revocation of any resource within the IDN

fabric is one click, or an automated API call, and happens instantly

The alternative is to check all VPNs, Firewalls rules, ACLs, and other policies to ensure that system is in fact quarantined or revoked

Decrease Failover and Disaster Recovery Time

Failover and Disaster Recovery times reduced to as little as

one millisecond.

To as little as:

1ms

Every IDN endpoint or HIP Service is based on unique host identities, therefor failover can be applied from an entire datacenter (represented as a unique host identity), or to a server (represented as a unique host identity).

If one goes down in the IDN fabric, a simple API automated or manual update to the mesh telling all things that are communicating to it, to failover instantly to it’s backup in another pre-defined IDO

USE CASE SECTION

“SEGMENTED (QUARANTINED) VENDOR NET”

“INSTANT DISASTER RECOVERY, REVOCATION & QUARANTINE”

“EFFORTLESS SEGMENTATION , ENCRYPTION, AND IP MOBILITY”

“NETWORK AND IP RESOURCE CLOAKING”

“NETWORK VIRTUALIZATION & ORCHESTRATION -

RAPID PROVISIONING”

Use Cases

“SECURE MACHINE TO MACHINE COMMUNICATION” “CLOAK AND PROTECT

LEGACY SYSTEMS”